From ba4542ffaa56d4cd4ad5e7cf8b111855f2a5749c Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Wed, 13 Sep 2023 17:47:36 +0200 Subject: [PATCH 01/32] tmp Signed-off-by: David van der Spek --- .../central-dashboard/templates/authorizationpolicy.yaml | 2 +- .../templates/envoy-filter-kubeflow-userid.yaml | 2 +- .../templates/gateway-authorizationpolicy.yaml | 8 ++++---- .../central-dashboard/templates/kubeflow-gateway.yaml | 2 +- kubeflow/helm/central-dashboard/values.yaml.tpl | 2 +- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/kubeflow/helm/central-dashboard/templates/authorizationpolicy.yaml b/kubeflow/helm/central-dashboard/templates/authorizationpolicy.yaml index c4ed3957a..29c767cef 100644 --- a/kubeflow/helm/central-dashboard/templates/authorizationpolicy.yaml +++ b/kubeflow/helm/central-dashboard/templates/authorizationpolicy.yaml @@ -10,7 +10,7 @@ spec: - from: - source: principals: - - cluster.local/ns/{{ .Values.global.istioNamespace }}/sa/istio-ingressgateway-service-account + - cluster.local/ns/{{ .Values.global.istioNamespace }}/sa/istio-ingress selector: matchLabels: {{- include "central-dashboard.selectorLabels" . | nindent 6 }} diff --git a/kubeflow/helm/central-dashboard/templates/envoy-filter-kubeflow-userid.yaml b/kubeflow/helm/central-dashboard/templates/envoy-filter-kubeflow-userid.yaml index 339293eec..7e7e20be3 100644 --- a/kubeflow/helm/central-dashboard/templates/envoy-filter-kubeflow-userid.yaml +++ b/kubeflow/helm/central-dashboard/templates/envoy-filter-kubeflow-userid.yaml @@ -7,7 +7,7 @@ metadata: spec: workloadSelector: labels: - app: istio-ingressgateway + app: istio-ingress configPatches: - applyTo: HTTP_FILTER match: diff --git a/kubeflow/helm/central-dashboard/templates/gateway-authorizationpolicy.yaml b/kubeflow/helm/central-dashboard/templates/gateway-authorizationpolicy.yaml index e490f024a..b583ec5ff 100644 --- a/kubeflow/helm/central-dashboard/templates/gateway-authorizationpolicy.yaml 
+++ b/kubeflow/helm/central-dashboard/templates/gateway-authorizationpolicy.yaml @@ -8,8 +8,8 @@ spec: action: ALLOW selector: matchLabels: - app: istio-ingressgateway - istio: ingressgateway + app: istio-ingress + istio: ingress rules: - to: - operation: @@ -28,8 +28,8 @@ spec: selector: # Same as the istio-ingressgateway Service selector matchLabels: - app: istio-ingressgateway - istio: ingressgateway + app: istio-ingress + istio: ingress provider: name: kubeflow rules: diff --git a/kubeflow/helm/central-dashboard/templates/kubeflow-gateway.yaml b/kubeflow/helm/central-dashboard/templates/kubeflow-gateway.yaml index 24c25d0d8..ccd721c50 100644 --- a/kubeflow/helm/central-dashboard/templates/kubeflow-gateway.yaml +++ b/kubeflow/helm/central-dashboard/templates/kubeflow-gateway.yaml @@ -6,7 +6,7 @@ metadata: namespace: kubeflow spec: selector: - istio: ingressgateway + istio: ingress servers: - hosts: - {{ .Values.global.domain }} diff --git a/kubeflow/helm/central-dashboard/values.yaml.tpl b/kubeflow/helm/central-dashboard/values.yaml.tpl index ed65ef84f..4d99d8a7c 100644 --- a/kubeflow/helm/central-dashboard/values.yaml.tpl +++ b/kubeflow/helm/central-dashboard/values.yaml.tpl @@ -1,4 +1,4 @@ -{{ $istioNamespace := namespace "istio" }} +{{ $istioNamespace := namespace "istio-ingress" }} {{ $hostname := .Values.hostname }} global: application: From 7bb4ca61c3a695d9bf412eb08916b5f59739103c Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Wed, 13 Sep 2023 20:16:01 +0200 Subject: [PATCH 02/32] make recipes private Signed-off-by: David van der Spek --- kubeflow/plural/recipes/kubeflow-aws.yaml | 1 + kubeflow/plural/recipes/kubeflow-gcp.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/kubeflow/plural/recipes/kubeflow-aws.yaml b/kubeflow/plural/recipes/kubeflow-aws.yaml index 5c46020ba..971969d00 100644 --- a/kubeflow/plural/recipes/kubeflow-aws.yaml +++ b/kubeflow/plural/recipes/kubeflow-aws.yaml 
@@ -2,6 +2,7 @@ name: kubeflow-aws description: Installs Kubeflow on an EKS cluster provider: AWS primary: true +private: true oidcSettings: uriFormat: https://{domain}/oauth2/callback authMethod: POST diff --git a/kubeflow/plural/recipes/kubeflow-gcp.yaml b/kubeflow/plural/recipes/kubeflow-gcp.yaml index fdba26517..e76165c64 100644 --- a/kubeflow/plural/recipes/kubeflow-gcp.yaml +++ b/kubeflow/plural/recipes/kubeflow-gcp.yaml @@ -2,6 +2,7 @@ name: kubeflow-gcp description: Installs Kubeflow on a GKE cluster provider: GCP primary: true +private: true oidcSettings: uriFormat: https://{domain}/oauth2/callback authMethod: POST From ec00c16a9eb5f6195d506eda5d7b32d513f4d0fb Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Thu, 14 Sep 2023 16:00:54 +0200 Subject: [PATCH 03/32] feat: use dedicated gateway + remove oauth2proxy 
Signed-off-by: David van der Spek --- .../templates/authorizationpolicy.yaml | 2 +- .../envoy-filter-kubeflow-userid.yaml | 33 ----- .../gateway-authorizationpolicy.yaml | 62 ---------- .../helm/central-dashboard/templates/hpa.yaml | 10 +- .../templates/kubeflow-gateway-cert.yaml | 15 --- .../templates/kubeflow-gateway.yaml | 30 ----- .../templates/oidc-configs.yaml | 46 ------- kubeflow/helm/central-dashboard/values.yaml | 19 ++- .../helm/central-dashboard/values.yaml.tpl | 17 --- kubeflow/helm/gateway/.helmignore | 23 ++++ kubeflow/helm/gateway/Chart.lock | 6 + kubeflow/helm/gateway/Chart.yaml | 11 ++ kubeflow/helm/gateway/README.md | 3 + .../helm/gateway/charts/gateway-1.19.1.tgz | Bin 0 -> 7159 bytes kubeflow/helm/gateway/deps.yaml | 15 +++ kubeflow/helm/gateway/templates/_helpers.tpl | 86 +++++++++++++ .../envoy-filter-ingressgateway-settings.yaml | 28 +++++ .../envoy-filter-proxy-protocol.yaml | 24 ++++ .../templates/kubeflow-gateway-cert.yaml | 17 +++ .../gateway/templates/kubeflow-gateway.yaml | 39 ++++++ .../templates/oauth2-envoy-filter.yaml | 116 ++++++++++++++++++ .../helm/gateway/templates/oauth2-secret.yaml | 10 ++ kubeflow/helm/gateway/values.yaml | 54 ++++++++ kubeflow/helm/gateway/values.yaml.tpl | 33 +++++ kubeflow/plural/recipes/kubeflow-aws.yaml | 2 + 25 files changed, 482 insertions(+), 219 deletions(-) delete mode 100644 kubeflow/helm/central-dashboard/templates/envoy-filter-kubeflow-userid.yaml delete mode 100644 kubeflow/helm/central-dashboard/templates/gateway-authorizationpolicy.yaml delete mode 100644 kubeflow/helm/central-dashboard/templates/kubeflow-gateway-cert.yaml delete mode 100644 kubeflow/helm/central-dashboard/templates/kubeflow-gateway.yaml delete mode 100644 kubeflow/helm/central-dashboard/templates/oidc-configs.yaml create mode 100644 kubeflow/helm/gateway/.helmignore create mode 100644 kubeflow/helm/gateway/Chart.lock create mode 100644 kubeflow/helm/gateway/Chart.yaml create mode 100644 kubeflow/helm/gateway/README.md create 
mode 100644 kubeflow/helm/gateway/charts/gateway-1.19.1.tgz create mode 100644 kubeflow/helm/gateway/deps.yaml create mode 100644 kubeflow/helm/gateway/templates/_helpers.tpl create mode 100644 kubeflow/helm/gateway/templates/envoy-filter-ingressgateway-settings.yaml create mode 100644 kubeflow/helm/gateway/templates/envoy-filter-proxy-protocol.yaml create mode 100644 kubeflow/helm/gateway/templates/kubeflow-gateway-cert.yaml create mode 100644 kubeflow/helm/gateway/templates/kubeflow-gateway.yaml create mode 100644 kubeflow/helm/gateway/templates/oauth2-envoy-filter.yaml create mode 100644 kubeflow/helm/gateway/templates/oauth2-secret.yaml create mode 100644 kubeflow/helm/gateway/values.yaml create mode 100644 kubeflow/helm/gateway/values.yaml.tpl diff --git a/kubeflow/helm/central-dashboard/templates/authorizationpolicy.yaml b/kubeflow/helm/central-dashboard/templates/authorizationpolicy.yaml index 29c767cef..d86805d74 100644 --- a/kubeflow/helm/central-dashboard/templates/authorizationpolicy.yaml +++ b/kubeflow/helm/central-dashboard/templates/authorizationpolicy.yaml @@ -10,7 +10,7 @@ spec: - from: - source: principals: - - cluster.local/ns/{{ .Values.global.istioNamespace }}/sa/istio-ingress + - cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.global.istioIngressServiceAccount }} selector: matchLabels: {{- include "central-dashboard.selectorLabels" . | nindent 6 }} diff --git a/kubeflow/helm/central-dashboard/templates/envoy-filter-kubeflow-userid.yaml b/kubeflow/helm/central-dashboard/templates/envoy-filter-kubeflow-userid.yaml deleted file mode 100644 index 7e7e20be3..000000000 --- a/kubeflow/helm/central-dashboard/templates/envoy-filter-kubeflow-userid.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - labels: {{- include "central-dashboard.labels" . | nindent 4 }} - name: kubeflow-userid - namespace: {{ .Values.global.istioNamespace }} -spec: - workloadSelector: - labels: - app: istio-ingress - configPatches: - - applyTo: HTTP_FILTER - match: - context: GATEWAY - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.router - patch: - operation: INSERT_BEFORE - value: - name: envoy.filters.http.lua - typed_config: - '@type': type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua - inline_code: | - function envoy_on_request(request_handle) - headers = request_handle:headers() - if headers:get("x-auth-request-email") then - request_handle:headers():add("kubeflow-userid", headers:get("x-auth-request-email")) - end - end diff --git a/kubeflow/helm/central-dashboard/templates/gateway-authorizationpolicy.yaml b/kubeflow/helm/central-dashboard/templates/gateway-authorizationpolicy.yaml deleted file mode 100644 index b583ec5ff..000000000 --- a/kubeflow/helm/central-dashboard/templates/gateway-authorizationpolicy.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - name: {{ include "central-dashboard.fullname" . }}-allow-in-cluster-redirect - namespace: {{ .Values.global.istioNamespace }} - labels: {{- include "central-dashboard.labels" . | nindent 4 }} -spec: - action: ALLOW - selector: - matchLabels: - app: istio-ingress - istio: ingress - rules: - - to: - - operation: - hosts: - - {{ .Values.global.domain }} # needed for redirect after authentication - - "*.{{ .Values.global.domain }}" ---- -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - labels: {{- include "central-dashboard.labels" . | nindent 4 }} - name: istio-ingressgateway-oidc - namespace: {{ .Values.global.istioNamespace }} -spec: - action: CUSTOM - selector: - # Same as the istio-ingressgateway Service selector - matchLabels: - app: istio-ingress - istio: ingress - provider: - name: kubeflow - rules: - - to: - - operation: - hosts: - - {{ .Values.global.domain }} - - "*.{{ .Values.global.domain }}" ---- -apiVersion: security.istio.io/v1beta1 -kind: AuthorizationPolicy -metadata: - labels: {{- include "central-dashboard.labels" . | nindent 4 }} - name: knative-local-kubeflow - namespace: {{ .Values.global.istioNamespace }} -spec: - action: ALLOW - rules: - - to: - - operation: - hosts: - - "*.{{ .Values.global.clusterDomain }}" - when: - - key: request.headers[kubeflow-request-source-namespace] - values: - - '*' - selector: - matchLabels: - app: knative-local-gateway - istio: knative-local-gateway diff --git a/kubeflow/helm/central-dashboard/templates/hpa.yaml b/kubeflow/helm/central-dashboard/templates/hpa.yaml index 4826b55e7..078970fb5 100644 --- a/kubeflow/helm/central-dashboard/templates/hpa.yaml +++ b/kubeflow/helm/central-dashboard/templates/hpa.yaml 
@@ -1,5 +1,5 @@ {{- if .Values.autoscaling.enabled }} -apiVersion: autoscaling/v2beta1 +apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{ include "central-dashboard.fullname" . }} @@ -17,12 +17,16 @@ spec: - type: Resource resource: name: cpu - targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} {{- end }} {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} - type: Resource resource: name: memory - targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} {{- end }} {{- end }} diff --git a/kubeflow/helm/central-dashboard/templates/kubeflow-gateway-cert.yaml b/kubeflow/helm/central-dashboard/templates/kubeflow-gateway-cert.yaml deleted file mode 100644 index 58237ee37..000000000 --- a/kubeflow/helm/central-dashboard/templates/kubeflow-gateway-cert.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - labels: {{- include "central-dashboard.labels" . | nindent 4 }} - name: kubeflow-ingressgateway-certs - namespace: {{ .Values.global.istioNamespace }} -spec: - secretName: kubeflow-ingressgateway-certs - issuerRef: - name: letsencrypt-prod - kind: ClusterIssuer - commonName: {{ .Values.global.domain }} - dnsNames: - - {{ .Values.global.domain }} - - "*.{{ .Values.global.domain }}" diff --git a/kubeflow/helm/central-dashboard/templates/kubeflow-gateway.yaml b/kubeflow/helm/central-dashboard/templates/kubeflow-gateway.yaml deleted file mode 100644 index ccd721c50..000000000 --- a/kubeflow/helm/central-dashboard/templates/kubeflow-gateway.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -apiVersion: networking.istio.io/v1beta1 -kind: Gateway -metadata: - labels: {{- include "central-dashboard.labels" . | nindent 4 }} - name: kubeflow-gateway - namespace: kubeflow -spec: - selector: - istio: ingress - servers: - - hosts: - - {{ .Values.global.domain }} - - "*.{{ .Values.global.domain }}" - port: - name: http - number: 80 - protocol: HTTP - # Upgrade HTTP to HTTPS - tls: - httpsRedirect: true - - hosts: - - {{ .Values.global.domain }} - - "*.{{ .Values.global.domain }}" - port: - name: https - number: 443 - protocol: HTTPS - tls: - mode: SIMPLE - credentialName: kubeflow-ingressgateway-certs diff --git a/kubeflow/helm/central-dashboard/templates/oidc-configs.yaml b/kubeflow/helm/central-dashboard/templates/oidc-configs.yaml deleted file mode 100644 index 30994f11d..000000000 --- a/kubeflow/helm/central-dashboard/templates/oidc-configs.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -{{- if .Values.oidcProxy.enabled }} -apiVersion: v1 -kind: Secret -metadata: - name: kubeflow-oauth2-proxy-config -type: Opaque -stringData: - OAUTH2_PROXY_PROVIDER: oidc - OAUTH2_PROXY_HTTP_ADDRESS: 0.0.0.0:4180 - OAUTH2_PROXY_METRICS_ADDRESS: 0.0.0.0:44180 - OAUTH2_PROXY_COOKIE_EXPIRE: 168h - OAUTH2_PROXY_COOKIE_REFRESH: 167h - OAUTH2_PROXY_COOKIE_SECURE: "true" - OAUTH2_PROXY_COOKIE_NAME: _oauth2_proxy - OAUTH2_PROXY_COOKIE_SAMESITE: lax - OAUTH2_PROXY_EMAIL_DOMAINS: "*" - OAUTH2_PROXY_OIDC_ISSUER_URL: {{ .Values.oidcProxy.issuer }} - OAUTH2_PROXY_PASS_ACCESS_TOKEN: "true" - OAUTH2_PROXY_SCOPE: "openid profile" - OAUTH2_PROXY_SET_AUTHORIZATION_HEADER: "true" - OAUTH2_PROXY_SET_XAUTHREQUEST: "true" - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: "true" - OAUTH2_PROXY_UPSTREAMS: {{ .Values.oidcProxy.upstream }} - OAUTH2_PROXY_USER_ID_CLAIM: email - OAUTH2_PROXY_CLIENT_ID: {{ .Values.oidcProxy.clientID }} - OAUTH2_PROXY_CLIENT_SECRET: {{ .Values.oidcProxy.clientSecret }} - OAUTH2_PROXY_COOKIE_SECRET: {{ .Values.oidcProxy.cookieSecret }} ---- -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - labels: - {{- include "central-dashboard.labels" . | nindent 4 }} - name: kubeflow-oauth2-proxy-monitor -spec: - endpoints: - - interval: 5s - path: /metrics - port: metrics-oauth - namespaceSelector: - matchNames: - - {{ .Release.Namespace }} - selector: - matchLabels: - {{- include "central-dashboard.labels" . | nindent 6 }} -{{- end }} diff --git a/kubeflow/helm/central-dashboard/values.yaml b/kubeflow/helm/central-dashboard/values.yaml index bd0853c97..bba7c5a32 100644 --- a/kubeflow/helm/central-dashboard/values.yaml +++ b/kubeflow/helm/central-dashboard/values.yaml 
@@ -2,22 +2,17 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. -oidcProxy: - enabled: false - upstream: static://200 - issuer: https://oidc.plural.sh/ - clientID: "" - clientSecret: "" - cookieSecret: "" - global: - domain: kubeflow.kubeflow-aws.com - istioNamespace: istio + domain: "" + istioIngressServiceAccount: kubeflow-gateway clusterDomain: cluster.local userIDHeader: kubeflow-userid userIDPrefix: "" - oidcIssuer: https://oidc.plural.sh/ - jwksURI: https://oidc.plural.sh/.well-known/jwks.json + oidc: + issuer: "" + jwksURI: "" + authEndpoint: "" + tokenEndpoint: "" kubeflowComponents: notebooks: diff --git a/kubeflow/helm/central-dashboard/values.yaml.tpl b/kubeflow/helm/central-dashboard/values.yaml.tpl index 4d99d8a7c..72a2d2f05 100644 --- a/kubeflow/helm/central-dashboard/values.yaml.tpl +++ b/kubeflow/helm/central-dashboard/values.yaml.tpl @@ -1,24 +1,7 @@ -{{ $istioNamespace := namespace "istio-ingress" }} {{ $hostname := .Values.hostname }} global: application: links: - description: kubeflow dashboard ui url: {{ $hostname }} - istioNamespace: {{ $istioNamespace }} domain: {{ $hostname }} - -{{- if .OIDC }} -oidcProxy: - enabled: true - upstream: static://200 - issuer: {{ .OIDC.Configuration.Issuer }} - clientID: {{ .OIDC.ClientId }} - clientSecret: {{ .OIDC.ClientSecret }} - cookieSecret: {{ dedupe . "central-dashboard.oidcProxy.cookieSecret" (randAlphaNum 32) }} - -podLabels: - security.plural.sh/inject-oauth-sidecar: "true" -podAnnotations: - security.plural.sh/oauth-env-secret: "kubeflow-oauth2-proxy-config" -{{- end }} diff --git a/kubeflow/helm/gateway/.helmignore b/kubeflow/helm/gateway/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null +++ b/kubeflow/helm/gateway/.helmignore 
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/kubeflow/helm/gateway/Chart.lock b/kubeflow/helm/gateway/Chart.lock
new file mode 100644
index 000000000..6e4e46112
--- /dev/null
+++ b/kubeflow/helm/gateway/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: gateway
+ repository: https://pluralsh.github.io/plural-helm-charts
+ version: 1.19.1
+digest: sha256:07ce90c69d8d013e339d6d1bb45ece138c0d20abeb6079dc6b09b6aa9edeb8b9
+generated: "2023-09-14T15:38:52.229116+02:00"
diff --git a/kubeflow/helm/gateway/Chart.yaml b/kubeflow/helm/gateway/Chart.yaml
new file mode 100644
index 000000000..29e411cb3
--- /dev/null
+++ b/kubeflow/helm/gateway/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+name: gateway
+description: A Helm chart for Kubernetes
+type: application
+version: 0.1.0
+appVersion: "1.19.0"
+dependencies:
+- name: gateway
+ version: 1.19.1
+ repository: https://pluralsh.github.io/plural-helm-charts # TODO: remove once https://github.com/istio/istio/pull/45894 is included in a release
+ condition: gateway.enabled
diff --git a/kubeflow/helm/gateway/README.md b/kubeflow/helm/gateway/README.md
new file mode 100644
index 000000000..88c6bdf10
--- /dev/null
+++ b/kubeflow/helm/gateway/README.md
@@ -0,0 +1,3 @@
+# Kubeflow Gateway
+
+This chart installs an Istio gateway for use by Kubeflow.
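Review bot: The `gateway` dependency in Chart.yaml is pinned by version only and comes from a fork repository (`https://pluralsh.github.io/plural-helm-charts`), while the packaged archive `charts/gateway-1.19.1.tgz` is committed as an opaque binary in the same patch. As far as I know the `digest` in Chart.lock is computed over the dependency list, not over the archive contents, so nothing visible here ties the committed tarball to a reviewed source. I would keep `charts/*.tgz` out of git and rebuild it in CI with `helm dependency build`, or record the archive's SHA-256 next to the TODO so a later bump is checked against it. The TODO could also state the exit condition more precisely, e.g. `# TODO: switch back to the upstream istio gateway chart once istio/istio#45894 is released`.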
diff --git a/kubeflow/helm/gateway/charts/gateway-1.19.1.tgz b/kubeflow/helm/gateway/charts/gateway-1.19.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..b3e7c77c859f1f9cad5962652ccf9a3d826a09cc GIT binary patch literal 7159 zcmVDc zVQyr3R8em|NM&qo0PKBha~rp^U_Q^U=%sS&+PUP2dRWfkmbX^1brMxgkH-i5`{v*Ac-;PXyuY*a&CdRl@%UhTu=`~HoAJ)>!QS{A7~elB-KUg_h;PPs zuB+X+f02h2^j8#;ayEh0ZbXWr`g14V`CB}WQk03Hg);Ac!YqeG%L>f7fE0_2uPIx= zu~d|UlO`F_L_;r?D&%B)o9d4-<=YuiDAo3ytTce!CM*@4rlXy|?S9<(+iqO2Mf3sJ z7hI%r5{$hJs|-8q|_XkV{@>DKM^Jh9FTn5}BqIVPTr6p_ ztlt|HPWXUIAW&$d!sn3(F_@w)c+Qy;Jd=hZSzr#rn*WC0VGLKN=<%(LeaT4OekS4c6V9 zmZ*k6zCbJ-Gg zSEl@%rIkJ4^S)9VSt&904beO@jcLnnKw~ANQNh!IKFy6n@Ep|=OR0TT!G)T@VCTtr zcRc8Pm5CtQr3`dqyPpf9mJ=9kOGT92uD@wW%KjS@6<1DCVO|)=IDvudMGYotiU|=l zoGn*X8EwG}oKuF5HAyL`T0_E_!jG!biGrtE`j6*OGRGWRizO))&xxXm(QApycTi3l z&C47LL02@x1xgV3&yor&!!ydvznV$#{TK*KVSj(m=ot%@YA4>^{V!K3XW80gvFbc! zsA5{I_G4PSFIiPt`d%Y`uT8U>f?Uf)WpU)&_}n&e0{=JCttFJ9IPZS*@@@tF&AKph zlaTV&(G(lzx<+TMt?VaJVlWpQ)Gdro1!f^ z}jTley z95YN57xs2Yfp%FE(IoZPPIeSdgVR7 zu|FhHK(y;;s4lqpP<{2bYe84Y{MR^gKb&*)@xi&NVGT4V3xuM~GANAjXy5Oh)C`wo zMY#Yf*?(&PF100#tqpBJOu!COEWX-O9%kAh17;H8cz(jwsX(dSzkxd~vn&wV`sFz$ z0zH4WtUEWcw)aW8V-n8hbWsWf657sFp1z<`lxFPpLzynHHtUX6akLd}!4GTSP|M|M z(JeXE6*?1_!Xszur!_G;x1;z?gq-ryufnSTEQ#O79 zMB4>J5TC;il&nKdO@}mCudS}Z2VdboTzQg7?%8R@pkzxVnOd$-d3v;>i7`P&N~bWV zn59GGxHasGWHhzSmp}x<^mzW0E$rn-gHEj)9O}kRwfb!6iRU zJ;#KzR8C;e_>4oysMKR6nEuMMGDkVpu{EYZnG4_iNa&QOQinQPHGGQXLuFxfRGIQb zZYP{2SSYzI6&GZI+bfHAJC58hZ@@ZrztWNTpHG0T#!&IKhs^(0Pb>c;lO^UP{%^_I z{nc@O{%2?BVE0KY|Fgfh|KuV6^Ch0k2w?E7?e@V01}>YR1z_Zafs4hq{kb(5YH&Rg z(y-Rx*>@yOskT}qI~BY@p(x711m+}@XaI`v^`!~92aAl)NLKybMQvVR4K1{fE^iCp z8ZPz}ds{UD2CU4o!Mg^6O@qr%$Mk`+bTH{qEtQ~bF&O&y$jaOxtFucQ;R}K}XXmI| zSc3>YBxyre`0oMH)f?#0V%|}vaDie_y?f_=T@7#5Vf7H|nm(&g^+<^0iiuepF9S3) z&NC#eCi1Fo!yp)yZ7SbsWTSjN%=@hJ*AD`3k1`7X_54M)x~(qQ0pe|;8OgB^*2zc{ zHW)SD7JoDKb{E;$m`mHl+OP@j&g!P{?g0xI>h4%gh}Glrf$`~*!!{?$GeV?Rieb9i%+bpYI#?e0=|o|_dDo5RJ|h9 
zn>qa)W7169-W5ZbEp`$Q+;(A~jnH|K1>qA}_b zj$2s{n;*V?@ZRrNW+eHdLx^4~g6WVxVgj32m)J00a?A3~8IRj~)z*x}HO0CkPi?Vm zX4II{V4_3+eS#|#EkD_w>e$@0sYRW_s~rJ-x=NJ#P|(5zS$GD<_l^;GAZ^Rhul)G>oVVc-C$>Unv(Cb#`hwEy;O$D z=s%&BNdI^BB{SSU|62{5w@+TbIXaKkM|E#?+_e7pU}wLR|J{4~kpKM>&*1VBC`+<3 z#cK6YYz!;JaCJ2RS(PQS^pGhD0#Pxj-N@UaD~6)ew|ePa=SC zVToDp7RJEkCB$bIA~q`zudZsC1uC;hp${lJ!H){0!osZI_|C1s1H#~^H*Zd%S{1Nq z(Xp9lQbc}`+sY28Mmb?*fjKg@P1!=Al>XmQVpkn*_f&O$Uv-%THIDqBUu9yetN-tp zm=!2wtcrVD3Veh9@9pom_5aE4-u{FBe~IVvas;VeM%YsS(bZL?ztTD2KU?}ZI6HcI zba;L=IyroGWI+KmaQv&CM>MN0|EQMV42*(!N%xB!t18T*nj4WcNw__7mNtHCTXK21 z{ay6jj7;2a22&SdDY$(BK-}`2nO#d^p-dV*j=tM=_}ZK^P<7RXpiIqS@E>yYA94V( z-DG3PcfZ|c3;4q<2O$Z<;J*eict3zYK#7tiaIj~7()_%f&*?`Pj0VtYO_vgv@HeDr z+ZxN|wxMnUeHPyl9$VDi@6u)XUpllg)Y9Raa#(F0(cef>#LapBYQu%L?wulkz&}f_ zu+_9K7HdY+(QG|wxQTPOV6(T7T?%=XlE&A5U` zT)-pzrzrvhQWS&7!QVzO2ag{+u9}y1Lk&fymj1@~|LpDUf~PNo4*#Sc{8w#ryFr1y zS`zs)uG_6Jq^jm6ga$A_ zZb4rSxS2$2S55^QyJD?q+qm4^3t@ihr0qF;Gn!zrO$vGZ8-QBo|Iwy)JT^n8X6tW{ zcHn+o)9|nDqyNmO8~@dtXYOk^*iHMto*Z=Izo!Qe>wmt;6Yl>cMIpCWJ8p-Q_O4EY z^ovksg5@b%KXOzgC5lX{{WUijMhhkjlHjB>*fXy!lv~zrawEo|v~gyYGy4M=WhpWR z`=%&qZtZCXmcd7D1o=Nmo`o26?Xp0#sVi`NRq=XVOYAbsPzA3I>mAOyTM$w05zy_f zi#b!%`osG;+k~8`Wcf1S$p)@;U47lQ1B=+JyF(mwpvT&1M{~i3MWLS#mwjo+)3E06 z>tc;I>L+V7>gK&qVO1@LyZwb%b+WfYB5)P5eFH5Um>Pswy{+={(o0r5M_$*~*(h)q zHg=tHzbf`Q?Kni!+)EY8TIkXnP;CZ!(ld0r5KF!*23cH-UL z(O3_oNI_;aql%)8e=cX}ELi*_Rqp5Gken?zCvyZzS%PLm+N5v0cs*nYe->qyZSRct z_I3|y=`{P%g0AwLt!}ZKEl8i6CASk8j0cfJ7tUdbwH`nu8G;@7`)xAo^}c(l$}6B{lNq3SJhQ zKAv!qigaTHpAb@2ZdRn$3c#}H>TXX zbxdg{aDtpvP0RLbw~^!B3^qeWcEb#=&1n6^1^rz+uk4hkhpq&QzgqqZ?l*yD8u`Yo zdp*Os#nqSf)9*hu^H=-y8#&fEFe9iT6t)1y6$%g4*i@*7afMI`nuKhh_ZGZG_HcwI*Q zbF=Av`SLzCUK4xncC!CpW&*OS|AJ?DzX9Nl@!z<8{^S0Wy}bwh{}RvT<@R^ysGuy| zfrWD}++nUR`4PhjSM}j<`g?HJV6_w~Fd||`l5k=yv>xUgDb-TPV#Zg+AHKKigS2A;Z--q%47kR>UeZdId3xOV4xFa$jw@rCvL7Y7Q)uO&I;<`n0 z-{%eMMF$S9nY3?Y279ehj$(oEC`Bxu^J3lMX;A3#XN>4O&GC4fySyFe+6Q*J$;&}| zsar3`<|b*2v2#G@=U}9M4m&v6Giqkq!-n4m^QIl@T|P9>UMVfsxxoHqHcvi 
ztL)R>vQJyfJv)3e+zM6cny&3GRE>j^X`9_?j;gJv=WZ;gn`q3(#?f7SQ2NQE&~}qP z#r|*f|L%O;+I(+f!D9+PAp^oeIe`oK>)2HqGe|EAmk6&^cJnHJy*7Lu%# z3dImg>G;D7WKw?{1ves1VNNpy#r*|2*th}3LJo~2xwEkE)Vna6LoXe5bEm<|)~Qi6 zk$c`R(Vd0g*}po3sVOjooUCDnMn+Ug6D_uZpAEd+k-hyOCO`XFo<0v}e<~kdVI^`(M@%Z+1eC2MYv0+I=#H5owa~d|}rBo)nvLvgP3OeGS z`9t}qetWU8WA56cO0g?=Hvw0hx4W*Pt}7a;CDxxtwjygG%^?qz&3SAE@W{%!G=FWu zk&$NaMWX0MrGBJxEs7hF(?V&FO@G@gbwi6b9;blz_yqgU$Okl!tqK~oX`J-82!1m8ONuUHg3VIGE;QqhT_}5zWO9az}rUgTe8FUr#JDr z#^9`(^JyO4)cqLkOaqp*@6xD%Y8&&4E`(jWZ|A@MenPMQ}Z#jO?ue zl?Nzks=E?qnDL7^I-Z-u{E0cb#8`tN5J)nu;SHjxwg_6(MGQaj3tVY;VXrfqD`fS3 zMxpE+pE?pX279%JqdZxXEJL=SY!OG%Z--|m$0t8d?0sH=E7yL;V$?ihi@-zMD?Zc( z58l<+l$hkB=F0*N3uiW@8~O`A$Qm*vmT?R}7MN%@3Y2B0WbDNGB`!#^ZpMU;tC8)g zCDjp{^8kE4M{_Tfriq$Am~sVR1k;=_I!CFbi{HGTliLkn=x&&}3EJxURGWO1XnN3{ zo#33E4_f2sx21O5ESSC=0yQ_53DhAUvQ+C}mKotGB?{@p$>XpWWK_LiL7ep2PAj;S zbe3VqaFr1Whp$8 zim;T3l>Uy@bsa9A8v4KOVeP~4HV@4M+fJ$byJRT}n0n5}eKAS=-E`OtWHsf1(<2{@ z%xXVsN6%JAh)h2i2OIa)gNp$N>XR@`1w zD6l|lq^z?yrq8=@16nmQ`VLOZSw`j38V;@<3Dw$aMEWN`aFA4SvDV=BaL?erQ_aGP zz(>cHUqk0ohHylrg5OZ8$6k}%orz%Xw-8K5(cd*1kU8gSSsMv|XPvuT$F$a}L%rfI zHkTjzM4*cnq>V7lLY6r4X3fW%MxLfU;b(8$Y5LnQtM>*)lal(Nr5Z5!Yh$Jza_q%I zfu}JiB{Yirvk5#ATir2}AzT|O-LtkZ6!xG3sRS(wOs%7`4HmVEHjKB9+Sq?8r-r&3 zSAneWatTBFymhq@wd^#pTg@8Bl6*a~`_F2&Sbn#85>4lvKbsLTG%b17I})^B*<{T+ zh+zv}hXW78BE@a5*G=!-2WIBDiwO({pofaOYy6mn6h)PGwq!5pxCYb|xp~dI()+sfinH z^Q^Pz*6u#vvi5d$Fwz4B!;oja16BLIJ}~7LP<=vgo2AEBwLqKUnKdHXWjUcsk=3GJ z4ZHk}puK9Z11lmJWs8Xc3c^TOqNv5#M31_3>l#ZFExCK3c$WIICSw17?BKpP_gx+b z7UD2mKw{?mD7xF!%(2kg-`lFJAu>}`))2YNbgS#HFo(1hR#>ToLhwX;n1~DTdtUwE zT-b|jYX)hG{S~)%Fsa|Zt!@Y<>557&t{Gr3yl|(}QMGpR>Hi$7*IEG&C3|h-056Xckr2u zRZk9I9i5*ZK0lh)xxb!J$qB17H%*iA^YO`x^JkCzg`;&$|2T4W^{QA@RsF1CE;Pj& zrH-2h-(DK*Z~ynZtHJ+-)b4@)P|h$>8H`3Xf!|ixU^LQ-cOj_4XG)alXFw3XHF&>u zRGC8~VxL-dO*1H;d5|wtok97mM)_H_8oSf3^19Q=CW*iWp&BY`0LLM`E*HdzVV*wxM}`(_sO`u{%d^ju>SvxJR2`ij{5eM*SpF6 t9`c(v*Y|CyzhUck&o20{&8LUw;dyu-o`1LJ{{;X5|NmVn2^#>4008A9GA{rC literal 0 HcmV?d00001 
diff --git a/kubeflow/helm/gateway/deps.yaml b/kubeflow/helm/gateway/deps.yaml
new file mode 100644
index 000000000..063e12128
--- /dev/null
+++ b/kubeflow/helm/gateway/deps.yaml
@@ -0,0 +1,15 @@
+apiVersion: plural.sh/v1alpha1
+kind: Dependencies
+metadata:
+ application: true
+ description: Deploys kubeflow crafted for the target cloud
+spec:
+ dependencies:
+ - type: helm
+ name: bootstrap
+ repo: bootstrap
+ version: '>= 0.7.12'
+ - type: helm
+ name: istio
+ repo: istio
+ version: '>= 0.2.1'
diff --git a/kubeflow/helm/gateway/templates/_helpers.tpl b/kubeflow/helm/gateway/templates/_helpers.tpl
new file mode 100644
index 000000000..3403b95f3
--- /dev/null
+++ b/kubeflow/helm/gateway/templates/_helpers.tpl
@@ -0,0 +1,86 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "gateway-plural.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "gateway-plural.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "gateway-plural.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "gateway-plural.labels" -}}
+helm.sh/chart: {{ include "gateway-plural.chart" . }}
+{{ include "gateway-plural.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "gateway-plural.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "gateway-plural.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "gateway-plural.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "gateway-plural.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the hmac secret for oauth2
+*/}}
+{{- define "gateway-plural.hmacResource" -}}
+resources:
+- "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
+ name: hmac
+ generic_secret:
+ secret:
+ inline_string: {{ .Values.oidc.hmacSecret }}
+{{- end }}
+
+{{/*
+Create the client (token) secret for oauth2
+*/}}
+{{- define "gateway-plural.clientSecretResource" -}}
+resources:
+- "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
+ name: token
+ generic_secret:
+ secret:
+ inline_string: {{ .Values.oidc.clientSecret }}
+{{- end }}
diff --git a/kubeflow/helm/gateway/templates/envoy-filter-ingressgateway-settings.yaml b/kubeflow/helm/gateway/templates/envoy-filter-ingressgateway-settings.yaml
new file mode 100644
index 000000000..66ef1c694
--- /dev/null
+++ b/kubeflow/helm/gateway/templates/envoy-filter-ingressgateway-settings.yaml
@@ -0,0 +1,28 @@
+{{- if eq .Values.provider "aws" }}
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: {{ include "gateway-plural.fullname" . }}-ingressgateway-settings
+ labels:
+ {{- include "gateway-plural.labels" . | nindent 4 }}
+spec:
+ workloadSelector:
+ labels:
+ {{- include "gateway.selectorLabels" .Subcharts.gateway | nindent 6 }}
+ configPatches:
+ - applyTo: NETWORK_FILTER
+ match:
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.http_connection_manager
+ patch:
+ operation: MERGE
+ value:
+ name: envoy.filters.network.http_connection_manager
+ typed_config:
+ '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+ skip_xff_append: false
+ use_remote_address: true
+ xff_num_trusted_hops: 1
+{{- end }}
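Review bot: In `gateway-plural.hmacResource` and `gateway-plural.clientSecretResource` the secrets are rendered unquoted (`inline_string: {{ .Values.oidc.hmacSecret }}`), so a value that starts with a YAML indicator, contains `: ` or ` #`, or looks like a number or boolean is truncated, retyped or breaks the generated SDS file, and an unset value renders as an empty scalar. I would write `inline_string: {{ required "oidc.hmacSecret must be set" .Values.oidc.hmacSecret | quote }}` and do the same for `.Values.oidc.clientSecret`. An empty HMAC secret is the case to rule out at render time, because the OAuth2 filter uses it to sign its session cookies; whether Envoy rejects an empty value is not visible from this hunk.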
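Review bot: `xff_num_trusted_hops: 1` with `use_remote_address: true` makes Envoy take the client address from the last X-Forwarded-For entry the peer sent, which is only safe when exactly one trusted HTTP proxy sits in front of the gateway. The sibling filter in this commit enables PROXY protocol, which suggests an L4 load balancer that does not write X-Forwarded-For; if that is the deployment, the header is client-controlled and any IP-based rule, rate limit or log field derived from it can be falsified. I would set `xff_num_trusted_hops: 0` and rely on the PROXY-protocol address, or add a comment naming the proxy that accounts for the one hop. The `match` here also lacks `context: GATEWAY`, unlike the OAuth2 filter; adding it would make the intended scope explicit.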
diff --git a/kubeflow/helm/gateway/templates/envoy-filter-proxy-protocol.yaml b/kubeflow/helm/gateway/templates/envoy-filter-proxy-protocol.yaml
new file mode 100644
index 000000000..5e009a806
--- /dev/null
+++ b/kubeflow/helm/gateway/templates/envoy-filter-proxy-protocol.yaml
@@ -0,0 +1,24 @@
+{{- if eq .Values.provider "aws" }}
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: {{ include "gateway-plural.fullname" . }}-proxy-protocol
+ labels:
+ {{- include "gateway-plural.labels" . | nindent 4 }}
+spec:
+ workloadSelector:
+ labels:
+ {{- include "gateway.selectorLabels" .Subcharts.gateway | nindent 6 }}
+ configPatches:
+ - applyTo: LISTENER
+ patch:
+ operation: MERGE
+ value:
+ listener_filters:
+ - name: envoy.filters.listener.proxy_protocol
+ typed_config:
+ '@type': type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol
+ - name: envoy.filters.listener.tls_inspector
+ typed_config:
+ '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
+{{- end }}
diff --git a/kubeflow/helm/gateway/templates/kubeflow-gateway-cert.yaml b/kubeflow/helm/gateway/templates/kubeflow-gateway-cert.yaml
new file mode 100644
index 000000000..43088e89f
--- /dev/null
+++ b/kubeflow/helm/gateway/templates/kubeflow-gateway-cert.yaml
@@ -0,0 +1,17 @@
+{{- if and .Values.istioGateway.enabled .Values.istioGateway.tls.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ include "gateway-plural.fullname" . }}-ingress-cert
+ labels:
+ {{- include "gateway-plural.labels" . | nindent 4 }}
+spec:
+ secretName: {{ include "gateway-plural.fullname" . }}-ingress-cert
+ commonName: {{ .Values.global.domain }}
+ dnsNames:
+ - {{ .Values.global.domain }}
+ - "*.{{ .Values.global.domain }}"
+ issuerRef:
+ name: {{ .Values.istioGateway.tls.issuerRef.name }}
+ kind: {{ .Values.istioGateway.tls.issuerRef.kind }}
+{{- end }}
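Review bot: The `LISTENER` patch in envoy-filter-proxy-protocol.yaml has no `match`, so the `proxy_protocol` listener filter is merged into every listener of the selected gateway pods, and Envoy will accept the source address from any PROXY header it receives. That is sound only if nothing but the load balancer can open connections to those ports; a workload that reaches the gateway Service directly would otherwise be able to present a source address of its choosing. I would scope the patch with `match: {context: GATEWAY}` and add a comment that a NetworkPolicy or security group must restrict the gateway ports to the load balancer. It is also worth confirming that health checks against these listeners speak PROXY protocol, since connections without the header are rejected once the filter is in place.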
diff --git a/kubeflow/helm/gateway/templates/kubeflow-gateway.yaml b/kubeflow/helm/gateway/templates/kubeflow-gateway.yaml
new file mode 100644
index 000000000..8ba1c1d13
--- /dev/null
+++ b/kubeflow/helm/gateway/templates/kubeflow-gateway.yaml
@@ -0,0 +1,39 @@
+{{- if .Values.istioGateway.enabled }}
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+ name: {{ include "gateway-plural.fullname" . }}
+ labels:
+ {{- include "gateway-plural.labels" . | nindent 4 }}
+spec:
+ selector:
+ {{- if hasKey .Values.gateway.labels "istio" }}
+ {{- with .Values.gateway.labels.istio }}
+ istio: {{.|quote}}
+ {{- end }}
+ {{- else }}
+ istio: {{ include "gateway.name" .Subcharts.gateway | trimPrefix "istio-" }}
+ {{- end }}
+ servers:
+ - port:
+ name: http
+ number: 80
+ protocol: HTTP
+ hosts:
+ - {{ .Values.global.domain }}
+ - "*.{{ .Values.global.domain }}"
+ {{- if .Values.istioGateway.tls.enabled }}
+ tls:
+ httpsRedirect: true
+ - port:
+ number: 443
+ name: https
+ protocol: HTTPS
+ tls:
+ mode: SIMPLE
+ credentialName: {{ include "gateway-plural.fullname" . }}-ingress-cert
+ hosts:
+ - {{ .Values.global.domain }}
+ - "*.{{ .Values.global.domain }}"
+ {{- end }}
+{{- end }}
diff --git a/kubeflow/helm/gateway/templates/oauth2-envoy-filter.yaml b/kubeflow/helm/gateway/templates/oauth2-envoy-filter.yaml
new file mode 100644
index 000000000..548c7ab95
--- /dev/null
+++ b/kubeflow/helm/gateway/templates/oauth2-envoy-filter.yaml
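Review bot: With `istioGateway.tls.enabled: false` the Gateway serves the domain on port 80 with no `httpsRedirect` and no 443 server, while the OAuth2 filter added in this commit is attached to `portNumber: 443` only. In that mode the `IdToken` cookie read by the RequestAuthentication would travel in clear text, and unauthenticated users would presumably get a denial rather than a login redirect. If the flag exists for TLS terminated at the load balancer, say so above the `if`, e.g. `# tls.enabled=false assumes TLS is terminated upstream; port 80 must not be reachable directly`. The bare host entries would also be safer quoted, `- {{ .Values.global.domain | quote }}`, since the default value is an empty string.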
@@ -0,0 +1,116 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+ name: {{ include "gateway-plural.fullname" . }}-oauth2
+ labels:
+ {{- include "gateway-plural.labels" . | nindent 4 }}
+spec:
+ workloadSelector:
+ labels:
+ {{- include "gateway.selectorLabels" .Subcharts.gateway | nindent 6 }}
+ configPatches:
+ - applyTo: CLUSTER
+ match:
+ cluster:
+ service: oauth
+ patch:
+ operation: ADD
+ value:
+ connect_timeout: 10s
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: oauth
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: {{ trimPrefix "https://" .Values.global.oidc.issuer | trimSuffix "/" }}
+ port_value: 443
+ name: oauth
+ transport_socket:
+ name: envoy.transport_sockets.tls
+ typed_config:
+ '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+ sni: {{ trimPrefix "https://" .Values.global.oidc.issuer | trimSuffix "/" }}
+ type: LOGICAL_DNS
+ - applyTo: HTTP_FILTER
+ match:
+ context: GATEWAY
+ listener:
+ filterChain:
+ filter:
+ name: envoy.filters.network.http_connection_manager
+ subFilter:
+ name: envoy.filters.http.jwt_authn
+ portNumber: 443
+ patch:
+ operation: INSERT_BEFORE
+ value:
+ name: envoy.kubeflow.oauth
+ typed_config:
+ '@type': type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
+ config:
+ {{- with .Values.oidc.scopes }}
+ auth_scopes:
+ {{- toYaml .
| nindent 12 }}
+ {{- end }}
+ authorization_endpoint: {{ .Values.global.oidc.authEndpoint }}
+ credentials:
+ client_id: {{ .Values.oidc.clientID }}
+ hmac_secret:
+ name: hmac
+ sds_config:
+ path: /etc/istio/config/hmac-secret.yaml
+ token_secret:
+ name: token
+ sds_config:
+ path: /etc/istio/config/token-secret.yaml
+ forward_bearer_token: true
+ redirect_path_matcher:
+ path:
+ exact: /oauth2/callback
+ redirect_uri: https://%REQ(:authority)%/oauth2/callback
+ signout_path:
+ path:
+ exact: /logout
+ token_endpoint:
+ cluster: oauth
+ timeout: 5s
+ uri: {{ .Values.global.oidc.tokenEndpoint }}
+---
+apiVersion: security.istio.io/v1
+kind: RequestAuthentication
+metadata:
+ name: {{ include "gateway-plural.fullname" . }}-oauth2
+ labels:
+ {{- include "gateway-plural.labels" . | nindent 4 }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "gateway.selectorLabels" .Subcharts.gateway | nindent 6 }}
+ jwtRules:
+ - forwardOriginalToken: true
+ fromHeaders:
+ - name: cookie
+ prefix: IdToken=
+ issuer: {{ .Values.global.oidc.issuer }}
+ jwksUri: {{ .Values.global.oidc.jwksURI }}
+ outputClaimToHeaders:
+ - header: {{ .Values.global.userIDHeader }}
+ claim: email
+---
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+ name: {{ include "gateway-plural.fullname" . }}-oauth2
+ labels:
+ {{- include "gateway-plural.labels" . | nindent 4 }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "gateway.selectorLabels" .Subcharts.gateway | nindent 6 }}
+ rules:
+ - from:
+ - source:
+ requestPrincipals: ["*"]
diff --git a/kubeflow/helm/gateway/templates/oauth2-secret.yaml b/kubeflow/helm/gateway/templates/oauth2-secret.yaml
new file mode 100644
index 000000000..34b007e02
--- /dev/null
+++ b/kubeflow/helm/gateway/templates/oauth2-secret.yaml
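Review bot: The `oauth` cluster's `transport_socket` in oauth2-envoy-filter.yaml sets only `sni`, and Envoy does not verify the upstream certificate unless the `UpstreamTlsContext` carries a `common_tls_context.validation_context`. The token exchange on this cluster carries the authorization code and the client secret, so as written the gateway would accept any certificate presented for the issuer host. I would add a validation context with a CA bundle and a SAN match on the issuer host, as sketched below; the bundle path is the usual one in the proxy image and should be confirmed for the image in use. The host derived with `trimPrefix`/`trimSuffix` is also not a valid address when the issuer URL contains a path, so a dedicated host value may be safer.

```yaml
{{- $issuerHost := trimPrefix "https://" .Values.global.oidc.issuer | trimSuffix "/" }}
# … unchanged: CLUSTER match, load_assignment, transport_socket name …
            typed_config:
              '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
              sni: {{ $issuerHost | quote }}
              common_tls_context:
                validation_context:
                  trusted_ca:
                    # confirm this bundle path exists in the gateway proxy image
                    filename: /etc/ssl/certs/ca-certificates.crt
                  match_typed_subject_alt_names:
                    - san_type: DNS
                      matcher:
                        exact: {{ $issuerHost | quote }}
# … unchanged: type: LOGICAL_DNS and the HTTP_FILTER patch …
```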
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: oauth2-secret
+ labels:
+ {{- include "gateway-plural.labels" . | nindent 4 }}
+type: Opaque
+data:
+ hmac-secret.yaml: {{ include "gateway-plural.hmacResource" . | b64enc | quote }}
+ token-secret.yaml: {{ include "gateway-plural.clientSecretResource" . | b64enc | quote }}
diff --git a/kubeflow/helm/gateway/values.yaml b/kubeflow/helm/gateway/values.yaml
new file mode 100644
index 000000000..70c32834d
--- /dev/null
+++ b/kubeflow/helm/gateway/values.yaml
@@ -0,0 +1,54 @@
+global:
+ domain: ""
+ istioIngressServiceAccount: kubeflow-gateway
+ clusterDomain: cluster.local
+ userIDHeader: kubeflow-userid
+ userIDPrefix: ""
+ oidc:
+ issuer: ""
+ jwksURI: ""
+ authEndpoint: ""
+ tokenEndpoint: ""
+
+nameOverride: ""
+fullnameOverride: ""
+
+provider: ""
+
+oidc:
+ clientID: ""
+ clientSecret: ""
+ hmacSecret: ""
+ scopes:
+ - openid
+ - profile
+
+gateway:
+ name: kubeflow-gateway
+ autoscaling:
+ minReplicas: 2
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: topology.kubernetes.io/zone
+ whenUnsatisfiable: ScheduleAnyway
+ labelSelector:
+ matchLabels:
+ istio: kubeflow-gateway
+ volumes:
+ - name: oauth-creds
+ secret:
+ secretName: oauth2-secret
+ defaultMode: 420
+ volumeMounts:
+ - name: oauth-creds
+ mountPath: /etc/istio/config/
+ readOnly: true
+
+istioGateway:
+ enabled: true
+ hosts: []
+ tls:
+ enabled: true
+ issuerRef:
+ name: letsencrypt-prod
+ kind: ClusterIssuer
diff --git a/kubeflow/helm/gateway/values.yaml.tpl b/kubeflow/helm/gateway/values.yaml.tpl
new file mode 100644
index 000000000..d1612038c
--- /dev/null
+++ b/kubeflow/helm/gateway/values.yaml.tpl
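Review bot: Nothing in oauth2-secret.yaml rejects an empty `oidc.hmacSecret` or `oidc.clientSecret`, and values.yaml in this same patch defaults both to `""`. The OAuth2 filter signs its session cookies with the HMAC secret, so unless the `gateway-plural.hmacResource` helper (not visible here) guards against it, a release rendered from the defaults would run with an empty signing key. A guard at the top of the template such as `{{- $_ := required "oidc.hmacSecret must be set" .Values.oidc.hmacSecret }}`, with the same for `clientSecret`, makes the render fail instead.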
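Review bot: The default `oidc.scopes` in values.yaml request only `openid` and `profile`, while the RequestAuthentication in oauth2-envoy-filter.yaml fills the `kubeflow-userid` header from the `email` claim. Many providers leave `email` out of the ID token unless the `email` scope is requested, and in that case the gateway would not write the header at all. Downstream components presumably treat that header as the caller's identity, so it is worth confirming that a client-supplied `kubeflow-userid` is removed at the gateway when the claim is absent. Adding `- email` to the default list covers the common case.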
@@ -0,0 +1,33 @@ +{{ $istioNamespace := namespace "istio-ingress" }} +{{ $hostname := .Values.hostname }} + +global: + domain: {{ $hostname }} + {{- if .OIDC }} + oidc: + issuer: {{ .OIDC.Configuration.Issuer }} + jwksURI: {{ .OIDC.Configuration.JwksUri }} + authEndpoint: {{ .OIDC.Configuration.AuthorizationEndpoint }} + tokenEndpoint: {{ .OIDC.Configuration.TokenEndpoint }} + {{- end }} + +{{- if eq .Provider "aws" }} +gateway: + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-name: {{ .Cluster }}-kubeflow-nlb + service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*' + service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing + service.beta.kubernetes.io/aws-load-balancer-type: external + service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance + proxy.istio.io/config: '{"gatewayTopology" : { "numTrustedProxies": 2 } }' +{{- end }} + +provider: {{ .Provider }} + +{{- if .OIDC }} +oidc: + clientID: {{ .OIDC.ClientId }} + clientSecret: {{ .OIDC.ClientSecret }} + hmacSecret: {{ dedupe . "gateway.oidc.hmacSecret" (randAlphaNum 32) }} +{{- end }} diff --git a/kubeflow/plural/recipes/kubeflow-aws.yaml b/kubeflow/plural/recipes/kubeflow-aws.yaml index 971969d00..fd799e4c4 100644 --- a/kubeflow/plural/recipes/kubeflow-aws.yaml +++ b/kubeflow/plural/recipes/kubeflow-aws.yaml @@ -43,6 +43,8 @@ sections: name: aws - type: HELM name: aws-iam-controller + - type: HELM + name: gateway - type: HELM name: central-dashboard - type: HELM From 09e0e97080c660e45d808fa05aab4b52693f5bf0 Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Thu, 14 Sep 2023 16:45:34 +0200 Subject: [PATCH 04/32] first pass of general cleanup 
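Review bot: In values.yaml.tpl `proxy.istio.io/config` is set under `gateway.service.annotations`, but as far as I know Istio reads that annotation from the pod, so on the Service it is likely ignored. If it is moved to the pod annotations, `numTrustedProxies: 2` needs a second look: the NLB configured here forwards at layer 4 and appends nothing to `X-Forwarded-For`, so with two trusted hops Envoy would take the client address from a header value the client supplied itself. With only the NLB in front, the address should come from PROXY protocol and `numTrustedProxies` should stay at 0 unless an HTTP proxy really precedes the gateway. The unquoted `{{ .OIDC.ClientSecret }}` is also worth quoting so that a secret beginning with a YAML indicator character cannot break or retype the value.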
Signed-off-by: David van der Spek --- .../templates/authorizationpolicy.yaml | 1 - .../templates/clusterrolebinding.yaml | 2 +- .../templates/configmap.yaml | 2 - .../templates/deployment.yaml | 1 - .../central-dashboard/templates/role.yaml | 1 - .../templates/rolebinding.yaml | 3 +- .../central-dashboard/templates/service.yaml | 9 - .../templates/serviceaccount.yaml | 1 - .../templates/virtualservice.yaml | 1 - .../templates/controller/certificate.yaml | 1 - .../controller/clusterrolebinding.yaml | 2 +- .../katib/templates/controller/configmap.yaml | 2 - .../helm/katib/templates/controller/hpa.yaml | 10 +- .../mutatingwebhookconfiguration.yaml | 4 +- .../katib/templates/controller/service.yaml | 1 - .../validatingwebhookconfiguration.yaml | 2 +- .../db-manager/authorizationpolicy.yaml | 1 - .../katib/templates/db-manager/database.yaml | 3 +- .../helm/katib/templates/db-manager/hpa.yaml | 10 +- .../katib/templates/db-manager/secrets.yaml | 1 - .../katib/templates/db-manager/service.yaml | 1 - .../templates/db-manager/serviceaccount.yaml | 1 - .../web-app/authorizationpolicy.yaml | 3 +- .../templates/web-app/clusterrolebinding.yaml | 2 +- .../katib/templates/web-app/deployment.yaml | 1 - .../helm/katib/templates/web-app/hpa.yaml | 10 +- .../helm/katib/templates/web-app/service.yaml | 1 - .../templates/web-app/serviceaccount.yaml | 1 - .../templates/web-app/virtualservice.yaml | 1 - kubeflow/helm/katib/values.yaml | 12 +- .../helm/mysql-cluster/templates/cluster.yaml | 1 - .../helm/mysql-cluster/templates/secrets.yaml | 1 - .../templates/serviceaccount.yaml | 1 - .../controller/clusterrolebinding.yaml | 2 +- .../templates/controller/configmap.yaml | 1 - .../templates/controller/deployment.yaml | 1 - .../notebooks/templates/controller/hpa.yaml | 10 +- .../notebooks/templates/controller/role.yaml | 1 - .../templates/controller/rolebinding.yaml | 3 +- .../templates/controller/service.yaml | 1 - .../templates/controller/serviceaccount.yaml | 1 - 
.../templates/pod-defaults/certificate.yaml | 1 - .../pod-defaults/clusterrolebinding.yaml | 2 +- .../templates/pod-defaults/deployment.yaml | 1 - .../mutatingwebhookconfiguration.yaml | 2 +- .../templates/pod-defaults/service.yaml | 1 - .../pod-defaults/serviceaccount.yaml | 1 - .../web-app/authorizationpolicy.yaml | 3 +- .../templates/web-app/clusterrolebinding.yaml | 2 +- .../templates/web-app/configmap.yaml | 3 - .../templates/web-app/deployment.yaml | 1 - .../helm/notebooks/templates/web-app/hpa.yaml | 10 +- .../notebooks/templates/web-app/role.yaml | 1 - .../templates/web-app/rolebinding.yaml | 3 +- .../notebooks/templates/web-app/service.yaml | 1 - .../templates/web-app/serviceaccount.yaml | 1 - .../templates/web-app/virtualservice.yaml | 1 - kubeflow/helm/notebooks/values.yaml | 14 +- kubeflow/helm/operators/mpi/.helmignore | 23 - kubeflow/helm/operators/mpi/Chart.yaml | 6 - kubeflow/helm/operators/mpi/README.md | 3 - .../helm/operators/mpi/crds/mpi_crds.yaml | 155 - kubeflow/helm/operators/mpi/deps.yaml | 21 - .../helm/operators/mpi/templates/_helpers.tpl | 64 - .../operators/mpi/templates/clusterrole.yaml | 142 - .../mpi/templates/clusterrolebinding.yaml | 13 - .../operators/mpi/templates/configmap.yaml | 10 - .../operators/mpi/templates/deployment.yaml | 65 - .../helm/operators/mpi/templates/hpa.yaml | 28 - .../mpi/templates/serviceaccount.yaml | 13 - kubeflow/helm/operators/mpi/values.yaml | 60 - kubeflow/helm/operators/mpi/values.yaml.tpl | 1 - kubeflow/helm/operators/mxnet/.helmignore | 23 - kubeflow/helm/operators/mxnet/Chart.yaml | 6 - kubeflow/helm/operators/mxnet/README.md | 3 - .../helm/operators/mxnet/crds/mxnet_crds.yaml | 59 - kubeflow/helm/operators/mxnet/deps.yaml | 21 - .../operators/mxnet/templates/_helpers.tpl | 64 - .../mxnet/templates/clusterrole.yaml | 100 - .../mxnet/templates/clusterrolebinding.yaml | 13 - .../operators/mxnet/templates/deployment.yaml | 60 - .../helm/operators/mxnet/templates/hpa.yaml | 28 - 
.../mxnet/templates/serviceaccount.yaml | 13 - kubeflow/helm/operators/mxnet/values.yaml | 60 - kubeflow/helm/operators/mxnet/values.yaml.tpl | 1 - kubeflow/helm/operators/pytorch/.helmignore | 23 - kubeflow/helm/operators/pytorch/Chart.yaml | 6 - kubeflow/helm/operators/pytorch/README.md | 3 - .../operators/pytorch/crds/pytorch_crds.yaml | 47 - kubeflow/helm/operators/pytorch/deps.yaml | 21 - .../operators/pytorch/templates/_helpers.tpl | 64 - .../pytorch/templates/clusterrole.yaml | 83 - .../pytorch/templates/clusterrolebinding.yaml | 13 - .../pytorch/templates/deployment.yaml | 75 - .../helm/operators/pytorch/templates/hpa.yaml | 28 - .../operators/pytorch/templates/service.yaml | 20 - .../pytorch/templates/serviceaccount.yaml | 13 - kubeflow/helm/operators/pytorch/values.yaml | 63 - .../helm/operators/pytorch/values.yaml.tpl | 1 - .../helm/operators/tensorflow/.helmignore | 23 - kubeflow/helm/operators/tensorflow/Chart.yaml | 6 - kubeflow/helm/operators/tensorflow/README.md | 3 - .../tensorflow/crds/tensorflow_crds.yaml | 57 - kubeflow/helm/operators/tensorflow/deps.yaml | 21 - .../tensorflow/templates/_helpers.tpl | 64 - .../tensorflow/templates/clusterrole.yaml | 88 - .../templates/clusterrolebinding.yaml | 13 - .../tensorflow/templates/deployment.yaml | 72 - .../operators/tensorflow/templates/hpa.yaml | 28 - .../tensorflow/templates/service.yaml | 20 - .../tensorflow/templates/serviceaccount.yaml | 13 - .../helm/operators/tensorflow/values.yaml | 63 - .../helm/operators/tensorflow/values.yaml.tpl | 1 - kubeflow/helm/operators/xgboost/.helmignore | 23 - kubeflow/helm/operators/xgboost/Chart.yaml | 6 - kubeflow/helm/operators/xgboost/README.md | 3 - .../operators/xgboost/crds/xgboost_crds.yaml | 3640 ----------------- kubeflow/helm/operators/xgboost/deps.yaml | 21 - .../operators/xgboost/templates/_helpers.tpl | 64 - .../xgboost/templates/clusterrole.yaml | 76 - .../xgboost/templates/clusterrolebinding.yaml | 13 - .../xgboost/templates/configmap.yaml | 6 - 
.../xgboost/templates/deployment.yaml | 64 - .../helm/operators/xgboost/templates/hpa.yaml | 28 - .../operators/xgboost/templates/service.yaml | 20 - .../xgboost/templates/serviceaccount.yaml | 13 - kubeflow/helm/operators/xgboost/values.yaml | 63 - .../helm/operators/xgboost/values.yaml.tpl | 1 - .../api-server/authorizationpolicy.yaml | 1 - .../api-server/clusterrolebinding.yaml | 2 +- .../templates/api-server/configmap.yaml | 1 - .../templates/api-server/deployment.yaml | 1 - .../templates/api-server/destinationrule.yaml | 1 - .../pipelines/templates/api-server/role.yaml | 1 - .../templates/api-server/rolebinding.yaml | 3 +- .../templates/api-server/service.yaml | 4 +- .../templates/api-server/serviceaccount.yaml | 1 - .../clusterrolebinding.yaml | 2 +- .../argo-workflow-controller/configmap.yaml | 2 - .../argo-workflow-controller/deployment.yaml | 1 - .../argo-workflow-controller/role.yaml | 1 - .../argo-workflow-controller/rolebinding.yaml | 3 +- .../argo-workflow-controller/service.yaml | 1 - .../serviceaccount.yaml | 1 - .../cache/deployer/clusterrolebinding.yaml | 2 +- .../templates/cache/deployer/deployment.yaml | 1 - .../templates/cache/deployer/role.yaml | 1 - .../templates/cache/deployer/rolebinding.yaml | 3 +- .../cache/deployer/serviceaccount.yaml | 1 - .../cache/server/authorizationpolicy.yaml | 1 - .../cache/server/clusterrolebinding.yaml | 2 +- .../templates/cache/server/deployment.yaml | 1 - .../templates/cache/server/role.yaml | 1 - .../templates/cache/server/rolebinding.yaml | 3 +- .../templates/cache/server/service.yaml | 1 - .../cache/server/serviceaccount.yaml | 1 - .../helm/pipelines/templates/configmap.yaml | 1 - .../templates/database/database-user.yaml | 3 +- .../templates/database/databases.yaml | 9 +- .../pipelines/templates/database/secrets.yaml | 1 - .../templates/metadata/envoy/configmap.yaml | 1 - .../templates/metadata/envoy/deployment.yaml | 1 - .../templates/metadata/envoy/service.yaml | 1 - .../metadata/envoy/serviceaccount.yaml 
| 1 - .../grpc-server/authorizationpolicy.yaml | 1 - .../metadata/grpc-server/deployment.yaml | 1 - .../metadata/grpc-server/destinationrule.yaml | 1 - .../metadata/grpc-server/service.yaml | 1 - .../metadata/grpc-server/serviceaccount.yaml | 1 - .../metadata/grpc-server/virtualservice.yaml | 1 - .../metadata/writer/clusterrolebinding.yaml | 2 +- .../templates/metadata/writer/deployment.yaml | 1 - .../templates/metadata/writer/role.yaml | 1 - .../metadata/writer/rolebinding.yaml | 3 +- .../metadata/writer/serviceaccount.yaml | 1 - .../persistence-agent/clusterrolebinding.yaml | 2 +- .../persistence-agent/deployment.yaml | 1 - .../templates/persistence-agent/role.yaml | 1 - .../persistence-agent/rolebinding.yaml | 3 +- .../persistence-agent/serviceaccount.yaml | 1 - kubeflow/helm/pipelines/templates/role.yaml | 1 - .../helm/pipelines/templates/rolebinding.yaml | 3 +- .../clusterrolebinding.yaml | 2 +- .../scheduled-workflow/deployment.yaml | 1 - .../templates/scheduled-workflow/role.yaml | 1 - .../scheduled-workflow/rolebinding.yaml | 3 +- .../scheduled-workflow/serviceaccount.yaml | 1 - .../pipelines/templates/serviceaccount.yaml | 3 - .../viewer-controller/clusterrolebinding.yaml | 2 +- .../viewer-controller/deployment.yaml | 1 - .../templates/viewer-controller/role.yaml | 1 - .../viewer-controller/rolebinding.yaml | 3 +- .../viewer-controller/serviceaccount.yaml | 1 - .../authorizationpolicy.yaml | 1 - .../visualization-server/deployment.yaml | 1 - .../visualization-server/destinationrule.yaml | 1 - .../visualization-server/service.yaml | 1 - .../visualization-server/serviceaccount.yaml | 1 - .../web-app/authorizationpolicy.yaml | 6 +- .../templates/web-app/clusterrolebinding.yaml | 2 +- .../templates/web-app/configmap.yaml | 2 - .../templates/web-app/deployment.yaml | 1 - .../templates/web-app/destinationrule.yaml | 1 - .../helm/pipelines/templates/web-app/hpa.yaml | 10 +- .../pipelines/templates/web-app/role.yaml | 1 - .../templates/web-app/rolebinding.yaml | 3 
+- .../pipelines/templates/web-app/service.yaml | 1 - .../templates/web-app/serviceaccount.yaml | 1 - .../templates/web-app/virtualservice.yaml | 1 - kubeflow/helm/pipelines/values.yaml | 11 +- .../templates/authorizationpolicy.yaml | 3 +- .../templates/clusterrolebinding.yaml | 2 +- .../templates/configmap.yaml | 2 - .../templates/deployment.yaml | 1 - .../profile-controller/templates/hpa.yaml | 10 +- .../profile-controller/templates/role.yaml | 1 - .../templates/rolebinding.yaml | 3 +- .../profile-controller/templates/service.yaml | 1 - .../templates/serviceaccount.yaml | 1 - .../templates/virtualservice.yaml | 1 - kubeflow/helm/profile-controller/values.yaml | 10 +- .../web-app/authorizationpolicy.yaml | 3 +- .../templates/web-app/clusterrolebinding.yaml | 2 +- .../serving/templates/web-app/configmap.yaml | 1 - .../serving/templates/web-app/deployment.yaml | 1 - .../helm/serving/templates/web-app/hpa.yaml | 10 +- .../serving/templates/web-app/service.yaml | 1 - .../templates/web-app/serviceaccount.yaml | 1 - .../templates/web-app/virtualservice.yaml | 1 - kubeflow/helm/serving/values.yaml | 8 +- .../controller/clusterrolebinding.yaml | 4 +- .../templates/controller/configmap.yaml | 1 - .../templates/controller/hpa.yaml | 10 +- .../templates/controller/role.yaml | 1 - .../templates/controller/rolebinding.yaml | 3 +- .../templates/controller/service.yaml | 1 - .../templates/controller/serviceaccount.yaml | 1 - .../web-app/authorizationpolicy.yaml | 3 +- .../templates/web-app/clusterrolebinding.yaml | 2 +- .../templates/web-app/configmap.yaml | 1 - .../tensorboards/templates/web-app/hpa.yaml | 10 +- .../templates/web-app/service.yaml | 1 - .../templates/web-app/serviceaccount.yaml | 1 - .../templates/web-app/virtualservice.yaml | 1 - kubeflow/helm/tensorboards/values.yaml | 8 +- .../helm/training-operator/templates/hpa.yaml | 10 +- kubeflow/helm/training-operator/values.yaml | 12 + .../controller/clusterrolebinding.yaml | 4 +- 
.../templates/controller/configmap.yaml | 1 - .../volumes/templates/controller/hpa.yaml | 8 +- .../volumes/templates/controller/role.yaml | 1 - .../templates/controller/rolebinding.yaml | 3 +- .../volumes/templates/controller/service.yaml | 1 - .../templates/controller/serviceaccount.yaml | 1 - .../web-app/authorizationpolicy.yaml | 3 +- .../templates/web-app/clusterrolebinding.yaml | 2 +- .../volumes/templates/web-app/configmap.yaml | 2 - .../helm/volumes/templates/web-app/hpa.yaml | 10 +- .../volumes/templates/web-app/service.yaml | 1 - .../templates/web-app/serviceaccount.yaml | 1 - .../templates/web-app/virtualservice.yaml | 1 - kubeflow/helm/volumes/values.yaml | 10 +- 262 files changed, 215 insertions(+), 6309 deletions(-) delete mode 100644 kubeflow/helm/operators/mpi/.helmignore delete mode 100644 kubeflow/helm/operators/mpi/Chart.yaml delete mode 100644 kubeflow/helm/operators/mpi/README.md delete mode 100644 kubeflow/helm/operators/mpi/crds/mpi_crds.yaml delete mode 100644 kubeflow/helm/operators/mpi/deps.yaml delete mode 100644 kubeflow/helm/operators/mpi/templates/_helpers.tpl delete mode 100644 kubeflow/helm/operators/mpi/templates/clusterrole.yaml delete mode 100644 kubeflow/helm/operators/mpi/templates/clusterrolebinding.yaml delete mode 100644 kubeflow/helm/operators/mpi/templates/configmap.yaml delete mode 100644 kubeflow/helm/operators/mpi/templates/deployment.yaml delete mode 100644 kubeflow/helm/operators/mpi/templates/hpa.yaml delete mode 100644 kubeflow/helm/operators/mpi/templates/serviceaccount.yaml delete mode 100644 kubeflow/helm/operators/mpi/values.yaml delete mode 100644 kubeflow/helm/operators/mpi/values.yaml.tpl delete mode 100644 kubeflow/helm/operators/mxnet/.helmignore delete mode 100644 kubeflow/helm/operators/mxnet/Chart.yaml delete mode 100644 kubeflow/helm/operators/mxnet/README.md delete mode 100644 kubeflow/helm/operators/mxnet/crds/mxnet_crds.yaml delete mode 100644 kubeflow/helm/operators/mxnet/deps.yaml delete mode 100644 
kubeflow/helm/operators/mxnet/templates/_helpers.tpl delete mode 100644 kubeflow/helm/operators/mxnet/templates/clusterrole.yaml delete mode 100644 kubeflow/helm/operators/mxnet/templates/clusterrolebinding.yaml delete mode 100644 kubeflow/helm/operators/mxnet/templates/deployment.yaml delete mode 100644 kubeflow/helm/operators/mxnet/templates/hpa.yaml delete mode 100644 kubeflow/helm/operators/mxnet/templates/serviceaccount.yaml delete mode 100644 kubeflow/helm/operators/mxnet/values.yaml delete mode 100644 kubeflow/helm/operators/mxnet/values.yaml.tpl delete mode 100644 kubeflow/helm/operators/pytorch/.helmignore delete mode 100644 kubeflow/helm/operators/pytorch/Chart.yaml delete mode 100644 kubeflow/helm/operators/pytorch/README.md delete mode 100644 kubeflow/helm/operators/pytorch/crds/pytorch_crds.yaml delete mode 100644 kubeflow/helm/operators/pytorch/deps.yaml delete mode 100644 kubeflow/helm/operators/pytorch/templates/_helpers.tpl delete mode 100644 kubeflow/helm/operators/pytorch/templates/clusterrole.yaml delete mode 100644 kubeflow/helm/operators/pytorch/templates/clusterrolebinding.yaml delete mode 100644 kubeflow/helm/operators/pytorch/templates/deployment.yaml delete mode 100644 kubeflow/helm/operators/pytorch/templates/hpa.yaml delete mode 100644 kubeflow/helm/operators/pytorch/templates/service.yaml delete mode 100644 kubeflow/helm/operators/pytorch/templates/serviceaccount.yaml delete mode 100644 kubeflow/helm/operators/pytorch/values.yaml delete mode 100644 kubeflow/helm/operators/pytorch/values.yaml.tpl delete mode 100644 kubeflow/helm/operators/tensorflow/.helmignore delete mode 100644 kubeflow/helm/operators/tensorflow/Chart.yaml delete mode 100644 kubeflow/helm/operators/tensorflow/README.md delete mode 100644 kubeflow/helm/operators/tensorflow/crds/tensorflow_crds.yaml delete mode 100644 kubeflow/helm/operators/tensorflow/deps.yaml delete mode 100644 kubeflow/helm/operators/tensorflow/templates/_helpers.tpl delete mode 100644 
kubeflow/helm/operators/tensorflow/templates/clusterrole.yaml delete mode 100644 kubeflow/helm/operators/tensorflow/templates/clusterrolebinding.yaml delete mode 100644 kubeflow/helm/operators/tensorflow/templates/deployment.yaml delete mode 100644 kubeflow/helm/operators/tensorflow/templates/hpa.yaml delete mode 100644 kubeflow/helm/operators/tensorflow/templates/service.yaml delete mode 100644 kubeflow/helm/operators/tensorflow/templates/serviceaccount.yaml delete mode 100644 kubeflow/helm/operators/tensorflow/values.yaml delete mode 100644 kubeflow/helm/operators/tensorflow/values.yaml.tpl delete mode 100644 kubeflow/helm/operators/xgboost/.helmignore delete mode 100644 kubeflow/helm/operators/xgboost/Chart.yaml delete mode 100644 kubeflow/helm/operators/xgboost/README.md delete mode 100644 kubeflow/helm/operators/xgboost/crds/xgboost_crds.yaml delete mode 100644 kubeflow/helm/operators/xgboost/deps.yaml delete mode 100644 kubeflow/helm/operators/xgboost/templates/_helpers.tpl delete mode 100644 kubeflow/helm/operators/xgboost/templates/clusterrole.yaml delete mode 100644 kubeflow/helm/operators/xgboost/templates/clusterrolebinding.yaml delete mode 100644 kubeflow/helm/operators/xgboost/templates/configmap.yaml delete mode 100644 kubeflow/helm/operators/xgboost/templates/deployment.yaml delete mode 100644 kubeflow/helm/operators/xgboost/templates/hpa.yaml delete mode 100644 kubeflow/helm/operators/xgboost/templates/service.yaml delete mode 100644 kubeflow/helm/operators/xgboost/templates/serviceaccount.yaml delete mode 100644 kubeflow/helm/operators/xgboost/values.yaml delete mode 100644 kubeflow/helm/operators/xgboost/values.yaml.tpl diff --git a/kubeflow/helm/central-dashboard/templates/authorizationpolicy.yaml b/kubeflow/helm/central-dashboard/templates/authorizationpolicy.yaml index d86805d74..35817034d 100644 --- a/kubeflow/helm/central-dashboard/templates/authorizationpolicy.yaml +++ b/kubeflow/helm/central-dashboard/templates/authorizationpolicy.yaml 
@@ -3,7 +3,6 @@ kind: AuthorizationPolicy metadata: labels: {{- include "central-dashboard.labels" . | nindent 4 }} name: {{ include "central-dashboard.fullname" . }} - namespace: kubeflow spec: action: ALLOW rules: diff --git a/kubeflow/helm/central-dashboard/templates/clusterrolebinding.yaml b/kubeflow/helm/central-dashboard/templates/clusterrolebinding.yaml index d9cb6e5d1..5a5c6f865 100644 --- a/kubeflow/helm/central-dashboard/templates/clusterrolebinding.yaml +++ b/kubeflow/helm/central-dashboard/templates/clusterrolebinding.yaml @@ -10,4 +10,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "central-dashboard.serviceAccountName" . }} - namespace: kubeflow + namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/central-dashboard/templates/configmap.yaml b/kubeflow/helm/central-dashboard/templates/configmap.yaml index fd0a3ff38..99f22ffb5 100644 --- a/kubeflow/helm/central-dashboard/templates/configmap.yaml +++ b/kubeflow/helm/central-dashboard/templates/configmap.yaml @@ -127,7 +127,6 @@ kind: ConfigMap metadata: labels: {{- include "central-dashboard.labels" . | nindent 4 }} name: {{ include "central-dashboard.fullname" . }}-config - namespace: kubeflow --- apiVersion: v1 data: @@ -141,4 +140,3 @@ kind: ConfigMap metadata: labels: {{- include "central-dashboard.labels" . | nindent 4 }} name: {{ include "central-dashboard.fullname" . }}-parameters - namespace: kubeflow diff --git a/kubeflow/helm/central-dashboard/templates/deployment.yaml b/kubeflow/helm/central-dashboard/templates/deployment.yaml index 6a0bd1a98..4837d5f58 100644 --- a/kubeflow/helm/central-dashboard/templates/deployment.yaml +++ b/kubeflow/helm/central-dashboard/templates/deployment.yaml @@ -4,7 +4,6 @@ metadata: name: {{ include "central-dashboard.fullname" . }} labels: {{- include "central-dashboard.labels" . | nindent 4 }} - namespace: kubeflow spec: {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.replicaCount }} 
diff --git a/kubeflow/helm/central-dashboard/templates/role.yaml b/kubeflow/helm/central-dashboard/templates/role.yaml index 2b6da5d46..2919b6550 100644 --- a/kubeflow/helm/central-dashboard/templates/role.yaml +++ b/kubeflow/helm/central-dashboard/templates/role.yaml @@ -3,7 +3,6 @@ kind: Role metadata: labels: {{- include "central-dashboard.labels" . | nindent 4 }} name: {{ include "central-dashboard.fullname" . }}-role - namespace: kubeflow rules: - apiGroups: - "" diff --git a/kubeflow/helm/central-dashboard/templates/rolebinding.yaml b/kubeflow/helm/central-dashboard/templates/rolebinding.yaml index ef1970875..1d29f6b2e 100644 --- a/kubeflow/helm/central-dashboard/templates/rolebinding.yaml +++ b/kubeflow/helm/central-dashboard/templates/rolebinding.yaml @@ -3,7 +3,6 @@ kind: RoleBinding metadata: labels: {{- include "central-dashboard.labels" . | nindent 4 }} name: {{ include "central-dashboard.fullname" . }}-role-binding - namespace: kubeflow roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -11,4 +10,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "central-dashboard.serviceAccountName" . }} - namespace: kubeflow + namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/central-dashboard/templates/service.yaml b/kubeflow/helm/central-dashboard/templates/service.yaml index 7224412e5..26b211ce5 100644 --- a/kubeflow/helm/central-dashboard/templates/service.yaml +++ b/kubeflow/helm/central-dashboard/templates/service.yaml @@ -4,7 +4,6 @@ metadata: name: {{ include "central-dashboard.fullname" . }} labels: {{- include "central-dashboard.labels" . | nindent 4 }} - namespace: kubeflow spec: type: ClusterIP ports: @@ -12,13 +11,5 @@ spec: targetPort: website protocol: TCP name: http-website - - port: 4180 - targetPort: 4180 - protocol: TCP - name: http-oauth - - port: 44180 - targetPort: 44180 - protocol: TCP - name: metrics-oauth selector: {{- include "central-dashboard.selectorLabels" . | nindent 4 }} 
diff --git a/kubeflow/helm/central-dashboard/templates/serviceaccount.yaml b/kubeflow/helm/central-dashboard/templates/serviceaccount.yaml index bac4885b8..f10a5b08b 100644 --- a/kubeflow/helm/central-dashboard/templates/serviceaccount.yaml +++ b/kubeflow/helm/central-dashboard/templates/serviceaccount.yaml @@ -3,7 +3,6 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "central-dashboard.serviceAccountName" . }} - namespace: kubeflow labels: {{- include "central-dashboard.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} diff --git a/kubeflow/helm/central-dashboard/templates/virtualservice.yaml b/kubeflow/helm/central-dashboard/templates/virtualservice.yaml index f67030b01..6dc87870d 100644 --- a/kubeflow/helm/central-dashboard/templates/virtualservice.yaml +++ b/kubeflow/helm/central-dashboard/templates/virtualservice.yaml @@ -2,7 +2,6 @@ apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: {{ include "central-dashboard.fullname" . }} - namespace: kubeflow labels: {{- include "central-dashboard.selectorLabels" . | nindent 4 }} {{- with .Values.virtualService.annotations }} diff --git a/kubeflow/helm/katib/templates/controller/certificate.yaml b/kubeflow/helm/katib/templates/controller/certificate.yaml index 7a7e2d4e3..d9c385d8a 100644 --- a/kubeflow/helm/katib/templates/controller/certificate.yaml +++ b/kubeflow/helm/katib/templates/controller/certificate.yaml @@ -3,7 +3,6 @@ kind: Certificate metadata: labels: {{- include "katib.labels" . | nindent 4 }} name: {{ include "katib.fullname" . }}-controller-certs - namespace: kubeflow spec: commonName: {{ include "katib.fullname" . }}-controller.kubeflow.svc dnsNames: diff --git a/kubeflow/helm/katib/templates/controller/clusterrolebinding.yaml b/kubeflow/helm/katib/templates/controller/clusterrolebinding.yaml index 3b4a0d218..e2a57292b 100644 --- a/kubeflow/helm/katib/templates/controller/clusterrolebinding.yaml 
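Review bot: In katib's controller/certificate.yaml the context line `commonName: {{ include "katib.fullname" . }}-controller.kubeflow.svc` still names the `kubeflow` namespace although the hunk drops `namespace: kubeflow`. If the chart is released into another namespace, the webhook certificate would not match the service name the API server dials, and because the katib webhooks in this patch use `failurePolicy: Ignore`, admission would be skipped silently rather than fail. I would write `commonName: {{ include "katib.fullname" . }}-controller.{{ .Release.Namespace }}.svc` and check the `dnsNames` entries, which begin at the edge of this hunk and are not visible.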
+++ b/kubeflow/helm/katib/templates/controller/clusterrolebinding.yaml @@ -10,4 +10,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "katib.serviceAccountName" . }}-controller - namespace: kubeflow + namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/katib/templates/controller/configmap.yaml b/kubeflow/helm/katib/templates/controller/configmap.yaml index 8b7240c8f..084e66af5 100644 --- a/kubeflow/helm/katib/templates/controller/configmap.yaml +++ b/kubeflow/helm/katib/templates/controller/configmap.yaml @@ -58,7 +58,6 @@ data: kind: ConfigMap metadata: name: katib-config - namespace: kubeflow labels: {{- include "katib.labels" . | nindent 4 }} --- apiVersion: v1 @@ -137,4 +136,3 @@ metadata: labels: app: katib-trial-templates name: trial-template - namespace: kubeflow diff --git a/kubeflow/helm/katib/templates/controller/hpa.yaml b/kubeflow/helm/katib/templates/controller/hpa.yaml index 70162557c..daf2dcd07 100644 --- a/kubeflow/helm/katib/templates/controller/hpa.yaml +++ b/kubeflow/helm/katib/templates/controller/hpa.yaml @@ -1,5 +1,5 @@ {{- if .Values.controller.autoscaling.enabled }} -apiVersion: autoscaling/v2beta1 +apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{ include "katib.fullname" . }}-controller @@ -17,12 +17,16 @@ spec: - type: Resource resource: name: cpu - targetAverageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} {{- end }} {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} - type: Resource resource: name: memory - targetAverageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} {{- end }} {{- end }} 
diff --git a/kubeflow/helm/katib/templates/controller/mutatingwebhookconfiguration.yaml b/kubeflow/helm/katib/templates/controller/mutatingwebhookconfiguration.yaml index 4c35c1ad2..4dcfa10d8 100644 --- a/kubeflow/helm/katib/templates/controller/mutatingwebhookconfiguration.yaml +++ b/kubeflow/helm/katib/templates/controller/mutatingwebhookconfiguration.yaml @@ -12,7 +12,7 @@ webhooks: caBundle: Cg== service: name: {{ include "katib.fullname" . }}-controller - namespace: kubeflow + namespace: {{ .Release.Namespace }} path: /mutate-experiment failurePolicy: Ignore name: defaulter.experiment.katib.kubeflow.org @@ -33,7 +33,7 @@ webhooks: caBundle: Cg== service: name: {{ include "katib.fullname" . }}-controller-controller - namespace: kubeflow + namespace: {{ .Release.Namespace }} path: /mutate-pod failurePolicy: Ignore name: mutator.pod.katib.kubeflow.org diff --git a/kubeflow/helm/katib/templates/controller/service.yaml b/kubeflow/helm/katib/templates/controller/service.yaml index e0285ce40..841066cfd 100644 --- a/kubeflow/helm/katib/templates/controller/service.yaml +++ b/kubeflow/helm/katib/templates/controller/service.yaml @@ -2,7 +2,6 @@ apiVersion: v1 kind: Service metadata: name: {{ include "katib.fullname" . }}-controller - namespace: kubeflow labels: {{- include "katib.labels" . | nindent 4 }} spec: diff --git a/kubeflow/helm/katib/templates/controller/validatingwebhookconfiguration.yaml b/kubeflow/helm/katib/templates/controller/validatingwebhookconfiguration.yaml index 1722d88a1..94058c221 100644 --- a/kubeflow/helm/katib/templates/controller/validatingwebhookconfiguration.yaml +++ b/kubeflow/helm/katib/templates/controller/validatingwebhookconfiguration.yaml @@ -12,7 +12,7 @@ webhooks: caBundle: Cg== service: name: {{ include "katib.fullname" . }}-controller - namespace: kubeflow + namespace: {{ .Release.Namespace }} path: /validate-experiment failurePolicy: Ignore name: validator.experiment.katib.kubeflow.org 
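Review bot: The second hunk of mutatingwebhookconfiguration.yaml keeps the service name `{{ include "katib.fullname" . }}-controller-controller`, while the first hunk and the validating webhook use `...-controller`; the doubled suffix looks like a typo that this cleanup carries over. With `failurePolicy: Ignore` two lines below, a webhook pointing at a service that does not exist never blocks pod creation, so the `/mutate-pod` mutation would simply not run and nothing would report it. If the service is indeed the `-controller` one, the line should read `name: {{ include "katib.fullname" . }}-controller`. The webhook entries continue outside both hunks.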
diff --git a/kubeflow/helm/katib/templates/db-manager/authorizationpolicy.yaml b/kubeflow/helm/katib/templates/db-manager/authorizationpolicy.yaml index 18def503f..afd536cb9 100644 --- a/kubeflow/helm/katib/templates/db-manager/authorizationpolicy.yaml +++ b/kubeflow/helm/katib/templates/db-manager/authorizationpolicy.yaml @@ -2,7 +2,6 @@ apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: {{ include "katib.fullname" . }}-db-manager-allow-all - namespace: kubeflow labels: {{- include "katib.labels" . | nindent 4 }} spec: action: ALLOW diff --git a/kubeflow/helm/katib/templates/db-manager/database.yaml b/kubeflow/helm/katib/templates/db-manager/database.yaml index c3784519b..8020a7810 100644 --- a/kubeflow/helm/katib/templates/db-manager/database.yaml +++ b/kubeflow/helm/katib/templates/db-manager/database.yaml @@ -2,9 +2,8 @@ apiVersion: mysql.presslabs.org/v1alpha1 kind: MysqlDatabase metadata: name: katib-database - namespace: kubeflow spec: database: {{ .Values.dbManager.config.database.name }} clusterRef: name: kubeflow-mysql-cluster - namespace: kubeflow + namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/katib/templates/db-manager/hpa.yaml b/kubeflow/helm/katib/templates/db-manager/hpa.yaml index 4788dd79a..59a846c62 100644 --- a/kubeflow/helm/katib/templates/db-manager/hpa.yaml +++ b/kubeflow/helm/katib/templates/db-manager/hpa.yaml @@ -1,5 +1,5 @@ {{- if .Values.dbManager.autoscaling.enabled }} -apiVersion: autoscaling/v2beta1 +apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{ include "katib.fullname" . }}-db-manager 
@@ -17,12 +17,16 @@ spec: - type: Resource resource: name: cpu - targetAverageUtilization: {{ .Values.dbManager.autoscaling.targetCPUUtilizationPercentage }} + target: + type: Utilization + averageUtilization: {{ .Values.dbManager.autoscaling.targetCPUUtilizationPercentage }} {{- end }} {{- if .Values.autoscaling.dbManager.targetMemoryUtilizationPercentage }} - type: Resource resource: name: memory - targetAverageUtilization: {{ .Values.dbManager.autoscaling.targetMemoryUtilizationPercentage }} + target: + type: Utilization + averageUtilization: {{ .Values.dbManager.autoscaling.targetMemoryUtilizationPercentage }} {{- end }} {{- end }} diff --git a/kubeflow/helm/katib/templates/db-manager/secrets.yaml b/kubeflow/helm/katib/templates/db-manager/secrets.yaml index 531b1f4d6..ab2fc1a71 100644 --- a/kubeflow/helm/katib/templates/db-manager/secrets.yaml +++ b/kubeflow/helm/katib/templates/db-manager/secrets.yaml @@ -2,7 +2,6 @@ apiVersion: v1 kind: Secret metadata: name: {{ .Values.dbManager.config.secret.name }} - namespace: kubeflow labels: {{- include "katib.labels" . | nindent 4 }} type: Opaque data: diff --git a/kubeflow/helm/katib/templates/db-manager/service.yaml b/kubeflow/helm/katib/templates/db-manager/service.yaml index 7e84983d1..7e32818a9 100644 --- a/kubeflow/helm/katib/templates/db-manager/service.yaml +++ b/kubeflow/helm/katib/templates/db-manager/service.yaml @@ -2,7 +2,6 @@ apiVersion: v1 kind: Service metadata: name: {{ include "katib.fullname" . }}-db-manager - namespace: kubeflow labels: {{- include "katib.labels" . | nindent 4 }} spec: diff --git a/kubeflow/helm/katib/templates/db-manager/serviceaccount.yaml b/kubeflow/helm/katib/templates/db-manager/serviceaccount.yaml index f320620b8..5bc2c3d8f 100644 --- a/kubeflow/helm/katib/templates/db-manager/serviceaccount.yaml +++ b/kubeflow/helm/katib/templates/db-manager/serviceaccount.yaml 
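Review bot: The memory guard in katib's db-manager hpa.yaml reads `.Values.autoscaling.dbManager.targetMemoryUtilizationPercentage`, but the value rendered beneath it, like every other key in the file, lives at `.Values.dbManager.autoscaling.*`. If the chart has no top-level `autoscaling` map (none is visible in the values.yaml hunks), the guard either fails at render time or never emits the memory metric, so the HPA cannot scale on memory even when the operator configures it. Make the guard `{{- if .Values.dbManager.autoscaling.targetMemoryUtilizationPercentage }}`. The katib web-app hpa.yaml has the same swapped path (`.Values.autoscaling.webApp...`), while the notebooks charts already use the right order. The opening CPU guard sits above this hunk.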
@@ -3,7 +3,6 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "katib.serviceAccountName" . }}-db-manager - namespace: kubeflow labels: {{- include "katib.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} diff --git a/kubeflow/helm/katib/templates/web-app/authorizationpolicy.yaml b/kubeflow/helm/katib/templates/web-app/authorizationpolicy.yaml index 605dbf7d0..9b802ba6a 100644 --- a/kubeflow/helm/katib/templates/web-app/authorizationpolicy.yaml +++ b/kubeflow/helm/katib/templates/web-app/authorizationpolicy.yaml @@ -3,14 +3,13 @@ kind: AuthorizationPolicy metadata: labels: {{- include "katib.labels" . | nindent 4 }} name: {{ include "katib.fullname" . }}-web-app - namespace: kubeflow spec: action: ALLOW rules: - from: - source: principals: - - cluster.local/ns/{{ .Values.global.istioNamespace }}/sa/istio-ingressgateway-service-account + - cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.global.istioIngressServiceAccount }} selector: matchLabels: {{- include "katib.selectorLabels" . | nindent 6 }} diff --git a/kubeflow/helm/katib/templates/web-app/clusterrolebinding.yaml b/kubeflow/helm/katib/templates/web-app/clusterrolebinding.yaml index 293bf110a..2f69e40a5 100644 --- a/kubeflow/helm/katib/templates/web-app/clusterrolebinding.yaml +++ b/kubeflow/helm/katib/templates/web-app/clusterrolebinding.yaml @@ -10,4 +10,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "katib.serviceAccountName" . }}-web-app - namespace: kubeflow + namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/katib/templates/web-app/deployment.yaml b/kubeflow/helm/katib/templates/web-app/deployment.yaml index cb4034a16..9ab33e1c2 100644 --- a/kubeflow/helm/katib/templates/web-app/deployment.yaml +++ b/kubeflow/helm/katib/templates/web-app/deployment.yaml 
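Review bot: The new principal in katib's web-app authorizationpolicy.yaml, `cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.global.istioIngressServiceAccount }}`, renders to `.../sa/` with no account name when the value is overridden to an empty string, and an ALLOW policy whose only source matches nothing rejects every request to the web app. Wrapping the value turns that into a render-time failure: `{{ required "global.istioIngressServiceAccount must be set" .Values.global.istioIngressServiceAccount }}`. The policy now also trusts a service account in the chart's own namespace rather than one in the Istio namespace, so it is worth confirming that only the gateway workload runs under that account. The trust domain stays hard-coded as `cluster.local` although values.yaml has `global.clusterDomain`; whether the two are meant to track each other is not visible here. notebooks/templates/web-app/authorizationpolicy.yaml receives the identical line and needs the same guard.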
@@ -4,7 +4,6 @@ metadata: name: {{ include "katib.fullname" . }}-web-app labels: {{- include "katib.labels" . | nindent 4 }} - namespace: kubeflow spec: {{- if not .Values.webApp.autoscaling.enabled }} replicas: {{ .Values.webApp.replicaCount }} diff --git a/kubeflow/helm/katib/templates/web-app/hpa.yaml b/kubeflow/helm/katib/templates/web-app/hpa.yaml index 8343bae9c..a4b4734ae 100644 --- a/kubeflow/helm/katib/templates/web-app/hpa.yaml +++ b/kubeflow/helm/katib/templates/web-app/hpa.yaml @@ -1,5 +1,5 @@ {{- if .Values.webApp.autoscaling.enabled }} -apiVersion: autoscaling/v2beta1 +apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{ include "katib.fullname" . }}-web-app @@ -17,12 +17,16 @@ spec: - type: Resource resource: name: cpu - targetAverageUtilization: {{ .Values.webApp.autoscaling.targetCPUUtilizationPercentage }} + target: + type: Utilization + averageUtilization: {{ .Values.webApp.autoscaling.targetCPUUtilizationPercentage }} {{- end }} {{- if .Values.autoscaling.webApp.targetMemoryUtilizationPercentage }} - type: Resource resource: name: memory - targetAverageUtilization: {{ .Values.webApp.autoscaling.targetMemoryUtilizationPercentage }} + target: + type: Utilization + averageUtilization: {{ .Values.webApp.autoscaling.targetMemoryUtilizationPercentage }} {{- end }} {{- end }} diff --git a/kubeflow/helm/katib/templates/web-app/service.yaml b/kubeflow/helm/katib/templates/web-app/service.yaml index 5dd4850fb..dea7148ce 100644 --- a/kubeflow/helm/katib/templates/web-app/service.yaml +++ b/kubeflow/helm/katib/templates/web-app/service.yaml @@ -4,7 +4,6 @@ metadata: name: {{ include "katib.fullname" . }}-web-app labels: {{- include "katib.labels" . | nindent 4 }} - namespace: kubeflow spec: type: ClusterIP ports: diff --git a/kubeflow/helm/katib/templates/web-app/serviceaccount.yaml b/kubeflow/helm/katib/templates/web-app/serviceaccount.yaml index fdbb5983c..17b9475a6 100644 
--- a/kubeflow/helm/katib/templates/web-app/serviceaccount.yaml +++ b/kubeflow/helm/katib/templates/web-app/serviceaccount.yaml @@ -3,7 +3,6 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "katib.serviceAccountName" . }}-web-app - namespace: kubeflow labels: {{- include "katib.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} diff --git a/kubeflow/helm/katib/templates/web-app/virtualservice.yaml b/kubeflow/helm/katib/templates/web-app/virtualservice.yaml index a222397eb..1071e18c3 100644 --- a/kubeflow/helm/katib/templates/web-app/virtualservice.yaml +++ b/kubeflow/helm/katib/templates/web-app/virtualservice.yaml @@ -2,7 +2,6 @@ apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: {{ include "katib.fullname" . }}-web-app - namespace: kubeflow labels: {{- include "katib.labels" . | nindent 4 }} {{- with .Values.webApp.virtualService.annotations }} annotations: diff --git a/kubeflow/helm/katib/values.yaml b/kubeflow/helm/katib/values.yaml index ab0e49b55..a5ca45957 100644 --- a/kubeflow/helm/katib/values.yaml +++ b/kubeflow/helm/katib/values.yaml @@ -3,10 +3,16 @@ # Declare variables to be passed into your templates. global: - istioNamespace: istio + domain: "" + istioIngressServiceAccount: kubeflow-gateway clusterDomain: cluster.local userIDHeader: kubeflow-userid userIDPrefix: "" + oidc: + issuer: "" + jwksURI: "" + authEndpoint: "" + tokenEndpoint: "" imagePullSecrets: [] nameOverride: "" @@ -104,7 +110,7 @@ controller: # readOnlyRootFilesystem: true # runAsNonRoot: true # runAsUser: 1000 - + resources: requests: cpu: 32m @@ -173,7 +179,7 @@ dbManager: maxReplicas: 100 targetCPUUtilizationPercentage: 80 # targetMemoryUtilizationPercentage: 80 - + nodeSelector: {} tolerations: [] diff --git a/kubeflow/helm/mysql-cluster/templates/cluster.yaml b/kubeflow/helm/mysql-cluster/templates/cluster.yaml index 9b84edae7..817ce29b0 100644 --- a/kubeflow/helm/mysql-cluster/templates/cluster.yaml 
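Review bot: The keys added under `global` in katib's values.yaml (`domain`, `istioIngressServiceAccount`, `oidc.*`) carry no comments, and `istioIngressServiceAccount` decides which identity the web-app AuthorizationPolicy admits. I would document it at the definition, e.g. `# ServiceAccount of the ingress gateway in the release namespace; the only principal allowed to reach the web apps`, and state for `domain` and the four `oidc` fields whether the empty default is a supported configuration or must be overridden at install time. notebooks/values.yaml adds the same block and needs the same comments.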
+++ b/kubeflow/helm/mysql-cluster/templates/cluster.yaml @@ -2,7 +2,6 @@ apiVersion: mysql.presslabs.org/v1alpha1 kind: MysqlCluster metadata: name: kubeflow-mysql-cluster - namespace: kubeflow spec: replicas: 2 secretName: kubeflow-mysql-cluster-root diff --git a/kubeflow/helm/mysql-cluster/templates/secrets.yaml b/kubeflow/helm/mysql-cluster/templates/secrets.yaml index 5bbd59fe2..401d03f2a 100644 --- a/kubeflow/helm/mysql-cluster/templates/secrets.yaml +++ b/kubeflow/helm/mysql-cluster/templates/secrets.yaml @@ -2,7 +2,6 @@ apiVersion: v1 kind: Secret metadata: name: kubeflow-mysql-cluster-root - namespace: kubeflow labels: {{- include "mysql-cluster.labels" . | nindent 4 }} type: Opaque data: diff --git a/kubeflow/helm/mysql-cluster/templates/serviceaccount.yaml b/kubeflow/helm/mysql-cluster/templates/serviceaccount.yaml index e0ef8960a..853b1d8a3 100644 --- a/kubeflow/helm/mysql-cluster/templates/serviceaccount.yaml +++ b/kubeflow/helm/mysql-cluster/templates/serviceaccount.yaml @@ -3,7 +3,6 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "mysql-cluster.serviceAccountName" . }} - namespace: kubeflow labels: {{- include "mysql-cluster.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} diff --git a/kubeflow/helm/notebooks/templates/controller/clusterrolebinding.yaml b/kubeflow/helm/notebooks/templates/controller/clusterrolebinding.yaml index 901027ef4..f294e924f 100644 --- a/kubeflow/helm/notebooks/templates/controller/clusterrolebinding.yaml +++ b/kubeflow/helm/notebooks/templates/controller/clusterrolebinding.yaml @@ -10,4 +10,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "notebooks.serviceAccountName" . }}-controller - namespace: kubeflow + namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/notebooks/templates/controller/configmap.yaml b/kubeflow/helm/notebooks/templates/controller/configmap.yaml index 9c272eb04..45c522358 100644 
--- a/kubeflow/helm/notebooks/templates/controller/configmap.yaml +++ b/kubeflow/helm/notebooks/templates/controller/configmap.yaml @@ -9,4 +9,3 @@ kind: ConfigMap metadata: labels: {{- include "notebooks.labels" . | nindent 4 }} name: {{ include "notebooks.fullname" . }}-controller-config - namespace: kubeflow diff --git a/kubeflow/helm/notebooks/templates/controller/deployment.yaml b/kubeflow/helm/notebooks/templates/controller/deployment.yaml index 62c8b492f..43b67b3e7 100644 --- a/kubeflow/helm/notebooks/templates/controller/deployment.yaml +++ b/kubeflow/helm/notebooks/templates/controller/deployment.yaml @@ -4,7 +4,6 @@ metadata: name: {{ include "notebooks.fullname" . }}-controller labels: {{- include "notebooks.labels" . | nindent 4 }} - namespace: kubeflow spec: {{- if not .Values.controller.autoscaling.enabled }} replicas: {{ .Values.controller.replicaCount }} diff --git a/kubeflow/helm/notebooks/templates/controller/hpa.yaml b/kubeflow/helm/notebooks/templates/controller/hpa.yaml index 69be1aea1..7cc2d85ed 100644 --- a/kubeflow/helm/notebooks/templates/controller/hpa.yaml +++ b/kubeflow/helm/notebooks/templates/controller/hpa.yaml @@ -1,5 +1,5 @@ {{- if .Values.controller.autoscaling.enabled }} -apiVersion: autoscaling/v2beta1 +apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{ include "notebooks.fullname" . }}-controller 
@@ -17,12 +17,16 @@ spec: - type: Resource resource: name: cpu - targetAverageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} {{- end }} {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} - type: Resource resource: name: memory - targetAverageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} {{- end }} {{- end }} diff --git a/kubeflow/helm/notebooks/templates/controller/role.yaml b/kubeflow/helm/notebooks/templates/controller/role.yaml index b5155eb49..e42b7cc71 100644 --- a/kubeflow/helm/notebooks/templates/controller/role.yaml +++ b/kubeflow/helm/notebooks/templates/controller/role.yaml @@ -3,7 +3,6 @@ kind: Role metadata: labels: {{- include "notebooks.labels" . | nindent 4 }} name: {{ include "notebooks.fullname" . }}-controller-leader-election-role - namespace: kubeflow rules: - apiGroups: - "" diff --git a/kubeflow/helm/notebooks/templates/controller/rolebinding.yaml b/kubeflow/helm/notebooks/templates/controller/rolebinding.yaml index 2b712c95a..81115875c 100644 --- a/kubeflow/helm/notebooks/templates/controller/rolebinding.yaml +++ b/kubeflow/helm/notebooks/templates/controller/rolebinding.yaml @@ -3,7 +3,6 @@ kind: RoleBinding metadata: labels: {{- include "notebooks.labels" . | nindent 4 }} name: {{ include "notebooks.fullname" . }}-controller-leader-election-role-binding - namespace: kubeflow roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -11,4 +10,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "notebooks.serviceAccountName" . }}-controller - namespace: kubeflow + namespace: {{ .Release.Namespace }} 
diff --git a/kubeflow/helm/notebooks/templates/controller/service.yaml b/kubeflow/helm/notebooks/templates/controller/service.yaml index 6f8678f0e..17f783e20 100644 --- a/kubeflow/helm/notebooks/templates/controller/service.yaml +++ b/kubeflow/helm/notebooks/templates/controller/service.yaml @@ -2,7 +2,6 @@ apiVersion: v1 kind: Service metadata: name: {{ include "notebooks.fullname" . }}-controller - namespace: kubeflow labels: {{- include "notebooks.labels" . | nindent 4 }} spec: diff --git a/kubeflow/helm/notebooks/templates/controller/serviceaccount.yaml b/kubeflow/helm/notebooks/templates/controller/serviceaccount.yaml index a65fb7018..bd97bfa12 100644 --- a/kubeflow/helm/notebooks/templates/controller/serviceaccount.yaml +++ b/kubeflow/helm/notebooks/templates/controller/serviceaccount.yaml @@ -3,7 +3,6 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "notebooks.serviceAccountName" . }}-controller - namespace: kubeflow labels: {{- include "notebooks.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} diff --git a/kubeflow/helm/notebooks/templates/pod-defaults/certificate.yaml b/kubeflow/helm/notebooks/templates/pod-defaults/certificate.yaml index 5ebc24f36..3a64c33d0 100644 --- a/kubeflow/helm/notebooks/templates/pod-defaults/certificate.yaml +++ b/kubeflow/helm/notebooks/templates/pod-defaults/certificate.yaml @@ -3,7 +3,6 @@ kind: Certificate metadata: labels: {{- include "notebooks.labels" . | nindent 4 }} name: {{ include "notebooks.fullname" . }}-pod-defaults-certs - namespace: kubeflow spec: commonName: {{ include "notebooks.fullname" . }}-pod-defaults.kubeflow.svc dnsNames: diff --git a/kubeflow/helm/notebooks/templates/pod-defaults/clusterrolebinding.yaml b/kubeflow/helm/notebooks/templates/pod-defaults/clusterrolebinding.yaml index 901f4cfe6..a72abac74 100644 --- a/kubeflow/helm/notebooks/templates/pod-defaults/clusterrolebinding.yaml +++ b/kubeflow/helm/notebooks/templates/pod-defaults/clusterrolebinding.yaml 
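Review bot: In notebooks' pod-defaults certificate.yaml the `commonName` still ends in `.kubeflow.svc`, although the resource no longer pins `namespace: kubeflow` and the webhook in pod-defaults/mutatingwebhookconfiguration.yaml now targets `{{ .Release.Namespace }}`. Installed into any other namespace, the certificate would not cover the service name the API server dials, and TLS verification of the admission webhook fails. Use `commonName: {{ include "notebooks.fullname" . }}-pod-defaults.{{ .Release.Namespace }}.svc`, and apply the same substitution to the `dnsNames` entries, which lie below the hunk and are not visible here.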
@@ -10,4 +10,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "notebooks.serviceAccountName" . }}-pod-defaults - namespace: kubeflow + namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/notebooks/templates/pod-defaults/deployment.yaml b/kubeflow/helm/notebooks/templates/pod-defaults/deployment.yaml index 6c7e082fc..b361157ef 100644 --- a/kubeflow/helm/notebooks/templates/pod-defaults/deployment.yaml +++ b/kubeflow/helm/notebooks/templates/pod-defaults/deployment.yaml @@ -4,7 +4,6 @@ metadata: name: {{ include "notebooks.fullname" . }}-pod-defaults labels: {{- include "notebooks.labels" . | nindent 4 }} - namespace: kubeflow spec: {{- if not .Values.podDefaults.autoscaling.enabled }} replicas: {{ .Values.podDefaults.replicaCount }} diff --git a/kubeflow/helm/notebooks/templates/pod-defaults/mutatingwebhookconfiguration.yaml b/kubeflow/helm/notebooks/templates/pod-defaults/mutatingwebhookconfiguration.yaml index 14cf45e91..6e38679d9 100644 --- a/kubeflow/helm/notebooks/templates/pod-defaults/mutatingwebhookconfiguration.yaml +++ b/kubeflow/helm/notebooks/templates/pod-defaults/mutatingwebhookconfiguration.yaml @@ -10,7 +10,7 @@ webhooks: caBundle: "" service: name: {{ include "notebooks.fullname" . }}-pod-defaults - namespace: kubeflow + namespace: {{ .Release.Namespace }} path: /apply-poddefault name: admission-webhook-deployment.kubeflow.org admissionReviewVersions: ["v1beta1"] diff --git a/kubeflow/helm/notebooks/templates/pod-defaults/service.yaml b/kubeflow/helm/notebooks/templates/pod-defaults/service.yaml index 84ae8a27d..cf3c6e3ea 100644 --- a/kubeflow/helm/notebooks/templates/pod-defaults/service.yaml +++ b/kubeflow/helm/notebooks/templates/pod-defaults/service.yaml @@ -4,7 +4,6 @@ metadata: name: {{ include "notebooks.fullname" . }}-pod-defaults labels: {{- include "notebooks.labels" . | nindent 4 }} - namespace: kubeflow spec: type: ClusterIP ports: 
diff --git a/kubeflow/helm/notebooks/templates/pod-defaults/serviceaccount.yaml b/kubeflow/helm/notebooks/templates/pod-defaults/serviceaccount.yaml index 987d622a7..828f9a27e 100644 --- a/kubeflow/helm/notebooks/templates/pod-defaults/serviceaccount.yaml +++ b/kubeflow/helm/notebooks/templates/pod-defaults/serviceaccount.yaml @@ -3,7 +3,6 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "notebooks.serviceAccountName" . }}-pod-defaults - namespace: kubeflow labels: {{- include "notebooks.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} diff --git a/kubeflow/helm/notebooks/templates/web-app/authorizationpolicy.yaml b/kubeflow/helm/notebooks/templates/web-app/authorizationpolicy.yaml index 45986ee8b..65e78fd91 100644 --- a/kubeflow/helm/notebooks/templates/web-app/authorizationpolicy.yaml +++ b/kubeflow/helm/notebooks/templates/web-app/authorizationpolicy.yaml @@ -3,14 +3,13 @@ kind: AuthorizationPolicy metadata: labels: {{- include "notebooks.labels" . | nindent 4 }} name: {{ include "notebooks.fullname" . }}-web-app - namespace: kubeflow spec: action: ALLOW rules: - from: - source: principals: - - cluster.local/ns/{{ .Values.global.istioNamespace }}/sa/istio-ingressgateway-service-account + - cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.global.istioIngressServiceAccount }} selector: matchLabels: {{- include "notebooks.selectorLabels" . | nindent 6 }} diff --git a/kubeflow/helm/notebooks/templates/web-app/clusterrolebinding.yaml b/kubeflow/helm/notebooks/templates/web-app/clusterrolebinding.yaml index 0248bcfe9..a31525857 100644 --- a/kubeflow/helm/notebooks/templates/web-app/clusterrolebinding.yaml +++ b/kubeflow/helm/notebooks/templates/web-app/clusterrolebinding.yaml @@ -10,4 +10,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "notebooks.serviceAccountName" . }}-web-app - namespace: kubeflow + namespace: {{ .Release.Namespace }} 
diff --git a/kubeflow/helm/notebooks/templates/web-app/configmap.yaml b/kubeflow/helm/notebooks/templates/web-app/configmap.yaml index 1ef13f602..c40a00ff1 100644 --- a/kubeflow/helm/notebooks/templates/web-app/configmap.yaml +++ b/kubeflow/helm/notebooks/templates/web-app/configmap.yaml @@ -163,7 +163,6 @@ kind: ConfigMap metadata: labels: {{- include "notebooks.labels" . | nindent 4 }} name: {{ include "notebooks.fullname" . }}-web-app-config - namespace: kubeflow --- apiVersion: v1 data: @@ -423,7 +422,6 @@ kind: ConfigMap metadata: labels: {{- include "notebooks.labels" . | nindent 4 }} name: {{ include "notebooks.fullname" . }}-web-app-logos - namespace: kubeflow --- apiVersion: v1 data: @@ -435,4 +433,3 @@ kind: ConfigMap metadata: labels: {{- include "notebooks.labels" . | nindent 4 }} name: {{ include "notebooks.fullname" . }}-web-app-parameters - namespace: kubeflow diff --git a/kubeflow/helm/notebooks/templates/web-app/deployment.yaml b/kubeflow/helm/notebooks/templates/web-app/deployment.yaml index 7bb188587..c8fb60ebf 100644 --- a/kubeflow/helm/notebooks/templates/web-app/deployment.yaml +++ b/kubeflow/helm/notebooks/templates/web-app/deployment.yaml @@ -4,7 +4,6 @@ metadata: name: {{ include "notebooks.fullname" . }}-web-app labels: {{- include "notebooks.labels" . | nindent 4 }} - namespace: kubeflow spec: {{- if not .Values.webApp.autoscaling.enabled }} replicas: {{ .Values.webApp.replicaCount }} diff --git a/kubeflow/helm/notebooks/templates/web-app/hpa.yaml b/kubeflow/helm/notebooks/templates/web-app/hpa.yaml index 4c56699d1..a6ed22704 100644 --- a/kubeflow/helm/notebooks/templates/web-app/hpa.yaml +++ b/kubeflow/helm/notebooks/templates/web-app/hpa.yaml @@ -1,5 +1,5 @@ {{- if .Values.webApp.autoscaling.enabled }} -apiVersion: autoscaling/v2beta1 +apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{ include "notebooks.fullname" . }}-web-app 
@@ -17,12 +17,16 @@ spec: - type: Resource resource: name: cpu - targetAverageUtilization: {{ .Values.webApp.autoscaling.targetCPUUtilizationPercentage }} + target: + type: Utilization + averageUtilization: {{ .Values.webApp.autoscaling.targetCPUUtilizationPercentage }} {{- end }} {{- if .Values.webApp.autoscaling.targetMemoryUtilizationPercentage }} - type: Resource resource: name: memory - targetAverageUtilization: {{ .Values.webApp.autoscaling.targetMemoryUtilizationPercentage }} + target: + type: Utilization + averageUtilization: {{ .Values.webApp.autoscaling.targetMemoryUtilizationPercentage }} {{- end }} {{- end }} diff --git a/kubeflow/helm/notebooks/templates/web-app/role.yaml b/kubeflow/helm/notebooks/templates/web-app/role.yaml index 067caa0e9..831568819 100644 --- a/kubeflow/helm/notebooks/templates/web-app/role.yaml +++ b/kubeflow/helm/notebooks/templates/web-app/role.yaml @@ -4,7 +4,6 @@ kind: Role metadata: labels: {{- include "notebooks.labels" . | nindent 4 }} name: {{ include "notebooks.fullname" . }}-web-app-notebook-role - namespace: kubeflow rules: - apiGroups: - "" diff --git a/kubeflow/helm/notebooks/templates/web-app/rolebinding.yaml b/kubeflow/helm/notebooks/templates/web-app/rolebinding.yaml index 04e114674..6fe24eaa0 100644 --- a/kubeflow/helm/notebooks/templates/web-app/rolebinding.yaml +++ b/kubeflow/helm/notebooks/templates/web-app/rolebinding.yaml @@ -3,11 +3,10 @@ kind: RoleBinding metadata: labels: {{- include "notebooks.labels" . | nindent 4 }} name: {{ include "notebooks.fullname" . }}-web-app-notebook-role-binding - namespace: kubeflow roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: {{ include "notebooks.fullname" . }}-web-app-notebook-role subjects: - kind: ServiceAccount - name: jupyter-notebook # this SA doesn't exist. Where is this role and rolebinding used? + name: jupyter-notebook # TODO: this SA doesn't exist. Where is this role and rolebinding used? 
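Review bot: The RoleBinding in notebooks' web-app rolebinding.yaml still binds `{{ include "notebooks.fullname" . }}-web-app-notebook-role` to a `jupyter-notebook` ServiceAccount that, per its own comment, does not exist; turning the comment into a TODO leaves the grant in place. A binding to an unclaimed name gives the role's permissions to whichever ServiceAccount is later created as `jupyter-notebook` in that namespace, so the chart should either create and own that account or drop the Role and RoleBinding. If the binding stays, set the subject's namespace explicitly like the other bindings in this commit: `namespace: {{ .Release.Namespace }}`.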
diff --git a/kubeflow/helm/notebooks/templates/web-app/service.yaml b/kubeflow/helm/notebooks/templates/web-app/service.yaml index 9c6601096..5c8d291d4 100644 --- a/kubeflow/helm/notebooks/templates/web-app/service.yaml +++ b/kubeflow/helm/notebooks/templates/web-app/service.yaml @@ -4,7 +4,6 @@ metadata: name: {{ include "notebooks.fullname" . }}-web-app labels: {{- include "notebooks.labels" . | nindent 4 }} - namespace: kubeflow spec: type: ClusterIP ports: diff --git a/kubeflow/helm/notebooks/templates/web-app/serviceaccount.yaml b/kubeflow/helm/notebooks/templates/web-app/serviceaccount.yaml index b37bb2b39..416372d6a 100644 --- a/kubeflow/helm/notebooks/templates/web-app/serviceaccount.yaml +++ b/kubeflow/helm/notebooks/templates/web-app/serviceaccount.yaml @@ -3,7 +3,6 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "notebooks.serviceAccountName" . }}-web-app - namespace: kubeflow labels: {{- include "notebooks.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} diff --git a/kubeflow/helm/notebooks/templates/web-app/virtualservice.yaml b/kubeflow/helm/notebooks/templates/web-app/virtualservice.yaml index 4da2cb9b3..8f91d0e9d 100644 --- a/kubeflow/helm/notebooks/templates/web-app/virtualservice.yaml +++ b/kubeflow/helm/notebooks/templates/web-app/virtualservice.yaml @@ -2,7 +2,6 @@ apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: {{ include "notebooks.fullname" . }}-web-app - namespace: kubeflow labels: {{- include "notebooks.labels" . | nindent 4 }} {{- with .Values.webApp.virtualService.annotations }} annotations: diff --git a/kubeflow/helm/notebooks/values.yaml b/kubeflow/helm/notebooks/values.yaml index e544d175b..d8f3c0e1d 100644 --- a/kubeflow/helm/notebooks/values.yaml +++ b/kubeflow/helm/notebooks/values.yaml 
@@ -3,10 +3,16 @@ # Declare variables to be passed into your templates. global: - istioNamespace: istio + domain: "" + istioIngressServiceAccount: kubeflow-gateway clusterDomain: cluster.local userIDHeader: kubeflow-userid userIDPrefix: "" + oidc: + issuer: "" + jwksURI: "" + authEndpoint: "" + tokenEndpoint: "" imagePullSecrets: [] nameOverride: "" @@ -28,7 +34,7 @@ webApp: pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. tag: v1.4 - + podAnnotations: sidecar.istio.io/inject: "true" cluster-autoscaler.kubernetes.io/safe-to-evict: "true" @@ -244,7 +250,7 @@ controller: service: metrics: port: 8080 - + podAnnotations: sidecar.istio.io/inject: "true" cluster-autoscaler.kubernetes.io/safe-to-evict: "true" @@ -263,7 +269,7 @@ controller: # readOnlyRootFilesystem: true # runAsNonRoot: true # runAsUser: 1000 - + resources: requests: cpu: 100m diff --git a/kubeflow/helm/operators/mpi/.helmignore b/kubeflow/helm/operators/mpi/.helmignore deleted file mode 100644 index 0e8a0eb36..000000000 --- a/kubeflow/helm/operators/mpi/.helmignore +++ /dev/null @@ -1,23 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/kubeflow/helm/operators/mpi/Chart.yaml b/kubeflow/helm/operators/mpi/Chart.yaml deleted file mode 100644 index f62db5d88..000000000 --- a/kubeflow/helm/operators/mpi/Chart.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v2 -name: mpi -description: A Helm chart for Kubernetes -type: application -version: 0.1.9 -appVersion: "v0.3.0" diff --git a/kubeflow/helm/operators/mpi/README.md b/kubeflow/helm/operators/mpi/README.md deleted file mode 100644 index 8b6046264..000000000 
--- a/kubeflow/helm/operators/mpi/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# MPI Operator - -Installs the Kubeflow MPI Operator using Plural. diff --git a/kubeflow/helm/operators/mpi/crds/mpi_crds.yaml b/kubeflow/helm/operators/mpi/crds/mpi_crds.yaml deleted file mode 100644 index 5327de87b..000000000 --- a/kubeflow/helm/operators/mpi/crds/mpi_crds.yaml +++ /dev/null 
@@ -1,155 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: mpi-operator - app.kubernetes.io/component: mpijob - app.kubernetes.io/name: mpi-operator - kustomize.component: mpi-operator - name: mpijobs.kubeflow.org -spec: - group: kubeflow.org - names: - kind: MPIJob - plural: mpijobs - shortNames: - - mj - - mpij - singular: mpijob - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - description: Only one of gpus, processingUnits, or replicas should be specified - oneOf: - - properties: - gpus: - description: Valid values are 1, 2, 4, or any multiple of 8 - oneOf: - - enum: - - 1 - - 2 - - 4 - type: integer - - minimum: 8 - multipleOf: 8 - type: integer - title: Total number of GPUs - gpusPerNode: - description: Defaults to the number of GPUs per worker - minimum: 1 - title: The maximum number of GPUs available per node - type: integer - slotsPerWorker: - description: Defaults to the number of processing units per worker - minimum: 1 - title: The number of slots per worker used in hostfile - type: integer - required: - - gpus - - properties: - processingResourceType: - description: Defaults to 'nvidia.com/gpu' - enum: - - nvidia.com/gpu - - cpu - title: The processing resource type, e.g. 
'nvidia.com/gpu' or 'cpu' - type: string - processingUnits: - description: Valid values are 1, 2, 4, or any multiple of 8 - oneOf: - - enum: - - 1 - - 2 - - 4 - type: integer - - minimum: 8 - multipleOf: 8 - type: integer - title: Total number of processing units - processingUnitsPerNode: - description: Defaults to the number of processing units per worker - minimum: 1 - title: The maximum number of processing units available per node - type: integer - slotsPerWorker: - description: Defaults to the number of processing units per worker - minimum: 1 - title: The number of slots per worker used in hostfile - type: integer - required: - - processingUnits - - properties: - processingResourceType: - description: Defaults to 'nvidia.com/gpu' - enum: - - nvidia.com/gpu - - cpu - title: The processing resource type, e.g. 'nvidia.com/gpu' or 'cpu' - type: string - replicas: - description: The processing resource limit should be specified for each replica - minimum: 1 - title: Total number of replicas - type: integer - slotsPerWorker: - description: Defaults to the number of processing units per worker - minimum: 1 - title: The number of slots per worker used in hostfile - type: integer - required: - - replicas - title: The MPIJob spec - served: false - storage: false - - name: v1alpha2 - schema: - openAPIV3Schema: - properties: - spec: - properties: - mpiReplicaSpecs: - properties: - Launcher: - properties: - replicas: - maximum: 1 - minimum: 1 - type: integer - Worker: - properties: - replicas: - minimum: 1 - type: integer - slotsPerWorker: - minimum: 1 - type: integer - served: true - storage: false - - name: v1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - mpiReplicaSpecs: - properties: - Launcher: - properties: - replicas: - maximum: 1 - minimum: 1 - type: integer - Worker: - properties: - replicas: - minimum: 1 - type: integer - slotsPerWorker: - minimum: 1 - type: integer - served: true - storage: true 
diff --git a/kubeflow/helm/operators/mpi/deps.yaml b/kubeflow/helm/operators/mpi/deps.yaml deleted file mode 100644 index f64a4f3f5..000000000 --- a/kubeflow/helm/operators/mpi/deps.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: plural.sh/v1alpha1 -kind: Dependencies -metadata: - application: true - description: Deploys kubeflow crafted for the target cloud -spec: - dependencies: - - type: helm - name: bootstrap - repo: bootstrap - version: '>= 0.5.1' - - type: terraform - name: aws - repo: kubeflow - version: '>= 0.1.0' - optional: true - - type: terraform - name: gcp - repo: kubeflow - version: '>= 0.1.0' - optional: true diff --git a/kubeflow/helm/operators/mpi/templates/_helpers.tpl b/kubeflow/helm/operators/mpi/templates/_helpers.tpl deleted file mode 100644 index eb97fe2d8..000000000 --- a/kubeflow/helm/operators/mpi/templates/_helpers.tpl +++ /dev/null 
@@ -1,64 +0,0 @@ -{{/* -Expand the name of the chart. -*/}} -{{- define "mpi.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "mpi.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "mpi.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "mpi.labels" -}} -helm.sh/chart: {{ include "mpi.chart" . }} -{{ include "mpi.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "mpi.selectorLabels" -}} -app: {{ include "mpi.name" . }} -app.kubernetes.io/name: {{ include "mpi.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -version: {{ .Chart.AppVersion | quote }} -{{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "mpi.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "mpi.fullname" .) .Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} -{{- end }} 
diff --git a/kubeflow/helm/operators/mpi/templates/clusterrole.yaml b/kubeflow/helm/operators/mpi/templates/clusterrole.yaml
deleted file mode 100644
index 3bec23570..000000000
--- a/kubeflow/helm/operators/mpi/templates/clusterrole.yaml
+++ /dev/null
@@ -1,142 +0,0 @@ -aggregationRule: - clusterRoleSelectors: - - matchLabels: - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-mpijobs-admin: "true" -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: {{- include "mpi.labels" . | nindent 4 }} - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" - name: kubeflow-mpijobs-admin -rules: [] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: {{- include "mpi.labels" . | nindent 4 }} - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-mpijobs-admin: "true" - name: kubeflow-mpijobs-edit -rules: - - apiGroups: - - kubeflow.org - resources: - - mpijobs - - mpijobs/status - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: {{- include "mpi.labels" . | nindent 4 }} - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" - name: kubeflow-mpijobs-view -rules: - - apiGroups: - - kubeflow.org - resources: - - mpijobs - - mpijobs/status - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: {{- include "mpi.labels" . | nindent 4 }} - name: {{ include "mpi.fullname" . 
}}-cluster-role -rules: - - apiGroups: - - "" - resources: - - configmaps - - secrets - - services - verbs: - - create - - list - - watch - - update - - apiGroups: - - "" - resources: - - pods - verbs: - - create - - get - - list - - watch - - delete - - update - - patch - - apiGroups: - - "" - resources: - - pods/exec - verbs: - - create - - apiGroups: - - "" - resources: - - endpoints - verbs: - - create - - get - - update - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - apiGroups: - - apps - resources: - - statefulsets - verbs: - - create - - list - - update - - watch - - apiGroups: - - batch - resources: - - jobs - verbs: - - create - - list - - update - - watch - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - create - - get - - apiGroups: - - kubeflow.org - resources: - - mpijobs - - mpijobs/finalizers - - mpijobs/status - verbs: - - '*' - - apiGroups: - - scheduling.incubator.k8s.io - - scheduling.sigs.dev - resources: - - queues - - podgroups - verbs: - - '*' diff --git a/kubeflow/helm/operators/mpi/templates/clusterrolebinding.yaml b/kubeflow/helm/operators/mpi/templates/clusterrolebinding.yaml deleted file mode 100644 index e4abd2f3c..000000000 --- a/kubeflow/helm/operators/mpi/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: {{- include "mpi.labels" . | nindent 4 }} - name: {{ include "mpi.fullname" . }}-cluster-role-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "mpi.fullname" . }} -subjects: - - kind: ServiceAccount - name: {{ include "mpi.serviceAccountName" . }} - namespace: kubeflow diff --git a/kubeflow/helm/operators/mpi/templates/configmap.yaml b/kubeflow/helm/operators/mpi/templates/configmap.yaml deleted file mode 100644 index 1d196f30c..000000000 --- a/kubeflow/helm/operators/mpi/templates/configmap.yaml +++ /dev/null 
@@ -1,10 +0,0 @@
-apiVersion: v1
-data:
- kubectl-delivery-image: mpioperator/kubectl-delivery:latest
- lock-namespace: kubeflow
-kind: ConfigMap
-metadata:
- labels: {{- include "mpi.labels" . | nindent 4 }}
- kustomize.component: mpi-operator
- name: {{ include "mpi.fullname" . }}-config
- namespace: kubeflow
diff --git a/kubeflow/helm/operators/mpi/templates/deployment.yaml b/kubeflow/helm/operators/mpi/templates/deployment.yaml
deleted file mode 100644
index df2d3f540..000000000
--- a/kubeflow/helm/operators/mpi/templates/deployment.yaml
+++ /dev/null
@@ -1,65 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "mpi.fullname" . }} - labels: - {{- include "mpi.labels" . | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} - {{- end }} - selector: - matchLabels: - {{- include "mpi.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "mpi.selectorLabels" . | nindent 8 }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "mpi.serviceAccountName" . }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - containers: - - name: {{ .Chart.Name }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - args: - - -alsologtostderr - - --lock-namespace - - kubeflow - # ports: - # - name: http - # containerPort: 80 - # protocol: TCP - # livenessProbe: - # httpGet: - # path: / - # port: http - # readinessProbe: - # httpGet: - # path: / - # port: http - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/kubeflow/helm/operators/mpi/templates/hpa.yaml b/kubeflow/helm/operators/mpi/templates/hpa.yaml deleted file mode 100644 index 797c20dc5..000000000 --- a/kubeflow/helm/operators/mpi/templates/hpa.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -{{- if .Values.autoscaling.enabled }} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "mpi.fullname" . }} - labels: - {{- include "mpi.labels" . | nindent 4 }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ include "mpi.fullname" . }} - minReplicas: {{ .Values.autoscaling.minReplicas }} - maxReplicas: {{ .Values.autoscaling.maxReplicas }} - metrics: - {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} - {{- end }} - {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} - {{- end }} -{{- end }} diff --git a/kubeflow/helm/operators/mpi/templates/serviceaccount.yaml b/kubeflow/helm/operators/mpi/templates/serviceaccount.yaml deleted file mode 100644 index 116534afa..000000000 --- a/kubeflow/helm/operators/mpi/templates/serviceaccount.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if .Values.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "mpi.serviceAccountName" . }} - namespace: kubeflow - labels: - {{- include "mpi.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/kubeflow/helm/operators/mpi/values.yaml b/kubeflow/helm/operators/mpi/values.yaml deleted file mode 100644 index 12b7f8606..000000000 --- a/kubeflow/helm/operators/mpi/values.yaml +++ /dev/null 
@@ -1,60 +0,0 @@ -# Default values for mpi. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -replicaCount: 1 - -image: - repository: mpioperator/mpi-operator - pullPolicy: Always - # Overrides the image tag whose default is the chart appVersion. - tag: 0.3.0 - -imagePullSecrets: [] -nameOverride: "" -fullnameOverride: "" - -serviceAccount: - # Specifies whether a service account should be created - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" - -podAnnotations: - sidecar.istio.io/inject: "true" - cluster-autoscaler.kubernetes.io/safe-to-evict: "true" - -podSecurityContext: {} - # fsGroup: 2000 - -securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 - -resources: - requests: - cpu: 11m - memory: 53Mi - limits: - cpu: 11m - memory: 53Mi - -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 100 - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 - -nodeSelector: {} - -tolerations: [] - -affinity: {} diff --git a/kubeflow/helm/operators/mpi/values.yaml.tpl b/kubeflow/helm/operators/mpi/values.yaml.tpl deleted file mode 100644 index 9e26dfeeb..000000000 --- a/kubeflow/helm/operators/mpi/values.yaml.tpl +++ /dev/null @@ -1 +0,0 @@ -{} \ No newline at end of file diff --git a/kubeflow/helm/operators/mxnet/.helmignore b/kubeflow/helm/operators/mxnet/.helmignore deleted file mode 100644 index 0e8a0eb36..000000000 --- a/kubeflow/helm/operators/mxnet/.helmignore +++ /dev/null 
@@ -1,23 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/kubeflow/helm/operators/mxnet/Chart.yaml b/kubeflow/helm/operators/mxnet/Chart.yaml deleted file mode 100644 index 0ffe8db10..000000000 --- a/kubeflow/helm/operators/mxnet/Chart.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v2 -name: mxnet -description: A Helm chart for Kubernetes -type: application -version: 0.1.7 -appVersion: "1.1.0" diff --git a/kubeflow/helm/operators/mxnet/README.md b/kubeflow/helm/operators/mxnet/README.md deleted file mode 100644 index 7b512b31b..000000000 --- a/kubeflow/helm/operators/mxnet/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# MXNet - -Installs the Kubeflow MXNet Operator using Plural. diff --git a/kubeflow/helm/operators/mxnet/crds/mxnet_crds.yaml b/kubeflow/helm/operators/mxnet/crds/mxnet_crds.yaml deleted file mode 100644 index 6df1a81f2..000000000 --- a/kubeflow/helm/operators/mxnet/crds/mxnet_crds.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: mxnet-operator - app.kubernetes.io/component: mxnet - app.kubernetes.io/name: mxnet-operator - kustomize.component: mxnet-operator - name: mxjobs.kubeflow.org -spec: - group: kubeflow.org - names: - kind: MXJob - plural: mxjobs - singular: mxjob - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - properties: - mxReplicaSpecs: - properties: - Scheduler: - properties: - replicas: - maximum: 1 - minimum: 1 - type: integer - Server: - properties: - replicas: - minimum: 1 - type: integer - Tuner: - properties: - replicas: - maximum: 1 - minimum: 1 - type: integer - TunerServer: - properties: - replicas: - minimum: 1 - type: integer - TunerTracker: - properties: - replicas: - maximum: 1 - minimum: 1 - type: integer - Worker: - properties: - replicas: - minimum: 1 - type: integer - version: v1 diff --git a/kubeflow/helm/operators/mxnet/deps.yaml b/kubeflow/helm/operators/mxnet/deps.yaml deleted file mode 100644 index f64a4f3f5..000000000 --- a/kubeflow/helm/operators/mxnet/deps.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: plural.sh/v1alpha1 -kind: Dependencies -metadata: - application: true - description: Deploys kubeflow crafted for the target cloud -spec: - dependencies: - - type: helm - name: bootstrap - repo: bootstrap - version: '>= 0.5.1' - - type: terraform - name: aws - repo: kubeflow - version: '>= 0.1.0' - optional: true - - type: terraform - name: gcp - repo: kubeflow - version: '>= 0.1.0' - optional: true diff --git a/kubeflow/helm/operators/mxnet/templates/_helpers.tpl b/kubeflow/helm/operators/mxnet/templates/_helpers.tpl deleted file mode 100644 index 95b3288c3..000000000 --- a/kubeflow/helm/operators/mxnet/templates/_helpers.tpl +++ /dev/null 
@@ -1,64 +0,0 @@ -{{/* -Expand the name of the chart. -*/}} -{{- define "mxnet.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "mxnet.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "mxnet.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "mxnet.labels" -}} -helm.sh/chart: {{ include "mxnet.chart" . }} -{{ include "mxnet.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "mxnet.selectorLabels" -}} -app: {{ include "mxnet.name" . }} -app.kubernetes.io/name: {{ include "mxnet.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -version: {{ .Chart.AppVersion | quote }} -{{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "mxnet.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "mxnet.fullname" .) .Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} -{{- end }} 
diff --git a/kubeflow/helm/operators/mxnet/templates/clusterrole.yaml b/kubeflow/helm/operators/mxnet/templates/clusterrole.yaml
deleted file mode 100644
index eab883e8a..000000000
--- a/kubeflow/helm/operators/mxnet/templates/clusterrole.yaml
+++ /dev/null
@@ -1,100 +0,0 @@ -aggregationRule: - clusterRoleSelectors: - - matchLabels: - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-mxjobs-admin: "true" -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: {{- include "mxnet.labels" . | nindent 4 }} - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" - name: kubeflow-mxjobs-admin -rules: [] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: {{- include "mxnet.labels" . | nindent 4 }} - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-mxjobs-admin: "true" - name: kubeflow-mxjobs-edit -rules: - - apiGroups: - - kubeflow.org - resources: - - mxjobs - - mxjobs/status - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: {{- include "mxnet.labels" . | nindent 4 }} - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" - name: kubeflow-mxjobs-view -rules: - - apiGroups: - - kubeflow.org - resources: - - mxjobs - - mxjobs/status - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: {{- include "mxnet.labels" . | nindent 4 }} - name: {{ include "mxnet.fullname" . }}-cluster-role -rules: - - apiGroups: - - kubeflow.org - resources: - - mxjobs - verbs: - - '*' - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - '*' - - apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - '*' - - apiGroups: - - batch - resources: - - jobs - verbs: - - '*' - - apiGroups: - - "" - resources: - - configmaps - - pods - - services - - endpoints - - persistentvolumeclaims - - events - verbs: - - '*' - - apiGroups: - - apps - - extensions - resources: - - deployments - verbs: - - '*' 
diff --git a/kubeflow/helm/operators/mxnet/templates/clusterrolebinding.yaml b/kubeflow/helm/operators/mxnet/templates/clusterrolebinding.yaml
deleted file mode 100644
index 89a2f09c1..000000000
--- a/kubeflow/helm/operators/mxnet/templates/clusterrolebinding.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels: {{- include "mxnet.labels" . | nindent 4 }}
- name: {{ include "mxnet.fullname" . }}-cluster-role-binding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ include "mxnet.fullname" . }}-cluster-role
-subjects:
- - kind: ServiceAccount
- name: {{ include "mxnet.serviceAccountName" . }}
- namespace: kubeflow
diff --git a/kubeflow/helm/operators/mxnet/templates/deployment.yaml b/kubeflow/helm/operators/mxnet/templates/deployment.yaml
deleted file mode 100644
index 7caa979e8..000000000
--- a/kubeflow/helm/operators/mxnet/templates/deployment.yaml
+++ /dev/null
@@ -1,60 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "mxnet.fullname" . }} - labels: - {{- include "mxnet.labels" . | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} - {{- end }} - selector: - matchLabels: - {{- include "mxnet.selectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "mxnet.selectorLabels" . | nindent 8 }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "mxnet.serviceAccountName" . }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - containers: - - name: {{ .Chart.Name }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - command: - - /opt/kubeflow/mxnet-operator.v1 - resources: - {{- toYaml .Values.resources | nindent 12 }} - env: - - name: MY_POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/kubeflow/helm/operators/mxnet/templates/hpa.yaml b/kubeflow/helm/operators/mxnet/templates/hpa.yaml deleted file mode 100644 index 90727bd13..000000000 --- a/kubeflow/helm/operators/mxnet/templates/hpa.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -{{- if .Values.autoscaling.enabled }} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "mxnet.fullname" . }} - labels: - {{- include "mxnet.labels" . | nindent 4 }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ include "mxnet.fullname" . }} - minReplicas: {{ .Values.autoscaling.minReplicas }} - maxReplicas: {{ .Values.autoscaling.maxReplicas }} - metrics: - {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} - {{- end }} - {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} - {{- end }} -{{- end }} diff --git a/kubeflow/helm/operators/mxnet/templates/serviceaccount.yaml b/kubeflow/helm/operators/mxnet/templates/serviceaccount.yaml deleted file mode 100644 index 704cd9aa1..000000000 --- a/kubeflow/helm/operators/mxnet/templates/serviceaccount.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if .Values.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "mxnet.serviceAccountName" . }} - namespace: kubeflow - labels: - {{- include "mxnet.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/kubeflow/helm/operators/mxnet/values.yaml b/kubeflow/helm/operators/mxnet/values.yaml deleted file mode 100644 index 2374fe88e..000000000 --- a/kubeflow/helm/operators/mxnet/values.yaml +++ /dev/null 
@@ -1,60 +0,0 @@ -# Default values for mxnet. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -replicaCount: 1 - -image: - repository: kubeflow/mxnet-operator - pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. - tag: v1.1.0 - -imagePullSecrets: [] -nameOverride: "" -fullnameOverride: "" - -serviceAccount: - # Specifies whether a service account should be created - create: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" - -podAnnotations: - sidecar.istio.io/inject: "true" - cluster-autoscaler.kubernetes.io/safe-to-evict: "true" - -podSecurityContext: {} - # fsGroup: 2000 - -securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 - -resources: - requests: - cpu: 11m - memory: 53Mi - limits: - cpu: 11m - memory: 53Mi - -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 100 - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 - -nodeSelector: {} - -tolerations: [] - -affinity: {} diff --git a/kubeflow/helm/operators/mxnet/values.yaml.tpl b/kubeflow/helm/operators/mxnet/values.yaml.tpl deleted file mode 100644 index 9e26dfeeb..000000000 --- a/kubeflow/helm/operators/mxnet/values.yaml.tpl +++ /dev/null @@ -1 +0,0 @@ -{} \ No newline at end of file diff --git a/kubeflow/helm/operators/pytorch/.helmignore b/kubeflow/helm/operators/pytorch/.helmignore deleted file mode 100644 index 0e8a0eb36..000000000 --- a/kubeflow/helm/operators/pytorch/.helmignore +++ /dev/null 
@@ -1,23 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/kubeflow/helm/operators/pytorch/Chart.yaml b/kubeflow/helm/operators/pytorch/Chart.yaml deleted file mode 100644 index 1951c37c3..000000000 --- a/kubeflow/helm/operators/pytorch/Chart.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: v2 -name: pytorch -description: A Helm chart for Kubernetes -type: application -version: 0.1.7 -appVersion: "0.7.0" diff --git a/kubeflow/helm/operators/pytorch/README.md b/kubeflow/helm/operators/pytorch/README.md deleted file mode 100644 index 1a050d4c1..000000000 --- a/kubeflow/helm/operators/pytorch/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# PyTorch - -Installs the Kubeflow PyTorch Operator using Plural. diff --git a/kubeflow/helm/operators/pytorch/crds/pytorch_crds.yaml b/kubeflow/helm/operators/pytorch/crds/pytorch_crds.yaml deleted file mode 100644 index 34ea42381..000000000 --- a/kubeflow/helm/operators/pytorch/crds/pytorch_crds.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - labels: - app: pytorch-operator - app.kubernetes.io/component: pytorch - app.kubernetes.io/name: pytorch-operator - kustomize.component: pytorch-operator - name: pytorchjobs.kubeflow.org -spec: - additionalPrinterColumns: - - JSONPath: .status.conditions[-1:].type - name: State - type: string - - JSONPath: .metadata.creationTimestamp - name: Age - type: date - group: kubeflow.org - names: - kind: PyTorchJob - plural: pytorchjobs - singular: pytorchjob - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - properties: - pytorchReplicaSpecs: - properties: - Master: - properties: - replicas: - maximum: 1 - minimum: 1 - type: integer - Worker: - properties: - replicas: - minimum: 1 - type: integer - versions: - - name: v1 - served: true - storage: true diff --git a/kubeflow/helm/operators/pytorch/deps.yaml b/kubeflow/helm/operators/pytorch/deps.yaml deleted file mode 100644 index f64a4f3f5..000000000 --- a/kubeflow/helm/operators/pytorch/deps.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: plural.sh/v1alpha1 -kind: Dependencies -metadata: - application: true - description: Deploys kubeflow crafted for the target cloud -spec: - dependencies: - - type: helm - name: bootstrap - repo: bootstrap - version: '>= 0.5.1' - - type: terraform - name: aws - repo: kubeflow - version: '>= 0.1.0' - optional: true - - type: terraform - name: gcp - repo: kubeflow - version: '>= 0.1.0' - optional: true diff --git a/kubeflow/helm/operators/pytorch/templates/_helpers.tpl b/kubeflow/helm/operators/pytorch/templates/_helpers.tpl deleted file mode 100644 index 87fb3386e..000000000 --- a/kubeflow/helm/operators/pytorch/templates/_helpers.tpl +++ /dev/null 
@@ -1,64 +0,0 @@ -{{/* -Expand the name of the chart. -*/}} -{{- define "pytorch.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "pytorch.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "pytorch.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "pytorch.labels" -}} -helm.sh/chart: {{ include "pytorch.chart" . }} -{{ include "pytorch.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "pytorch.selectorLabels" -}} -app: {{ include "pytorch.name" . }} -app.kubernetes.io/name: {{ include "pytorch.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -version: {{ .Chart.AppVersion | quote }} -{{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "pytorch.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "pytorch.fullname" .) .Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} -{{- end }} 
diff --git a/kubeflow/helm/operators/pytorch/templates/clusterrole.yaml b/kubeflow/helm/operators/pytorch/templates/clusterrole.yaml
deleted file mode 100644
index e23b14b3c..000000000
--- a/kubeflow/helm/operators/pytorch/templates/clusterrole.yaml
+++ /dev/null
@@ -1,83 +0,0 @@ -aggregationRule: - clusterRoleSelectors: - - matchLabels: - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pytorchjobs-admin: "true" -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: {{- include "pytorch.labels" . | nindent 4 }} - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" - name: kubeflow-pytorchjobs-admin -rules: [] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: {{- include "pytorch.labels" . | nindent 4 }} - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pytorchjobs-admin: "true" - name: kubeflow-pytorchjobs-edit -rules: - - apiGroups: - - kubeflow.org - resources: - - pytorchjobs - - pytorchjobs/status - - pytorchjobs/finalizers - verbs: - - get - - list - - watch - - create - - delete - - deletecollection - - patch - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: {{- include "pytorch.labels" . | nindent 4 }} - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" - name: kubeflow-pytorchjobs-view -rules: - - apiGroups: - - kubeflow.org - resources: - - pytorchjobs - - pytorchjobs/status - - pytorchjobs/finalizers - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: {{- include "pytorch.labels" . | nindent 4 }} - name: {{ include "pytorch.fullname" . }}-cluster-role -rules: - - apiGroups: - - kubeflow.org - resources: - - pytorchjobs - - pytorchjobs/status - - pytorchjobs/finalizers - verbs: - - '*' - - apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - '*' - - apiGroups: - - "" - resources: - - pods - - services - - endpoints - - events - verbs: - - '*' 
diff --git a/kubeflow/helm/operators/pytorch/templates/clusterrolebinding.yaml b/kubeflow/helm/operators/pytorch/templates/clusterrolebinding.yaml
deleted file mode 100644
index 34da46360..000000000
--- a/kubeflow/helm/operators/pytorch/templates/clusterrolebinding.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels: {{- include "pytorch.labels" . | nindent 4 }}
- name: {{ include "pytorch.fullname" . }}-cluster-role-binding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ include "pytorch.fullname" . }}-cluster-role
-subjects:
- - kind: ServiceAccount
- name: {{ include "pytorch.serviceAccountName" . }}
- namespace: kubeflow
diff --git a/kubeflow/helm/operators/pytorch/templates/deployment.yaml b/kubeflow/helm/operators/pytorch/templates/deployment.yaml
deleted file mode 100644
index f93246fdc..000000000
@@ -1,75 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ include "pytorch.fullname" . }}
- labels:
- {{- include "pytorch.labels" . | nindent 4 }}
-spec:
- {{- if not .Values.autoscaling.enabled }}
- replicas: {{ .Values.replicaCount }}
- {{- end }}
- selector:
- matchLabels:
- {{- include "pytorch.selectorLabels" . | nindent 6 }}
- template:
- metadata:
- {{- with .Values.podAnnotations }}
- annotations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- labels:
- {{- include "pytorch.selectorLabels" . | nindent 8 }}
- spec:
- {{- with .Values.imagePullSecrets }}
- imagePullSecrets:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- serviceAccountName: {{ include "pytorch.serviceAccountName" . }}
- securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
- containers:
- - name: {{ .Chart.Name }}
- securityContext:
- {{- toYaml .Values.securityContext | nindent 12 }}
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- command:
- - /pytorch-operator.v1
- - --alsologtostderr
- - -v=1
- - --monitoring-port=8443
- ports:
- - name: metrics
- containerPort: 8443
- protocol: TCP
- livenessProbe:
- httpGet:
- path: /metrics
- port: metrics
- readinessProbe:
- httpGet:
- path: /metrics
- port: metrics
- resources:
- {{- toYaml .Values.resources | nindent 12 }}
- env:
- - name: MY_POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: MY_POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- {{- with .Values.nodeSelector }}
- nodeSelector:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.affinity }}
- affinity:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.tolerations }}
- tolerations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
diff --git a/kubeflow/helm/operators/pytorch/templates/hpa.yaml b/kubeflow/helm/operators/pytorch/templates/hpa.yaml
deleted file mode 100644
index 8cc077336..000000000
--- a/kubeflow/helm/operators/pytorch/templates/hpa.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if .Values.autoscaling.enabled }}
-apiVersion: autoscaling/v2beta1
-kind: HorizontalPodAutoscaler
-metadata:
- name: {{ include "pytorch.fullname" . }}
- labels:
- {{- include "pytorch.labels" . | nindent 4 }}
-spec:
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: {{ include "pytorch.fullname" . }}
- minReplicas: {{ .Values.autoscaling.minReplicas }}
- maxReplicas: {{ .Values.autoscaling.maxReplicas }}
- metrics:
- {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
- - type: Resource
- resource:
- name: cpu
- targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
- {{- end }}
- {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
- - type: Resource
- resource:
- name: memory
- targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
- {{- end }}
-{{- end }}
diff --git a/kubeflow/helm/operators/pytorch/templates/service.yaml b/kubeflow/helm/operators/pytorch/templates/service.yaml
deleted file mode 100644
index 18b767f54..000000000
--- a/kubeflow/helm/operators/pytorch/templates/service.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "pytorch.fullname" . }}
- namespace: kubeflow
- labels:
- {{- include "pytorch.labels" . | nindent 4 }}
- annotations:
- prometheus.io/path: /metrics
- prometheus.io/port: {{ .Values.service.port | quote }}
- prometheus.io/scrape: "true"
-spec:
- type: ClusterIP
- ports:
- - port: {{ .Values.service.port }}
- targetPort: metrics
- protocol: TCP
- name: http-metrics
- selector:
- {{- include "pytorch.selectorLabels" . | nindent 4 }}
diff --git a/kubeflow/helm/operators/pytorch/templates/serviceaccount.yaml b/kubeflow/helm/operators/pytorch/templates/serviceaccount.yaml
deleted file mode 100644
index c8e80ecff..000000000
--- a/kubeflow/helm/operators/pytorch/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "pytorch.serviceAccountName" . }}
- namespace: kubeflow
- labels:
- {{- include "pytorch.labels" . | nindent 4 }}
- {{- with .Values.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-{{- end }}
diff --git a/kubeflow/helm/operators/pytorch/values.yaml b/kubeflow/helm/operators/pytorch/values.yaml
deleted file mode 100644
index 8add824d2..000000000
--- a/kubeflow/helm/operators/pytorch/values.yaml
+++ /dev/null
@@ -1,63 +0,0 @@
-# Default values for pytorch.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-replicaCount: 1
-
-image:
- repository: gcr.io/kubeflow-images-public/pytorch-operator
- pullPolicy: IfNotPresent
- # Overrides the image tag whose default is the chart appVersion.
- tag: vmaster-g518f9c76
-
-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
-
-serviceAccount:
- # Specifies whether a service account should be created
- create: true
- # Annotations to add to the service account
- annotations: {}
- # The name of the service account to use.
- # If not set and create is true, a name is generated using the fullname template
- name: ""
-
-podAnnotations:
- sidecar.istio.io/inject: "true"
- cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
-
-podSecurityContext: {}
- # fsGroup: 2000
-
-securityContext: {}
- # capabilities:
- # drop:
- # - ALL
- # readOnlyRootFilesystem: true
- # runAsNonRoot: true
- # runAsUser: 1000
-
-service:
- port: 8443
-
-resources:
- requests:
- cpu: 11m
- memory: 53Mi
- limits:
- cpu: 11m
- memory: 53Mi
-
-autoscaling:
- enabled: false
- minReplicas: 1
- maxReplicas: 100
- targetCPUUtilizationPercentage: 80
- # targetMemoryUtilizationPercentage: 80
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}
diff --git a/kubeflow/helm/operators/pytorch/values.yaml.tpl b/kubeflow/helm/operators/pytorch/values.yaml.tpl
deleted file mode 100644
index 9e26dfeeb..000000000
--- a/kubeflow/helm/operators/pytorch/values.yaml.tpl
+++ /dev/null
@@ -1 +0,0 @@
-{}
\ No newline at end of file
diff --git a/kubeflow/helm/operators/tensorflow/.helmignore b/kubeflow/helm/operators/tensorflow/.helmignore
deleted file mode 100644
index 0e8a0eb36..000000000
--- a/kubeflow/helm/operators/tensorflow/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/kubeflow/helm/operators/tensorflow/Chart.yaml b/kubeflow/helm/operators/tensorflow/Chart.yaml
deleted file mode 100644
index 025a391ff..000000000
--- a/kubeflow/helm/operators/tensorflow/Chart.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: v2
-name: tensorflow
-description: A Helm chart for Kubernetes
-type: application
-version: 0.1.7
-appVersion: "1.1.0"
diff --git a/kubeflow/helm/operators/tensorflow/README.md b/kubeflow/helm/operators/tensorflow/README.md
deleted file mode 100644
index eb82e692d..000000000
--- a/kubeflow/helm/operators/tensorflow/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# TensorFlow
-
-Installs the Kubeflow TensorFlow Operator using Plural.
diff --git a/kubeflow/helm/operators/tensorflow/crds/tensorflow_crds.yaml b/kubeflow/helm/operators/tensorflow/crds/tensorflow_crds.yaml
deleted file mode 100644
index 64c642def..000000000
--- a/kubeflow/helm/operators/tensorflow/crds/tensorflow_crds.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
- labels:
- app: tf-job-operator
- app.kubernetes.io/component: tfjob
- app.kubernetes.io/name: tf-job-operator
- kustomize.component: tf-job-operator
- name: tfjobs.kubeflow.org
-spec:
- additionalPrinterColumns:
- - JSONPath: .status.conditions[-1:].type
- name: State
- type: string
- - JSONPath: .metadata.creationTimestamp
- name: Age
- type: date
- group: kubeflow.org
- names:
- kind: TFJob
- plural: tfjobs
- singular: tfjob
- scope: Namespaced
- subresources:
- status: {}
- validation:
- openAPIV3Schema:
- properties:
- spec:
- properties:
- tfReplicaSpecs:
- properties:
- Chief:
- properties:
- replicas:
- maximum: 1
- minimum: 1
- type: integer
- Evaluator:
- properties:
- replicas:
- minimum: 0
- type: integer
- PS:
- properties:
- replicas:
- minimum: 1
- type: integer
- Worker:
- properties:
- replicas:
- minimum: 1
- type: integer
- versions:
- - name: v1
- served: true
- storage: true
diff --git a/kubeflow/helm/operators/tensorflow/deps.yaml b/kubeflow/helm/operators/tensorflow/deps.yaml
deleted file mode 100644
index f64a4f3f5..000000000
--- a/kubeflow/helm/operators/tensorflow/deps.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: plural.sh/v1alpha1
-kind: Dependencies
-metadata:
- application: true
- description: Deploys kubeflow crafted for the target cloud
-spec:
- dependencies:
- - type: helm
- name: bootstrap
- repo: bootstrap
- version: '>= 0.5.1'
- - type: terraform
- name: aws
- repo: kubeflow
- version: '>= 0.1.0'
- optional: true
- - type: terraform
- name: gcp
- repo: kubeflow
- version: '>= 0.1.0'
- optional: true
diff --git a/kubeflow/helm/operators/tensorflow/templates/_helpers.tpl b/kubeflow/helm/operators/tensorflow/templates/_helpers.tpl
deleted file mode 100644
index acb003201..000000000
--- a/kubeflow/helm/operators/tensorflow/templates/_helpers.tpl
+++ /dev/null
@@ -1,64 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "tensorflow.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "tensorflow.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "tensorflow.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "tensorflow.labels" -}}
-helm.sh/chart: {{ include "tensorflow.chart" . }}
-{{ include "tensorflow.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "tensorflow.selectorLabels" -}}
-app: {{ include "tensorflow.name" . }}
-app.kubernetes.io/name: {{ include "tensorflow.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "tensorflow.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "tensorflow.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
diff --git a/kubeflow/helm/operators/tensorflow/templates/clusterrole.yaml b/kubeflow/helm/operators/tensorflow/templates/clusterrole.yaml
deleted file mode 100644
index d87035de3..000000000
--- a/kubeflow/helm/operators/tensorflow/templates/clusterrole.yaml
+++ /dev/null
@@ -1,88 +0,0 @@
-aggregationRule:
- clusterRoleSelectors:
- - matchLabels:
- rbac.authorization.kubeflow.org/aggregate-to-kubeflow-tfjobs-admin: "true"
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels: {{- include "tensorflow.labels" . | nindent 4 }}
- rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true"
- name: kubeflow-tfjobs-admin
-rules: []
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels: {{- include "tensorflow.labels" . | nindent 4 }}
- rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true"
- rbac.authorization.kubeflow.org/aggregate-to-kubeflow-tfjobs-admin: "true"
- name: kubeflow-tfjobs-edit
-rules:
- - apiGroups:
- - kubeflow.org
- resources:
- - tfjobs
- - tfjobs/status
- verbs:
- - get
- - list
- - watch
- - create
- - delete
- - deletecollection
- - patch
- - update
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels: {{- include "tensorflow.labels" . | nindent 4 }}
- rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true"
- name: kubeflow-tfjobs-view
-rules:
- - apiGroups:
- - kubeflow.org
- resources:
- - tfjobs
- - tfjobs/status
- verbs:
- - get
- - list
- - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels: {{- include "tensorflow.labels" . | nindent 4 }}
- name: {{ include "tensorflow.fullname" . }}-cluster-role
-rules:
- - apiGroups:
- - kubeflow.org
- resources:
- - tfjobs
- - tfjobs/status
- - tfjobs/finalizers
- verbs:
- - '*'
- - apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions
- verbs:
- - '*'
- - apiGroups:
- - ""
- resources:
- - pods
- - services
- - endpoints
- - events
- verbs:
- - '*'
- - apiGroups:
- - apps
- - extensions
- resources:
- - deployments
- verbs:
- - '*'
diff --git a/kubeflow/helm/operators/tensorflow/templates/clusterrolebinding.yaml b/kubeflow/helm/operators/tensorflow/templates/clusterrolebinding.yaml
deleted file mode 100644
index cd44d1a12..000000000
--- a/kubeflow/helm/operators/tensorflow/templates/clusterrolebinding.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels: {{- include "tensorflow.labels" . | nindent 4 }}
- name: {{ include "tensorflow.fullname" . }}-cluster-role-binding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ include "tensorflow.fullname" . }}-cluster-role
-subjects:
- - kind: ServiceAccount
- name: {{ include "tensorflow.serviceAccountName" . }}
- namespace: kubeflow
diff --git a/kubeflow/helm/operators/tensorflow/templates/deployment.yaml b/kubeflow/helm/operators/tensorflow/templates/deployment.yaml
deleted file mode 100644
index b89c40c88..000000000
--- a/kubeflow/helm/operators/tensorflow/templates/deployment.yaml
+++ /dev/null
@@ -1,72 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ include "tensorflow.fullname" . }}
- labels:
- {{- include "tensorflow.labels" . | nindent 4 }}
-spec:
- {{- if not .Values.autoscaling.enabled }}
- replicas: {{ .Values.replicaCount }}
- {{- end }}
- selector:
- matchLabels:
- {{- include "tensorflow.selectorLabels" . | nindent 6 }}
- template:
- metadata:
- {{- with .Values.podAnnotations }}
- annotations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- labels:
- {{- include "tensorflow.selectorLabels" . | nindent 8 }}
- spec:
- {{- with .Values.imagePullSecrets }}
- imagePullSecrets:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- serviceAccountName: {{ include "tensorflow.serviceAccountName" . }}
- securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
- containers:
- - name: {{ .Chart.Name }}
- securityContext:
- {{- toYaml .Values.securityContext | nindent 12 }}
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- args:
- - -monitoring-port=8443
- ports:
- - name: metrics
- containerPort: 8443
- protocol: TCP
- livenessProbe:
- httpGet:
- path: /metrics
- port: metrics
- readinessProbe:
- httpGet:
- path: /metrics
- port: metrics
- resources:
- {{- toYaml .Values.resources | nindent 12 }}
- env:
- - name: MY_POD_NAMESPACE
- valueFrom:
- fieldRef:
- fieldPath: metadata.namespace
- - name: MY_POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- {{- with .Values.nodeSelector }}
- nodeSelector:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.affinity }}
- affinity:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.tolerations }}
- tolerations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
diff --git a/kubeflow/helm/operators/tensorflow/templates/hpa.yaml b/kubeflow/helm/operators/tensorflow/templates/hpa.yaml
deleted file mode 100644
index c5db42005..000000000
--- a/kubeflow/helm/operators/tensorflow/templates/hpa.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if .Values.autoscaling.enabled }}
-apiVersion: autoscaling/v2beta1
-kind: HorizontalPodAutoscaler
-metadata:
- name: {{ include "tensorflow.fullname" . }}
- labels:
- {{- include "tensorflow.labels" . | nindent 4 }}
-spec:
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: {{ include "tensorflow.fullname" . }}
- minReplicas: {{ .Values.autoscaling.minReplicas }}
- maxReplicas: {{ .Values.autoscaling.maxReplicas }}
- metrics:
- {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
- - type: Resource
- resource:
- name: cpu
- targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
- {{- end }}
- {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
- - type: Resource
- resource:
- name: memory
- targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
- {{- end }}
-{{- end }}
diff --git a/kubeflow/helm/operators/tensorflow/templates/service.yaml b/kubeflow/helm/operators/tensorflow/templates/service.yaml
deleted file mode 100644
index 354619175..000000000
--- a/kubeflow/helm/operators/tensorflow/templates/service.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "tensorflow.fullname" . }}
- namespace: kubeflow
- labels:
- {{- include "tensorflow.labels" . | nindent 4 }}
- annotations:
- prometheus.io/path: /metrics
- prometheus.io/port: {{ .Values.service.port | quote }}
- prometheus.io/scrape: "true"
-spec:
- type: ClusterIP
- ports:
- - port: {{ .Values.service.port }}
- targetPort: metrics
- protocol: TCP
- name: http-metrics
- selector:
- {{- include "tensorflow.selectorLabels" . | nindent 4 }}
diff --git a/kubeflow/helm/operators/tensorflow/templates/serviceaccount.yaml b/kubeflow/helm/operators/tensorflow/templates/serviceaccount.yaml
deleted file mode 100644
index 29457752f..000000000
--- a/kubeflow/helm/operators/tensorflow/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "tensorflow.serviceAccountName" . }}
- namespace: kubeflow
- labels:
- {{- include "tensorflow.labels" . | nindent 4 }}
- {{- with .Values.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-{{- end }}
diff --git a/kubeflow/helm/operators/tensorflow/values.yaml b/kubeflow/helm/operators/tensorflow/values.yaml
deleted file mode 100644
index 5ba257f2f..000000000
--- a/kubeflow/helm/operators/tensorflow/values.yaml
+++ /dev/null
@@ -1,63 +0,0 @@
-# Default values for tensorflow.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-replicaCount: 1
-
-image:
- repository: public.ecr.aws/j1r0q0g6/training/tf-operator
- pullPolicy: IfNotPresent
- # Overrides the image tag whose default is the chart appVersion.
- tag: cd2fc1ff397b1f349f68524f4abd5013a32e3033
-
-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
-
-serviceAccount:
- # Specifies whether a service account should be created
- create: true
- # Annotations to add to the service account
- annotations: {}
- # The name of the service account to use.
- # If not set and create is true, a name is generated using the fullname template
- name: ""
-
-podAnnotations:
- sidecar.istio.io/inject: "true"
- cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
-
-podSecurityContext: {}
- # fsGroup: 2000
-
-securityContext: {}
- # capabilities:
- # drop:
- # - ALL
- # readOnlyRootFilesystem: true
- # runAsNonRoot: true
- # runAsUser: 1000
-
-service:
- port: 8443
-
-resources:
- requests:
- cpu: 11m
- memory: 53Mi
- limits:
- cpu: 11m
- memory: 53Mi
-
-autoscaling:
- enabled: false
- minReplicas: 1
- maxReplicas: 100
- targetCPUUtilizationPercentage: 80
- # targetMemoryUtilizationPercentage: 80
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}
diff --git a/kubeflow/helm/operators/tensorflow/values.yaml.tpl b/kubeflow/helm/operators/tensorflow/values.yaml.tpl
deleted file mode 100644
index 9e26dfeeb..000000000
--- a/kubeflow/helm/operators/tensorflow/values.yaml.tpl
+++ /dev/null
@@ -1 +0,0 @@
-{}
\ No newline at end of file
diff --git a/kubeflow/helm/operators/xgboost/.helmignore b/kubeflow/helm/operators/xgboost/.helmignore
deleted file mode 100644
index 0e8a0eb36..000000000
--- a/kubeflow/helm/operators/xgboost/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/kubeflow/helm/operators/xgboost/Chart.yaml b/kubeflow/helm/operators/xgboost/Chart.yaml
deleted file mode 100644
index 7f50f892e..000000000
--- a/kubeflow/helm/operators/xgboost/Chart.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: v2
-name: xgboost
-description: A Helm chart for Kubernetes
-type: application
-version: 0.1.7
-appVersion: "0.2.0"
diff --git a/kubeflow/helm/operators/xgboost/README.md b/kubeflow/helm/operators/xgboost/README.md
deleted file mode 100644
index af2343a0a..000000000
--- a/kubeflow/helm/operators/xgboost/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# XGBoost
-
-Installs the Kubeflow XGBoost Operator using Plural.
diff --git a/kubeflow/helm/operators/xgboost/crds/xgboost_crds.yaml b/kubeflow/helm/operators/xgboost/crds/xgboost_crds.yaml
deleted file mode 100644
index c98b55c1b..000000000
--- a/kubeflow/helm/operators/xgboost/crds/xgboost_crds.yaml
+++ /dev/null
@@ -1,3640 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: (devel) - creationTimestamp: null - labels: - app.kubernetes.io/component: xgboostjob - app.kubernetes.io/name: xgboost-operator - name: xgboostjobs.xgboostjob.kubeflow.org -spec: - group: xgboostjob.kubeflow.org - names: - kind: XGBoostJob - listKind: XGBoostJobList - plural: xgboostjobs - singular: xgboostjob - scope: "" - validation: - openAPIV3Schema: - description: XGBoostJob is the Schema for the xgboostjobs API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: XGBoostJobSpec defines the desired state of XGBoostJob - properties: - activeDeadlineSeconds: - description: Specifies the duration in seconds relative to the startTime that the job may be active before the system tries to terminate it; value must be positive integer. - format: int64 - type: integer - backoffLimit: - description: Optional number of retries before marking this job failed. - format: int32 - type: integer - cleanPodPolicy: - description: CleanPodPolicy defines the policy to kill pods after the job completes. Default to Running. - type: string - schedulingPolicy: - description: SchedulingPolicy defines the policy related to scheduling, e.g. 
gang-scheduling - properties: - minAvailable: - format: int32 - type: integer - type: object - ttlSecondsAfterFinished: - description: TTLSecondsAfterFinished is the TTL to clean up jobs. It may take extra ReconcilePeriod seconds for the cleanup, since reconcile gets called periodically. Default to infinite. - format: int32 - type: integer - xgbReplicaSpecs: - additionalProperties: - description: ReplicaSpec is a description of the replica - properties: - replicas: - description: Replicas is the desired number of replicas of the given template. If unspecified, defaults to 1. - format: int32 - type: integer - restartPolicy: - description: Restart policy for all replicas within the job. One of Always, OnFailure, Never and ExitCode. Default to Never. - type: string - template: - description: Template is the object that describes the pod that will be created for this replica. RestartPolicy in PodTemplateSpec will be overide by RestartPolicy in ReplicaSpec - properties: - metadata: - description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata' - type: object - spec: - description: 'Specification of the desired behavior of the pod. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - properties: - activeDeadlineSeconds: - description: Optional duration in seconds the pod may be active on the node relative to StartTime before the system will actively try to mark it failed and kill associated containers. Value must be a positive integer. - format: int64 - type: integer - affinity: - description: If specified, the pod's scheduling constraints - properties: - nodeAffinity: - description: Describes node affinity scheduling rules for the pod. 
- properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. - items: - description: An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op). - properties: - preference: - description: A node selector term, associated with the corresponding weight. - properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of node selector requirements by node's fields. - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - weight: - description: Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100. - format: int32 - type: integer - required: - - preference - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node. - properties: - nodeSelectorTerms: - description: Required. A list of node selector terms. The terms are ORed. - items: - description: A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm. 
- properties: - matchExpressions: - description: A list of node selector requirements by node's labels. - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchFields: - description: A list of node selector requirements by node's fields. - items: - description: A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: The label key that the selector applies to. - type: string - operator: - description: Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt. - type: string - values: - description: An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - type: object - type: array - required: - - nodeSelectorTerms - type: object - type: object - podAffinity: - description: Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - namespaces: - description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. 
When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
- type: object - type: object - namespaces: - description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. - items: - description: The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: Required. A pod affinity term, associated with the corresponding weight. - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. 
- properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - namespaces: - description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. 
- type: string - required: - - topologyKey - type: object - weight: - description: weight associated with matching the corresponding podAffinityTerm, in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. - items: - description: Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running - properties: - labelSelector: - description: A label query over a set of resources, in this case pods. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - namespaces: - description: namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - automountServiceAccountToken: - description: AutomountServiceAccountToken indicates whether a service account token should be automatically mounted. - type: boolean - containers: - description: List of containers belonging to the pod. Containers cannot currently be added or removed. There must be at least one container in a Pod. Cannot be updated. - items: - description: A single application container that you want to run within a pod. - properties: - args: - description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. 
The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - items: - type: string - type: array - command: - description: 'Entrypoint array. Not executed within a shell. The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - items: - type: string - type: array - env: - description: List of environment variables to set in the container. Cannot be updated. - items: - description: EnvVar represents an environment variable present in a Container. - properties: - name: - description: Name of the environment variable. Must be a C_IDENTIFIER. - type: string - value: - description: 'Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' - type: string - valueFrom: - description: Source for the environment variable's value. Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. 
- properties: - key: - description: The key to select. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap or its key must be defined - type: boolean - required: - - key - type: object - fieldRef: - description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP.' - properties: - apiVersion: - description: Version of the schema the FieldPath is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the specified API version. - type: string - required: - - fieldPath - type: object - resourceFieldRef: - description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' - properties: - containerName: - description: 'Container name: required for volumes, optional for env vars' - type: string - divisor: - description: Specifies the output format of the exposed resources, defaults to "1" - type: string - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - secretKeyRef: - description: Selects a key of a secret in the pod's namespace - properties: - key: - description: The key of the secret to select from. Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
- type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - required: - - key - type: object - type: object - required: - - name - type: object - type: array - envFrom: - description: List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. - items: - description: EnvFromSource represents the source of a set of ConfigMaps - properties: - configMapRef: - description: The ConfigMap to select from - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap must be defined - type: boolean - type: object - prefix: - description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. - type: string - secretRef: - description: The Secret to select from - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the Secret must be defined - type: boolean - type: object - type: object - type: array - image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.' - type: string - imagePullPolicy: - description: 'Image pull policy. 
One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' - type: string - lifecycle: - description: Actions that the management system should take in response to container lifecycle events. Cannot be updated. - properties: - postStart: - description: 'PostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. 
- items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: string - - type: integer - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: string - - type: integer - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - required: - - port - type: object - type: object - preStop: - description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod''s termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod''s termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. 
More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: string - - type: integer - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' 
- type: string - port: - anyOf: - - type: string - - type: integer - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - required: - - port - type: object - type: object - type: object - livenessProbe: - description: 'Periodic probe of container liveness. Container will be restarted if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - format: int32 - type: integer - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. 
- type: string - port: - anyOf: - - type: string - - type: integer - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: string - - type: integer - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - required: - - port - type: object - timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - name: - description: Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated. - type: string - ports: - description: List of ports to expose from the container. 
Exposing a port here gives the system additional information about the network connections a container uses, but is primarily informational. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Cannot be updated. - items: - description: ContainerPort represents a network port in a single container. - properties: - containerPort: - description: Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536. - format: int32 - type: integer - hostIP: - description: What host IP to bind the external port to. - type: string - hostPort: - description: Number of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this. - format: int32 - type: integer - name: - description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services. - type: string - protocol: - description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". - type: string - required: - - containerPort - type: object - type: array - readinessProbe: - description: 'Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. 
The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - format: int32 - type: integer - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: string - - type: integer - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. 
- format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: string - - type: integer - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - required: - - port - type: object - timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - resources: - description: 'Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - properties: - limits: - additionalProperties: - type: string - description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - type: object - requests: - additionalProperties: - type: string - description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - type: object - type: object - securityContext: - description: 'Security options the pod should run with. 
More info: https://kubernetes.io/docs/concepts/policy/security-context/ More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' - properties: - allowPrivilegeEscalation: - description: 'AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN' - type: boolean - capabilities: - description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - type: object - privileged: - description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. - type: boolean - procMount: - description: procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. - type: string - readOnlyRootFilesystem: - description: Whether this container has a read-only root filesystem. Default is false. - type: boolean - runAsGroup: - description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - format: int64 - type: integer - runAsNonRoot: - description: Indicates that the container must run as a non-root user. 
If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - format: int64 - type: integer - seLinuxOptions: - description: The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - properties: - level: - description: Level is SELinux level label that applies to the container. - type: string - role: - description: Role is a SELinux role label that applies to the container. - type: string - type: - description: Type is a SELinux type label that applies to the container. - type: string - user: - description: User is a SELinux user label that applies to the container. - type: string - type: object - windowsOptions: - description: The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - properties: - gmsaCredentialSpec: - description: GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field. 
This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA credential spec to use. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag. - type: string - runAsUserName: - description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. This field is alpha-level and it is only honored by servers that enable the WindowsRunAsUserName feature flag. - type: string - type: object - type: object - startupProbe: - description: 'StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod''s lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. This is an alpha feature enabled by the StartupProbe feature flag. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. 
Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - format: int32 - type: integer - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: string - - type: integer - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. 
- format: int32 - type: integer - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: string - - type: integer - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - required: - - port - type: object - timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - stdin: - description: Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false. - type: boolean - stdinOnce: - description: Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false - type: boolean - terminationMessagePath: - description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. 
The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' - type: string - terminationMessagePolicy: - description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated. - type: string - tty: - description: Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false. - type: boolean - volumeDevices: - description: volumeDevices is the list of block devices to be used by the container. This is a beta feature. - items: - description: volumeDevice describes a mapping of a raw block device within a container. - properties: - devicePath: - description: devicePath is the path inside of the container that the device will be mapped to. - type: string - name: - description: name must match the name of a persistentVolumeClaim in the pod - type: string - required: - - devicePath - - name - type: object - type: array - volumeMounts: - description: Pod volumes to mount into the container's filesystem. Cannot be updated. - items: - description: VolumeMount describes a mounting of a Volume within a container. - properties: - mountPath: - description: Path within the container at which the volume should be mounted. Must not contain ':'. - type: string - mountPropagation: - description: mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10. - type: string - name: - description: This must match the Name of a Volume. 
- type: string - readOnly: - description: Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false. - type: boolean - subPath: - description: Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root). - type: string - subPathExpr: - description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. This field is beta in 1.15. - type: string - required: - - mountPath - - name - type: object - type: array - workingDir: - description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. - type: string - required: - - name - type: object - type: array - dnsConfig: - description: Specifies the DNS parameters of a pod. Parameters specified here will be merged to the generated DNS configuration based on DNSPolicy. - properties: - nameservers: - description: A list of DNS name server IP addresses. This will be appended to the base nameservers generated from DNSPolicy. Duplicated nameservers will be removed. - items: - type: string - type: array - options: - description: A list of DNS resolver options. This will be merged with the base options generated from DNSPolicy. Duplicated entries will be removed. Resolution options given in Options will override those that appear in the base DNSPolicy. - items: - description: PodDNSConfigOption defines DNS resolver options of a pod. - properties: - name: - description: Required. - type: string - value: - type: string - type: object - type: array - searches: - description: A list of DNS search domains for host-name lookup. This will be appended to the base search paths generated from DNSPolicy. 
Duplicated search paths will be removed. - items: - type: string - type: array - type: object - dnsPolicy: - description: Set DNS policy for the pod. Defaults to "ClusterFirst". Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', 'Default' or 'None'. DNS parameters given in DNSConfig will be merged with the policy selected with DNSPolicy. To have DNS options set along with hostNetwork, you have to specify DNS policy explicitly to 'ClusterFirstWithHostNet'. - type: string - enableServiceLinks: - description: 'EnableServiceLinks indicates whether information about services should be injected into pod''s environment variables, matching the syntax of Docker links. Optional: Defaults to true.' - type: boolean - ephemeralContainers: - description: List of ephemeral containers run in this pod. Ephemeral containers may be run in an existing pod to perform user-initiated actions such as debugging. This list cannot be specified when creating a pod, and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. This field is alpha-level and is only honored by servers that enable the EphemeralContainers feature. - items: - description: An EphemeralContainer is a container that may be added temporarily to an existing pod for user-initiated activities such as debugging. Ephemeral containers have no resource or scheduling guarantees, and they will not be restarted when they exit or when a pod is removed or restarted. If an ephemeral container causes a pod to exceed its resource allocation, the pod may be evicted. Ephemeral containers may not be added by directly updating the pod spec. They must be added via the pod's ephemeralcontainers subresource, and they will appear in the pod spec once added. This is an alpha feature enabled by the EphemeralContainers feature flag. - properties: - args: - description: 'Arguments to the entrypoint. 
The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - items: - type: string - type: array - command: - description: 'Entrypoint array. Not executed within a shell. The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - items: - type: string - type: array - env: - description: List of environment variables to set in the container. Cannot be updated. - items: - description: EnvVar represents an environment variable present in a Container. - properties: - name: - description: Name of the environment variable. Must be a C_IDENTIFIER. - type: string - value: - description: 'Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' 
- type: string - valueFrom: - description: Source for the environment variable's value. Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap or its key must be defined - type: boolean - required: - - key - type: object - fieldRef: - description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP.' - properties: - apiVersion: - description: Version of the schema the FieldPath is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the specified API version. - type: string - required: - - fieldPath - type: object - resourceFieldRef: - description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' - properties: - containerName: - description: 'Container name: required for volumes, optional for env vars' - type: string - divisor: - description: Specifies the output format of the exposed resources, defaults to "1" - type: string - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - secretKeyRef: - description: Selects a key of a secret in the pod's namespace - properties: - key: - description: The key of the secret to select from. Must be a valid secret key. - type: string - name: - description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - required: - - key - type: object - type: object - required: - - name - type: object - type: array - envFrom: - description: List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. - items: - description: EnvFromSource represents the source of a set of ConfigMaps - properties: - configMapRef: - description: The ConfigMap to select from - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap must be defined - type: boolean - type: object - prefix: - description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. - type: string - secretRef: - description: The Secret to select from - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the Secret must be defined - type: boolean - type: object - type: object - type: array - image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images' - type: string - imagePullPolicy: - description: 'Image pull policy. 
One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' - type: string - lifecycle: - description: Lifecycle is not allowed for ephemeral containers. - properties: - postStart: - description: 'PostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. 
- type: string - port: - anyOf: - - type: string - - type: integer - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: string - - type: integer - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - required: - - port - type: object - type: object - preStop: - description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod''s termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod''s termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. 
The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: string - - type: integer - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: string - - type: integer - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - required: - - port - type: object - type: object - type: object - livenessProbe: - description: Probes are not allowed for ephemeral containers. 
- properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - format: int32 - type: integer - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: string - - type: integer - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: string - - type: integer - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - required: - - port - type: object - timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - name: - description: Name of the ephemeral container specified as a DNS_LABEL. This name must be unique among all containers, init containers and ephemeral containers. - type: string - ports: - description: Ports are not allowed for ephemeral containers. - items: - description: ContainerPort represents a network port in a single container. - properties: - containerPort: - description: Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536. - format: int32 - type: integer - hostIP: - description: What host IP to bind the external port to. - type: string - hostPort: - description: Number of port to expose on the host. 
If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this. - format: int32 - type: integer - name: - description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services. - type: string - protocol: - description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". - type: string - required: - - containerPort - type: object - type: array - readinessProbe: - description: Probes are not allowed for ephemeral containers. - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - format: int32 - type: integer - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. 
- items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: string - - type: integer - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: string - - type: integer - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - required: - - port - type: object - timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - resources: - description: Resources are not allowed for ephemeral containers. Ephemeral containers use spare resources already allocated to the pod. - properties: - limits: - additionalProperties: - type: string - description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - type: object - requests: - additionalProperties: - type: string - description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - type: object - type: object - securityContext: - description: SecurityContext is not allowed for ephemeral containers. - properties: - allowPrivilegeEscalation: - description: 'AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN' - type: boolean - capabilities: - description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. - properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - type: object - privileged: - description: Run container in privileged mode. 
Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. - type: boolean - procMount: - description: procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. - type: string - readOnlyRootFilesystem: - description: Whether this container has a read-only root filesystem. Default is false. - type: boolean - runAsGroup: - description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - format: int64 - type: integer - runAsNonRoot: - description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - format: int64 - type: integer - seLinuxOptions: - description: The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. 
- properties: - level: - description: Level is SELinux level label that applies to the container. - type: string - role: - description: Role is a SELinux role label that applies to the container. - type: string - type: - description: Type is a SELinux type label that applies to the container. - type: string - user: - description: User is a SELinux user label that applies to the container. - type: string - type: object - windowsOptions: - description: The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - properties: - gmsaCredentialSpec: - description: GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA credential spec to use. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag. - type: string - runAsUserName: - description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. This field is alpha-level and it is only honored by servers that enable the WindowsRunAsUserName feature flag. - type: string - type: object - type: object - startupProbe: - description: Probes are not allowed for ephemeral containers. - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. 
- properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - format: int32 - type: integer - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: string - - type: integer - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: string - - type: integer - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - required: - - port - type: object - timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - stdin: - description: Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false. - type: boolean - stdinOnce: - description: Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. 
If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false - type: boolean - targetContainerName: - description: If set, the name of the container from PodSpec that this ephemeral container targets. The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container. If not set then the ephemeral container is run in whatever namespaces are shared for the pod. Note that the container runtime must support this feature. - type: string - terminationMessagePath: - description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' - type: string - terminationMessagePolicy: - description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated. - type: string - tty: - description: Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false. - type: boolean - volumeDevices: - description: volumeDevices is the list of block devices to be used by the container. This is a beta feature. - items: - description: volumeDevice describes a mapping of a raw block device within a container. - properties: - devicePath: - description: devicePath is the path inside of the container that the device will be mapped to. 
- type: string - name: - description: name must match the name of a persistentVolumeClaim in the pod - type: string - required: - - devicePath - - name - type: object - type: array - volumeMounts: - description: Pod volumes to mount into the container's filesystem. Cannot be updated. - items: - description: VolumeMount describes a mounting of a Volume within a container. - properties: - mountPath: - description: Path within the container at which the volume should be mounted. Must not contain ':'. - type: string - mountPropagation: - description: mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10. - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false. - type: boolean - subPath: - description: Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root). - type: string - subPathExpr: - description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. This field is beta in 1.15. - type: string - required: - - mountPath - - name - type: object - type: array - workingDir: - description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. - type: string - required: - - name - type: object - type: array - hostAliases: - description: HostAliases is an optional list of hosts and IPs that will be injected into the pod's hosts file if specified. This is only valid for non-hostNetwork pods. 
- items: - description: HostAlias holds the mapping between IP and hostnames that will be injected as an entry in the pod's hosts file. - properties: - hostnames: - description: Hostnames for the above IP address. - items: - type: string - type: array - ip: - description: IP address of the host file entry. - type: string - type: object - type: array - hostIPC: - description: 'Use the host''s ipc namespace. Optional: Default to false.' - type: boolean - hostNetwork: - description: Host networking requested for this pod. Use the host's network namespace. If this option is set, the ports that will be used must be specified. Default to false. - type: boolean - hostPID: - description: 'Use the host''s pid namespace. Optional: Default to false.' - type: boolean - hostname: - description: Specifies the hostname of the Pod If not specified, the pod's hostname will be set to a system-defined value. - type: string - imagePullSecrets: - description: 'ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. For example, in the case of docker, only DockerConfig type secrets are honored. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' - items: - description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - type: object - type: array - initContainers: - description: 'List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. 
If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique among all containers. Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. The resourceRequirements of an init container are taken into account during scheduling by finding the highest request/limit for each resource type, and then using the max of of that value or the sum of the normal containers. Limits are applied to init containers in a similar fashion. Init containers cannot currently be added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/' - items: - description: A single application container that you want to run within a pod. - properties: - args: - description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - items: - type: string - type: array - command: - description: 'Entrypoint array. Not executed within a shell. The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. 
More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - items: - type: string - type: array - env: - description: List of environment variables to set in the container. Cannot be updated. - items: - description: EnvVar represents an environment variable present in a Container. - properties: - name: - description: Name of the environment variable. Must be a C_IDENTIFIER. - type: string - value: - description: 'Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' - type: string - valueFrom: - description: Source for the environment variable's value. Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap or its key must be defined - type: boolean - required: - - key - type: object - fieldRef: - description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP.' - properties: - apiVersion: - description: Version of the schema the FieldPath is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the specified API version. 
- type: string - required: - - fieldPath - type: object - resourceFieldRef: - description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.' - properties: - containerName: - description: 'Container name: required for volumes, optional for env vars' - type: string - divisor: - description: Specifies the output format of the exposed resources, defaults to "1" - type: string - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - secretKeyRef: - description: Selects a key of a secret in the pod's namespace - properties: - key: - description: The key of the secret to select from. Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - required: - - key - type: object - type: object - required: - - name - type: object - type: array - envFrom: - description: List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. - items: - description: EnvFromSource represents the source of a set of ConfigMaps - properties: - configMapRef: - description: The ConfigMap to select from - properties: - name: - description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap must be defined - type: boolean - type: object - prefix: - description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. - type: string - secretRef: - description: The Secret to select from - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the Secret must be defined - type: boolean - type: object - type: object - type: array - image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.' - type: string - imagePullPolicy: - description: 'Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' - type: string - lifecycle: - description: Actions that the management system should take in response to container lifecycle events. Cannot be updated. - properties: - postStart: - description: 'PostStart is called immediately after a container is created. If the handler fails, the container is terminated and restarted according to its restart policy. Other management of the container blocks until the hook completes. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. 
- properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: string - - type: integer - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: string - - type: integer - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. 
- required: - - port - type: object - type: object - preStop: - description: 'PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. The reason for termination is passed to the handler. The Pod''s termination grace period countdown begins before the PreStop hooked is executed. Regardless of the outcome of the handler, the container will eventually terminate within the Pod''s termination grace period. Other management of the container blocks until the hook completes or until the termination grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. 
- items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: string - - type: integer - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: string - - type: integer - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - required: - - port - type: object - type: object - type: object - livenessProbe: - description: 'Periodic probe of container liveness. Container will be restarted if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. 
Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - format: int32 - type: integer - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: string - - type: integer - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. 
- format: int32 - type: integer - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: string - - type: integer - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - required: - - port - type: object - timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - name: - description: Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated. - type: string - ports: - description: List of ports to expose from the container. Exposing a port here gives the system additional information about the network connections a container uses, but is primarily informational. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Cannot be updated. - items: - description: ContainerPort represents a network port in a single container. - properties: - containerPort: - description: Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536. - format: int32 - type: integer - hostIP: - description: What host IP to bind the external port to. - type: string - hostPort: - description: Number of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this. 
- format: int32 - type: integer - name: - description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services. - type: string - protocol: - description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". - type: string - required: - - containerPort - type: object - type: array - readinessProbe: - description: 'Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - format: int32 - type: integer - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. 
- items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: string - - type: integer - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: string - - type: integer - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - required: - - port - type: object - timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - resources: - description: 'Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - properties: - limits: - additionalProperties: - type: string - description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - type: object - requests: - additionalProperties: - type: string - description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' - type: object - type: object - securityContext: - description: 'Security options the pod should run with. More info: https://kubernetes.io/docs/concepts/policy/security-context/ More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' - properties: - allowPrivilegeEscalation: - description: 'AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN' - type: boolean - capabilities: - description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. 
- properties: - add: - description: Added capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - drop: - description: Removed capabilities - items: - description: Capability represent POSIX capabilities type - type: string - type: array - type: object - privileged: - description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. - type: boolean - procMount: - description: procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. - type: string - readOnlyRootFilesystem: - description: Whether this container has a read-only root filesystem. Default is false. - type: boolean - runAsGroup: - description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - format: int64 - type: integer - runAsNonRoot: - description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - type: boolean - runAsUser: - description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. 
- format: int64 - type: integer - seLinuxOptions: - description: The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - properties: - level: - description: Level is SELinux level label that applies to the container. - type: string - role: - description: Role is a SELinux role label that applies to the container. - type: string - type: - description: Type is a SELinux type label that applies to the container. - type: string - user: - description: User is a SELinux user label that applies to the container. - type: string - type: object - windowsOptions: - description: The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - properties: - gmsaCredentialSpec: - description: GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA credential spec to use. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag. - type: string - runAsUserName: - description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. 
This field is alpha-level and it is only honored by servers that enable the WindowsRunAsUserName feature flag. - type: string - type: object - type: object - startupProbe: - description: 'StartupProbe indicates that the Pod has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. This can be used to provide different probe parameters at the beginning of a Pod''s lifecycle, when it might take a long time to load data or warm a cache, than during steady-state operation. This cannot be updated. This is an alpha feature enabled by the StartupProbe feature flag. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - format: int32 - type: integer - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. 
- items: - description: HTTPHeader describes a custom header to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: string - - type: integer - description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - periodSeconds: - description: How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - format: int32 - type: integer - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - port: - anyOf: - - type: string - - type: integer - description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - required: - - port - type: object - timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - format: int32 - type: integer - type: object - stdin: - description: Whether this container should allocate a buffer for stdin in the container runtime. If this is not set, reads from stdin in the container will always result in EOF. Default is false. - type: boolean - stdinOnce: - description: Whether the container runtime should close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach sessions. If stdinOnce is set to true, stdin is opened on container start, is empty until the first client attaches to stdin, and then remains open and accepts data until the client disconnects, at which time stdin is closed and remains closed until the container is restarted. If this flag is false, a container processes that reads from stdin will never receive an EOF. Default is false - type: boolean - terminationMessagePath: - description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' - type: string - terminationMessagePolicy: - description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated. 
- type: string - tty: - description: Whether this container should allocate a TTY for itself, also requires 'stdin' to be true. Default is false. - type: boolean - volumeDevices: - description: volumeDevices is the list of block devices to be used by the container. This is a beta feature. - items: - description: volumeDevice describes a mapping of a raw block device within a container. - properties: - devicePath: - description: devicePath is the path inside of the container that the device will be mapped to. - type: string - name: - description: name must match the name of a persistentVolumeClaim in the pod - type: string - required: - - devicePath - - name - type: object - type: array - volumeMounts: - description: Pod volumes to mount into the container's filesystem. Cannot be updated. - items: - description: VolumeMount describes a mounting of a Volume within a container. - properties: - mountPath: - description: Path within the container at which the volume should be mounted. Must not contain ':'. - type: string - mountPropagation: - description: mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10. - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false. - type: boolean - subPath: - description: Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root). - type: string - subPathExpr: - description: Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive. This field is beta in 1.15. 
- type: string - required: - - mountPath - - name - type: object - type: array - workingDir: - description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. - type: string - required: - - name - type: object - type: array - nodeName: - description: NodeName is a request to schedule this pod onto a specific node. If it is non-empty, the scheduler simply schedules this pod onto that node, assuming that it fits resource requirements. - type: string - nodeSelector: - additionalProperties: - type: string - description: 'NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' - type: object - overhead: - additionalProperties: - type: string - description: 'Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. This field will be autopopulated at admission time by the RuntimeClass admission controller. If the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests. The RuntimeClass admission controller will reject Pod create requests which have the overhead already set. If RuntimeClass is configured and selected in the PodSpec, Overhead will be set to the value defined in the corresponding RuntimeClass, otherwise it will remain unset and treated as zero. More info: https://git.k8s.io/enhancements/keps/sig-node/20190226-pod-overhead.md This field is alpha-level as of Kubernetes v1.16, and is only honored by servers that enable the PodOverhead feature.' - type: object - preemptionPolicy: - description: PreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset. 
This field is alpha-level and is only honored by servers that enable the NonPreemptingPriority feature. - type: string - priority: - description: The priority value. Various system components use this field to find the priority of the pod. When Priority Admission Controller is enabled, it prevents users from setting this field. The admission controller populates this field from PriorityClassName. The higher the value, the higher the priority. - format: int32 - type: integer - priorityClassName: - description: If specified, indicates the pod's priority. "system-node-critical" and "system-cluster-critical" are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default. - type: string - readinessGates: - description: 'If specified, all readiness gates will be evaluated for pod readiness. A pod is ready when all its containers are ready AND all conditions specified in the readiness gates have status equal to "True" More info: https://git.k8s.io/enhancements/keps/sig-network/0007-pod-ready%2B%2B.md' - items: - description: PodReadinessGate contains the reference to a pod condition - properties: - conditionType: - description: ConditionType refers to a condition in the pod's condition list with matching type. - type: string - required: - - conditionType - type: object - type: array - restartPolicy: - description: 'Restart policy for all containers within the pod. One of Always, OnFailure, Never. Default to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy' - type: string - runtimeClassName: - description: 'RuntimeClassName refers to a RuntimeClass object in the node.k8s.io group, which should be used to run this pod. If no RuntimeClass resource matches the named class, the pod will not be run. 
If unset or empty, the "legacy" RuntimeClass will be used, which is an implicit class with an empty definition that uses the default runtime handler. More info: https://git.k8s.io/enhancements/keps/sig-node/runtime-class.md This is a beta feature as of Kubernetes v1.14.' - type: string - schedulerName: - description: If specified, the pod will be dispatched by specified scheduler. If not specified, the pod will be dispatched by default scheduler. - type: string - securityContext: - description: 'SecurityContext holds pod-level security attributes and common container settings. Optional: Defaults to empty. See type description for default values of each field.' - properties: - fsGroup: - description: "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: \n 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw---- \n If unset, the Kubelet will not modify the ownership and permissions of any volume." - format: int64 - type: integer - runAsGroup: - description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. - format: int64 - type: integer - runAsNonRoot: - description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. 
- type: boolean - runAsUser: - description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. - format: int64 - type: integer - seLinuxOptions: - description: The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. - properties: - level: - description: Level is SELinux level label that applies to the container. - type: string - role: - description: Role is a SELinux role label that applies to the container. - type: string - type: - description: Type is a SELinux type label that applies to the container. - type: string - user: - description: User is a SELinux user label that applies to the container. - type: string - type: object - supplementalGroups: - description: A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container. - items: - format: int64 - type: integer - type: array - sysctls: - description: Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. - items: - description: Sysctl defines a kernel parameter to be set - properties: - name: - description: Name of a property to set - type: string - value: - description: Value of a property to set - type: string - required: - - name - - value - type: object - type: array - windowsOptions: - description: The Windows specific settings applied to all containers. 
If unspecified, the options within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - properties: - gmsaCredentialSpec: - description: GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag. - type: string - gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of the GMSA credential spec to use. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag. - type: string - runAsUserName: - description: The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. This field is alpha-level and it is only honored by servers that enable the WindowsRunAsUserName feature flag. - type: string - type: object - type: object - serviceAccount: - description: 'DeprecatedServiceAccount is a depreciated alias for ServiceAccountName. Deprecated: Use serviceAccountName instead.' - type: string - serviceAccountName: - description: 'ServiceAccountName is the name of the ServiceAccount to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' - type: string - shareProcessNamespace: - description: 'Share a single process namespace between all of the containers in a pod. When this is set containers will be able to view and signal processes from other containers in the same pod, and the first process in each container will not be assigned PID 1. HostPID and ShareProcessNamespace cannot both be set. 
Optional: Default to false. This field is beta-level and may be disabled with the PodShareProcessNamespace feature.' - type: boolean - subdomain: - description: If specified, the fully qualified Pod hostname will be "...svc.". If not specified, the pod will not have a domainname at all. - type: string - terminationGracePeriodSeconds: - description: Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period will be used instead. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. Defaults to 30 seconds. - format: int64 - type: integer - tolerations: - description: If specified, the pod's tolerations. - items: - description: The pod this Toleration is attached to tolerates any taint that matches the triple using the matching operator . - properties: - effect: - description: Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. 
- type: string - tolerationSeconds: - description: TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - topologySpreadConstraints: - description: TopologySpreadConstraints describes how a group of pods ought to spread across topology domains. Scheduler will schedule pods in a way which abides by the constraints. This field is alpha-level and is only honored by clusters that enables the EvenPodsSpread feature. All topologySpreadConstraints are ANDed. - items: - description: TopologySpreadConstraint specifies how to spread matching pods among the given topology. - properties: - labelSelector: - description: LabelSelector is used to find matching pods. Pods that match this label selector are counted to determine the number of pods in their corresponding topology domain. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - maxSkew: - description: 'MaxSkew describes the degree to which pods may be unevenly distributed. It''s the maximum permitted difference between the number of matching pods in any two topology domains of a given topology type. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 1/1/0: | zone1 | zone2 | zone3 | | P | P | | - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 1/1/1; scheduling it onto zone1(zone2) would make the ActualSkew(2-0) on zone1(zone2) violate MaxSkew(1). - if MaxSkew is 2, incoming pod can be scheduled onto any zone. It''s a required field. Default value is 1 and 0 is not allowed.' - format: int32 - type: integer - topologyKey: - description: TopologyKey is the key of node labels. Nodes that have a label with this key and identical values are considered to be in the same topology. We consider each as a "bucket", and try to put balanced number of pods into each bucket. It's a required field. - type: string - whenUnsatisfiable: - description: 'WhenUnsatisfiable indicates how to deal with a pod if it doesn''t satisfy the spread constraint. - DoNotSchedule (default) tells the scheduler not to schedule it - ScheduleAnyway tells the scheduler to still schedule it It''s considered as "Unsatisfiable" if and only if placing incoming pod on any topology violates "MaxSkew". 
For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler won''t make it *more* imbalanced. It''s a required field.' - type: string - required: - - maxSkew - - topologyKey - - whenUnsatisfiable - type: object - type: array - volumes: - description: 'List of volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes' - items: - description: Volume represents a named volume in a pod that may be accessed by any container in the pod. - properties: - awsElasticBlockStore: - description: 'AWSElasticBlockStore represents an AWS Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' - properties: - fsType: - description: 'Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore TODO: how do we prevent errors in the filesystem from compromising the machine' - type: string - partition: - description: 'The partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as "1". Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty).' - format: int32 - type: integer - readOnly: - description: 'Specify "true" to force and set the ReadOnly property in VolumeMounts to "true". 
If omitted, the default is "false". More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' - type: boolean - volumeID: - description: 'Unique ID of the persistent disk resource in AWS (Amazon EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' - type: string - required: - - volumeID - type: object - azureDisk: - description: AzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. - properties: - cachingMode: - description: 'Host Caching mode: None, Read Only, Read Write.' - type: string - diskName: - description: The Name of the data disk in the blob storage - type: string - diskURI: - description: The URI the data disk in the blob storage - type: string - fsType: - description: Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - kind: - description: 'Expected values Shared: multiple blob disks per storage account Dedicated: single blob disk per storage account Managed: azure managed data disk (only in managed availability set). defaults to shared' - type: string - readOnly: - description: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. - type: boolean - required: - - diskName - - diskURI - type: object - azureFile: - description: AzureFile represents an Azure File Service mount on the host and bind mount to the pod. - properties: - readOnly: - description: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. 
- type: boolean - secretName: - description: the name of secret that contains Azure Storage Account Name and Key - type: string - shareName: - description: Share Name - type: string - required: - - secretName - - shareName - type: object - cephfs: - description: CephFS represents a Ceph FS mount on the host that shares a pod's lifetime - properties: - monitors: - description: 'Required: Monitors is a collection of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' - items: - type: string - type: array - path: - description: 'Optional: Used as the mounted root, rather than the full Ceph tree, default is /' - type: string - readOnly: - description: 'Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' - type: boolean - secretFile: - description: 'Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' - type: string - secretRef: - description: 'Optional: SecretRef is reference to the authentication secret for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - type: object - user: - description: 'Optional: User is the rados user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' - type: string - required: - - monitors - type: object - cinder: - description: 'Cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' - properties: - fsType: - description: 'Filesystem type to mount. 
Must be a filesystem type supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' - type: string - readOnly: - description: 'Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' - type: boolean - secretRef: - description: 'Optional: points to a secret object containing parameters used to connect to OpenStack.' - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - type: object - volumeID: - description: 'volume id used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' - type: string - required: - - volumeID - type: object - configMap: - description: ConfigMap represents a configMap that should populate this volume - properties: - defaultMode: - description: 'Optional: mode bits to use on created files by default. Must be a value between 0 and 0777. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' - format: int32 - type: integer - items: - description: If unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. 
- items: - description: Maps a string key to a path within a volume. - properties: - key: - description: The key to project. - type: string - mode: - description: 'Optional: mode bits to use on this file, must be a value between 0 and 0777. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' - format: int32 - type: integer - path: - description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap or its keys must be defined - type: boolean - type: object - csi: - description: CSI (Container Storage Interface) represents storage that is handled by an external CSI driver (Alpha feature). - properties: - driver: - description: Driver is the name of the CSI driver that handles this volume. Consult with your admin for the correct name as registered in the cluster. - type: string - fsType: - description: Filesystem type to mount. Ex. "ext4", "xfs", "ntfs". If not provided, the empty value is passed to the associated CSI driver which will determine the default filesystem to apply. - type: string - nodePublishSecretRef: - description: NodePublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodePublishVolume and NodeUnpublishVolume calls. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secret references are passed. 
- properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - type: object - readOnly: - description: Specifies a read-only configuration for the volume. Defaults to false (read/write). - type: boolean - volumeAttributes: - additionalProperties: - type: string - description: VolumeAttributes stores driver-specific properties that are passed to the CSI driver. Consult your driver's documentation for supported values. - type: object - required: - - driver - type: object - downwardAPI: - description: DownwardAPI represents downward API about the pod that should populate this volume - properties: - defaultMode: - description: 'Optional: mode bits to use on created files by default. Must be a value between 0 and 0777. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' - format: int32 - type: integer - items: - description: Items is a list of downward API volume file - items: - description: DownwardAPIVolumeFile represents information to create the file containing the pod field - properties: - fieldRef: - description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.' - properties: - apiVersion: - description: Version of the schema the FieldPath is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the specified API version. - type: string - required: - - fieldPath - type: object - mode: - description: 'Optional: mode bits to use on this file, must be a value between 0 and 0777. If not specified, the volume defaultMode will be used. 
This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' - format: int32 - type: integer - path: - description: 'Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..''' - type: string - resourceFieldRef: - description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.' - properties: - containerName: - description: 'Container name: required for volumes, optional for env vars' - type: string - divisor: - description: Specifies the output format of the exposed resources, defaults to "1" - type: string - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - required: - - path - type: object - type: array - type: object - emptyDir: - description: 'EmptyDir represents a temporary directory that shares a pod''s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' - properties: - medium: - description: 'What type of storage medium should back this directory. The default is "" which means to use the node''s default medium. Must be an empty string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' - type: string - sizeLimit: - description: 'Total amount of local storage required for this EmptyDir volume. The size limit is also applicable for memory medium. The maximum usage on memory medium EmptyDir would be the minimum value between the SizeLimit specified here and the sum of memory limits of all containers in a pod. The default is nil which means that the limit is undefined. 
More info: http://kubernetes.io/docs/user-guide/volumes#emptydir' - type: string - type: object - fc: - description: FC represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod. - properties: - fsType: - description: 'Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. TODO: how do we prevent errors in the filesystem from compromising the machine' - type: string - lun: - description: 'Optional: FC target lun number' - format: int32 - type: integer - readOnly: - description: 'Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.' - type: boolean - targetWWNs: - description: 'Optional: FC target worldwide names (WWNs)' - items: - type: string - type: array - wwids: - description: 'Optional: FC volume world wide identifiers (wwids) Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.' - items: - type: string - type: array - type: object - flexVolume: - description: FlexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. - properties: - driver: - description: Driver is the name of the driver to use for this volume. - type: string - fsType: - description: Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". The default filesystem depends on FlexVolume script. - type: string - options: - additionalProperties: - type: string - description: 'Optional: Extra command options if any.' - type: object - readOnly: - description: 'Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.' - type: boolean - secretRef: - description: 'Optional: SecretRef is reference to the secret object containing sensitive information to pass to the plugin scripts. 
This may be empty if no secret object is specified. If the secret object contains more than one secret, all secrets are passed to the plugin scripts.' - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - type: object - required: - - driver - type: object - flocker: - description: Flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running - properties: - datasetName: - description: Name of the dataset stored as metadata -> name on the dataset for Flocker should be considered as deprecated - type: string - datasetUUID: - description: UUID of the dataset. This is unique identifier of a Flocker dataset - type: string - type: object - gcePersistentDisk: - description: 'GCEPersistentDisk represents a GCE Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' - properties: - fsType: - description: 'Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk TODO: how do we prevent errors in the filesystem from compromising the machine' - type: string - partition: - description: 'The partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as "1". Similarly, the volume partition for /dev/sda is "0" (or you can leave the property empty). 
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' - format: int32 - type: integer - pdName: - description: 'Unique name of the PD resource in GCE. Used to identify the disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' - type: string - readOnly: - description: 'ReadOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' - type: boolean - required: - - pdName - type: object - gitRepo: - description: 'GitRepo represents a git repository at a particular revision. DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod''s container.' - properties: - directory: - description: Target directory name. Must not contain or start with '..'. If '.' is supplied, the volume directory will be the git repository. Otherwise, if specified, the volume will contain the git repository in the subdirectory with the given name. - type: string - repository: - description: Repository URL - type: string - revision: - description: Commit hash for the specified revision. - type: string - required: - - repository - type: object - glusterfs: - description: 'Glusterfs represents a Glusterfs mount on the host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md' - properties: - endpoints: - description: 'EndpointsName is the endpoint name that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' - type: string - path: - description: 'Path is the Glusterfs volume path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' - type: string - readOnly: - description: 'ReadOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. 
More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' - type: boolean - required: - - endpoints - - path - type: object - hostPath: - description: 'HostPath represents a pre-existing file or directory on the host machine that is directly exposed to the container. This is generally used for system agents or other privileged things that are allowed to see the host machine. Most containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath --- TODO(jonesdl) We need to restrict who can use host directory mounts and who can/can not mount host directories as read/write.' - properties: - path: - description: 'Path of the directory on the host. If the path is a symlink, it will follow the link to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' - type: string - type: - description: 'Type for HostPath Volume Defaults to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' - type: string - required: - - path - type: object - iscsi: - description: 'ISCSI represents an ISCSI Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' - properties: - chapAuthDiscovery: - description: whether support iSCSI Discovery CHAP authentication - type: boolean - chapAuthSession: - description: whether support iSCSI Session CHAP authentication - type: boolean - fsType: - description: 'Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi TODO: how do we prevent errors in the filesystem from compromising the machine' - type: string - initiatorName: - description: Custom iSCSI Initiator Name. 
If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface : will be created for the connection. - type: string - iqn: - description: Target iSCSI Qualified Name. - type: string - iscsiInterface: - description: iSCSI Interface Name that uses an iSCSI transport. Defaults to 'default' (tcp). - type: string - lun: - description: iSCSI Target Lun number. - format: int32 - type: integer - portals: - description: iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260). - items: - type: string - type: array - readOnly: - description: ReadOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. - type: boolean - secretRef: - description: CHAP Secret for iSCSI target and initiator authentication - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - type: object - targetPortal: - description: iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260). - type: string - required: - - iqn - - lun - - targetPortal - type: object - name: - description: 'Volume''s name. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - nfs: - description: 'NFS represents an NFS mount on the host that shares a pod''s lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' - properties: - path: - description: 'Path that is exported by the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' - type: string - readOnly: - description: 'ReadOnly here will force the NFS export to be mounted with read-only permissions. Defaults to false. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' - type: boolean - server: - description: 'Server is the hostname or IP address of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' - type: string - required: - - path - - server - type: object - persistentVolumeClaim: - description: 'PersistentVolumeClaimVolumeSource represents a reference to a PersistentVolumeClaim in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' - properties: - claimName: - description: 'ClaimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' - type: string - readOnly: - description: Will force the ReadOnly setting in VolumeMounts. Default false. - type: boolean - required: - - claimName - type: object - photonPersistentDisk: - description: PhotonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine - properties: - fsType: - description: Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - pdID: - description: ID that identifies Photon Controller persistent disk - type: string - required: - - pdID - type: object - portworxVolume: - description: PortworxVolume represents a portworx volume attached and mounted on kubelets host machine - properties: - fsType: - description: FSType represents the filesystem type to mount Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. 
- type: boolean - volumeID: - description: VolumeID uniquely identifies a Portworx volume - type: string - required: - - volumeID - type: object - projected: - description: Items for all in one resources secrets, configmaps, and downward API - properties: - defaultMode: - description: Mode bits to use on created files by default. Must be a value between 0 and 0777. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set. - format: int32 - type: integer - sources: - description: list of volume projections - items: - description: Projection that may be projected along with other supported volume types - properties: - configMap: - description: information about the configMap data to project - properties: - items: - description: If unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within a volume. - properties: - key: - description: The key to project. - type: string - mode: - description: 'Optional: mode bits to use on this file, must be a value between 0 and 0777. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' - format: int32 - type: integer - path: - description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. 
- type: string - required: - - key - - path - type: object - type: array - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap or its keys must be defined - type: boolean - type: object - downwardAPI: - description: information about the downwardAPI data to project - properties: - items: - description: Items is a list of DownwardAPIVolume file - items: - description: DownwardAPIVolumeFile represents information to create the file containing the pod field - properties: - fieldRef: - description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.' - properties: - apiVersion: - description: Version of the schema the FieldPath is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the specified API version. - type: string - required: - - fieldPath - type: object - mode: - description: 'Optional: mode bits to use on this file, must be a value between 0 and 0777. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' - format: int32 - type: integer - path: - description: 'Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..''' - type: string - resourceFieldRef: - description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.' 
- properties: - containerName: - description: 'Container name: required for volumes, optional for env vars' - type: string - divisor: - description: Specifies the output format of the exposed resources, defaults to "1" - type: string - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - required: - - path - type: object - type: array - type: object - secret: - description: information about the secret data to project - properties: - items: - description: If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within a volume. - properties: - key: - description: The key to project. - type: string - mode: - description: 'Optional: mode bits to use on this file, must be a value between 0 and 0777. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' - format: int32 - type: integer - path: - description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
- type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - type: object - serviceAccountToken: - description: information about the serviceAccountToken data to project - properties: - audience: - description: Audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. The audience defaults to the identifier of the apiserver. - type: string - expirationSeconds: - description: ExpirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, the kubelet volume plugin will proactively rotate the service account token. The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours.Defaults to 1 hour and must be at least 10 minutes. - format: int64 - type: integer - path: - description: Path is the path relative to the mount point of the file to project the token into. - type: string - required: - - path - type: object - type: object - type: array - required: - - sources - type: object - quobyte: - description: Quobyte represents a Quobyte mount on the host that shares a pod's lifetime - properties: - group: - description: Group to map volume access to Default is no group - type: string - readOnly: - description: ReadOnly here will force the Quobyte volume to be mounted with read-only permissions. Defaults to false. 
- type: boolean - registry: - description: Registry represents a single or multiple Quobyte Registry services specified as a string as host:port pair (multiple entries are separated with commas) which acts as the central registry for volumes - type: string - tenant: - description: Tenant owning the given Quobyte volume in the Backend Used with dynamically provisioned Quobyte volumes, value is set by the plugin - type: string - user: - description: User to map volume access to Defaults to serivceaccount user - type: string - volume: - description: Volume is a string that references an already created Quobyte volume by name. - type: string - required: - - registry - - volume - type: object - rbd: - description: 'RBD represents a Rados Block Device mount on the host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md' - properties: - fsType: - description: 'Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd TODO: how do we prevent errors in the filesystem from compromising the machine' - type: string - image: - description: 'The rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - type: string - keyring: - description: 'Keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - type: string - monitors: - description: 'A collection of Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - items: - type: string - type: array - pool: - description: 'The rados pool name. Default is rbd. 
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - type: string - readOnly: - description: 'ReadOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - type: boolean - secretRef: - description: 'SecretRef is name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - type: object - user: - description: 'The rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' - type: string - required: - - image - - monitors - type: object - scaleIO: - description: ScaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. - properties: - fsType: - description: Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Default is "xfs". - type: string - gateway: - description: The host address of the ScaleIO API Gateway. - type: string - protectionDomain: - description: The name of the ScaleIO Protection Domain for the configured storage. - type: string - readOnly: - description: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: SecretRef references to the secret for ScaleIO user and other sensitive information. If this is not provided, Login operation will fail. - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
- type: string - type: object - sslEnabled: - description: Flag to enable/disable SSL communication with Gateway, default false - type: boolean - storageMode: - description: Indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. - type: string - storagePool: - description: The ScaleIO Storage Pool associated with the protection domain. - type: string - system: - description: The name of the storage system as configured in ScaleIO. - type: string - volumeName: - description: The name of a volume already created in the ScaleIO system that is associated with this volume source. - type: string - required: - - gateway - - secretRef - - system - type: object - secret: - description: 'Secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' - properties: - defaultMode: - description: 'Optional: mode bits to use on created files by default. Must be a value between 0 and 0777. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' - format: int32 - type: integer - items: - description: If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. - items: - description: Maps a string key to a path within a volume. - properties: - key: - description: The key to project. 
- type: string - mode: - description: 'Optional: mode bits to use on this file, must be a value between 0 and 0777. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' - format: int32 - type: integer - path: - description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. - type: string - required: - - key - - path - type: object - type: array - optional: - description: Specify whether the Secret or its keys must be defined - type: boolean - secretName: - description: 'Name of the secret in the pod''s namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' - type: string - type: object - storageos: - description: StorageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. - properties: - fsType: - description: Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - readOnly: - description: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. - type: boolean - secretRef: - description: SecretRef specifies the secret to use for obtaining the StorageOS API credentials. If not specified, default values will be attempted. - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - type: object - volumeName: - description: VolumeName is the human-readable name of the StorageOS volume. Volume names are only unique within a namespace. - type: string - volumeNamespace: - description: VolumeNamespace specifies the scope of the volume within StorageOS. 
If no namespace is specified then the Pod's namespace will be used. This allows the Kubernetes name scoping to be mirrored within StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to "default" if you are not using namespaces within StorageOS. Namespaces that do not pre-exist within StorageOS will be created. - type: string - type: object - vsphereVolume: - description: VsphereVolume represents a vSphere volume attached and mounted on kubelets host machine - properties: - fsType: - description: Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - type: string - storagePolicyID: - description: Storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName. - type: string - storagePolicyName: - description: Storage Policy Based Management (SPBM) profile name. - type: string - volumePath: - description: Path that identifies vSphere volume vmdk - type: string - required: - - volumePath - type: object - required: - - name - type: object - type: array - required: - - containers - type: object - type: object - type: object - type: object - required: - - xgbReplicaSpecs - type: object - status: - description: XGBoostJobStatus defines the observed state of XGBoostJob - properties: - completionTime: - description: Represents time when the job was completed. It is not guaranteed to be set in happens-before order across separate operations. It is represented in RFC3339 form and is in UTC. - format: date-time - type: string - conditions: - description: Conditions is an array of current observed job conditions. - items: - description: JobCondition describes the state of the job at a certain point. - properties: - lastTransitionTime: - description: Last time the condition transitioned from one status to another. 
- format: date-time - type: string - lastUpdateTime: - description: The last time this condition was updated. - format: date-time - type: string - message: - description: A human readable message indicating details about the transition. - type: string - reason: - description: The reason for the condition's last transition. - type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: Type of job condition. - type: string - required: - - status - - type - type: object - type: array - lastReconcileTime: - description: Represents last time when the job was reconciled. It is not guaranteed to be set in happens-before order across separate operations. It is represented in RFC3339 form and is in UTC. - format: date-time - type: string - replicaStatuses: - additionalProperties: - description: ReplicaStatus represents the current observed state of the replica. - properties: - active: - description: The number of actively running pods. - format: int32 - type: integer - failed: - description: The number of pods which reached phase Failed. - format: int32 - type: integer - succeeded: - description: The number of pods which reached phase Succeeded. - format: int32 - type: integer - type: object - description: ReplicaStatuses is map of ReplicaType and ReplicaStatus, specifies the status of each replica. - type: object - startTime: - description: Represents time when the job was acknowledged by the job controller. It is not guaranteed to be set in happens-before order across separate operations. It is represented in RFC3339 form and is in UTC. - format: date-time - type: string - required: - - conditions - - replicaStatuses - type: object - type: object - version: v1 - versions: - - name: v1 - served: true - storage: true -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] 
diff --git a/kubeflow/helm/operators/xgboost/deps.yaml b/kubeflow/helm/operators/xgboost/deps.yaml
deleted file mode 100644
index f64a4f3f5..000000000
--- a/kubeflow/helm/operators/xgboost/deps.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: plural.sh/v1alpha1
-kind: Dependencies
-metadata:
- application: true
- description: Deploys kubeflow crafted for the target cloud
-spec:
- dependencies:
- - type: helm
- name: bootstrap
- repo: bootstrap
- version: '>= 0.5.1'
- - type: terraform
- name: aws
- repo: kubeflow
- version: '>= 0.1.0'
- optional: true
- - type: terraform
- name: gcp
- repo: kubeflow
- version: '>= 0.1.0'
- optional: true
diff --git a/kubeflow/helm/operators/xgboost/templates/_helpers.tpl b/kubeflow/helm/operators/xgboost/templates/_helpers.tpl
deleted file mode 100644
index 8356705d8..000000000
--- a/kubeflow/helm/operators/xgboost/templates/_helpers.tpl
+++ /dev/null
@@ -1,64 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "xgboost.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "xgboost.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "xgboost.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "xgboost.labels" -}}
-helm.sh/chart: {{ include "xgboost.chart" . }}
-{{ include "xgboost.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "xgboost.selectorLabels" -}}
-app: {{ include "xgboost.name" . }}
-app.kubernetes.io/name: {{ include "xgboost.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "xgboost.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "xgboost.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
diff --git a/kubeflow/helm/operators/xgboost/templates/clusterrole.yaml b/kubeflow/helm/operators/xgboost/templates/clusterrole.yaml
deleted file mode 100644
index b77a459ac..000000000
--- a/kubeflow/helm/operators/xgboost/templates/clusterrole.yaml
+++ /dev/null
@@ -1,76 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- labels: {{- include "xgboost.labels" . | nindent 4 }}
- name: {{ include "xgboost.fullname" . }}-cluster-role
-rules:
- - apiGroups:
- - apps
- resources:
- - deployments
- - deployments/status
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
- - apiGroups:
- - xgboostjob.kubeflow.org
- resources:
- - xgboostjobs
- - xgboostjobs/status
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
- - apiGroups:
- - admissionregistration.k8s.io
- resources:
- - mutatingwebhookconfigurations
- - validatingwebhookconfigurations
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
- - apiGroups:
- - ""
- resources:
- - configmaps
- - endpoints
- - events
- - namespaces
- - persistentvolumeclaims
- - pods
- - secrets
- - services
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
- - apiGroups:
- - storage.k8s.io
- resources:
- - storageclasses
- verbs:
- - get
- - list
- - watch
- - create
- - update
- - patch
- - delete
diff --git a/kubeflow/helm/operators/xgboost/templates/clusterrolebinding.yaml b/kubeflow/helm/operators/xgboost/templates/clusterrolebinding.yaml
deleted file mode 100644
index 85abfb61b..000000000
--- a/kubeflow/helm/operators/xgboost/templates/clusterrolebinding.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels: {{- include "xgboost.labels" . | nindent 4 }}
- name: {{ include "xgboost.fullname" . }}-cluster-role-binding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ include "xgboost.fullname" . }}-cluster-role
-subjects:
- - kind: ServiceAccount
- name: {{ include "xgboost.serviceAccountName" . }}
- namespace: kubeflow
diff --git a/kubeflow/helm/operators/xgboost/templates/configmap.yaml b/kubeflow/helm/operators/xgboost/templates/configmap.yaml
deleted file mode 100644
index a6ae2a803..000000000
--- a/kubeflow/helm/operators/xgboost/templates/configmap.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- labels: {{- include "xgboost.labels" . | nindent 4 }}
- name: {{ include "xgboost.fullname" . }}-config
- namespace: kubeflow
diff --git a/kubeflow/helm/operators/xgboost/templates/deployment.yaml b/kubeflow/helm/operators/xgboost/templates/deployment.yaml
deleted file mode 100644
index 475ae457c..000000000
--- a/kubeflow/helm/operators/xgboost/templates/deployment.yaml
+++ /dev/null
@@ -1,64 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ include "xgboost.fullname" . }}
- labels:
- {{- include "xgboost.labels" . | nindent 4 }}
-spec:
- {{- if not .Values.autoscaling.enabled }}
- replicas: {{ .Values.replicaCount }}
- {{- end }}
- selector:
- matchLabels:
- {{- include "xgboost.selectorLabels" . | nindent 6 }}
- template:
- metadata:
- {{- with .Values.podAnnotations }}
- annotations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- labels:
- {{- include "xgboost.selectorLabels" . | nindent 8 }}
- spec:
- {{- with .Values.imagePullSecrets }}
- imagePullSecrets:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- serviceAccountName: {{ include "xgboost.serviceAccountName" . }}
- securityContext:
- {{- toYaml .Values.podSecurityContext | nindent 8 }}
- containers:
- - name: {{ .Chart.Name }}
- securityContext:
- {{- toYaml .Values.securityContext | nindent 12 }}
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- command:
- - /root/manager
- - -mode=in-cluster
- ports:
- - name: metrics
- containerPort: 8080
- protocol: TCP
- livenessProbe:
- httpGet:
- path: /metrics
- port: metrics
- readinessProbe:
- httpGet:
- path: /metrics
- port: metrics
- resources:
- {{- toYaml .Values.resources | nindent 12 }}
- {{- with .Values.nodeSelector }}
- nodeSelector:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.affinity }}
- affinity:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.tolerations }}
- tolerations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
diff --git a/kubeflow/helm/operators/xgboost/templates/hpa.yaml b/kubeflow/helm/operators/xgboost/templates/hpa.yaml
deleted file mode 100644
index 46a505722..000000000
--- a/kubeflow/helm/operators/xgboost/templates/hpa.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{- if .Values.autoscaling.enabled }}
-apiVersion: autoscaling/v2beta1
-kind: HorizontalPodAutoscaler
-metadata:
- name: {{ include "xgboost.fullname" . }}
- labels:
- {{- include "xgboost.labels" . | nindent 4 }}
-spec:
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: {{ include "xgboost.fullname" . }}
- minReplicas: {{ .Values.autoscaling.minReplicas }}
- maxReplicas: {{ .Values.autoscaling.maxReplicas }}
- metrics:
- {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
- - type: Resource
- resource:
- name: cpu
- targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
- {{- end }}
- {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
- - type: Resource
- resource:
- name: memory
- targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
- {{- end }}
-{{- end }}
diff --git a/kubeflow/helm/operators/xgboost/templates/service.yaml b/kubeflow/helm/operators/xgboost/templates/service.yaml
deleted file mode 100644
index 6a64f29c6..000000000
--- a/kubeflow/helm/operators/xgboost/templates/service.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "xgboost.fullname" . }}
- namespace: kubeflow
- labels:
- {{- include "xgboost.labels" . | nindent 4 }}
- annotations:
- prometheus.io/path: /metrics
- prometheus.io/port: {{ .Values.service.port | quote }}
- prometheus.io/scrape: "true"
-spec:
- type: ClusterIP
- ports:
- - port: {{ .Values.service.port }}
- targetPort: metrics
- protocol: TCP
- name: http-metrics
- selector:
- {{- include "xgboost.selectorLabels" . | nindent 4 }}
diff --git a/kubeflow/helm/operators/xgboost/templates/serviceaccount.yaml b/kubeflow/helm/operators/xgboost/templates/serviceaccount.yaml
deleted file mode 100644
index 01565429b..000000000
--- a/kubeflow/helm/operators/xgboost/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-{{- if .Values.serviceAccount.create -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "xgboost.serviceAccountName" . }}
- namespace: kubeflow
- labels:
- {{- include "xgboost.labels" . | nindent 4 }}
- {{- with .Values.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-{{- end }}
diff --git a/kubeflow/helm/operators/xgboost/values.yaml b/kubeflow/helm/operators/xgboost/values.yaml
deleted file mode 100644
index cd8fe4b9c..000000000
--- a/kubeflow/helm/operators/xgboost/values.yaml
+++ /dev/null
@@ -1,63 +0,0 @@
-# Default values for xgboost.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-replicaCount: 1
-
-image:
- repository: kubeflow/xgboost-operator
- pullPolicy: IfNotPresent
- # Overrides the image tag whose default is the chart appVersion.
- tag: v0.2.0
-
-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
-
-serviceAccount:
- # Specifies whether a service account should be created
- create: true
- # Annotations to add to the service account
- annotations: {}
- # The name of the service account to use.
- # If not set and create is true, a name is generated using the fullname template
- name: ""
-
-podAnnotations:
- sidecar.istio.io/inject: "true"
- cluster-autoscaler.kubernetes.io/safe-to-evict: "true"
-
-podSecurityContext: {}
- # fsGroup: 2000
-
-securityContext: {}
- # capabilities:
- # drop:
- # - ALL
- # readOnlyRootFilesystem: true
- # runAsNonRoot: true
- # runAsUser: 1000
-
-service:
- port: 8080
-
-resources:
- requests:
- cpu: 11m
- memory: 53Mi
- limits:
- cpu: 11m
- memory: 53Mi
-
-autoscaling:
- enabled: false
- minReplicas: 1
- maxReplicas: 100
- targetCPUUtilizationPercentage: 80
- # targetMemoryUtilizationPercentage: 80
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}
diff --git a/kubeflow/helm/operators/xgboost/values.yaml.tpl b/kubeflow/helm/operators/xgboost/values.yaml.tpl deleted file mode 100644 index 9e26dfeeb..000000000 --- a/kubeflow/helm/operators/xgboost/values.yaml.tpl +++ /dev/null @@ -1 +0,0 @@ -{} \ No newline at end of file diff --git a/kubeflow/helm/pipelines/templates/api-server/authorizationpolicy.yaml b/kubeflow/helm/pipelines/templates/api-server/authorizationpolicy.yaml index 17d57b6de..cd67e0d38 100644 --- a/kubeflow/helm/pipelines/templates/api-server/authorizationpolicy.yaml +++ b/kubeflow/helm/pipelines/templates/api-server/authorizationpolicy.yaml @@ -3,7 +3,6 @@ kind: AuthorizationPolicy metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-api-server - namespace: kubeflow spec: rules: - from: diff --git a/kubeflow/helm/pipelines/templates/api-server/clusterrolebinding.yaml b/kubeflow/helm/pipelines/templates/api-server/clusterrolebinding.yaml index 23f8c772d..c0521f7da 100644 --- a/kubeflow/helm/pipelines/templates/api-server/clusterrolebinding.yaml +++ b/kubeflow/helm/pipelines/templates/api-server/clusterrolebinding.yaml @@ -10,4 +10,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "pipelines.serviceAccountName" . }}-api-server - namespace: kubeflow + namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/pipelines/templates/api-server/configmap.yaml b/kubeflow/helm/pipelines/templates/api-server/configmap.yaml index 364dae920..509434d7b 100644 --- a/kubeflow/helm/pipelines/templates/api-server/configmap.yaml +++ b/kubeflow/helm/pipelines/templates/api-server/configmap.yaml @@ -11,4 +11,3 @@ kind: ConfigMap metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-api-server-parameters - namespace: kubeflow 
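Review bot: In api-server/clusterrolebinding.yaml the subject namespace now follows `{{ .Release.Namespace }}`, while the ServiceAccount it names (api-server/serviceaccount.yaml, later in this patch) simply drops `metadata.namespace`, so the two agree only when the installer places un-namespaced objects in the release namespace. If the chart is rendered with `helm template` and applied into a different namespace, the binding would grant its role to a ServiceAccount name in a namespace where this chart never created that account. Writing `namespace: {{ .Release.Namespace }}` on the ServiceAccount metadata instead of removing the field keeps both sides pinned to the same value. The same pairing recurs in the rolebinding and clusterrolebinding hunks for api-server, argo-workflow-controller and cache/deployer. The binding's metadata and roleRef begin above the hunk, so the role being granted is not visible here.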
diff --git a/kubeflow/helm/pipelines/templates/api-server/deployment.yaml b/kubeflow/helm/pipelines/templates/api-server/deployment.yaml index 7bb9dca15..74592d2fb 100644 --- a/kubeflow/helm/pipelines/templates/api-server/deployment.yaml +++ b/kubeflow/helm/pipelines/templates/api-server/deployment.yaml @@ -2,7 +2,6 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "pipelines.fullname" . }}-api-server - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} spec: diff --git a/kubeflow/helm/pipelines/templates/api-server/destinationrule.yaml b/kubeflow/helm/pipelines/templates/api-server/destinationrule.yaml index 920e8da84..f2c196287 100644 --- a/kubeflow/helm/pipelines/templates/api-server/destinationrule.yaml +++ b/kubeflow/helm/pipelines/templates/api-server/destinationrule.yaml @@ -3,7 +3,6 @@ kind: DestinationRule metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-api-server - namespace: kubeflow spec: host: {{ include "pipelines.fullname" . }}-api-server.kubeflow.svc.{{ .Values.global.clusterDomain }} trafficPolicy: diff --git a/kubeflow/helm/pipelines/templates/api-server/role.yaml b/kubeflow/helm/pipelines/templates/api-server/role.yaml index 99e9ed37d..850f0bfe6 100644 --- a/kubeflow/helm/pipelines/templates/api-server/role.yaml +++ b/kubeflow/helm/pipelines/templates/api-server/role.yaml @@ -3,7 +3,6 @@ kind: Role metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-api-server-role - namespace: kubeflow rules: - apiGroups: - "" diff --git a/kubeflow/helm/pipelines/templates/api-server/rolebinding.yaml b/kubeflow/helm/pipelines/templates/api-server/rolebinding.yaml index 866849006..7bd41acb9 100644 --- a/kubeflow/helm/pipelines/templates/api-server/rolebinding.yaml +++ b/kubeflow/helm/pipelines/templates/api-server/rolebinding.yaml 
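Review bot: The DestinationRule in api-server/destinationrule.yaml loses its fixed `namespace: kubeflow`, but the `host:` on the context line right after `spec:` still hard-codes `.kubeflow.svc.`. Installed into any other release namespace, the rule would name a service that does not exist there, and the `trafficPolicy` that follows (its body is outside the hunk) would not apply to the real api-server service. Deriving the host from the release keeps them aligned: `host: {{ include "pipelines.fullname" . }}-api-server.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}`. Other `kubeflow` literals outside these hunks, for example principals in the AuthorizationPolicy rules, may need the same check.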
@@ -3,7 +3,6 @@ kind: RoleBinding metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-api-server-role-binding - namespace: kubeflow roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -11,4 +10,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "pipelines.serviceAccountName" . }}-api-server - namespace: kubeflow + namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/pipelines/templates/api-server/service.yaml b/kubeflow/helm/pipelines/templates/api-server/service.yaml index 038b6ff9a..1f8c6d3af 100644 --- a/kubeflow/helm/pipelines/templates/api-server/service.yaml +++ b/kubeflow/helm/pipelines/templates/api-server/service.yaml @@ -2,7 +2,6 @@ apiVersion: v1 kind: Service metadata: name: {{ include "pipelines.fullname" . }}-api-server - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} annotations: @@ -27,7 +26,6 @@ apiVersion: v1 kind: Service metadata: name: ml-pipeline - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} annotations: @@ -46,4 +44,4 @@ spec: protocol: TCP name: grpc-api-server selector: - {{- include "pipelines.apiServerSelectorLabels" . | nindent 4 }} \ No newline at end of file + {{- include "pipelines.apiServerSelectorLabels" . | nindent 4 }} diff --git a/kubeflow/helm/pipelines/templates/api-server/serviceaccount.yaml b/kubeflow/helm/pipelines/templates/api-server/serviceaccount.yaml index 3a169c4b9..f5673d4d3 100644 --- a/kubeflow/helm/pipelines/templates/api-server/serviceaccount.yaml +++ b/kubeflow/helm/pipelines/templates/api-server/serviceaccount.yaml @@ -3,7 +3,6 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "pipelines.serviceAccountName" . }}-api-server - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} 
diff --git a/kubeflow/helm/pipelines/templates/argo-workflow-controller/clusterrolebinding.yaml b/kubeflow/helm/pipelines/templates/argo-workflow-controller/clusterrolebinding.yaml index 7e3888e41..3f11d76fe 100644 --- a/kubeflow/helm/pipelines/templates/argo-workflow-controller/clusterrolebinding.yaml +++ b/kubeflow/helm/pipelines/templates/argo-workflow-controller/clusterrolebinding.yaml @@ -10,4 +10,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "pipelines.serviceAccountName" . }}-argo-workflow-controller - namespace: kubeflow + namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/pipelines/templates/argo-workflow-controller/configmap.yaml b/kubeflow/helm/pipelines/templates/argo-workflow-controller/configmap.yaml index 14dadc470..303fc5bc5 100644 --- a/kubeflow/helm/pipelines/templates/argo-workflow-controller/configmap.yaml +++ b/kubeflow/helm/pipelines/templates/argo-workflow-controller/configmap.yaml @@ -14,7 +14,6 @@ kind: ConfigMap metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-argo-workflow-controller - namespace: kubeflow --- apiVersion: v1 data: @@ -33,4 +32,3 @@ metadata: annotations: workflows.argoproj.io/default-artifact-repository: default-v1 name: artifact-repositories - namespace: kubeflow diff --git a/kubeflow/helm/pipelines/templates/argo-workflow-controller/deployment.yaml b/kubeflow/helm/pipelines/templates/argo-workflow-controller/deployment.yaml index 10f9a03f7..d4ed2baec 100644 --- a/kubeflow/helm/pipelines/templates/argo-workflow-controller/deployment.yaml +++ b/kubeflow/helm/pipelines/templates/argo-workflow-controller/deployment.yaml @@ -2,7 +2,6 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "pipelines.fullname" . }}-argo-workflow-controller - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} spec: 
diff --git a/kubeflow/helm/pipelines/templates/argo-workflow-controller/role.yaml b/kubeflow/helm/pipelines/templates/argo-workflow-controller/role.yaml index f843b439b..6f2a18818 100644 --- a/kubeflow/helm/pipelines/templates/argo-workflow-controller/role.yaml +++ b/kubeflow/helm/pipelines/templates/argo-workflow-controller/role.yaml @@ -3,7 +3,6 @@ kind: Role metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-argo-workflow-controller-role - namespace: kubeflow rules: - apiGroups: - coordination.k8s.io diff --git a/kubeflow/helm/pipelines/templates/argo-workflow-controller/rolebinding.yaml b/kubeflow/helm/pipelines/templates/argo-workflow-controller/rolebinding.yaml index 6666ad5f3..e478c2d23 100644 --- a/kubeflow/helm/pipelines/templates/argo-workflow-controller/rolebinding.yaml +++ b/kubeflow/helm/pipelines/templates/argo-workflow-controller/rolebinding.yaml @@ -3,7 +3,6 @@ kind: RoleBinding metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-argo-workflow-controller-role-binding - namespace: kubeflow roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -11,4 +10,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "pipelines.serviceAccountName" . }}-argo-workflow-controller - namespace: kubeflow + namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/pipelines/templates/argo-workflow-controller/service.yaml b/kubeflow/helm/pipelines/templates/argo-workflow-controller/service.yaml index c5be8e6f5..ae3294128 100644 --- a/kubeflow/helm/pipelines/templates/argo-workflow-controller/service.yaml +++ b/kubeflow/helm/pipelines/templates/argo-workflow-controller/service.yaml @@ -2,7 +2,6 @@ apiVersion: v1 kind: Service metadata: name: {{ include "pipelines.fullname" . }}-argo-workflow-controller - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} spec: 
diff --git a/kubeflow/helm/pipelines/templates/argo-workflow-controller/serviceaccount.yaml b/kubeflow/helm/pipelines/templates/argo-workflow-controller/serviceaccount.yaml index a284a4f66..1b712d215 100644 --- a/kubeflow/helm/pipelines/templates/argo-workflow-controller/serviceaccount.yaml +++ b/kubeflow/helm/pipelines/templates/argo-workflow-controller/serviceaccount.yaml @@ -3,7 +3,6 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "pipelines.serviceAccountName" . }}-argo-workflow-controller - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} diff --git a/kubeflow/helm/pipelines/templates/cache/deployer/clusterrolebinding.yaml b/kubeflow/helm/pipelines/templates/cache/deployer/clusterrolebinding.yaml index a6c24cd5e..3b337c022 100644 --- a/kubeflow/helm/pipelines/templates/cache/deployer/clusterrolebinding.yaml +++ b/kubeflow/helm/pipelines/templates/cache/deployer/clusterrolebinding.yaml @@ -10,4 +10,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "pipelines.serviceAccountName" . }}-cache-deployer - namespace: kubeflow + namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/pipelines/templates/cache/deployer/deployment.yaml b/kubeflow/helm/pipelines/templates/cache/deployer/deployment.yaml index 5b367987e..5cb259f7a 100644 --- a/kubeflow/helm/pipelines/templates/cache/deployer/deployment.yaml +++ b/kubeflow/helm/pipelines/templates/cache/deployer/deployment.yaml @@ -2,7 +2,6 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "pipelines.fullname" . }}-cache-deployer - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} spec: diff --git a/kubeflow/helm/pipelines/templates/cache/deployer/role.yaml b/kubeflow/helm/pipelines/templates/cache/deployer/role.yaml index 8e91abdf0..2cd93a8bc 100644 --- a/kubeflow/helm/pipelines/templates/cache/deployer/role.yaml 
+++ b/kubeflow/helm/pipelines/templates/cache/deployer/role.yaml @@ -3,7 +3,6 @@ kind: Role metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-cache-deployer-role - namespace: kubeflow rules: - apiGroups: - "" diff --git a/kubeflow/helm/pipelines/templates/cache/deployer/rolebinding.yaml b/kubeflow/helm/pipelines/templates/cache/deployer/rolebinding.yaml index 7c777345a..e0addcb35 100644 --- a/kubeflow/helm/pipelines/templates/cache/deployer/rolebinding.yaml +++ b/kubeflow/helm/pipelines/templates/cache/deployer/rolebinding.yaml @@ -3,7 +3,6 @@ kind: RoleBinding metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-cache-deployer-role-binding - namespace: kubeflow roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -11,4 +10,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "pipelines.serviceAccountName" . }}-cache-deployer - namespace: kubeflow + namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/pipelines/templates/cache/deployer/serviceaccount.yaml b/kubeflow/helm/pipelines/templates/cache/deployer/serviceaccount.yaml index aebba16e6..5b4d5236e 100644 --- a/kubeflow/helm/pipelines/templates/cache/deployer/serviceaccount.yaml +++ b/kubeflow/helm/pipelines/templates/cache/deployer/serviceaccount.yaml @@ -3,7 +3,6 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "pipelines.serviceAccountName" . }}-cache-deployer - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} diff --git a/kubeflow/helm/pipelines/templates/cache/server/authorizationpolicy.yaml b/kubeflow/helm/pipelines/templates/cache/server/authorizationpolicy.yaml index 92748dfdf..5b25683da 100644 --- a/kubeflow/helm/pipelines/templates/cache/server/authorizationpolicy.yaml +++ b/kubeflow/helm/pipelines/templates/cache/server/authorizationpolicy.yaml 
@@ -3,7 +3,6 @@ kind: AuthorizationPolicy metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-cache-server - namespace: kubeflow spec: rules: - {} diff --git a/kubeflow/helm/pipelines/templates/cache/server/clusterrolebinding.yaml b/kubeflow/helm/pipelines/templates/cache/server/clusterrolebinding.yaml index d141234ca..41eb9b22a 100644 --- a/kubeflow/helm/pipelines/templates/cache/server/clusterrolebinding.yaml +++ b/kubeflow/helm/pipelines/templates/cache/server/clusterrolebinding.yaml @@ -10,4 +10,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "pipelines.serviceAccountName" . }}-cache-server - namespace: kubeflow + namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/pipelines/templates/cache/server/deployment.yaml b/kubeflow/helm/pipelines/templates/cache/server/deployment.yaml index ff6d91c43..29c4b8d07 100644 --- a/kubeflow/helm/pipelines/templates/cache/server/deployment.yaml +++ b/kubeflow/helm/pipelines/templates/cache/server/deployment.yaml @@ -2,7 +2,6 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "pipelines.fullname" . }}-cache-server - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} spec: diff --git a/kubeflow/helm/pipelines/templates/cache/server/role.yaml b/kubeflow/helm/pipelines/templates/cache/server/role.yaml index 9733f7865..24abe16f1 100644 --- a/kubeflow/helm/pipelines/templates/cache/server/role.yaml +++ b/kubeflow/helm/pipelines/templates/cache/server/role.yaml @@ -3,7 +3,6 @@ kind: Role metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-cache-server-role - namespace: kubeflow rules: - apiGroups: - "" diff --git a/kubeflow/helm/pipelines/templates/cache/server/rolebinding.yaml b/kubeflow/helm/pipelines/templates/cache/server/rolebinding.yaml index 89b326f85..d7dcec16e 100644 --- a/kubeflow/helm/pipelines/templates/cache/server/rolebinding.yaml 
+++ b/kubeflow/helm/pipelines/templates/cache/server/rolebinding.yaml @@ -3,7 +3,6 @@ kind: RoleBinding metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-cache-server-role-binding - namespace: kubeflow roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -11,4 +10,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "pipelines.serviceAccountName" . }}-cache-server - namespace: kubeflow + namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/pipelines/templates/cache/server/service.yaml b/kubeflow/helm/pipelines/templates/cache/server/service.yaml index 7e6d15f55..895389e01 100644 --- a/kubeflow/helm/pipelines/templates/cache/server/service.yaml +++ b/kubeflow/helm/pipelines/templates/cache/server/service.yaml @@ -2,7 +2,6 @@ apiVersion: v1 kind: Service metadata: name: {{ include "pipelines.fullname" . }}-cache-server - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} spec: diff --git a/kubeflow/helm/pipelines/templates/cache/server/serviceaccount.yaml b/kubeflow/helm/pipelines/templates/cache/server/serviceaccount.yaml index af7827f48..5372008aa 100644 --- a/kubeflow/helm/pipelines/templates/cache/server/serviceaccount.yaml +++ b/kubeflow/helm/pipelines/templates/cache/server/serviceaccount.yaml @@ -3,7 +3,6 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "pipelines.serviceAccountName" . }}-cache-server - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} diff --git a/kubeflow/helm/pipelines/templates/configmap.yaml b/kubeflow/helm/pipelines/templates/configmap.yaml index 551ee5163..f629a6678 100644 --- a/kubeflow/helm/pipelines/templates/configmap.yaml +++ b/kubeflow/helm/pipelines/templates/configmap.yaml @@ -25,4 +25,3 @@ metadata: app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines name: pipeline-install-config - namespace: kubeflow 
diff --git a/kubeflow/helm/pipelines/templates/database/database-user.yaml b/kubeflow/helm/pipelines/templates/database/database-user.yaml index c69fc6853..39238c606 100644 --- a/kubeflow/helm/pipelines/templates/database/database-user.yaml +++ b/kubeflow/helm/pipelines/templates/database/database-user.yaml @@ -2,13 +2,12 @@ apiVersion: mysql.presslabs.org/v1alpha1 kind: MysqlUser metadata: name: pipelines-mysql-user - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} spec: user: {{ .Values.config.databases.connection.username }} clusterRef: name: kubeflow-mysql-cluster - namespace: kubeflow + namespace: {{ .Release.Namespace }} password: name: pipelines-db-user key: PASSWORD diff --git a/kubeflow/helm/pipelines/templates/database/databases.yaml b/kubeflow/helm/pipelines/templates/database/databases.yaml index c09934524..15b27c04b 100644 --- a/kubeflow/helm/pipelines/templates/database/databases.yaml +++ b/kubeflow/helm/pipelines/templates/database/databases.yaml 
@@ -2,34 +2,31 @@ apiVersion: mysql.presslabs.org/v1alpha1 kind: MysqlDatabase metadata: name: pipelines-database - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} spec: database: {{ .Values.config.databases.pipelineDB }} clusterRef: name: kubeflow-mysql-cluster - namespace: kubeflow + namespace: {{ .Release.Namespace }} --- apiVersion: mysql.presslabs.org/v1alpha1 kind: MysqlDatabase metadata: name: pipelines-cache-database - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} spec: database: {{ .Values.config.databases.cacheDB }} clusterRef: name: kubeflow-mysql-cluster - namespace: kubeflow + namespace: {{ .Release.Namespace }} --- apiVersion: mysql.presslabs.org/v1alpha1 kind: MysqlDatabase metadata: name: pipelines-metadata-database - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} spec: database: {{ .Values.config.databases.metadataDB }} clusterRef: name: kubeflow-mysql-cluster - namespace: kubeflow + namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/pipelines/templates/database/secrets.yaml b/kubeflow/helm/pipelines/templates/database/secrets.yaml index 7139e4975..103482f75 100644 --- a/kubeflow/helm/pipelines/templates/database/secrets.yaml +++ b/kubeflow/helm/pipelines/templates/database/secrets.yaml @@ -2,7 +2,6 @@ apiVersion: v1 kind: Secret metadata: name: pipelines-db-user - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} type: Opaque data: diff --git a/kubeflow/helm/pipelines/templates/metadata/envoy/configmap.yaml b/kubeflow/helm/pipelines/templates/metadata/envoy/configmap.yaml index 1ee736666..f23b66c1e 100644 --- a/kubeflow/helm/pipelines/templates/metadata/envoy/configmap.yaml +++ b/kubeflow/helm/pipelines/templates/metadata/envoy/configmap.yaml 
@@ -49,4 +49,3 @@ kind: ConfigMap metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-metadata-envoy-config - namespace: kubeflow diff --git a/kubeflow/helm/pipelines/templates/metadata/envoy/deployment.yaml b/kubeflow/helm/pipelines/templates/metadata/envoy/deployment.yaml index d0091dd25..d1bc0bd08 100644 --- a/kubeflow/helm/pipelines/templates/metadata/envoy/deployment.yaml +++ b/kubeflow/helm/pipelines/templates/metadata/envoy/deployment.yaml @@ -2,7 +2,6 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "pipelines.fullname" . }}-metadata-envoy - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} spec: diff --git a/kubeflow/helm/pipelines/templates/metadata/envoy/service.yaml b/kubeflow/helm/pipelines/templates/metadata/envoy/service.yaml index a5cbc24cb..85dd9bc2f 100644 --- a/kubeflow/helm/pipelines/templates/metadata/envoy/service.yaml +++ b/kubeflow/helm/pipelines/templates/metadata/envoy/service.yaml @@ -2,7 +2,6 @@ apiVersion: v1 kind: Service metadata: name: {{ include "pipelines.fullname" . }}-metadata-envoy - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} spec: diff --git a/kubeflow/helm/pipelines/templates/metadata/envoy/serviceaccount.yaml b/kubeflow/helm/pipelines/templates/metadata/envoy/serviceaccount.yaml index 563d25c8f..bbeff7761 100644 --- a/kubeflow/helm/pipelines/templates/metadata/envoy/serviceaccount.yaml +++ b/kubeflow/helm/pipelines/templates/metadata/envoy/serviceaccount.yaml @@ -3,7 +3,6 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "pipelines.serviceAccountName" . }}-metadata-envoy - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} 
diff --git a/kubeflow/helm/pipelines/templates/metadata/grpc-server/authorizationpolicy.yaml b/kubeflow/helm/pipelines/templates/metadata/grpc-server/authorizationpolicy.yaml index e2af45e64..b46b9d511 100644 --- a/kubeflow/helm/pipelines/templates/metadata/grpc-server/authorizationpolicy.yaml +++ b/kubeflow/helm/pipelines/templates/metadata/grpc-server/authorizationpolicy.yaml @@ -3,7 +3,6 @@ kind: AuthorizationPolicy metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-metadata-grpc-server - namespace: kubeflow spec: action: ALLOW rules: diff --git a/kubeflow/helm/pipelines/templates/metadata/grpc-server/deployment.yaml b/kubeflow/helm/pipelines/templates/metadata/grpc-server/deployment.yaml index 2b2477480..7594ecb6e 100644 --- a/kubeflow/helm/pipelines/templates/metadata/grpc-server/deployment.yaml +++ b/kubeflow/helm/pipelines/templates/metadata/grpc-server/deployment.yaml @@ -2,7 +2,6 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "pipelines.fullname" . }}-metadata-grpc-server - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} spec: diff --git a/kubeflow/helm/pipelines/templates/metadata/grpc-server/destinationrule.yaml b/kubeflow/helm/pipelines/templates/metadata/grpc-server/destinationrule.yaml index 2ef3eea28..9e261332d 100644 --- a/kubeflow/helm/pipelines/templates/metadata/grpc-server/destinationrule.yaml +++ b/kubeflow/helm/pipelines/templates/metadata/grpc-server/destinationrule.yaml @@ -3,7 +3,6 @@ kind: DestinationRule metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-metadata-grpc-server - namespace: kubeflow spec: host: {{ include "pipelines.fullname" . }}-metadata-grpc-server.kubeflow.svc.{{ .Values.global.clusterDomain }} trafficPolicy: 
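Review bot: The `host:` line in metadata/grpc-server/destinationrule.yaml still hard-codes `.kubeflow.svc.` although this hunk removes `namespace: kubeflow` from the rule's metadata, so in a release installed outside `kubeflow` the rule names a service in another namespace and its `trafficPolicy` would presumably not apply to the traffic it was written for. The host should follow the release: `host: {{ include "pipelines.fullname" . }}-metadata-grpc-server.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}`. The same leftover is in visualization-server/destinationrule.yaml and web-app/destinationrule.yaml. The contents of `trafficPolicy` are outside the hunk, so which settings (for example the TLS mode) silently stop applying cannot be told from here.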
diff --git a/kubeflow/helm/pipelines/templates/metadata/grpc-server/service.yaml b/kubeflow/helm/pipelines/templates/metadata/grpc-server/service.yaml index 70a164fd0..0f261ea06 100644 --- a/kubeflow/helm/pipelines/templates/metadata/grpc-server/service.yaml +++ b/kubeflow/helm/pipelines/templates/metadata/grpc-server/service.yaml @@ -2,7 +2,6 @@ apiVersion: v1 kind: Service metadata: name: {{ include "pipelines.fullname" . }}-metadata-grpc-server - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} spec: diff --git a/kubeflow/helm/pipelines/templates/metadata/grpc-server/serviceaccount.yaml b/kubeflow/helm/pipelines/templates/metadata/grpc-server/serviceaccount.yaml index b3be26eb9..2921299da 100644 --- a/kubeflow/helm/pipelines/templates/metadata/grpc-server/serviceaccount.yaml +++ b/kubeflow/helm/pipelines/templates/metadata/grpc-server/serviceaccount.yaml @@ -3,7 +3,6 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "pipelines.serviceAccountName" . }}-metadata-grpc-server - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} diff --git a/kubeflow/helm/pipelines/templates/metadata/grpc-server/virtualservice.yaml b/kubeflow/helm/pipelines/templates/metadata/grpc-server/virtualservice.yaml index 181210e70..f838b528d 100644 --- a/kubeflow/helm/pipelines/templates/metadata/grpc-server/virtualservice.yaml +++ b/kubeflow/helm/pipelines/templates/metadata/grpc-server/virtualservice.yaml @@ -2,7 +2,6 @@ apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: {{ include "pipelines.fullname" . }}-metadata-grpc-server - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} {{- with .Values.metadata.grpc.virtualService.annotations }} annotations: 
diff --git a/kubeflow/helm/pipelines/templates/metadata/writer/clusterrolebinding.yaml b/kubeflow/helm/pipelines/templates/metadata/writer/clusterrolebinding.yaml index 40607fb0d..b88fc9a02 100644 --- a/kubeflow/helm/pipelines/templates/metadata/writer/clusterrolebinding.yaml +++ b/kubeflow/helm/pipelines/templates/metadata/writer/clusterrolebinding.yaml @@ -10,4 +10,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "pipelines.serviceAccountName" . }}-metadata-writer - namespace: kubeflow + namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/pipelines/templates/metadata/writer/deployment.yaml b/kubeflow/helm/pipelines/templates/metadata/writer/deployment.yaml index 5afc4cd6f..2fae96466 100644 --- a/kubeflow/helm/pipelines/templates/metadata/writer/deployment.yaml +++ b/kubeflow/helm/pipelines/templates/metadata/writer/deployment.yaml @@ -2,7 +2,6 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "pipelines.fullname" . }}-metadata-writer - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} spec: diff --git a/kubeflow/helm/pipelines/templates/metadata/writer/role.yaml b/kubeflow/helm/pipelines/templates/metadata/writer/role.yaml index 7f1c53367..2ae7cc83c 100644 --- a/kubeflow/helm/pipelines/templates/metadata/writer/role.yaml +++ b/kubeflow/helm/pipelines/templates/metadata/writer/role.yaml @@ -3,7 +3,6 @@ kind: Role metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-metadata-writer-role - namespace: kubeflow rules: - apiGroups: - "" diff --git a/kubeflow/helm/pipelines/templates/metadata/writer/rolebinding.yaml b/kubeflow/helm/pipelines/templates/metadata/writer/rolebinding.yaml index aeb20a09f..aa736866a 100644 --- a/kubeflow/helm/pipelines/templates/metadata/writer/rolebinding.yaml +++ b/kubeflow/helm/pipelines/templates/metadata/writer/rolebinding.yaml 
@@ -3,7 +3,6 @@ kind: RoleBinding metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-metadata-writer-role-binding - namespace: kubeflow roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -11,4 +10,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "pipelines.serviceAccountName" . }}-metadata-writer - namespace: kubeflow + namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/pipelines/templates/metadata/writer/serviceaccount.yaml b/kubeflow/helm/pipelines/templates/metadata/writer/serviceaccount.yaml index 9444ebef3..4211dedea 100644 --- a/kubeflow/helm/pipelines/templates/metadata/writer/serviceaccount.yaml +++ b/kubeflow/helm/pipelines/templates/metadata/writer/serviceaccount.yaml @@ -3,7 +3,6 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "pipelines.serviceAccountName" . }}-metadata-writer - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} diff --git a/kubeflow/helm/pipelines/templates/persistence-agent/clusterrolebinding.yaml b/kubeflow/helm/pipelines/templates/persistence-agent/clusterrolebinding.yaml index be8c80a8a..34205fb70 100644 --- a/kubeflow/helm/pipelines/templates/persistence-agent/clusterrolebinding.yaml +++ b/kubeflow/helm/pipelines/templates/persistence-agent/clusterrolebinding.yaml @@ -10,4 +10,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "pipelines.serviceAccountName" . }}-persistence-agent - namespace: kubeflow + namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/pipelines/templates/persistence-agent/deployment.yaml b/kubeflow/helm/pipelines/templates/persistence-agent/deployment.yaml index 0a183ae1e..c9fb008de 100644 --- a/kubeflow/helm/pipelines/templates/persistence-agent/deployment.yaml +++ b/kubeflow/helm/pipelines/templates/persistence-agent/deployment.yaml 
@@ -2,7 +2,6 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "pipelines.fullname" . }}-persistence-agent - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} spec: diff --git a/kubeflow/helm/pipelines/templates/persistence-agent/role.yaml b/kubeflow/helm/pipelines/templates/persistence-agent/role.yaml index c67191c4c..b782cbc08 100644 --- a/kubeflow/helm/pipelines/templates/persistence-agent/role.yaml +++ b/kubeflow/helm/pipelines/templates/persistence-agent/role.yaml @@ -3,7 +3,6 @@ kind: Role metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-persistence-agent-role - namespace: kubeflow rules: - apiGroups: - argoproj.io diff --git a/kubeflow/helm/pipelines/templates/persistence-agent/rolebinding.yaml b/kubeflow/helm/pipelines/templates/persistence-agent/rolebinding.yaml index 4dfb7910a..be7a225a1 100644 --- a/kubeflow/helm/pipelines/templates/persistence-agent/rolebinding.yaml +++ b/kubeflow/helm/pipelines/templates/persistence-agent/rolebinding.yaml @@ -3,7 +3,6 @@ kind: RoleBinding metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-persistence-agent-role-binding - namespace: kubeflow roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -11,4 +10,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "pipelines.serviceAccountName" . }}-persistence-agent - namespace: kubeflow + namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/pipelines/templates/persistence-agent/serviceaccount.yaml b/kubeflow/helm/pipelines/templates/persistence-agent/serviceaccount.yaml index 91c6f352f..ec56533d7 100644 --- a/kubeflow/helm/pipelines/templates/persistence-agent/serviceaccount.yaml +++ b/kubeflow/helm/pipelines/templates/persistence-agent/serviceaccount.yaml 
@@ -3,7 +3,6 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "pipelines.serviceAccountName" . }}-persistence-agent - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} diff --git a/kubeflow/helm/pipelines/templates/role.yaml b/kubeflow/helm/pipelines/templates/role.yaml index 86e363714..4a7336026 100644 --- a/kubeflow/helm/pipelines/templates/role.yaml +++ b/kubeflow/helm/pipelines/templates/role.yaml @@ -3,7 +3,6 @@ kind: Role metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: pipeline-runner - namespace: kubeflow rules: - apiGroups: - "" diff --git a/kubeflow/helm/pipelines/templates/rolebinding.yaml b/kubeflow/helm/pipelines/templates/rolebinding.yaml index 40d54fe79..940e5194a 100644 --- a/kubeflow/helm/pipelines/templates/rolebinding.yaml +++ b/kubeflow/helm/pipelines/templates/rolebinding.yaml @@ -3,7 +3,6 @@ kind: RoleBinding metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: pipeline-runner-binding - namespace: kubeflow roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -11,4 +10,4 @@ roleRef: subjects: - kind: ServiceAccount name: pipeline-runner - namespace: kubeflow + namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/pipelines/templates/scheduled-workflow/clusterrolebinding.yaml b/kubeflow/helm/pipelines/templates/scheduled-workflow/clusterrolebinding.yaml index 1d0128271..a0abccff2 100644 --- a/kubeflow/helm/pipelines/templates/scheduled-workflow/clusterrolebinding.yaml +++ b/kubeflow/helm/pipelines/templates/scheduled-workflow/clusterrolebinding.yaml @@ -10,4 +10,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "pipelines.serviceAccountName" . }}-scheduled-workflow - namespace: kubeflow + namespace: {{ .Release.Namespace }} 
diff --git a/kubeflow/helm/pipelines/templates/scheduled-workflow/deployment.yaml b/kubeflow/helm/pipelines/templates/scheduled-workflow/deployment.yaml index 5b2f8b5b6..34e488834 100644 --- a/kubeflow/helm/pipelines/templates/scheduled-workflow/deployment.yaml +++ b/kubeflow/helm/pipelines/templates/scheduled-workflow/deployment.yaml @@ -2,7 +2,6 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "pipelines.fullname" . }}-scheduled-workflow - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} spec: diff --git a/kubeflow/helm/pipelines/templates/scheduled-workflow/role.yaml b/kubeflow/helm/pipelines/templates/scheduled-workflow/role.yaml index 7eb03b46d..f0d76a5a6 100644 --- a/kubeflow/helm/pipelines/templates/scheduled-workflow/role.yaml +++ b/kubeflow/helm/pipelines/templates/scheduled-workflow/role.yaml @@ -3,7 +3,6 @@ kind: Role metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-scheduled-workflow-role - namespace: kubeflow rules: - apiGroups: - argoproj.io diff --git a/kubeflow/helm/pipelines/templates/scheduled-workflow/rolebinding.yaml b/kubeflow/helm/pipelines/templates/scheduled-workflow/rolebinding.yaml index a93075631..f967d2909 100644 --- a/kubeflow/helm/pipelines/templates/scheduled-workflow/rolebinding.yaml +++ b/kubeflow/helm/pipelines/templates/scheduled-workflow/rolebinding.yaml @@ -3,7 +3,6 @@ kind: RoleBinding metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-scheduled-workflow-role-binding - namespace: kubeflow roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -11,4 +10,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "pipelines.serviceAccountName" . }}-scheduled-workflow - namespace: kubeflow + namespace: {{ .Release.Namespace }} 
diff --git a/kubeflow/helm/pipelines/templates/scheduled-workflow/serviceaccount.yaml b/kubeflow/helm/pipelines/templates/scheduled-workflow/serviceaccount.yaml index 9e3264382..e82e5284a 100644 --- a/kubeflow/helm/pipelines/templates/scheduled-workflow/serviceaccount.yaml +++ b/kubeflow/helm/pipelines/templates/scheduled-workflow/serviceaccount.yaml @@ -3,7 +3,6 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "pipelines.serviceAccountName" . }}-scheduled-workflow - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} diff --git a/kubeflow/helm/pipelines/templates/serviceaccount.yaml b/kubeflow/helm/pipelines/templates/serviceaccount.yaml index c7f947c41..77278f66a 100644 --- a/kubeflow/helm/pipelines/templates/serviceaccount.yaml +++ b/kubeflow/helm/pipelines/templates/serviceaccount.yaml @@ -3,18 +3,15 @@ kind: ServiceAccount metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: kubeflow-pipelines-container-builder - namespace: kubeflow --- apiVersion: v1 kind: ServiceAccount metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: pipeline-runner - namespace: kubeflow --- apiVersion: v1 kind: ServiceAccount metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: kubeflow-pipelines-viewer - namespace: kubeflow diff --git a/kubeflow/helm/pipelines/templates/viewer-controller/clusterrolebinding.yaml b/kubeflow/helm/pipelines/templates/viewer-controller/clusterrolebinding.yaml index 758cacab5..9e93bdb74 100644 --- a/kubeflow/helm/pipelines/templates/viewer-controller/clusterrolebinding.yaml +++ b/kubeflow/helm/pipelines/templates/viewer-controller/clusterrolebinding.yaml @@ -10,4 +10,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "pipelines.serviceAccountName" . }}-viewer-controller - namespace: kubeflow + namespace: {{ .Release.Namespace }} 
diff --git a/kubeflow/helm/pipelines/templates/viewer-controller/deployment.yaml b/kubeflow/helm/pipelines/templates/viewer-controller/deployment.yaml index b9eb26ad5..694434926 100644 --- a/kubeflow/helm/pipelines/templates/viewer-controller/deployment.yaml +++ b/kubeflow/helm/pipelines/templates/viewer-controller/deployment.yaml @@ -2,7 +2,6 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "pipelines.fullname" . }}-viewer-controller - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} spec: diff --git a/kubeflow/helm/pipelines/templates/viewer-controller/role.yaml b/kubeflow/helm/pipelines/templates/viewer-controller/role.yaml index 6ba6fc048..383bfaba1 100644 --- a/kubeflow/helm/pipelines/templates/viewer-controller/role.yaml +++ b/kubeflow/helm/pipelines/templates/viewer-controller/role.yaml @@ -3,7 +3,6 @@ kind: Role metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-viewer-controller-role - namespace: kubeflow rules: - apiGroups: - '*' diff --git a/kubeflow/helm/pipelines/templates/viewer-controller/rolebinding.yaml b/kubeflow/helm/pipelines/templates/viewer-controller/rolebinding.yaml index 0b24b8030..f66e96702 100644 --- a/kubeflow/helm/pipelines/templates/viewer-controller/rolebinding.yaml +++ b/kubeflow/helm/pipelines/templates/viewer-controller/rolebinding.yaml @@ -3,7 +3,6 @@ kind: RoleBinding metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-viewer-controller-role-binding - namespace: kubeflow roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -11,4 +10,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "pipelines.serviceAccountName" . }}-viewer-controller - namespace: kubeflow + namespace: {{ .Release.Namespace }} 
diff --git a/kubeflow/helm/pipelines/templates/viewer-controller/serviceaccount.yaml b/kubeflow/helm/pipelines/templates/viewer-controller/serviceaccount.yaml index cfdd7ab7c..50b4f343e 100644 --- a/kubeflow/helm/pipelines/templates/viewer-controller/serviceaccount.yaml +++ b/kubeflow/helm/pipelines/templates/viewer-controller/serviceaccount.yaml @@ -3,7 +3,6 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "pipelines.serviceAccountName" . }}-viewer-controller - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} diff --git a/kubeflow/helm/pipelines/templates/visualization-server/authorizationpolicy.yaml b/kubeflow/helm/pipelines/templates/visualization-server/authorizationpolicy.yaml index af3216432..b5cb07627 100644 --- a/kubeflow/helm/pipelines/templates/visualization-server/authorizationpolicy.yaml +++ b/kubeflow/helm/pipelines/templates/visualization-server/authorizationpolicy.yaml @@ -3,7 +3,6 @@ kind: AuthorizationPolicy metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-visualization-server - namespace: kubeflow spec: rules: - from: diff --git a/kubeflow/helm/pipelines/templates/visualization-server/deployment.yaml b/kubeflow/helm/pipelines/templates/visualization-server/deployment.yaml index 80b2f35d2..0e095c2fd 100644 --- a/kubeflow/helm/pipelines/templates/visualization-server/deployment.yaml +++ b/kubeflow/helm/pipelines/templates/visualization-server/deployment.yaml @@ -2,7 +2,6 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "pipelines.fullname" . }}-visualization-server - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} spec: diff --git a/kubeflow/helm/pipelines/templates/visualization-server/destinationrule.yaml b/kubeflow/helm/pipelines/templates/visualization-server/destinationrule.yaml index 207c7f18a..0aeb547b0 100644 
--- a/kubeflow/helm/pipelines/templates/visualization-server/destinationrule.yaml +++ b/kubeflow/helm/pipelines/templates/visualization-server/destinationrule.yaml @@ -3,7 +3,6 @@ kind: DestinationRule metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-visualization-server - namespace: kubeflow spec: host: {{ include "pipelines.fullname" . }}-visualization-server.kubeflow.svc.{{ .Values.global.clusterDomain }} trafficPolicy: diff --git a/kubeflow/helm/pipelines/templates/visualization-server/service.yaml b/kubeflow/helm/pipelines/templates/visualization-server/service.yaml index 4b2b3c297..6d2f89d54 100644 --- a/kubeflow/helm/pipelines/templates/visualization-server/service.yaml +++ b/kubeflow/helm/pipelines/templates/visualization-server/service.yaml @@ -2,7 +2,6 @@ apiVersion: v1 kind: Service metadata: name: {{ include "pipelines.fullname" . }}-visualization-server - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} spec: diff --git a/kubeflow/helm/pipelines/templates/visualization-server/serviceaccount.yaml b/kubeflow/helm/pipelines/templates/visualization-server/serviceaccount.yaml index 0a2b47c47..e1b574fce 100644 --- a/kubeflow/helm/pipelines/templates/visualization-server/serviceaccount.yaml +++ b/kubeflow/helm/pipelines/templates/visualization-server/serviceaccount.yaml @@ -3,7 +3,6 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "pipelines.serviceAccountName" . }}-visualization-server - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} diff --git a/kubeflow/helm/pipelines/templates/web-app/authorizationpolicy.yaml b/kubeflow/helm/pipelines/templates/web-app/authorizationpolicy.yaml index 1b8826da2..3eb63cc48 100644 --- a/kubeflow/helm/pipelines/templates/web-app/authorizationpolicy.yaml +++ b/kubeflow/helm/pipelines/templates/web-app/authorizationpolicy.yaml 
@@ -4,13 +4,13 @@ metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-web-app - namespace: kubeflow spec: + action: ALLOW rules: - from: - source: - namespaces: - - {{ .Values.global.istioNamespace }} + principals: + - cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.global.istioIngressServiceAccount }} selector: matchLabels: {{- include "pipelines.selectorLabels" . | nindent 6 }} diff --git a/kubeflow/helm/pipelines/templates/web-app/clusterrolebinding.yaml b/kubeflow/helm/pipelines/templates/web-app/clusterrolebinding.yaml index 88625ea11..58da38293 100644 --- a/kubeflow/helm/pipelines/templates/web-app/clusterrolebinding.yaml +++ b/kubeflow/helm/pipelines/templates/web-app/clusterrolebinding.yaml @@ -11,4 +11,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "pipelines.serviceAccountName" . }}-web-app - namespace: kubeflow + namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/pipelines/templates/web-app/configmap.yaml b/kubeflow/helm/pipelines/templates/web-app/configmap.yaml index 12de3051c..358e1803c 100644 --- a/kubeflow/helm/pipelines/templates/web-app/configmap.yaml +++ b/kubeflow/helm/pipelines/templates/web-app/configmap.yaml @@ -24,7 +24,6 @@ kind: ConfigMap metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-web-app-parameters - namespace: kubeflow --- apiVersion: v1 data: @@ -65,4 +64,3 @@ data: kind: ConfigMap metadata: name: {{ include "pipelines.fullname" . }}-web-app-viewer-template - namespace: kubeflow diff --git a/kubeflow/helm/pipelines/templates/web-app/deployment.yaml b/kubeflow/helm/pipelines/templates/web-app/deployment.yaml index 83631a785..ee77889e9 100644 --- a/kubeflow/helm/pipelines/templates/web-app/deployment.yaml +++ b/kubeflow/helm/pipelines/templates/web-app/deployment.yaml 
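Review bot: In pipelines web-app/authorizationpolicy.yaml the new principal `cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.global.istioIngressServiceAccount }}` hard-codes the `cluster.local` trust domain and assumes the gateway's service account lives in the release namespace. Principal matching only works on mutually authenticated connections, so if the gateway runs in another namespace, the mesh uses a different trust domain, or the value is overridden to an empty string, this ALLOW policy matches nothing and the web app becomes unreachable with no render-time error. Failing closed is the safe direction, but I would make the misconfiguration loud with `{{ required "global.istioIngressServiceAccount must be set" .Values.global.istioIngressServiceAccount }}` and add a values comment saying the account must exist in the release namespace. The serving and tensorboards web-app/authorizationpolicy.yaml hunks build the same string.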
@@ -2,7 +2,6 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ include "pipelines.fullname" . }}-web-app - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} spec: diff --git a/kubeflow/helm/pipelines/templates/web-app/destinationrule.yaml b/kubeflow/helm/pipelines/templates/web-app/destinationrule.yaml index cd30de448..c8a914c98 100644 --- a/kubeflow/helm/pipelines/templates/web-app/destinationrule.yaml +++ b/kubeflow/helm/pipelines/templates/web-app/destinationrule.yaml @@ -3,7 +3,6 @@ kind: DestinationRule metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-web-app - namespace: kubeflow spec: host: {{ include "pipelines.fullname" . }}-web-app.kubeflow.svc.{{ .Values.global.clusterDomain }} trafficPolicy: diff --git a/kubeflow/helm/pipelines/templates/web-app/hpa.yaml b/kubeflow/helm/pipelines/templates/web-app/hpa.yaml index f74e2d2d3..a7171f655 100644 --- a/kubeflow/helm/pipelines/templates/web-app/hpa.yaml +++ b/kubeflow/helm/pipelines/templates/web-app/hpa.yaml @@ -1,5 +1,5 @@ {{- if .Values.autoscaling.enabled }} -apiVersion: autoscaling/v2beta1 +apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{ include "pipelines.fullname" . }} @@ -17,12 +17,16 @@ spec: - type: Resource resource: name: cpu - targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} {{- end }} {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} - type: Resource resource: name: memory - targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} {{- end }} {{- end }} 
diff --git a/kubeflow/helm/pipelines/templates/web-app/role.yaml b/kubeflow/helm/pipelines/templates/web-app/role.yaml index 2445834ce..3b1012abe 100644 --- a/kubeflow/helm/pipelines/templates/web-app/role.yaml +++ b/kubeflow/helm/pipelines/templates/web-app/role.yaml @@ -3,7 +3,6 @@ kind: Role metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-web-app-role - namespace: kubeflow rules: - apiGroups: - "" diff --git a/kubeflow/helm/pipelines/templates/web-app/rolebinding.yaml b/kubeflow/helm/pipelines/templates/web-app/rolebinding.yaml index ad949d1ad..0bfb5332a 100644 --- a/kubeflow/helm/pipelines/templates/web-app/rolebinding.yaml +++ b/kubeflow/helm/pipelines/templates/web-app/rolebinding.yaml @@ -3,7 +3,6 @@ kind: RoleBinding metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-web-app-role-binding - namespace: kubeflow roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -11,4 +10,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "pipelines.serviceAccountName" . }}-web-app - namespace: kubeflow + namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/pipelines/templates/web-app/service.yaml b/kubeflow/helm/pipelines/templates/web-app/service.yaml index e25bbd21f..d17b44395 100644 --- a/kubeflow/helm/pipelines/templates/web-app/service.yaml +++ b/kubeflow/helm/pipelines/templates/web-app/service.yaml @@ -2,7 +2,6 @@ apiVersion: v1 kind: Service metadata: name: {{ include "pipelines.fullname" . }}-web-app - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} spec: diff --git a/kubeflow/helm/pipelines/templates/web-app/serviceaccount.yaml b/kubeflow/helm/pipelines/templates/web-app/serviceaccount.yaml index e459a85fb..6840c5333 100644 --- a/kubeflow/helm/pipelines/templates/web-app/serviceaccount.yaml +++ b/kubeflow/helm/pipelines/templates/web-app/serviceaccount.yaml 
@@ -3,7 +3,6 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "pipelines.serviceAccountName" . }}-web-app - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} diff --git a/kubeflow/helm/pipelines/templates/web-app/virtualservice.yaml b/kubeflow/helm/pipelines/templates/web-app/virtualservice.yaml index 108e11d92..f82e2c6ce 100644 --- a/kubeflow/helm/pipelines/templates/web-app/virtualservice.yaml +++ b/kubeflow/helm/pipelines/templates/web-app/virtualservice.yaml @@ -2,7 +2,6 @@ apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: {{ include "pipelines.fullname" . }}-web-app - namespace: kubeflow labels: {{- include "pipelines.labels" . | nindent 4 }} {{- with .Values.virtualService.annotations }} annotations: diff --git a/kubeflow/helm/pipelines/values.yaml b/kubeflow/helm/pipelines/values.yaml index 996c63cc7..f096773b2 100644 --- a/kubeflow/helm/pipelines/values.yaml +++ b/kubeflow/helm/pipelines/values.yaml @@ -3,13 +3,16 @@ # Declare variables to be passed into your templates. global: - domain: kubeflow.kubeflow-aws.com - istioNamespace: istio + domain: "" + istioIngressServiceAccount: kubeflow-gateway clusterDomain: cluster.local userIDHeader: kubeflow-userid userIDPrefix: "" - oidcIssuer: https://oidc.plural.sh/ - jwksURI: https://oidc.plural.sh/.well-known/jwks.json + oidc: + issuer: "" + jwksURI: "" + authEndpoint: "" + tokenEndpoint: "" replicaCount: 1 diff --git a/kubeflow/helm/profile-controller/templates/authorizationpolicy.yaml b/kubeflow/helm/profile-controller/templates/authorizationpolicy.yaml index d85efe0f3..3c91adc01 100644 --- a/kubeflow/helm/profile-controller/templates/authorizationpolicy.yaml +++ b/kubeflow/helm/profile-controller/templates/authorizationpolicy.yaml 
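Review bot: In pipelines values.yaml the OIDC settings now default to empty strings (`oidc.issuer`, `oidc.jwksURI`, `oidc.authEndpoint`, `oidc.tokenEndpoint`) and the flat `oidcIssuer`, `jwksURI` and `istioNamespace` keys are removed, with nothing in the file saying which of them an installer must supply. The templates that read these values are outside this hunk, so I cannot tell whether an unset issuer fails at render time or ends up in an authentication rule with an empty issuer; any template still reading `.Values.global.oidcIssuer` or `.Values.global.istioNamespace` would now render an empty string. I would add a comment above the block, for example `# oidc.issuer and oidc.jwksURI have no default and must be set by the installer`, and guard the consuming templates with `required`. The profile-controller, serving, tensorboards and training-operator values.yaml hunks introduce the same block.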
@@ -3,14 +3,13 @@ kind: AuthorizationPolicy metadata: labels: {{- include "profile-controller.labels" . | nindent 4 }} name: {{ include "profile-controller.fullname" . }}-kfam - namespace: kubeflow spec: action: ALLOW rules: - from: - source: principals: - - cluster.local/ns/kubeflow/sa/{{ .Release.Name }}-central-dashboard + - cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Release.Name }}-central-dashboard #TODO: make this more robust selector: matchLabels: {{- include "profile-controller.selectorLabels" . | nindent 6 }} diff --git a/kubeflow/helm/profile-controller/templates/clusterrolebinding.yaml b/kubeflow/helm/profile-controller/templates/clusterrolebinding.yaml index 9f462c63b..c67b668e3 100644 --- a/kubeflow/helm/profile-controller/templates/clusterrolebinding.yaml +++ b/kubeflow/helm/profile-controller/templates/clusterrolebinding.yaml @@ -10,4 +10,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "profile-controller.serviceAccountName" . }} - namespace: kubeflow + namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/profile-controller/templates/configmap.yaml b/kubeflow/helm/profile-controller/templates/configmap.yaml index 42aad8f02..63eddd1f9 100644 --- a/kubeflow/helm/profile-controller/templates/configmap.yaml +++ b/kubeflow/helm/profile-controller/templates/configmap.yaml @@ -5,7 +5,6 @@ kind: ConfigMap metadata: labels: {{- include "profile-controller.labels" . | nindent 4 }} name: {{ include "profile-controller.fullname" . }}-config - namespace: kubeflow --- apiVersion: v1 data: @@ -17,4 +16,3 @@ kind: ConfigMap metadata: labels: {{- include "profile-controller.labels" . | nindent 4 }} name: {{ include "profile-controller.fullname" . }}-templates - namespace: kubeflow diff --git a/kubeflow/helm/profile-controller/templates/deployment.yaml b/kubeflow/helm/profile-controller/templates/deployment.yaml index 7356e99bd..b0836ebde 100644 --- a/kubeflow/helm/profile-controller/templates/deployment.yaml 
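Review bot: In profile-controller authorizationpolicy.yaml the only caller allowed to reach KFAM is `cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Release.Name }}-central-dashboard`, a service-account name reconstructed from the release name, which the inline `#TODO: make this more robust` already concedes. If central-dashboard is installed under another release name or with an overridden service-account name, the policy matches no workload and the dashboard loses access to KFAM without any error at install time. I would take the account name from a value shared with the central-dashboard chart (for instance a new `global.centralDashboardServiceAccount`; the name is illustrative) rather than rebuilding it here, and resolve the TODO before this ships.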
+++ b/kubeflow/helm/profile-controller/templates/deployment.yaml @@ -4,7 +4,6 @@ metadata: name: {{ include "profile-controller.fullname" . }} labels: {{- include "profile-controller.labels" . | nindent 4 }} - namespace: kubeflow spec: {{- if not .Values.autoscaling.enabled }} replicas: {{ .Values.replicaCount }} diff --git a/kubeflow/helm/profile-controller/templates/hpa.yaml b/kubeflow/helm/profile-controller/templates/hpa.yaml index 394eacd23..a7b4a8b91 100644 --- a/kubeflow/helm/profile-controller/templates/hpa.yaml +++ b/kubeflow/helm/profile-controller/templates/hpa.yaml @@ -1,5 +1,5 @@ {{- if .Values.autoscaling.enabled }} -apiVersion: autoscaling/v2beta1 +apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{ include "profile-controller.fullname" . }} @@ -17,12 +17,16 @@ spec: - type: Resource resource: name: cpu - targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} {{- end }} {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} - type: Resource resource: name: memory - targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} {{- end }} {{- end }} diff --git a/kubeflow/helm/profile-controller/templates/role.yaml b/kubeflow/helm/profile-controller/templates/role.yaml index bae3b7b0f..925bd9860 100644 --- a/kubeflow/helm/profile-controller/templates/role.yaml +++ b/kubeflow/helm/profile-controller/templates/role.yaml @@ -3,7 +3,6 @@ kind: Role metadata: labels: {{- include "profile-controller.labels" . | nindent 4 }} name: {{ include "profile-controller.fullname" . }}-leader-election-role - namespace: kubeflow rules: - apiGroups: - "" 
diff --git a/kubeflow/helm/profile-controller/templates/rolebinding.yaml b/kubeflow/helm/profile-controller/templates/rolebinding.yaml index eae2ef441..cbc698179 100644 --- a/kubeflow/helm/profile-controller/templates/rolebinding.yaml +++ b/kubeflow/helm/profile-controller/templates/rolebinding.yaml @@ -3,7 +3,6 @@ kind: RoleBinding metadata: labels: {{- include "profile-controller.labels" . | nindent 4 }} name: {{ include "profile-controller.fullname" . }}-leader-election-role-binding - namespace: kubeflow roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -11,4 +10,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "profile-controller.serviceAccountName" . }} - namespace: kubeflow + namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/profile-controller/templates/service.yaml b/kubeflow/helm/profile-controller/templates/service.yaml index 7bd99fc63..7d32d859d 100644 --- a/kubeflow/helm/profile-controller/templates/service.yaml +++ b/kubeflow/helm/profile-controller/templates/service.yaml @@ -2,7 +2,6 @@ apiVersion: v1 kind: Service metadata: name: {{ include "profile-controller.fullname" . }}-kfam - namespace: kubeflow labels: {{- include "profile-controller.labels" . | nindent 4 }} spec: diff --git a/kubeflow/helm/profile-controller/templates/serviceaccount.yaml b/kubeflow/helm/profile-controller/templates/serviceaccount.yaml index 595745672..639ec4dc2 100644 --- a/kubeflow/helm/profile-controller/templates/serviceaccount.yaml +++ b/kubeflow/helm/profile-controller/templates/serviceaccount.yaml @@ -3,7 +3,6 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "profile-controller.serviceAccountName" . }} - namespace: kubeflow labels: {{- include "profile-controller.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} diff --git a/kubeflow/helm/profile-controller/templates/virtualservice.yaml b/kubeflow/helm/profile-controller/templates/virtualservice.yaml index cbf6c477a..efc1ce81f 100644 
--- a/kubeflow/helm/profile-controller/templates/virtualservice.yaml +++ b/kubeflow/helm/profile-controller/templates/virtualservice.yaml @@ -2,7 +2,6 @@ apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: {{ include "profile-controller.fullname" . }}-kfam - namespace: kubeflow labels: {{- include "profile-controller.labels" . | nindent 4 }} {{- with .Values.virtualService.annotations }} annotations: diff --git a/kubeflow/helm/profile-controller/values.yaml b/kubeflow/helm/profile-controller/values.yaml index 578e8f8d5..a738b061d 100644 --- a/kubeflow/helm/profile-controller/values.yaml +++ b/kubeflow/helm/profile-controller/values.yaml @@ -5,12 +5,16 @@ replicaCount: 1 global: - istioNamespace: istio + domain: "" + istioIngressServiceAccount: kubeflow-gateway clusterDomain: cluster.local userIDHeader: kubeflow-userid userIDPrefix: "" - oidcIssuer: https://oidc.plural.sh/ - jwksURI: https://oidc.plural.sh/.well-known/jwks.json + oidc: + issuer: "" + jwksURI: "" + authEndpoint: "" + tokenEndpoint: "" image: repository: ghcr.io/pluralsh/kubeflow-profile-controller diff --git a/kubeflow/helm/serving/templates/web-app/authorizationpolicy.yaml b/kubeflow/helm/serving/templates/web-app/authorizationpolicy.yaml index ea9f3defe..6240a6287 100644 --- a/kubeflow/helm/serving/templates/web-app/authorizationpolicy.yaml +++ b/kubeflow/helm/serving/templates/web-app/authorizationpolicy.yaml @@ -3,14 +3,13 @@ kind: AuthorizationPolicy metadata: labels: {{- include "serving.labels" . | nindent 4 }} name: {{ include "serving.fullname" . }}-web-app - namespace: kubeflow spec: action: ALLOW rules: - from: - source: principals: - - cluster.local/ns/{{ .Values.global.istioNamespace }}/sa/istio-ingressgateway-service-account + - cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.global.istioIngressServiceAccount }} selector: matchLabels: {{- include "serving.selectorLabels" . | nindent 6 }} 
diff --git a/kubeflow/helm/serving/templates/web-app/clusterrolebinding.yaml b/kubeflow/helm/serving/templates/web-app/clusterrolebinding.yaml index 67a7c90bd..09e59c6b4 100644 --- a/kubeflow/helm/serving/templates/web-app/clusterrolebinding.yaml +++ b/kubeflow/helm/serving/templates/web-app/clusterrolebinding.yaml @@ -9,5 +9,5 @@ roleRef: name: {{ include "serving.fullname" . }}-web-app-cluster-role subjects: - kind: ServiceAccount - namespace: kubeflow + namespace: {{ .Release.Namespace }} name: {{ include "serving.serviceAccountName" . }}-web-app diff --git a/kubeflow/helm/serving/templates/web-app/configmap.yaml b/kubeflow/helm/serving/templates/web-app/configmap.yaml index c54c4cfed..3b9c09566 100644 --- a/kubeflow/helm/serving/templates/web-app/configmap.yaml +++ b/kubeflow/helm/serving/templates/web-app/configmap.yaml @@ -5,4 +5,3 @@ kind: ConfigMap metadata: labels: {{- include "serving.labels" . | nindent 4 }} name: {{ include "serving.fullname" . }}-web-app-parameters - namespace: kubeflow diff --git a/kubeflow/helm/serving/templates/web-app/deployment.yaml b/kubeflow/helm/serving/templates/web-app/deployment.yaml index f80ee7a38..ea7fac5d7 100644 --- a/kubeflow/helm/serving/templates/web-app/deployment.yaml +++ b/kubeflow/helm/serving/templates/web-app/deployment.yaml @@ -4,7 +4,6 @@ metadata: name: {{ include "serving.fullname" . }}-web-app labels: {{- include "serving.labels" . | nindent 4 }} - namespace: kubeflow spec: {{- if not .Values.webApp.autoscaling.enabled }} replicas: {{ .Values.webApp.replicaCount }} diff --git a/kubeflow/helm/serving/templates/web-app/hpa.yaml b/kubeflow/helm/serving/templates/web-app/hpa.yaml index 0fefbfb51..3883ca4cf 100644 --- a/kubeflow/helm/serving/templates/web-app/hpa.yaml +++ b/kubeflow/helm/serving/templates/web-app/hpa.yaml 
@@ -1,5 +1,5 @@ {{- if .Values.webApp.autoscaling.enabled }} -apiVersion: autoscaling/v2beta1 +apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{ include "serving.fullname" . }}-web-app @@ -17,12 +17,16 @@ spec: - type: Resource resource: name: cpu - targetAverageUtilization: {{ .Values.webApp.autoscaling.targetCPUUtilizationPercentage }} + target: + type: Utilization + averageUtilization: {{ .Values.webApp.autoscaling.targetCPUUtilizationPercentage }} {{- end }} {{- if .Values.webApp.autoscaling.targetMemoryUtilizationPercentage }} - type: Resource resource: name: memory - targetAverageUtilization: {{ .Values.webApp.autoscaling.targetMemoryUtilizationPercentage }} + target: + type: Utilization + averageUtilization: {{ .Values.webApp.autoscaling.targetMemoryUtilizationPercentage }} {{- end }} {{- end }} diff --git a/kubeflow/helm/serving/templates/web-app/service.yaml b/kubeflow/helm/serving/templates/web-app/service.yaml index a2a8fd03c..01b87364d 100644 --- a/kubeflow/helm/serving/templates/web-app/service.yaml +++ b/kubeflow/helm/serving/templates/web-app/service.yaml @@ -4,7 +4,6 @@ metadata: name: {{ include "serving.fullname" . }}-web-app labels: {{- include "serving.labels" . | nindent 4 }} - namespace: kubeflow spec: type: ClusterIP ports: diff --git a/kubeflow/helm/serving/templates/web-app/serviceaccount.yaml b/kubeflow/helm/serving/templates/web-app/serviceaccount.yaml index e38d4c639..3638cf7a7 100644 --- a/kubeflow/helm/serving/templates/web-app/serviceaccount.yaml +++ b/kubeflow/helm/serving/templates/web-app/serviceaccount.yaml @@ -3,7 +3,6 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "serving.serviceAccountName" . }}-web-app - namespace: kubeflow labels: {{- include "serving.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} 
diff --git a/kubeflow/helm/serving/templates/web-app/virtualservice.yaml b/kubeflow/helm/serving/templates/web-app/virtualservice.yaml index f13f81803..f56aa4374 100644 --- a/kubeflow/helm/serving/templates/web-app/virtualservice.yaml +++ b/kubeflow/helm/serving/templates/web-app/virtualservice.yaml @@ -2,7 +2,6 @@ apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: {{ include "serving.fullname" . }}-web-app - namespace: kubeflow labels: {{- include "serving.labels" . | nindent 4 }} {{- with .Values.webApp.virtualService.annotations }} annotations: diff --git a/kubeflow/helm/serving/values.yaml b/kubeflow/helm/serving/values.yaml index 69be8e0f4..cc7ed45dd 100644 --- a/kubeflow/helm/serving/values.yaml +++ b/kubeflow/helm/serving/values.yaml @@ -3,10 +3,16 @@ # Declare variables to be passed into your templates. global: - istioNamespace: istio + domain: "" + istioIngressServiceAccount: kubeflow-gateway clusterDomain: cluster.local userIDHeader: kubeflow-userid userIDPrefix: "" + oidc: + issuer: "" + jwksURI: "" + authEndpoint: "" + tokenEndpoint: "" imagePullSecrets: [] nameOverride: "" diff --git a/kubeflow/helm/tensorboards/templates/controller/clusterrolebinding.yaml b/kubeflow/helm/tensorboards/templates/controller/clusterrolebinding.yaml index 0754be9f6..bc4b4361a 100644 --- a/kubeflow/helm/tensorboards/templates/controller/clusterrolebinding.yaml +++ b/kubeflow/helm/tensorboards/templates/controller/clusterrolebinding.yaml @@ -10,7 +10,7 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "tensorboards.serviceAccountName" . }}-controller - namespace: kubeflow + namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding @@ -24,4 +24,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "tensorboards.serviceAccountName" . }}-controller - namespace: kubeflow + namespace: {{ .Release.Namespace }} 
diff --git a/kubeflow/helm/tensorboards/templates/controller/configmap.yaml b/kubeflow/helm/tensorboards/templates/controller/configmap.yaml index dd3ba7af5..faa412c96 100644 --- a/kubeflow/helm/tensorboards/templates/controller/configmap.yaml +++ b/kubeflow/helm/tensorboards/templates/controller/configmap.yaml @@ -8,5 +8,4 @@ data: kind: ConfigMap metadata: name: {{ include "tensorboards.fullname" . }}-controller-config - namespace: kubeflow labels: {{- include "tensorboards.labels" . | nindent 4 }} diff --git a/kubeflow/helm/tensorboards/templates/controller/hpa.yaml b/kubeflow/helm/tensorboards/templates/controller/hpa.yaml index 9d3b66d40..a002a6ae9 100644 --- a/kubeflow/helm/tensorboards/templates/controller/hpa.yaml +++ b/kubeflow/helm/tensorboards/templates/controller/hpa.yaml @@ -1,5 +1,5 @@ {{- if .Values.controller.autoscaling.enabled }} -apiVersion: autoscaling/v2beta1 +apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{ include "tensorboards.fullname" . }}-controller @@ -17,12 +17,16 @@ spec: - type: Resource resource: name: cpu - targetAverageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} {{- end }} {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} - type: Resource resource: name: memory - targetAverageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} {{- end }} {{- end }} diff --git a/kubeflow/helm/tensorboards/templates/controller/role.yaml b/kubeflow/helm/tensorboards/templates/controller/role.yaml index a075af8d2..4098425be 100644 --- a/kubeflow/helm/tensorboards/templates/controller/role.yaml +++ b/kubeflow/helm/tensorboards/templates/controller/role.yaml 
@@ -3,7 +3,6 @@ kind: Role metadata: labels: {{- include "tensorboards.labels" . | nindent 4 }} name: {{ include "tensorboards.fullname" . }}-controller-leader-election-role - namespace: kubeflow rules: - apiGroups: - "" diff --git a/kubeflow/helm/tensorboards/templates/controller/rolebinding.yaml b/kubeflow/helm/tensorboards/templates/controller/rolebinding.yaml index 1fcc5a541..c3155afff 100644 --- a/kubeflow/helm/tensorboards/templates/controller/rolebinding.yaml +++ b/kubeflow/helm/tensorboards/templates/controller/rolebinding.yaml @@ -3,7 +3,6 @@ kind: RoleBinding metadata: labels: {{- include "tensorboards.labels" . | nindent 4 }} name: {{ include "tensorboards.fullname" . }}-controller-leader-election-role-binding - namespace: kubeflow roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -11,4 +10,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "tensorboards.serviceAccountName" . }}-controller - namespace: kubeflow + namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/tensorboards/templates/controller/service.yaml b/kubeflow/helm/tensorboards/templates/controller/service.yaml index a246e0d6f..271520dd7 100644 --- a/kubeflow/helm/tensorboards/templates/controller/service.yaml +++ b/kubeflow/helm/tensorboards/templates/controller/service.yaml @@ -2,7 +2,6 @@ apiVersion: v1 kind: Service metadata: name: {{ include "tensorboards.fullname" . }}-controller - namespace: kubeflow labels: {{- include "tensorboards.labels" . | nindent 4 }} spec: diff --git a/kubeflow/helm/tensorboards/templates/controller/serviceaccount.yaml b/kubeflow/helm/tensorboards/templates/controller/serviceaccount.yaml index 6eef63b7f..8abfe082b 100644 --- a/kubeflow/helm/tensorboards/templates/controller/serviceaccount.yaml +++ b/kubeflow/helm/tensorboards/templates/controller/serviceaccount.yaml 
@@ -3,7 +3,6 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "tensorboards.serviceAccountName" . }}-controller - namespace: kubeflow labels: {{- include "tensorboards.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} diff --git a/kubeflow/helm/tensorboards/templates/web-app/authorizationpolicy.yaml b/kubeflow/helm/tensorboards/templates/web-app/authorizationpolicy.yaml index d30fa623b..9a9b48b3a 100644 --- a/kubeflow/helm/tensorboards/templates/web-app/authorizationpolicy.yaml +++ b/kubeflow/helm/tensorboards/templates/web-app/authorizationpolicy.yaml @@ -3,14 +3,13 @@ kind: AuthorizationPolicy metadata: labels: {{- include "tensorboards.labels" . | nindent 4 }} name: {{ include "tensorboards.fullname" . }}-web-app - namespace: kubeflow spec: action: ALLOW rules: - from: - source: principals: - - cluster.local/ns/{{ .Values.global.istioNamespace }}/sa/istio-ingressgateway-service-account + - cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.global.istioIngressServiceAccount }} selector: matchLabels: {{- include "tensorboards.selectorLabels" . | nindent 6 }} diff --git a/kubeflow/helm/tensorboards/templates/web-app/clusterrolebinding.yaml b/kubeflow/helm/tensorboards/templates/web-app/clusterrolebinding.yaml index 4cbbdb998..13dea4963 100644 --- a/kubeflow/helm/tensorboards/templates/web-app/clusterrolebinding.yaml +++ b/kubeflow/helm/tensorboards/templates/web-app/clusterrolebinding.yaml @@ -10,4 +10,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "tensorboards.serviceAccountName" . }}-web-app - namespace: kubeflow + namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/tensorboards/templates/web-app/configmap.yaml b/kubeflow/helm/tensorboards/templates/web-app/configmap.yaml index 82f29cdc9..8346f9f51 100644 --- a/kubeflow/helm/tensorboards/templates/web-app/configmap.yaml +++ b/kubeflow/helm/tensorboards/templates/web-app/configmap.yaml 
@@ -7,4 +7,3 @@ kind: ConfigMap metadata: labels: {{- include "tensorboards.labels" . | nindent 4 }} name: {{ include "tensorboards.fullname" . }}-web-app-parameters - namespace: kubeflow diff --git a/kubeflow/helm/tensorboards/templates/web-app/hpa.yaml b/kubeflow/helm/tensorboards/templates/web-app/hpa.yaml index e7d8153a4..04bd2a5af 100644 --- a/kubeflow/helm/tensorboards/templates/web-app/hpa.yaml +++ b/kubeflow/helm/tensorboards/templates/web-app/hpa.yaml @@ -1,5 +1,5 @@ {{- if .Values.webApp.autoscaling.enabled }} -apiVersion: autoscaling/v2beta1 +apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{ include "tensorboards.fullname" . }}-web-app @@ -17,12 +17,16 @@ spec: - type: Resource resource: name: cpu - targetAverageUtilization: {{ .Values.webApp.autoscaling.targetCPUUtilizationPercentage }} + target: + type: Utilization + averageUtilization: {{ .Values.webApp.autoscaling.targetCPUUtilizationPercentage }} {{- end }} {{- if .Values.webApp.autoscaling.targetMemoryUtilizationPercentage }} - type: Resource resource: name: memory - targetAverageUtilization: {{ .Values.webApp.autoscaling.targetMemoryUtilizationPercentage }} + target: + type: Utilization + averageUtilization: {{ .Values.webApp.autoscaling.targetMemoryUtilizationPercentage }} {{- end }} {{- end }} diff --git a/kubeflow/helm/tensorboards/templates/web-app/service.yaml b/kubeflow/helm/tensorboards/templates/web-app/service.yaml index 37c3a49f2..76b721f2e 100644 --- a/kubeflow/helm/tensorboards/templates/web-app/service.yaml +++ b/kubeflow/helm/tensorboards/templates/web-app/service.yaml @@ -2,7 +2,6 @@ apiVersion: v1 kind: Service metadata: name: {{ include "tensorboards.fullname" . }}-web-app - namespace: kubeflow labels: {{- include "tensorboards.labels" . | nindent 4 }} spec: diff --git a/kubeflow/helm/tensorboards/templates/web-app/serviceaccount.yaml b/kubeflow/helm/tensorboards/templates/web-app/serviceaccount.yaml index 8deedefd1..e939864a5 100644 
--- a/kubeflow/helm/tensorboards/templates/web-app/serviceaccount.yaml +++ b/kubeflow/helm/tensorboards/templates/web-app/serviceaccount.yaml @@ -3,7 +3,6 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "tensorboards.serviceAccountName" . }}-web-app - namespace: kubeflow labels: {{- include "tensorboards.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} diff --git a/kubeflow/helm/tensorboards/templates/web-app/virtualservice.yaml b/kubeflow/helm/tensorboards/templates/web-app/virtualservice.yaml index 810c347ef..63a42dac0 100644 --- a/kubeflow/helm/tensorboards/templates/web-app/virtualservice.yaml +++ b/kubeflow/helm/tensorboards/templates/web-app/virtualservice.yaml @@ -2,7 +2,6 @@ apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: {{ include "tensorboards.fullname" . }}-web-app - namespace: kubeflow labels: {{- include "tensorboards.labels" . | nindent 4 }} {{- with .Values.webApp.virtualService.annotations }} annotations: diff --git a/kubeflow/helm/tensorboards/values.yaml b/kubeflow/helm/tensorboards/values.yaml index 7db4e3a0e..e4b96df6a 100644 --- a/kubeflow/helm/tensorboards/values.yaml +++ b/kubeflow/helm/tensorboards/values.yaml @@ -3,10 +3,16 @@ # Declare variables to be passed into your templates. global: - istioNamespace: istio + domain: "" + istioIngressServiceAccount: kubeflow-gateway clusterDomain: cluster.local userIDHeader: kubeflow-userid userIDPrefix: "" + oidc: + issuer: "" + jwksURI: "" + authEndpoint: "" + tokenEndpoint: "" imagePullSecrets: [] nameOverride: "" diff --git a/kubeflow/helm/training-operator/templates/hpa.yaml b/kubeflow/helm/training-operator/templates/hpa.yaml index 37edbd701..a0532dd52 100644 --- a/kubeflow/helm/training-operator/templates/hpa.yaml +++ b/kubeflow/helm/training-operator/templates/hpa.yaml 
@@ -1,5 +1,5 @@ {{- if .Values.autoscaling.enabled }} -apiVersion: autoscaling/v2beta1 +apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{ include "training-operator.fullname" . }} @@ -17,12 +17,16 @@ spec: - type: Resource resource: name: cpu - targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} {{- end }} {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} - type: Resource resource: name: memory - targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} {{- end }} {{- end }} diff --git a/kubeflow/helm/training-operator/values.yaml b/kubeflow/helm/training-operator/values.yaml index 8cc2e86c9..0521fe9c1 100644 --- a/kubeflow/helm/training-operator/values.yaml +++ b/kubeflow/helm/training-operator/values.yaml @@ -2,6 +2,18 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. +global: + domain: "" + istioIngressServiceAccount: kubeflow-gateway + clusterDomain: cluster.local + userIDHeader: kubeflow-userid + userIDPrefix: "" + oidc: + issuer: "" + jwksURI: "" + authEndpoint: "" + tokenEndpoint: "" + replicaCount: 1 image: diff --git a/kubeflow/helm/volumes/templates/controller/clusterrolebinding.yaml b/kubeflow/helm/volumes/templates/controller/clusterrolebinding.yaml index 5f8d96859..0a58ec19d 100644 --- a/kubeflow/helm/volumes/templates/controller/clusterrolebinding.yaml +++ b/kubeflow/helm/volumes/templates/controller/clusterrolebinding.yaml @@ -10,7 +10,7 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "volumes.serviceAccountName" . }}-controller - namespace: kubeflow + namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding 
@@ -24,4 +24,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "volumes.serviceAccountName" . }}-controller - namespace: kubeflow + namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/volumes/templates/controller/configmap.yaml b/kubeflow/helm/volumes/templates/controller/configmap.yaml index ce8722e58..90f1409fe 100644 --- a/kubeflow/helm/volumes/templates/controller/configmap.yaml +++ b/kubeflow/helm/volumes/templates/controller/configmap.yaml @@ -8,5 +8,4 @@ data: kind: ConfigMap metadata: name: {{ include "volumes.fullname" . }}-controller-config - namespace: kubeflow labels: {{- include "volumes.labels" . | nindent 4 }} diff --git a/kubeflow/helm/volumes/templates/controller/hpa.yaml b/kubeflow/helm/volumes/templates/controller/hpa.yaml index 30ab96e63..3ba7d8f84 100644 --- a/kubeflow/helm/volumes/templates/controller/hpa.yaml +++ b/kubeflow/helm/volumes/templates/controller/hpa.yaml @@ -17,12 +17,16 @@ spec: - type: Resource resource: name: cpu - targetAverageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetCPUUtilizationPercentage }} {{- end }} {{- if .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} - type: Resource resource: name: memory - targetAverageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} + target: + type: Utilization + averageUtilization: {{ .Values.controller.autoscaling.targetMemoryUtilizationPercentage }} {{- end }} {{- end }} diff --git a/kubeflow/helm/volumes/templates/controller/role.yaml b/kubeflow/helm/volumes/templates/controller/role.yaml index af5b894dd..9c65e465f 100644 --- a/kubeflow/helm/volumes/templates/controller/role.yaml +++ b/kubeflow/helm/volumes/templates/controller/role.yaml 
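Review bot: volumes/templates/controller/hpa.yaml switches its metrics to the `target:` / `averageUtilization` form but, unlike training-operator/hpa.yaml and volumes/web-app/hpa.yaml in this patch, gets no hunk that changes `apiVersion`. The apiVersion line lies outside this hunk, so it cannot be confirmed from here. If it still reads `autoscaling/v2beta1`, the new fields are not part of that schema and the controller HPA will be rejected as soon as `controller.autoscaling.enabled` is set. I would add the same one-line change, `apiVersion: autoscaling/v2`, or confirm the file already uses a version that accepts `target`.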
@@ -3,7 +3,6 @@ kind: Role metadata: labels: {{- include "volumes.labels" . | nindent 4 }} name: {{ include "volumes.fullname" . }}-controller-leader-election-role - namespace: kubeflow rules: - apiGroups: - "" diff --git a/kubeflow/helm/volumes/templates/controller/rolebinding.yaml b/kubeflow/helm/volumes/templates/controller/rolebinding.yaml index 02947cdf7..23a068e53 100644 --- a/kubeflow/helm/volumes/templates/controller/rolebinding.yaml +++ b/kubeflow/helm/volumes/templates/controller/rolebinding.yaml @@ -3,7 +3,6 @@ kind: RoleBinding metadata: labels: {{- include "volumes.labels" . | nindent 4 }} name: {{ include "volumes.fullname" . }}-controller-leader-election-role-binding - namespace: kubeflow roleRef: apiGroup: rbac.authorization.k8s.io kind: Role @@ -11,4 +10,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "volumes.serviceAccountName" . }}-controller - namespace: kubeflow + namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/volumes/templates/controller/service.yaml b/kubeflow/helm/volumes/templates/controller/service.yaml index 9d270db28..dc01341c4 100644 --- a/kubeflow/helm/volumes/templates/controller/service.yaml +++ b/kubeflow/helm/volumes/templates/controller/service.yaml @@ -2,7 +2,6 @@ apiVersion: v1 kind: Service metadata: name: {{ include "volumes.fullname" . }}-controller - namespace: kubeflow labels: {{- include "volumes.labels" . | nindent 4 }} spec: diff --git a/kubeflow/helm/volumes/templates/controller/serviceaccount.yaml b/kubeflow/helm/volumes/templates/controller/serviceaccount.yaml index 32fbfcb42..a13ef129d 100644 --- a/kubeflow/helm/volumes/templates/controller/serviceaccount.yaml +++ b/kubeflow/helm/volumes/templates/controller/serviceaccount.yaml @@ -3,7 +3,6 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "volumes.serviceAccountName" . }}-controller - namespace: kubeflow labels: {{- include "volumes.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} 
diff --git a/kubeflow/helm/volumes/templates/web-app/authorizationpolicy.yaml b/kubeflow/helm/volumes/templates/web-app/authorizationpolicy.yaml index 23d8418e2..5884932a3 100644 --- a/kubeflow/helm/volumes/templates/web-app/authorizationpolicy.yaml +++ b/kubeflow/helm/volumes/templates/web-app/authorizationpolicy.yaml @@ -3,14 +3,13 @@ kind: AuthorizationPolicy metadata: labels: {{- include "volumes.labels" . | nindent 4 }} name: {{ include "volumes.fullname" . }}-web-app - namespace: kubeflow spec: action: ALLOW rules: - from: - source: principals: - - cluster.local/ns/{{ .Values.global.istioNamespace }}/sa/istio-ingressgateway-service-account + - cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.global.istioIngressServiceAccount }} selector: matchLabels: {{- include "volumes.selectorLabels" . | nindent 6 }} diff --git a/kubeflow/helm/volumes/templates/web-app/clusterrolebinding.yaml b/kubeflow/helm/volumes/templates/web-app/clusterrolebinding.yaml index 6cbef1242..f68f074d8 100644 --- a/kubeflow/helm/volumes/templates/web-app/clusterrolebinding.yaml +++ b/kubeflow/helm/volumes/templates/web-app/clusterrolebinding.yaml @@ -10,4 +10,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "volumes.serviceAccountName" . }}-web-app - namespace: kubeflow + namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/volumes/templates/web-app/configmap.yaml b/kubeflow/helm/volumes/templates/web-app/configmap.yaml index 1ace8714a..3644db239 100644 --- a/kubeflow/helm/volumes/templates/web-app/configmap.yaml +++ b/kubeflow/helm/volumes/templates/web-app/configmap.yaml @@ -13,7 +13,6 @@ kind: ConfigMap metadata: labels: {{- include "volumes.labels" . | nindent 4 }} name: {{ include "volumes.fullname" . }}-web-app-config - namespace: kubeflow --- apiVersion: v1 data: @@ -24,4 +23,3 @@ kind: ConfigMap metadata: labels: {{- include "volumes.labels" . | nindent 4 }} name: {{ include "volumes.fullname" . }}-web-app-parameters - namespace: kubeflow 
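Review bot: The ALLOW rule in volumes/web-app/authorizationpolicy.yaml now pins the caller to `cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.global.istioIngressServiceAccount }}`, which assumes without saying so that the gateway's service account lives in this release's namespace and that the mesh trust domain is `cluster.local`. If either assumption is wrong, or `istioIngressServiceAccount` is empty, the principal matches no workload and the web app rejects all gateway traffic with nothing in the template explaining why. I would add a comment above the principal, e.g. `# must equal the gateway pods' identity: same namespace as this release, SA = global.istioIngressServiceAccount`, and wrap the value as `{{ required "global.istioIngressServiceAccount must be set" .Values.global.istioIngressServiceAccount }}`. The `spec:` block continues outside the hunk.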
diff --git a/kubeflow/helm/volumes/templates/web-app/hpa.yaml b/kubeflow/helm/volumes/templates/web-app/hpa.yaml index 9e805f256..082ce19c9 100644 --- a/kubeflow/helm/volumes/templates/web-app/hpa.yaml +++ b/kubeflow/helm/volumes/templates/web-app/hpa.yaml @@ -1,5 +1,5 @@ {{- if .Values.webApp.autoscaling.enabled }} -apiVersion: autoscaling/v2beta1 +apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: name: {{ include "volumes.fullname" . }}-web-app @@ -17,12 +17,16 @@ spec: - type: Resource resource: name: cpu - targetAverageUtilization: {{ .Values.webApp.autoscaling.targetCPUUtilizationPercentage }} + target: + type: Utilization + averageUtilization: {{ .Values.webApp.autoscaling.targetCPUUtilizationPercentage }} {{- end }} {{- if .Values.webApp.autoscaling.targetMemoryUtilizationPercentage }} - type: Resource resource: name: memory - targetAverageUtilization: {{ .Values.webApp.autoscaling.targetMemoryUtilizationPercentage }} + target: + type: Utilization + averageUtilization: {{ .Values.webApp.autoscaling.targetMemoryUtilizationPercentage }} {{- end }} {{- end }} diff --git a/kubeflow/helm/volumes/templates/web-app/service.yaml b/kubeflow/helm/volumes/templates/web-app/service.yaml index 05197b76b..e1e3c1660 100644 --- a/kubeflow/helm/volumes/templates/web-app/service.yaml +++ b/kubeflow/helm/volumes/templates/web-app/service.yaml @@ -2,7 +2,6 @@ apiVersion: v1 kind: Service metadata: name: {{ include "volumes.fullname" . }}-web-app - namespace: kubeflow labels: {{- include "volumes.labels" . | nindent 4 }} spec: diff --git a/kubeflow/helm/volumes/templates/web-app/serviceaccount.yaml b/kubeflow/helm/volumes/templates/web-app/serviceaccount.yaml index eafeca64b..e668d9d22 100644 --- a/kubeflow/helm/volumes/templates/web-app/serviceaccount.yaml +++ b/kubeflow/helm/volumes/templates/web-app/serviceaccount.yaml 
@@ -3,7 +3,6 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "volumes.serviceAccountName" . }}-web-app - namespace: kubeflow labels: {{- include "volumes.labels" . | nindent 4 }} {{- with .Values.serviceAccount.annotations }} diff --git a/kubeflow/helm/volumes/templates/web-app/virtualservice.yaml b/kubeflow/helm/volumes/templates/web-app/virtualservice.yaml index 801e245b7..3eb2a53e3 100644 --- a/kubeflow/helm/volumes/templates/web-app/virtualservice.yaml +++ b/kubeflow/helm/volumes/templates/web-app/virtualservice.yaml @@ -2,7 +2,6 @@ apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: {{ include "volumes.fullname" . }}-web-app - namespace: kubeflow labels: {{- include "volumes.labels" . | nindent 4 }} {{- with .Values.webApp.virtualService.annotations }} annotations: diff --git a/kubeflow/helm/volumes/values.yaml b/kubeflow/helm/volumes/values.yaml index 320afa9c0..ae00ee8db 100644 --- a/kubeflow/helm/volumes/values.yaml +++ b/kubeflow/helm/volumes/values.yaml @@ -3,10 +3,16 @@ # Declare variables to be passed into your templates. global: - istioNamespace: istio + domain: "" + istioIngressServiceAccount: kubeflow-gateway clusterDomain: cluster.local userIDHeader: kubeflow-userid userIDPrefix: "" + oidc: + issuer: "" + jwksURI: "" + authEndpoint: "" + tokenEndpoint: "" imagePullSecrets: [] nameOverride: "" @@ -29,7 +35,7 @@ webApp: pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. tag: 0.5.2 # newer version with snapshot support causes error due to missing snapshot class - + podAnnotations: sidecar.istio.io/inject: "true" cluster-autoscaler.kubernetes.io/safe-to-evict: "true" From 9741948323d288fe3a2c774557fcbb7b578c6b96 Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Thu, 14 Sep 2023 16:59:02 +0200 Subject: [PATCH 05/32] cleanup virtual service hosts 
Signed-off-by: David van der Spek --- .../helm/central-dashboard/templates/virtualservice.yaml | 3 +++ kubeflow/helm/central-dashboard/values.yaml | 2 ++ kubeflow/helm/katib/templates/web-app/virtualservice.yaml | 1 + kubeflow/helm/katib/values.yaml | 5 +++-- .../helm/notebooks/templates/web-app/virtualservice.yaml | 1 + kubeflow/helm/notebooks/values.yaml | 4 ++-- .../templates/metadata/grpc-server/virtualservice.yaml | 1 + .../helm/pipelines/templates/web-app/virtualservice.yaml | 1 + kubeflow/helm/pipelines/values.yaml | 8 ++++---- .../helm/profile-controller/templates/virtualservice.yaml | 1 + kubeflow/helm/profile-controller/values.yaml | 4 ++-- .../helm/serving/templates/web-app/virtualservice.yaml | 1 + kubeflow/helm/serving/values.yaml | 4 ++-- .../tensorboards/templates/web-app/virtualservice.yaml | 1 + kubeflow/helm/tensorboards/values.yaml | 4 ++-- .../helm/volumes/templates/web-app/virtualservice.yaml | 1 + kubeflow/helm/volumes/values.yaml | 4 ++-- 17 files changed, 30 insertions(+), 16 deletions(-) diff --git a/kubeflow/helm/central-dashboard/templates/virtualservice.yaml b/kubeflow/helm/central-dashboard/templates/virtualservice.yaml index 6dc87870d..c935884ba 100644 --- a/kubeflow/helm/central-dashboard/templates/virtualservice.yaml +++ b/kubeflow/helm/central-dashboard/templates/virtualservice.yaml @@ -15,6 +15,9 @@ spec: {{- end }} hosts: - {{ .Values.global.domain }} + {{- range .Values.virtualService.hosts }} + - {{ . | quote }} + {{- end }} http: - match: - uri: diff --git a/kubeflow/helm/central-dashboard/values.yaml b/kubeflow/helm/central-dashboard/values.yaml index bba7c5a32..fc97cc5c6 100644 --- a/kubeflow/helm/central-dashboard/values.yaml +++ b/kubeflow/helm/central-dashboard/values.yaml @@ -81,6 +81,8 @@ virtualService: annotations: {} gateways: - kubeflow-gateway + # hosts to add additional to the value of global.domain + hosts: [] resources: requests: 
diff --git a/kubeflow/helm/katib/templates/web-app/virtualservice.yaml b/kubeflow/helm/katib/templates/web-app/virtualservice.yaml index 1071e18c3..58d0f3552 100644 --- a/kubeflow/helm/katib/templates/web-app/virtualservice.yaml +++ b/kubeflow/helm/katib/templates/web-app/virtualservice.yaml @@ -13,6 +13,7 @@ spec: - {{ . | quote }} {{- end }} hosts: + - {{ .Values.global.domain }} {{- range .Values.webApp.virtualService.hosts }} - {{ . | quote }} {{- end }} diff --git a/kubeflow/helm/katib/values.yaml b/kubeflow/helm/katib/values.yaml index a5ca45957..5fdb96d6a 100644 --- a/kubeflow/helm/katib/values.yaml +++ b/kubeflow/helm/katib/values.yaml @@ -57,8 +57,9 @@ webApp: prefix: /katib gateways: - kubeflow-gateway - hosts: - - '*' + # hosts to add additional to the value of global.domain + hosts: [] + resources: requests: cpu: 32m diff --git a/kubeflow/helm/notebooks/templates/web-app/virtualservice.yaml b/kubeflow/helm/notebooks/templates/web-app/virtualservice.yaml index 8f91d0e9d..152002799 100644 --- a/kubeflow/helm/notebooks/templates/web-app/virtualservice.yaml +++ b/kubeflow/helm/notebooks/templates/web-app/virtualservice.yaml @@ -13,6 +13,7 @@ spec: - {{ . | quote }} {{- end }} hosts: + - {{ .Values.global.domain }} {{- range .Values.webApp.virtualService.hosts }} - {{ . | quote }} {{- end }} diff --git a/kubeflow/helm/notebooks/values.yaml b/kubeflow/helm/notebooks/values.yaml index d8f3c0e1d..5a30ae34a 100644 --- a/kubeflow/helm/notebooks/values.yaml +++ b/kubeflow/helm/notebooks/values.yaml @@ -58,8 +58,8 @@ webApp: prefix: /jupyter gateways: - kubeflow-gateway - hosts: - - '*' + # hosts to add additional to the value of global.domain + hosts: [] resources: requests: diff --git a/kubeflow/helm/pipelines/templates/metadata/grpc-server/virtualservice.yaml b/kubeflow/helm/pipelines/templates/metadata/grpc-server/virtualservice.yaml index f838b528d..9576aaa47 100644 --- a/kubeflow/helm/pipelines/templates/metadata/grpc-server/virtualservice.yaml 
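Review bot: The new first host entry `- {{ .Values.global.domain }}` is unquoted and unguarded, while the range entries directly below it use `| quote`. The same line is added in the virtualservice.yaml hunks for notebooks, pipelines (web-app and metadata grpc-server), profile-controller, serving, tensorboards and volumes. The tensorboards and volumes values files in this patch default `global.domain` to `""`, and the per-chart `hosts` now default to `[]`, so an unset domain renders a bare `- ` (a null list item) and an invalid VirtualService rather than a clear error. Replacing the wildcard `'*'` with an explicit domain is the stricter setting, so it is worth making the domain mandatory: `- {{ required "global.domain must be set" .Values.global.domain | quote }}`. Each of these `hosts:` lists sits in a `spec:` block that starts outside its hunk.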
+++ b/kubeflow/helm/pipelines/templates/metadata/grpc-server/virtualservice.yaml @@ -13,6 +13,7 @@ spec: - {{ . | quote }} {{- end }} hosts: + - {{ .Values.global.domain }} {{- range .Values.metadata.grpc.virtualService.hosts }} - {{ . | quote }} {{- end }} diff --git a/kubeflow/helm/pipelines/templates/web-app/virtualservice.yaml b/kubeflow/helm/pipelines/templates/web-app/virtualservice.yaml index f82e2c6ce..7a39be60c 100644 --- a/kubeflow/helm/pipelines/templates/web-app/virtualservice.yaml +++ b/kubeflow/helm/pipelines/templates/web-app/virtualservice.yaml @@ -13,6 +13,7 @@ spec: - {{ . | quote }} {{- end }} hosts: + - {{ .Values.global.domain }} {{- range .Values.virtualService.hosts }} - {{ . | quote }} {{- end }} diff --git a/kubeflow/helm/pipelines/values.yaml b/kubeflow/helm/pipelines/values.yaml index f096773b2..606474256 100644 --- a/kubeflow/helm/pipelines/values.yaml +++ b/kubeflow/helm/pipelines/values.yaml @@ -72,8 +72,8 @@ virtualService: prefix: /pipeline gateways: - kubeflow-gateway - hosts: - - '*' + # hosts to add additional to the value of global.domain + hosts: [] apiServer: image: @@ -188,8 +188,8 @@ metadata: prefix: /ml_metadata gateways: - kubeflow-gateway - hosts: - - '*' + # hosts to add additional to the value of global.domain + hosts: [] writer: image: repository: gcr.io/ml-pipeline/metadata-writer diff --git a/kubeflow/helm/profile-controller/templates/virtualservice.yaml b/kubeflow/helm/profile-controller/templates/virtualservice.yaml index efc1ce81f..c3739786b 100644 --- a/kubeflow/helm/profile-controller/templates/virtualservice.yaml +++ b/kubeflow/helm/profile-controller/templates/virtualservice.yaml @@ -13,6 +13,7 @@ spec: - {{ . | quote }} {{- end }} hosts: + - {{ .Values.global.domain }} {{- range .Values.virtualService.hosts }} - {{ . | quote }} {{- end }} diff --git a/kubeflow/helm/profile-controller/values.yaml b/kubeflow/helm/profile-controller/values.yaml index a738b061d..ea164483d 100644 
--- a/kubeflow/helm/profile-controller/values.yaml +++ b/kubeflow/helm/profile-controller/values.yaml @@ -103,8 +103,8 @@ virtualService: prefix: /kfam gateways: - kubeflow-gateway - hosts: - - '*' + # hosts to add additional to the value of global.domain + hosts: [] resources: requests: diff --git a/kubeflow/helm/serving/templates/web-app/virtualservice.yaml b/kubeflow/helm/serving/templates/web-app/virtualservice.yaml index f56aa4374..f2e46e568 100644 --- a/kubeflow/helm/serving/templates/web-app/virtualservice.yaml +++ b/kubeflow/helm/serving/templates/web-app/virtualservice.yaml @@ -13,6 +13,7 @@ spec: - {{ . | quote }} {{- end }} hosts: + - {{ .Values.global.domain }} {{- range .Values.webApp.virtualService.hosts }} - {{ . | quote }} {{- end }} diff --git a/kubeflow/helm/serving/values.yaml b/kubeflow/helm/serving/values.yaml index cc7ed45dd..273ec0bed 100644 --- a/kubeflow/helm/serving/values.yaml +++ b/kubeflow/helm/serving/values.yaml @@ -58,8 +58,8 @@ webApp: prefix: /models gateways: - kubeflow-gateway - hosts: - - '*' + # hosts to add additional to the value of global.domain + hosts: [] resources: requests: diff --git a/kubeflow/helm/tensorboards/templates/web-app/virtualservice.yaml b/kubeflow/helm/tensorboards/templates/web-app/virtualservice.yaml index 63a42dac0..a3593463c 100644 --- a/kubeflow/helm/tensorboards/templates/web-app/virtualservice.yaml +++ b/kubeflow/helm/tensorboards/templates/web-app/virtualservice.yaml @@ -13,6 +13,7 @@ spec: - {{ . | quote }} {{- end }} hosts: + - {{ .Values.global.domain }} {{- range .Values.webApp.virtualService.hosts }} - {{ . | quote }} {{- end }} diff --git a/kubeflow/helm/tensorboards/values.yaml b/kubeflow/helm/tensorboards/values.yaml index e4b96df6a..a9491611b 100644 --- a/kubeflow/helm/tensorboards/values.yaml +++ b/kubeflow/helm/tensorboards/values.yaml 
@@ -58,8 +58,8 @@ webApp: prefix: /tensorboards gateways: - kubeflow-gateway - hosts: - - '*' + # hosts to add additional to the value of global.domain + hosts: [] resources: requests: diff --git a/kubeflow/helm/volumes/templates/web-app/virtualservice.yaml b/kubeflow/helm/volumes/templates/web-app/virtualservice.yaml index 3eb2a53e3..55a23fd12 100644 --- a/kubeflow/helm/volumes/templates/web-app/virtualservice.yaml +++ b/kubeflow/helm/volumes/templates/web-app/virtualservice.yaml @@ -13,6 +13,7 @@ spec: - {{ . | quote }} {{- end }} hosts: + - {{ .Values.global.domain }} {{- range .Values.webApp.virtualService.hosts }} - {{ . | quote }} {{- end }} diff --git a/kubeflow/helm/volumes/values.yaml b/kubeflow/helm/volumes/values.yaml index ae00ee8db..9942cbf60 100644 --- a/kubeflow/helm/volumes/values.yaml +++ b/kubeflow/helm/volumes/values.yaml @@ -59,8 +59,8 @@ webApp: prefix: /volumes gateways: - kubeflow-gateway - hosts: - - '*' + # hosts to add additional to the value of global.domain + hosts: [] resources: requests: From f37b9b5b0d612cc89794faa3e2451f28c6789233 Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Thu, 14 Sep 2023 17:28:10 +0200 Subject: [PATCH 06/32] fix passing auth header for downstream validation Signed-off-by: David van der Spek --- kubeflow/helm/gateway/templates/oauth2-envoy-filter.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kubeflow/helm/gateway/templates/oauth2-envoy-filter.yaml b/kubeflow/helm/gateway/templates/oauth2-envoy-filter.yaml index 548c7ab95..f34da456d 100644 --- a/kubeflow/helm/gateway/templates/oauth2-envoy-filter.yaml +++ b/kubeflow/helm/gateway/templates/oauth2-envoy-filter.yaml 
@@ -91,7 +91,8 @@ spec: {{- include "gateway.selectorLabels" .Subcharts.gateway | nindent 6 }} jwtRules: - forwardOriginalToken: true - fromHeaders: + outputPayloadToHeader: Authorization # TODO: needed so the requestauth resource in user namespace works + fromHeaders: # TODO: possibly add this to profile controller setup - name: cookie prefix: IdToken= issuer: {{ .Values.global.oidc.issuer }} From f1254e5368601a3dbf88cc3b68c4dbcc51e967e9 Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Thu, 14 Sep 2023 17:46:53 +0200 Subject: [PATCH 07/32] add some comments + oidc scopes Signed-off-by: David van der Spek --- kubeflow/helm/gateway/templates/oauth2-envoy-filter.yaml | 2 +- kubeflow/helm/gateway/values.yaml | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/kubeflow/helm/gateway/templates/oauth2-envoy-filter.yaml b/kubeflow/helm/gateway/templates/oauth2-envoy-filter.yaml index f34da456d..98b42b2e5 100644 --- a/kubeflow/helm/gateway/templates/oauth2-envoy-filter.yaml +++ b/kubeflow/helm/gateway/templates/oauth2-envoy-filter.yaml @@ -91,7 +91,7 @@ spec: {{- include "gateway.selectorLabels" .Subcharts.gateway | nindent 6 }} jwtRules: - forwardOriginalToken: true - outputPayloadToHeader: Authorization # TODO: needed so the requestauth resource in user namespace works + outputPayloadToHeader: Authorization # TODO: needed so the requestauth resource in user namespace works. Overwrites what `forward_bearer_token` sets in the envoy filter. Should the auth token or JWT be passed in the authorization header? fromHeaders: # TODO: possibly add this to profile controller setup - name: cookie prefix: IdToken= diff --git a/kubeflow/helm/gateway/values.yaml b/kubeflow/helm/gateway/values.yaml index 70c32834d..5754956fd 100644 --- a/kubeflow/helm/gateway/values.yaml +++ b/kubeflow/helm/gateway/values.yaml 
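Review bot: `outputPayloadToHeader: Authorization` in the first oauth2-envoy-filter.yaml hunk (the second hunk only rewords its TODO) writes the base64-encoded claims of the verified token into the Authorization header, and that payload carries no signature. A RequestAuthentication in a user namespace cannot verify it as a JWT, and any workload that reads it is trusting a plain header, which is only safe if the workload accepts traffic solely from the gateway. I would leave Authorization for the bearer token and emit the claims under a dedicated header, e.g. `outputPayloadToHeader: x-jwt-payload` (example name). Downstream rules could then read the signed token from the `IdToken=` cookie, which `forwardOriginalToken: true` appears intended to preserve. The `jwtRules` entry continues past the hunk, so the rest of the rule is not visible here.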
@@ -15,6 +15,9 @@ fullnameOverride: "" provider: "" +# TODO: investigate XSRF filter in envoy +# TODO: check if we should be passing the access token through in the Authorization header or just the JWT + oidc: clientID: "" clientSecret: "" @@ -22,6 +25,8 @@ oidc: scopes: - openid - profile + - offline + - offline_access gateway: name: kubeflow-gateway From f1cb50a57126b36431eefc4309b21b474be0a58f Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Fri, 15 Sep 2023 12:10:45 +0200 Subject: [PATCH 08/32] upgrade central dashboard + some general fixes Signed-off-by: David van der Spek --- kubeflow/helm/central-dashboard/Chart.yaml | 2 +- .../central-dashboard/templates/_helpers.tpl | 2 +- .../templates/clusterrole.yaml | 325 ------------------ .../templates/configmap.yaml | 23 +- .../templates/deployment.yaml | 5 + .../templates/kubeflow-cluster-roles.yaml | 324 +++++++++++++++++ kubeflow/helm/central-dashboard/values.yaml | 7 +- .../helm/central-dashboard/values.yaml.tpl | 9 +- kubeflow/helm/katib/templates/_helpers.tpl | 4 +- .../helm/notebooks/templates/_helpers.tpl | 4 +- .../profile-controller/templates/_helpers.tpl | 2 +- kubeflow/helm/serving/templates/_helpers.tpl | 1 - .../helm/tensorboards/templates/_helpers.tpl | 3 +- kubeflow/helm/volumes/templates/_helpers.tpl | 3 +- 14 files changed, 364 insertions(+), 350 deletions(-) diff --git a/kubeflow/helm/central-dashboard/Chart.yaml b/kubeflow/helm/central-dashboard/Chart.yaml index 5523ce308..24e228655 100644 --- a/kubeflow/helm/central-dashboard/Chart.yaml +++ b/kubeflow/helm/central-dashboard/Chart.yaml @@ -3,7 +3,7 @@ name: central-dashboard description: A Helm chart for Kubernetes type: application version: 0.1.37 -appVersion: "1.4.0" +appVersion: "v1.8.0-rc.0" # dependencies: # - name: profile-controller # version: 0.1.2 diff --git a/kubeflow/helm/central-dashboard/templates/_helpers.tpl b/kubeflow/helm/central-dashboard/templates/_helpers.tpl index c1bd8bff9..06c412160 100644 
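Review bot: The second gateway/values.yaml hunk adds `offline` and `offline_access` to the default `oidc.scopes` with no comment, so every install now asks the provider for a refresh token. A refresh token is a long-lived credential, and where the gateway keeps it is not visible in this patch, so the default should be a documented choice rather than an implicit one. I would add a comment above the two entries, e.g. `# offline / offline_access request a refresh token; remove them if sessions should end with the ID token`. I would also keep only the scope name the configured provider actually recognises.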
--- a/kubeflow/helm/central-dashboard/templates/_helpers.tpl +++ b/kubeflow/helm/central-dashboard/templates/_helpers.tpl @@ -37,6 +37,7 @@ Common labels helm.sh/chart: {{ include "central-dashboard.chart" . }} {{ include "central-dashboard.selectorLabels" . }} {{- if .Chart.AppVersion }} +version: {{ .Chart.AppVersion | quote }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} app.kubernetes.io/managed-by: {{ .Release.Service }} @@ -49,7 +50,6 @@ Selector labels app: {{ include "central-dashboard.name" . }} app.kubernetes.io/name: {{ include "central-dashboard.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} -version: {{ .Chart.AppVersion | quote }} {{- end }} {{/* diff --git a/kubeflow/helm/central-dashboard/templates/clusterrole.yaml b/kubeflow/helm/central-dashboard/templates/clusterrole.yaml index b3fd5b4ee..5cdac2c63 100644 --- a/kubeflow/helm/central-dashboard/templates/clusterrole.yaml +++ b/kubeflow/helm/central-dashboard/templates/clusterrole.yaml 
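Review bot: Moving `version: {{ .Chart.AppVersion | quote }}` out of `central-dashboard.selectorLabels` changes every selector rendered from that helper, and the commit does not mention the upgrade impact. If the Deployment's `spec.selector` is built from this helper (the template is not part of the hunk), existing releases cannot be upgraded in place because that field is immutable, and the Deployment has to be recreated. The AuthorizationPolicy in this chart also selects through `selectorLabels`, so its match set changes as well. I would record the reason next to the helper, e.g. `{{/* version is deliberately not a selector label: selectors must stay stable across appVersion bumps */}}`, and note the one-time recreate in the chart's upgrade notes.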
@@ -14,328 +14,3 @@ rules: - get - list - watch ---- -aggregationRule: - clusterRoleSelectors: - - matchLabels: - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: {{- include "central-dashboard.labels" . | nindent 4 }} - name: kubeflow-admin -rules: [] ---- -aggregationRule: - clusterRoleSelectors: - - matchLabels: - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: {{- include "central-dashboard.labels" . | nindent 4 }} - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" - name: kubeflow-edit -rules: [] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: {{- include "central-dashboard.labels" . | nindent 4 }} - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" - name: kubeflow-kubernetes-admin -rules: - - apiGroups: - - authorization.k8s.io - resources: - - localsubjectaccessreviews - verbs: - - create - - apiGroups: - - rbac.authorization.k8s.io - resources: - - rolebindings - - roles - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: {{- include "central-dashboard.labels" . 
| nindent 4 }} - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" - name: kubeflow-kubernetes-edit -rules: - - apiGroups: - - "" - resources: - - pods/attach - - pods/exec - - pods/portforward - - pods/proxy - - secrets - - services/proxy - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - impersonate - - apiGroups: - - "" - resources: - - pods - - pods/attach - - pods/exec - - pods/portforward - - pods/proxy - verbs: - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - "" - resources: - - configmaps - - endpoints - - persistentvolumeclaims - - replicationcontrollers - - replicationcontrollers/scale - - secrets - - serviceaccounts - - services - - services/proxy - verbs: - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - apps - resources: - - daemonsets - - deployments - - deployments/rollback - - deployments/scale - - replicasets - - replicasets/scale - - statefulsets - - statefulsets/scale - verbs: - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - autoscaling - resources: - - horizontalpodautoscalers - verbs: - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - batch - resources: - - cronjobs - - jobs - verbs: - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - extensions - resources: - - daemonsets - - deployments - - deployments/rollback - - deployments/scale - - ingresses - - networkpolicies - - replicasets - - replicasets/scale - - replicationcontrollers/scale - verbs: - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - policy - resources: - - poddisruptionbudgets - verbs: - - create - - delete - - deletecollection - - patch - - update - - apiGroups: - - networking.k8s.io - resources: - - ingresses - - networkpolicies - verbs: - - create - - delete - - deletecollection - - patch - - update ---- -apiVersion: 
rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: {{- include "central-dashboard.labels" . | nindent 4 }} - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" - name: kubeflow-kubernetes-view -rules: - - apiGroups: - - "" - resources: - - configmaps - - endpoints - - persistentvolumeclaims - - persistentvolumeclaims/status - - pods - - replicationcontrollers - - replicationcontrollers/scale - - serviceaccounts - - services - - services/status - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - bindings - - events - - limitranges - - namespaces/status - - pods/log - - pods/status - - replicationcontrollers/status - - resourcequotas - - resourcequotas/status - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch - - apiGroups: - - apps - resources: - - controllerrevisions - - daemonsets - - daemonsets/status - - deployments - - deployments/scale - - deployments/status - - replicasets - - replicasets/scale - - replicasets/status - - statefulsets - - statefulsets/scale - - statefulsets/status - verbs: - - get - - list - - watch - - apiGroups: - - autoscaling - resources: - - horizontalpodautoscalers - - horizontalpodautoscalers/status - verbs: - - get - - list - - watch - - apiGroups: - - batch - resources: - - cronjobs - - cronjobs/status - - jobs - - jobs/status - verbs: - - get - - list - - watch - - apiGroups: - - extensions - resources: - - daemonsets - - daemonsets/status - - deployments - - deployments/scale - - deployments/status - - ingresses - - ingresses/status - - networkpolicies - - replicasets - - replicasets/scale - - replicasets/status - - replicationcontrollers/scale - verbs: - - get - - list - - watch - - apiGroups: - - policy - resources: - - poddisruptionbudgets - - poddisruptionbudgets/status - verbs: - - get - - list - - watch - - apiGroups: - - networking.k8s.io - resources: - - ingresses - - ingresses/status - - 
networkpolicies - verbs: - - get - - list - - watch ---- -aggregationRule: - clusterRoleSelectors: - - matchLabels: - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: {{- include "central-dashboard.labels" . | nindent 4 }} - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" - name: kubeflow-view -rules: [] diff --git a/kubeflow/helm/central-dashboard/templates/configmap.yaml b/kubeflow/helm/central-dashboard/templates/configmap.yaml index 99f22ffb5..ba388d7c3 100644 --- a/kubeflow/helm/central-dashboard/templates/configmap.yaml +++ b/kubeflow/helm/central-dashboard/templates/configmap.yaml @@ -26,6 +26,14 @@ data: "text": "Tensorboards", "icon": "assessment" {{ end }} + {{ if eq .Values.kubeflowComponents.serving.enabled true }} + }, + { + "type": "item", + "link": "/models/", + "text": "Endpoints", + "icon": "kubeflow:models" + {{ end }} {{ if eq .Values.kubeflowComponents.katib.enabled true }} }, { @@ -72,14 +80,6 @@ data: "text": "Executions", "icon": "av:play-arrow" {{ end }} - {{ if eq .Values.kubeflowComponents.serving.enabled true }} - }, - { - "type": "item", - "link": "/models/", - "text": "Models", - "icon": "kubeflow:models" - {{ end }} } ], "externalLinks": [ ], @@ -136,6 +136,13 @@ data: PROFILES_KFAM_SERVICE_HOST: {{ .Values.config.profileControllerService }} PROFILES_KFAM_SERVICE_PORT: {{ .Values.config.kfamPort | quote }} DASHBOARD_CONFIGMAP: {{ include "central-dashboard.fullname" . }}-config + LOGOUT_URL: {{ .Values.config.logoutURL | quote }} + {{- if .Values.config.prometheusURL }} + PROMETHEUS_URL: {{ .Values.config.prometheusURL | quote }} + {{- end }} + {{- if .Values.config.metricsDashboard }} + METRICS_DASHBOARD: {{ .Values.config.metricsDashboard | quote }} + {{- end }} kind: ConfigMap metadata: labels: {{- include "central-dashboard.labels" . | nindent 4 }} 
diff --git a/kubeflow/helm/central-dashboard/templates/deployment.yaml b/kubeflow/helm/central-dashboard/templates/deployment.yaml index 4837d5f58..3323a3210 100644 --- a/kubeflow/helm/central-dashboard/templates/deployment.yaml +++ b/kubeflow/helm/central-dashboard/templates/deployment.yaml @@ -36,6 +36,11 @@ spec: {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace ports: - name: website containerPort: 8082 diff --git a/kubeflow/helm/central-dashboard/templates/kubeflow-cluster-roles.yaml b/kubeflow/helm/central-dashboard/templates/kubeflow-cluster-roles.yaml index 462f29737..87a525167 100644 --- a/kubeflow/helm/central-dashboard/templates/kubeflow-cluster-roles.yaml +++ b/kubeflow/helm/central-dashboard/templates/kubeflow-cluster-roles.yaml 
@@ -1,3 +1,327 @@ +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: {{- include "central-dashboard.labels" . | nindent 4 }} + name: kubeflow-admin +rules: [] +--- +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: {{- include "central-dashboard.labels" . | nindent 4 }} + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" + name: kubeflow-edit +rules: [] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: {{- include "central-dashboard.labels" . | nindent 4 }} + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" + name: kubeflow-kubernetes-admin +rules: + - apiGroups: + - authorization.k8s.io + resources: + - localsubjectaccessreviews + verbs: + - create + - apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: {{- include "central-dashboard.labels" . 
| nindent 4 }} + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + name: kubeflow-kubernetes-edit +rules: + - apiGroups: + - "" + resources: + - pods/attach + - pods/exec + - pods/portforward + - pods/proxy + - secrets + - services/proxy + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - impersonate + - apiGroups: + - "" + resources: + - pods + - pods/attach + - pods/exec + - pods/portforward + - pods/proxy + verbs: + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "" + resources: + - configmaps + - endpoints + - persistentvolumeclaims + - replicationcontrollers + - replicationcontrollers/scale + - secrets + - serviceaccounts + - services + - services/proxy + verbs: + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - apps + resources: + - daemonsets + - deployments + - deployments/rollback + - deployments/scale + - replicasets + - replicasets/scale + - statefulsets + - statefulsets/scale + verbs: + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - batch + resources: + - cronjobs + - jobs + verbs: + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - extensions + resources: + - daemonsets + - deployments + - deployments/rollback + - deployments/scale + - ingresses + - networkpolicies + - replicasets + - replicasets/scale + - replicationcontrollers/scale + verbs: + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - networking.k8s.io + resources: + - ingresses + - networkpolicies + verbs: + - create + - delete + - deletecollection + - patch + - update +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: {{- include "central-dashboard.labels" . | nindent 4 }} + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" + name: kubeflow-kubernetes-view +rules: + - apiGroups: + - "" + resources: + - configmaps + - endpoints + - persistentvolumeclaims + - persistentvolumeclaims/status + - pods + - replicationcontrollers + - replicationcontrollers/scale + - serviceaccounts + - services + - services/status + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - bindings + - events + - limitranges + - namespaces/status + - pods/log + - pods/status + - replicationcontrollers/status + - resourcequotas + - resourcequotas/status + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - apps + resources: + - controllerrevisions + - daemonsets + - daemonsets/status + - deployments + - deployments/scale + - deployments/status + - replicasets + - replicasets/scale + - replicasets/status + - statefulsets + - statefulsets/scale + - statefulsets/status + verbs: + - get + - list + - watch + - apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + - horizontalpodautoscalers/status + verbs: + - get + - list + - watch + - apiGroups: + - batch + resources: + - cronjobs + - cronjobs/status + - jobs + - jobs/status + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - daemonsets + - daemonsets/status + - deployments + - deployments/scale + - deployments/status + - ingresses + - ingresses/status + - networkpolicies + - replicasets + - replicasets/scale + - replicasets/status + - replicationcontrollers/scale + verbs: + - get + - list + - watch + - apiGroups: + - policy + resources: + - poddisruptionbudgets + - poddisruptionbudgets/status + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingresses + - ingresses/status + - 
networkpolicies + verbs: + - get + - list + - watch +--- +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: {{- include "central-dashboard.labels" . | nindent 4 }} + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + name: kubeflow-view +rules: [] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole diff --git a/kubeflow/helm/central-dashboard/values.yaml b/kubeflow/helm/central-dashboard/values.yaml index fc97cc5c6..177839e00 100644 --- a/kubeflow/helm/central-dashboard/values.yaml +++ b/kubeflow/helm/central-dashboard/values.yaml @@ -33,10 +33,10 @@ kubeflowComponents: replicaCount: 1 image: - repository: public.ecr.aws/j1r0q0g6/notebooks/central-dashboard + repository: docker.io/kubeflownotebookswg/centraldashboard # TODO: switch to Angular version once it's decent pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: v1.4 + tag: v1.8.0-rc.0 imagePullSecrets: [] nameOverride: "" @@ -74,6 +74,9 @@ service: config: profileControllerService: kubeflow-profile-controller-kfam.kubeflow.svc.cluster.local kfamPort: 8082 + logoutURL: /logout + prometheusURL: "" # TODO: we need to add support for adding headers for compatibility with in-cluster Mimir. For Trace Shield we would need either basic auth or proper OAuth2 + metricsDashboard: "" # TODO: based on https://github.com/kubeflow/kubeflow/pull/7116 this allows you to add a link to a Grafana dashboard or something registrationFlow: enabled: true diff --git a/kubeflow/helm/central-dashboard/values.yaml.tpl b/kubeflow/helm/central-dashboard/values.yaml.tpl index 72a2d2f05..af0438295 100644 --- a/kubeflow/helm/central-dashboard/values.yaml.tpl +++ b/kubeflow/helm/central-dashboard/values.yaml.tpl 
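Review bot: `kubeflow-kubernetes-edit` grants `impersonate` on `serviceaccounts` together with read access to `secrets` and `pods/exec`, and nothing in the file says how the role is meant to be bound. It is a ClusterRole aggregated into `kubeflow-edit` and from there into `kubeflow-admin`, so a ClusterRoleBinding to any of the three would extend those verbs to service accounts and secrets in every namespace. I would add a comment above the `kubeflow-kubernetes-edit` rules such as `# Bind only through namespaced RoleBindings; a ClusterRoleBinding would allow impersonating service accounts and reading secrets cluster-wide`, and confirm that the `impersonate` rule is still needed. How the profile controller binds these roles is not visible in this hunk.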
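Review bot: The new `repository`/`tag` pair in values.yaml pulls `docker.io/kubeflownotebookswg/centraldashboard` by the mutable tag `v1.8.0-rc.0` with `pullPolicy: IfNotPresent`, so what runs depends on whatever the registry serves the first time a node pulls it. Pinning the reviewed image by digest removes that dependency, and it fits the `repository:tag` concatenation in deployment.yaml without a template change: `tag: v1.8.0-rc.0@sha256:<digest-of-reviewed-image>` (placeholder, to be filled from the verified image). The tag is also a release candidate, so a comment noting that it should be replaced by the final release would help the next maintainer.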
@@ -1,7 +1,14 @@ -{{ $hostname := .Values.hostname }} +{{- $hostname := .Values.hostname -}} +{{- $monitoringNamespace := namespace "monitoring" -}} + global: application: links: - description: kubeflow dashboard ui url: {{ $hostname }} domain: {{ $hostname }} + +{{- if chartInstalled "monitoring" "monitoring" }} +config: + prometheusURL: http://monitoring-prometheus.{{ $monitoringNamespace }}:9090 +{{- end }} diff --git a/kubeflow/helm/katib/templates/_helpers.tpl b/kubeflow/helm/katib/templates/_helpers.tpl index b11aabf68..7ea541b2b 100644 --- a/kubeflow/helm/katib/templates/_helpers.tpl +++ b/kubeflow/helm/katib/templates/_helpers.tpl @@ -37,6 +37,7 @@ Common labels helm.sh/chart: {{ include "katib.chart" . }} {{ include "katib.selectorLabels" . }} {{- if .Chart.AppVersion }} +version: {{ .Chart.AppVersion | quote }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} app.kubernetes.io/managed-by: {{ .Release.Service }} @@ -49,7 +50,6 @@ Selector labels app: {{ include "katib.name" . }} app.kubernetes.io/name: {{ include "katib.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} -version: {{ .Chart.AppVersion | quote }} {{- end }} {{/* @@ -59,7 +59,6 @@ Controller selector labels app: {{ include "katib.name" . }}-controller app.kubernetes.io/name: {{ include "katib.name" . }}-controller app.kubernetes.io/instance: {{ .Release.Name }} -version: {{ .Chart.AppVersion | quote }} {{- end }} {{/* @@ -69,7 +68,6 @@ DB Manager selector labels app: {{ include "katib.name" . }}-db-manager app.kubernetes.io/name: {{ include "katib.name" . }}-db-manager app.kubernetes.io/instance: {{ .Release.Name }} -version: {{ .Chart.AppVersion | quote }} {{- end }} {{/* diff --git a/kubeflow/helm/notebooks/templates/_helpers.tpl b/kubeflow/helm/notebooks/templates/_helpers.tpl index e3dbcb725..6163d6edf 100644 --- a/kubeflow/helm/notebooks/templates/_helpers.tpl +++ b/kubeflow/helm/notebooks/templates/_helpers.tpl 
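Review bot: The added `config.prometheusURL` in values.yaml.tpl is written unquoted and points the dashboard at the monitoring Prometheus over plain HTTP with no credentials. Quoting the templated scalar keeps the rendered values well-formed whatever `namespace "monitoring"` returns: `prometheusURL: "http://monitoring-prometheus.{{ $monitoringNamespace }}:9090"`. What the dashboard does with this endpoint is not visible in the hunk. If it relays query results to any signed-in user, metrics from all profiles would be readable across tenants, so the scope is worth confirming before this is switched on whenever the monitoring chart is installed.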
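Review bot: Removing `version` from the katib selector-label helpers changes the label set that these charts presumably render into `spec.selector.matchLabels`, which Kubernetes treats as immutable on Deployments and StatefulSets. If that is how the helpers are used, `helm upgrade` of an existing release will be rejected until the workloads are recreated. The same applies to the notebooks, profile-controller, serving, tensorboards and volumes `_helpers.tpl` hunks. I would extend each helper's comment, for example `{{/* Selector labels: immutable after install, never add version or other changing values */}}`, and document the recreate step for upgrades. The serving hunk drops `version` from its controller selector labels without a visible addition to its common labels, which is worth checking. Where the helpers are consumed lies outside these hunks.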
@@ -37,6 +37,7 @@ Common labels helm.sh/chart: {{ include "notebooks.chart" . }} {{ include "notebooks.selectorLabels" . }} {{- if .Chart.AppVersion }} +version: {{ .Chart.AppVersion | quote }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} app.kubernetes.io/managed-by: {{ .Release.Service }} @@ -49,7 +50,6 @@ Selector labels app: {{ include "notebooks.name" . }} app.kubernetes.io/name: {{ include "notebooks.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} -version: {{ .Chart.AppVersion | quote }} {{- end }} {{/* @@ -59,7 +59,6 @@ Controller selector labels app: {{ include "notebooks.name" . }}-controller app.kubernetes.io/name: {{ include "notebooks.name" . }}-controller app.kubernetes.io/instance: {{ .Release.Name }} -version: {{ .Chart.AppVersion | quote }} {{- end }} {{/* @@ -69,7 +68,6 @@ Pod Defaults selector labels app: {{ include "notebooks.name" . }}-pod-defaults app.kubernetes.io/name: {{ include "notebooks.name" . }}-pod-defaults app.kubernetes.io/instance: {{ .Release.Name }} -version: {{ .Chart.AppVersion | quote }} {{- end }} {{/* diff --git a/kubeflow/helm/profile-controller/templates/_helpers.tpl b/kubeflow/helm/profile-controller/templates/_helpers.tpl index 59f985a0a..238fbc23d 100644 --- a/kubeflow/helm/profile-controller/templates/_helpers.tpl +++ b/kubeflow/helm/profile-controller/templates/_helpers.tpl @@ -37,6 +37,7 @@ Common labels helm.sh/chart: {{ include "profile-controller.chart" . }} {{ include "profile-controller.selectorLabels" . }} {{- if .Chart.AppVersion }} +version: {{ .Chart.AppVersion | quote }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} app.kubernetes.io/managed-by: {{ .Release.Service }} @@ -49,7 +50,6 @@ Selector labels app: {{ include "profile-controller.name" . }} app.kubernetes.io/name: {{ include "profile-controller.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} -version: {{ .Chart.AppVersion | quote }} {{- end }} {{/* 
diff --git a/kubeflow/helm/serving/templates/_helpers.tpl b/kubeflow/helm/serving/templates/_helpers.tpl index 965803229..2ec794cd4 100644 --- a/kubeflow/helm/serving/templates/_helpers.tpl +++ b/kubeflow/helm/serving/templates/_helpers.tpl @@ -59,7 +59,6 @@ Controller selector labels app: {{ include "serving.name" . }}-controller app.kubernetes.io/name: {{ include "serving.name" . }}-controller app.kubernetes.io/instance: {{ .Release.Name }} -version: {{ .Chart.AppVersion | quote }} {{- end }} {{/* diff --git a/kubeflow/helm/tensorboards/templates/_helpers.tpl b/kubeflow/helm/tensorboards/templates/_helpers.tpl index e7b3491dd..997b43aeb 100644 --- a/kubeflow/helm/tensorboards/templates/_helpers.tpl +++ b/kubeflow/helm/tensorboards/templates/_helpers.tpl @@ -37,6 +37,7 @@ Common labels helm.sh/chart: {{ include "tensorboards.chart" . }} {{ include "tensorboards.selectorLabels" . }} {{- if .Chart.AppVersion }} +version: {{ .Chart.AppVersion | quote }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} app.kubernetes.io/managed-by: {{ .Release.Service }} @@ -49,7 +50,6 @@ Selector labels app: {{ include "tensorboards.name" . }} app.kubernetes.io/name: {{ include "tensorboards.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} -version: {{ .Chart.AppVersion | quote }} {{- end }} {{/* @@ -59,7 +59,6 @@ Controller selector labels app: {{ include "tensorboards.name" . }}-controller app.kubernetes.io/name: {{ include "tensorboards.name" . }}-controller app.kubernetes.io/instance: {{ .Release.Name }} -version: {{ .Chart.AppVersion | quote }} {{- end }} {{/* diff --git a/kubeflow/helm/volumes/templates/_helpers.tpl b/kubeflow/helm/volumes/templates/_helpers.tpl index 1971f39b9..ccf8531fd 100644 --- a/kubeflow/helm/volumes/templates/_helpers.tpl +++ b/kubeflow/helm/volumes/templates/_helpers.tpl 
@@ -37,6 +37,7 @@ Common labels helm.sh/chart: {{ include "volumes.chart" . }} {{ include "volumes.selectorLabels" . }} {{- if .Chart.AppVersion }} +version: {{ .Chart.AppVersion | quote }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} app.kubernetes.io/managed-by: {{ .Release.Service }} @@ -49,7 +50,6 @@ Selector labels app: {{ include "volumes.name" . }} app.kubernetes.io/name: {{ include "volumes.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} -version: {{ .Chart.AppVersion | quote }} {{- end }} {{/* @@ -59,7 +59,6 @@ Controller selector labels app: {{ include "volumes.name" . }}-controller app.kubernetes.io/name: {{ include "volumes.name" . }}-controller app.kubernetes.io/instance: {{ .Release.Name }} -version: {{ .Chart.AppVersion | quote }} {{- end }} {{/* From 9e7f32496fdd1027a1a8aab83380e62511b1083f Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Fri, 15 Sep 2023 13:44:15 +0200 Subject: [PATCH 09/32] upgrade notebooks + don't hardcode namespace in istio 
Signed-off-by: David van der Spek --- .../templates/virtualservice.yaml | 2 +- .../templates/controller/certificate.yaml | 6 +- .../templates/web-app/virtualservice.yaml | 2 +- .../helm/notebooks/crds/notebooks_crds.yaml | 12120 +--------------- .../helm/notebooks/crds/poddefaults_crd.yaml | 2176 +-- .../templates/controller/cluster-role.yaml | 50 + .../templates/controller/configmap.yaml | 9 +- ...rrole.yaml => kubeflow-cluster-roles.yaml} | 50 - .../templates/pod-defaults/certificate.yaml | 6 +- .../templates/pod-defaults/cluster-role.yaml | 18 + ...rrole.yaml => kubeflow-cluster-roles.yaml} | 19 - .../templates/web-app/cluster-role.yaml | 57 + .../templates/web-app/configmap.yaml | 1 + .../templates/web-app/destination-rule.yaml | 14 + ...rrole.yaml => kubeflow-cluster-roles.yaml} | 59 - .../notebooks/templates/web-app/role.yaml | 47 +- .../templates/web-app/virtualservice.yaml | 2 +- kubeflow/helm/notebooks/values.yaml | 12 +- .../templates/api-server/destinationrule.yaml | 2 +- .../metadata/grpc-server/destinationrule.yaml | 2 +- .../metadata/grpc-server/virtualservice.yaml | 2 +- .../visualization-server/destinationrule.yaml | 2 +- .../templates/web-app/configmap.yaml | 2 +- .../templates/web-app/destinationrule.yaml | 2 +- .../templates/web-app/virtualservice.yaml | 2 +- .../templates/virtualservice.yaml | 2 +- .../templates/web-app/virtualservice.yaml | 2 +- .../templates/web-app/virtualservice.yaml | 2 +- .../templates/web-app/virtualservice.yaml | 2 +- 29 files changed, 1436 insertions(+), 13236 deletions(-) create mode 100644 kubeflow/helm/notebooks/templates/controller/cluster-role.yaml rename kubeflow/helm/notebooks/templates/controller/{clusterrole.yaml => kubeflow-cluster-roles.yaml} (62%) create mode 100644 kubeflow/helm/notebooks/templates/pod-defaults/cluster-role.yaml rename kubeflow/helm/notebooks/templates/pod-defaults/{clusterrole.yaml => kubeflow-cluster-roles.yaml} (77%) create mode 100644 
kubeflow/helm/notebooks/templates/web-app/cluster-role.yaml create mode 100644 kubeflow/helm/notebooks/templates/web-app/destination-rule.yaml rename kubeflow/helm/notebooks/templates/web-app/{clusterrole.yaml => kubeflow-cluster-roles.yaml} (56%) diff --git a/kubeflow/helm/central-dashboard/templates/virtualservice.yaml b/kubeflow/helm/central-dashboard/templates/virtualservice.yaml index c935884ba..c8e809c9d 100644 --- a/kubeflow/helm/central-dashboard/templates/virtualservice.yaml +++ b/kubeflow/helm/central-dashboard/templates/virtualservice.yaml @@ -26,6 +26,6 @@ spec: uri: / route: - destination: - host: {{ include "central-dashboard.fullname" . }}.kubeflow.svc.{{ .Values.global.clusterDomain }} + host: {{ include "central-dashboard.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }} port: number: {{ .Values.service.port }} diff --git a/kubeflow/helm/katib/templates/controller/certificate.yaml b/kubeflow/helm/katib/templates/controller/certificate.yaml index d9c385d8a..74ae62787 100644 --- a/kubeflow/helm/katib/templates/controller/certificate.yaml +++ b/kubeflow/helm/katib/templates/controller/certificate.yaml @@ -4,10 +4,10 @@ metadata: labels: {{- include "katib.labels" . | nindent 4 }} name: {{ include "katib.fullname" . }}-controller-certs spec: - commonName: {{ include "katib.fullname" . }}-controller.kubeflow.svc + commonName: {{ include "katib.fullname" . }}-controller.{{ .Release.Namespace }}.svc dnsNames: - - {{ include "katib.fullname" . }}-controller.kubeflow.svc - - {{ include "katib.fullname" . }}-controller.kubeflow.svc.cluster.local + - {{ include "katib.fullname" . }}-controller.{{ .Release.Namespace }}.svc + - {{ include "katib.fullname" . }}-controller.{{ .Release.Namespace }}.svc.cluster.local isCA: true issuerRef: kind: ClusterIssuer diff --git a/kubeflow/helm/katib/templates/web-app/virtualservice.yaml b/kubeflow/helm/katib/templates/web-app/virtualservice.yaml index 58d0f3552..407fc90f0 100644 
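Review bot: The third `dnsNames` entry in katib's controller/certificate.yaml still hardcodes `cluster.local` although the namespace part now comes from the release, so on a cluster with a different DNS domain the certificate will not carry the fully qualified service name. The katib web-app VirtualService changed in this same commit already uses `.Values.global.clusterDomain`, so the entry could read `- {{ include "katib.fullname" . }}-controller.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}`. The Certificate spec continues past the hunk (`issuerRef` is cut off), so the issuer and the `isCA: true` context line were not reviewed here.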
--- a/kubeflow/helm/katib/templates/web-app/virtualservice.yaml +++ b/kubeflow/helm/katib/templates/web-app/virtualservice.yaml @@ -29,6 +29,6 @@ spec: uri: {{ .Values.webApp.virtualService.prefix }}/ route: - destination: - host: {{ include "katib.fullname" . }}-web-app.kubeflow.svc.{{ .Values.global.clusterDomain }} + host: {{ include "katib.fullname" . }}-web-app.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }} port: number: {{ .Values.webApp.service.port }} diff --git a/kubeflow/helm/notebooks/crds/notebooks_crds.yaml b/kubeflow/helm/notebooks/crds/notebooks_crds.yaml index 632c68dff..09f0309e4 100644 --- a/kubeflow/helm/notebooks/crds/notebooks_crds.yaml +++ b/kubeflow/helm/notebooks/crds/notebooks_crds.yaml 
@@ -17,97 +17,39 @@ spec: - name: v1 schema: openAPIV3Schema: - description: Notebook is the Schema for the notebooks API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: - description: NotebookSpec defines the desired state of Notebook properties: template: - description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster - Important: Run "make" to regenerate code after modifying this file' properties: spec: - description: PodSpec is a description of a pod. properties: activeDeadlineSeconds: - description: Optional duration in seconds the pod may be active - on the node relative to StartTime before the system will - actively try to mark it failed and kill associated containers. - Value must be a positive integer. format: int64 type: integer affinity: - description: If specified, the pod's scheduling constraints properties: nodeAffinity: - description: Describes node affinity scheduling rules - for the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule - pods to nodes that satisfy the affinity expressions - specified by this field, but it may choose a node - that violates one or more of the expressions. The - node that is most preferred is the one with the - greatest sum of weights, i.e. 
for each node that - meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, - etc.), compute a sum by iterating through the elements - of this field and adding "weight" to the sum if - the node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most preferred. items: - description: An empty preferred scheduling term - matches all objects with implicit weight 0 (i.e. - it's a no-op). A null preferred scheduling term - matches no objects (i.e. is also a no-op). properties: preference: - description: A node selector term, associated - with the corresponding weight. properties: matchExpressions: - description: A list of node selector requirements - by node's labels. items: - description: A node selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: The label key that the - selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. - If the operator is Gt or Lt, the - values array must have a single - element, which will be interpreted - as an integer. This array is replaced - during a strategic merge patch. items: type: string type: array 
@@ -117,35 +59,13 @@ spec: type: object type: array matchFields: - description: A list of node selector requirements - by node's fields. items: - description: A node selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: The label key that the - selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. - If the operator is Gt or Lt, the - values array must have a single - element, which will be interpreted - as an integer. This array is replaced - during a strategic merge patch. items: type: string type: array @@ -156,9 +76,6 @@ spec: type: array type: object weight: - description: Weight associated with matching - the corresponding nodeSelectorTerm, in the - range 1-100. format: int32 type: integer required: 
@@ -167,53 +84,18 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified - by this field are not met at scheduling time, the - pod will not be scheduled onto the node. If the - affinity requirements specified by this field cease - to be met at some point during pod execution (e.g. - due to an update), the system may or may not try - to eventually evict the pod from its node. properties: nodeSelectorTerms: - description: Required. A list of node selector - terms. The terms are ORed. items: - description: A null or empty node selector term - matches no objects. The requirements of them - are ANDed. The TopologySelectorTerm type implements - a subset of the NodeSelectorTerm. properties: matchExpressions: - description: A list of node selector requirements - by node's labels. items: - description: A node selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: The label key that the - selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. - If the operator is Gt or Lt, the - values array must have a single - element, which will be interpreted - as an integer. This array is replaced - during a strategic merge patch. items: type: string type: array 
@@ -223,35 +105,13 @@ spec: type: object type: array matchFields: - description: A list of node selector requirements - by node's fields. items: - description: A node selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: The label key that the - selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. - If the operator is Gt or Lt, the - values array must have a single - element, which will be interpreted - as an integer. This array is replaced - during a strategic merge patch. items: type: string type: array 
@@ -267,67 +127,22 @@ spec: type: object type: object podAffinity: - description: Describes pod affinity scheduling rules (e.g. - co-locate this pod in the same node, zone, etc. as some - other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule - pods to nodes that satisfy the affinity expressions - specified by this field, but it may choose a node - that violates one or more of the expressions. The - node that is most preferred is the one with the - greatest sum of weights, i.e. for each node that - meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, - etc.), compute a sum by iterating through the elements - of this field and adding "weight" to the sum if - the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum - are the most preferred. items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) properties: podAffinityTerm: - description: Required. A pod affinity term, - associated with the corresponding weight. properties: labelSelector: - description: A label query over a set of - resources, in this case pods. properties: matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: key is the label - key that the selector applies - to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. 
If the operator - is Exists or DoesNotExist, the - values array must be empty. - This array is replaced during - a strategic merge patch. items: type: string type: array @@ -339,59 +154,18 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of - {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are - ANDed. type: object type: object namespaceSelector: - description: A label query over the set - of namespaces that the term applies to. - The term is applied to the union of the - namespaces selected by this field and - the ones listed in the namespaces field. - null selector and null or empty namespaces - list means "this pod's namespace". An - empty selector ({}) matches all namespaces. - This field is beta-level and is only honored - when PodAffinityNamespaceSelector feature - is enabled. properties: matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: key is the label - key that the selector applies - to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. - This array is replaced during - a strategic merge patch. items: type: string type: array 
@@ -403,45 +177,18 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of - {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are - ANDed. type: object type: object namespaces: - description: namespaces specifies a static - list of namespace names that the term - applies to. The term is applied to the - union of the namespaces listed in this - field and the ones selected by namespaceSelector. - null or empty namespaces list and null - namespaceSelector means "this pod's namespace" items: type: string type: array topologyKey: - description: This pod should be co-located - (affinity) or not co-located (anti-affinity) - with the pods matching the labelSelector - in the specified namespaces, where co-located - is defined as running on a node whose - value of the label with key topologyKey - matches that of any node on which any - of the selected pods is running. Empty - topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching - the corresponding podAffinityTerm, in the - range 1-100. format: int32 type: integer required: 
@@ -450,59 +197,18 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified - by this field are not met at scheduling time, the - pod will not be scheduled onto the node. If the - affinity requirements specified by this field cease - to be met at some point during pod execution (e.g. - due to a pod label update), the system may or may - not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes - corresponding to each podAffinityTerm are intersected, - i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those - matching the labelSelector relative to the given - namespace(s)) that this pod should be co-located - (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node - whose value of the label with key - matches that of any node on which a pod of the - set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. properties: matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: key is the label key - that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. items: type: string type: array 
@@ -514,54 +220,18 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. type: object type: object namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. This - field is beta-level and is only honored when - PodAffinityNamespaceSelector feature is enabled. properties: matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: key is the label key - that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. items: type: string type: array 
@@ -573,34 +243,13 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. type: object type: object namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace" items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. - Empty topologyKey is not allowed. type: string required: - topologyKey 
@@ -608,67 +257,22 @@ spec: type: array type: object podAntiAffinity: - description: Describes pod anti-affinity scheduling rules - (e.g. avoid putting this pod in the same node, zone, - etc. as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule - pods to nodes that satisfy the anti-affinity expressions - specified by this field, but it may choose a node - that violates one or more of the expressions. The - node that is most preferred is the one with the - greatest sum of weights, i.e. for each node that - meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity - expressions, etc.), compute a sum by iterating through - the elements of this field and adding "weight" to - the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum - are the most preferred. items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) properties: podAffinityTerm: - description: Required. A pod affinity term, - associated with the corresponding weight. properties: labelSelector: - description: A label query over a set of - resources, in this case pods. properties: matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: key is the label - key that the selector applies - to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. 
If the operator - is Exists or DoesNotExist, the - values array must be empty. - This array is replaced during - a strategic merge patch. items: type: string type: array @@ -680,59 +284,18 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of - {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are - ANDed. type: object type: object namespaceSelector: - description: A label query over the set - of namespaces that the term applies to. - The term is applied to the union of the - namespaces selected by this field and - the ones listed in the namespaces field. - null selector and null or empty namespaces - list means "this pod's namespace". An - empty selector ({}) matches all namespaces. - This field is beta-level and is only honored - when PodAffinityNamespaceSelector feature - is enabled. properties: matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: key is the label - key that the selector applies - to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. - This array is replaced during - a strategic merge patch. items: type: string type: array 
@@ -744,45 +307,18 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of - {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are - ANDed. type: object type: object namespaces: - description: namespaces specifies a static - list of namespace names that the term - applies to. The term is applied to the - union of the namespaces listed in this - field and the ones selected by namespaceSelector. - null or empty namespaces list and null - namespaceSelector means "this pod's namespace" items: type: string type: array topologyKey: - description: This pod should be co-located - (affinity) or not co-located (anti-affinity) - with the pods matching the labelSelector - in the specified namespaces, where co-located - is defined as running on a node whose - value of the label with key topologyKey - matches that of any node on which any - of the selected pods is running. Empty - topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching - the corresponding podAffinityTerm, in the - range 1-100. format: int32 type: integer required: 
@@ -791,59 +327,18 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified - by this field are not met at scheduling time, the - pod will not be scheduled onto the node. If the - anti-affinity requirements specified by this field - cease to be met at some point during pod execution - (e.g. due to a pod label update), the system may - or may not try to eventually evict the pod from - its node. When there are multiple elements, the - lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those - matching the labelSelector relative to the given - namespace(s)) that this pod should be co-located - (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node - whose value of the label with key - matches that of any node on which a pod of the - set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. properties: matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: key is the label key - that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. items: type: string type: array 
@@ -855,54 +350,18 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. type: object type: object namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. This - field is beta-level and is only honored when - PodAffinityNamespaceSelector feature is enabled. properties: matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: key is the label key - that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. items: type: string type: array 
@@ -914,34 +373,13 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. type: object type: object namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace" items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. - Empty topologyKey is not allowed. type: string required: - topologyKey 
@@ -950,157 +388,69 @@ spec: type: object type: object automountServiceAccountToken: - description: AutomountServiceAccountToken indicates whether - a service account token should be automatically mounted. type: boolean containers: - description: List of containers belonging to the pod. Containers - cannot currently be added or removed. There must be at least - one container in a Pod. Cannot be updated. items: - description: A single application container that you want - to run within a pod. properties: args: - description: 'Arguments to the entrypoint. The docker - image''s CMD is used if this is not provided. Variable - references $(VAR_NAME) are expanded using the container''s - environment. If a variable cannot be resolved, the - reference in the input string will be unchanged. Double - $$ are reduced to a single $, which allows for escaping - the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce - the string literal "$(VAR_NAME)". Escaped references - will never be expanded, regardless of whether the - variable exists or not. Cannot be updated. More info: - https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array command: - description: 'Entrypoint array. Not executed within - a shell. The docker image''s ENTRYPOINT is used if - this is not provided. Variable references $(VAR_NAME) - are expanded using the container''s environment. If - a variable cannot be resolved, the reference in the - input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) - syntax: i.e. "$$(VAR_NAME)" will produce the string - literal "$(VAR_NAME)". Escaped references will never - be expanded, regardless of whether the variable exists - or not. Cannot be updated. 
More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array env: - description: List of environment variables to set in - the container. Cannot be updated. items: - description: EnvVar represents an environment variable - present in a Container. properties: name: - description: Name of the environment variable. - Must be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) - are expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Defaults - to "".' type: string valueFrom: - description: Source for the environment variable's - value. Cannot be used if value is not empty. properties: configMapKeyRef: - description: Selects a key of a ConfigMap. properties: key: - description: The key to select. type: string name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the ConfigMap - or its key must be defined type: boolean required: - key type: object fieldRef: - description: 'Selects a field of the pod: - supports metadata.name, metadata.namespace, - `metadata.labels['''']`, `metadata.annotations['''']`, - spec.nodeName, spec.serviceAccountName, - status.hostIP, status.podIP, status.podIPs.' properties: apiVersion: - description: Version of the schema the - FieldPath is written in terms of, defaults - to "v1". 
type: string fieldPath: - description: Path of the field to select - in the specified API version. type: string required: - fieldPath type: object resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, - requests.cpu, requests.memory and requests.ephemeral-storage) - are currently supported.' properties: containerName: - description: 'Container name: required - for volumes, optional for env vars' type: string divisor: anyOf: - type: integer - type: string - description: Specifies the output format - of the exposed resources, defaults to - "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: - description: 'Required: resource to select' type: string required: - resource type: object secretKeyRef: - description: Selects a key of a secret in - the pod's namespace properties: key: - description: The key of the secret to - select from. Must be a valid secret - key. type: string name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the Secret - or its key must be defined type: boolean required: - key 
@@ -1111,116 +461,51 @@ spec: type: object type: array envFrom: - description: List of sources to populate environment - variables in the container. The keys defined within - a source must be a C_IDENTIFIER. All invalid keys - will be reported as an event when the container is - starting. When a key exists in multiple sources, the - value associated with the last source will take precedence. - Values defined by an Env with a duplicate key will - take precedence. Cannot be updated. items: - description: EnvFromSource represents the source of - a set of ConfigMaps properties: configMapRef: - description: The ConfigMap to select from properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the ConfigMap - must be defined type: boolean type: object prefix: - description: An optional identifier to prepend - to each key in the ConfigMap. Must be a C_IDENTIFIER. type: string secretRef: - description: The Secret to select from properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the Secret must - be defined type: boolean type: object type: object type: array image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config - management to default or override container images - in workload controllers like Deployments and StatefulSets.' type: string imagePullPolicy: - description: 'Image pull policy. One of Always, Never, - IfNotPresent. Defaults to Always if :latest tag is - specified, or IfNotPresent otherwise. Cannot be updated. 
- More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' type: string lifecycle: - description: Actions that the management system should - take in response to container lifecycle events. Cannot - be updated. properties: postStart: - description: 'PostStart is called immediately after - a container is created. If the handler fails, - the container is terminated and restarted according - to its restart policy. Other management of the - container blocks until the hook completes. More - info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line - to execute inside the container, the working - directory for the command is root ('/') - in the container's filesystem. The command - is simply exec'd, it is not run inside - a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, - you need to explicitly call out to that - shell. Exit status of 0 is treated as - live/healthy and non-zero is unhealthy. items: type: string type: array type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set - "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -1228,103 +513,49 @@ spec: type: object type: array path: - description: Path to access on the HTTP - server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. type: string required: - port type: object tcpSocket: - description: Deprecated. TCPSocket is NOT supported - as a LifecycleHandler and kept for the backward - compatibility. There are no validation of - this field and lifecycle hooks will fail in - runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object type: object preStop: - description: 'PreStop is called immediately before - a container is terminated due to an API request - or management event such as liveness/startup probe - failure, preemption, resource contention, etc. - The handler is not called if the container crashes - or exits. The Pod''s termination grace period - countdown begins before the PreStop hook is executed. - Regardless of the outcome of the handler, the - container will eventually terminate within the - Pod''s termination grace period (unless delayed - by finalizers). Other management of the container - blocks until the hook completes or until the termination - grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: Exec specifies the action to take. 
properties: command: - description: Command is the command line - to execute inside the container, the working - directory for the command is root ('/') - in the container's filesystem. The command - is simply exec'd, it is not run inside - a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, - you need to explicitly call out to that - shell. Exit status of 0 is treated as - live/healthy and non-zero is unhealthy. items: type: string type: array type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set - "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -1332,44 +563,25 @@ spec: type: object type: array path: - description: Path to access on the HTTP - server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. type: string required: - port type: object tcpSocket: - description: Deprecated. TCPSocket is NOT supported - as a LifecycleHandler and kept for the backward - compatibility. There are no validation of - this field and lifecycle hooks will fail in - runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port 
@@ -1377,74 +589,37 @@ spec: type: object type: object livenessProbe: - description: 'Periodic probe of container liveness. - Container will be restarted if the probe fails. Cannot - be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the - probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving - a GRPC port. This is an alpha field and requires - enabling GRPCContainerProbe feature gate. properties: port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see - https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." type: string required: - port type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. 
items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -1452,133 +627,62 @@ spec: type: object type: array path: - description: Path to access on the HTTP server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the - probe. Default to 10 seconds. Minimum value is - 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the - probe to be considered successful after having - failed. Defaults to 1. Must be 1 for liveness - and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod - needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after - the processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer - than the expected cleanup time for your process. 
- If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value must - be non-negative integer. The value zero indicates - stop immediately via the kill signal (no opportunity - to shut down). This is a beta field and requires - enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the - probe times out. Defaults to 1 second. Minimum - value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object name: - description: Name of the container specified as a DNS_LABEL. - Each container in a pod must have a unique name (DNS_LABEL). - Cannot be updated. type: string ports: - description: List of ports to expose from the container. - Exposing a port here gives the system additional information - about the network connections a container uses, but - is primarily informational. Not specifying a port - here DOES NOT prevent that port from being exposed. - Any port which is listening on the default "0.0.0.0" - address inside a container will be accessible from - the network. Cannot be updated. items: - description: ContainerPort represents a network port - in a single container. properties: containerPort: - description: Number of port to expose on the pod's - IP address. This must be a valid port number, - 0 < x < 65536. format: int32 type: integer hostIP: - description: What host IP to bind the external - port to. type: string hostPort: - description: Number of port to expose on the host. - If specified, this must be a valid port number, - 0 < x < 65536. If HostNetwork is specified, - this must match ContainerPort. Most containers - do not need this. 
format: int32 type: integer name: - description: If specified, this must be an IANA_SVC_NAME - and unique within the pod. Each named port in - a pod must have a unique name. Name for the - port that can be referred to by services. type: string protocol: default: TCP - description: Protocol for port. Must be UDP, TCP, - or SCTP. Defaults to "TCP". type: string required: - containerPort 
@@ -1589,74 +693,37 @@ spec: - protocol x-kubernetes-list-type: map readinessProbe: - description: 'Periodic probe of container service readiness. - Container will be removed from service endpoints if - the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the - probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving - a GRPC port. This is an alpha field and requires - enabling GRPCContainerProbe feature gate. properties: port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see - https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." type: string required: - port type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. 
items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -1664,90 +731,46 @@ spec: type: object type: array path: - description: Path to access on the HTTP server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the - probe. Default to 10 seconds. Minimum value is - 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the - probe to be considered successful after having - failed. Defaults to 1. Must be 1 for liveness - and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod - needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after - the processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer - than the expected cleanup time for your process. 
- If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value must - be non-negative integer. The value zero indicates - stop immediately via the kill signal (no opportunity - to shut down). This is a beta field and requires - enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the - probe times out. Defaults to 1 second. Minimum - value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object resources: - description: 'Compute Resources required by this container. - Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' properties: limits: additionalProperties: @@ -1756,8 +779,6 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount - of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: 
@@ -1766,275 +787,101 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is - omitted for a container, it defaults to Limits - if that is explicitly specified, otherwise to - an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object securityContext: - description: 'SecurityContext defines the security options - the container should be run with. If set, the fields - of SecurityContext override the equivalent fields - of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' properties: allowPrivilegeEscalation: - description: 'AllowPrivilegeEscalation controls - whether a process can gain more privileges than - its parent process. This bool directly controls - if the no_new_privs flag will be set on the container - process. AllowPrivilegeEscalation is true always - when the container is: 1) run as Privileged 2) - has CAP_SYS_ADMIN Note that this field cannot - be set when spec.os.name is windows.' type: boolean capabilities: - description: The capabilities to add/drop when running - containers. Defaults to the default set of capabilities - granted by the container runtime. Note that this - field cannot be set when spec.os.name is windows. properties: add: - description: Added capabilities items: - description: Capability represent POSIX capabilities - type type: string type: array drop: - description: Removed capabilities items: - description: Capability represent POSIX capabilities - type type: string type: array type: object privileged: - description: Run container in privileged mode. Processes - in privileged containers are essentially equivalent - to root on the host. Defaults to false. 
Note that - this field cannot be set when spec.os.name is - windows. type: boolean procMount: - description: procMount denotes the type of proc - mount to use for the containers. The default is - DefaultProcMount which uses the container runtime - defaults for readonly paths and masked paths. - This requires the ProcMountType feature flag to - be enabled. Note that this field cannot be set - when spec.os.name is windows. type: string readOnlyRootFilesystem: - description: Whether this container has a read-only - root filesystem. Default is false. Note that this - field cannot be set when spec.os.name is windows. type: boolean runAsGroup: - description: The GID to run the entrypoint of the - container process. Uses runtime default if unset. - May also be set in PodSecurityContext. If set - in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name - is windows. format: int64 type: integer runAsNonRoot: - description: Indicates that the container must run - as a non-root user. If true, the Kubelet will - validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start - the container if it does. If unset or false, no - such validation will be performed. May also be - set in PodSecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in - SecurityContext takes precedence. type: boolean runAsUser: - description: The UID to run the entrypoint of the - container process. Defaults to user specified - in image metadata if unspecified. May also be - set in PodSecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in - SecurityContext takes precedence. Note that this - field cannot be set when spec.os.name is windows. format: int64 type: integer seLinuxOptions: - description: The SELinux context to be applied to - the container. 
If unspecified, the container runtime - will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name - is windows. properties: level: - description: Level is SELinux level label that - applies to the container. type: string role: - description: Role is a SELinux role label that - applies to the container. type: string type: - description: Type is a SELinux type label that - applies to the container. type: string user: - description: User is a SELinux user label that - applies to the container. type: string type: object seccompProfile: - description: The seccomp options to use by this - container. If seccomp options are provided at - both the pod & container level, the container - options override the pod options. Note that this - field cannot be set when spec.os.name is windows. properties: localhostProfile: - description: localhostProfile indicates a profile - defined in a file on the node should be used. - The profile must be preconfigured on the node - to work. Must be a descending path, relative - to the kubelet's configured seccomp profile - location. Must only be set if type is "Localhost". type: string type: - description: "type indicates which kind of seccomp - profile will be applied. Valid options are: - \n Localhost - a profile defined in a file - on the node should be used. RuntimeDefault - - the container runtime default profile should - be used. Unconfined - no profile should be - applied." type: string required: - type type: object windowsOptions: - description: The Windows specific settings applied - to all containers. If unspecified, the options - from the PodSecurityContext will be used. If set - in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. 
- Note that this field cannot be set when spec.os.name - is linux. properties: gmsaCredentialSpec: - description: GMSACredentialSpec is where the - GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) - inlines the contents of the GMSA credential - spec named by the GMSACredentialSpecName field. type: string gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name - of the GMSA credential spec to use. type: string hostProcess: - description: HostProcess determines if a container - should be run as a 'Host Process' container. - This field is alpha-level and will only be - honored by components that enable the WindowsHostProcessContainers - feature flag. Setting this field without the - feature flag will result in errors when validating - the Pod. All of a Pod's containers must have - the same effective HostProcess value (it is - not allowed to have a mix of HostProcess containers - and non-HostProcess containers). In addition, - if HostProcess is true then HostNetwork must - also be set to true. type: boolean runAsUserName: - description: The UserName in Windows to run - the entrypoint of the container process. Defaults - to the user specified in image metadata if - unspecified. May also be set in PodSecurityContext. - If set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. type: string type: object type: object startupProbe: - description: 'StartupProbe indicates that the Pod has - successfully initialized. If specified, no other probes - are executed until this completes successfully. If - this probe fails, the Pod will be restarted, just - as if the livenessProbe failed. This can be used to - provide different probe parameters at the beginning - of a Pod''s lifecycle, when it might take a long time - to load data or warm a cache, than during steady-state - operation. This cannot be updated. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the - probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving - a GRPC port. This is an alpha field and requires - enabling GRPCContainerProbe feature gate. properties: port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see - https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." type: string required: - port type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -2042,148 +889,61 @@ spec: type: object type: array path: - description: Path to access on the HTTP server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the - probe. Default to 10 seconds. Minimum value is - 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the - probe to be considered successful after having - failed. Defaults to 1. Must be 1 for liveness - and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod - needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after - the processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer - than the expected cleanup time for your process. 
- If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value must - be non-negative integer. The value zero indicates - stop immediately via the kill signal (no opportunity - to shut down). This is a beta field and requires - enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the - probe times out. Defaults to 1 second. Minimum - value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object stdin: - description: Whether this container should allocate - a buffer for stdin in the container runtime. If this - is not set, reads from stdin in the container will - always result in EOF. Default is false. type: boolean stdinOnce: - description: Whether the container runtime should close - the stdin channel after it has been opened by a single - attach. When stdin is true the stdin stream will remain - open across multiple attach sessions. If stdinOnce - is set to true, stdin is opened on container start, - is empty until the first client attaches to stdin, - and then remains open and accepts data until the client - disconnects, at which time stdin is closed and remains - closed until the container is restarted. If this flag - is false, a container processes that reads from stdin - will never receive an EOF. Default is false type: boolean terminationMessagePath: - description: 'Optional: Path at which the file to which - the container''s termination message will be written - is mounted into the container''s filesystem. Message - written is intended to be brief final status, such - as an assertion failure message. Will be truncated - by the node if greater than 4096 bytes. 
The total - message length across all containers will be limited - to 12kb. Defaults to /dev/termination-log. Cannot - be updated.' type: string terminationMessagePolicy: - description: Indicate how the termination message should - be populated. File will use the contents of terminationMessagePath - to populate the container status message on both success - and failure. FallbackToLogsOnError will use the last - chunk of container log output if the termination message - file is empty and the container exited with an error. - The log output is limited to 2048 bytes or 80 lines, - whichever is smaller. Defaults to File. Cannot be - updated. type: string tty: - description: Whether this container should allocate - a TTY for itself, also requires 'stdin' to be true. - Default is false. type: boolean volumeDevices: - description: volumeDevices is the list of block devices - to be used by the container. items: - description: volumeDevice describes a mapping of a - raw block device within a container. properties: devicePath: - description: devicePath is the path inside of - the container that the device will be mapped - to. type: string name: - description: name must match the name of a persistentVolumeClaim - in the pod type: string required: - devicePath 
@@ -2191,44 +951,19 @@ spec: type: object type: array volumeMounts: - description: Pod volumes to mount into the container's - filesystem. Cannot be updated. items: - description: VolumeMount describes a mounting of a - Volume within a container. properties: mountPath: - description: Path within the container at which - the volume should be mounted. Must not contain - ':'. type: string mountPropagation: - description: mountPropagation determines how mounts - are propagated from the host to container and - the other way around. When not set, MountPropagationNone - is used. This field is beta in 1.10. type: string name: - description: This must match the Name of a Volume. type: string readOnly: - description: Mounted read-only if true, read-write - otherwise (false or unspecified). Defaults to - false. type: boolean subPath: - description: Path within the volume from which - the container's volume should be mounted. Defaults - to "" (volume's root). type: string subPathExpr: - description: Expanded path within the volume from - which the container's volume should be mounted. - Behaves similarly to SubPath but environment - variable references $(VAR_NAME) are expanded - using the container's environment. Defaults - to "" (volume's root). SubPathExpr and SubPath - are mutually exclusive. type: string required: - mountPath 
@@ -2236,230 +971,97 @@ spec: type: object type: array workingDir: - description: Container's working directory. If not specified, - the container runtime's default will be used, which - might be configured in the container image. Cannot - be updated. type: string required: - name type: object type: array dnsConfig: - description: Specifies the DNS parameters of a pod. Parameters - specified here will be merged to the generated DNS configuration - based on DNSPolicy. properties: nameservers: - description: A list of DNS name server IP addresses. This - will be appended to the base nameservers generated from - DNSPolicy. Duplicated nameservers will be removed. items: type: string type: array options: - description: A list of DNS resolver options. This will - be merged with the base options generated from DNSPolicy. - Duplicated entries will be removed. Resolution options - given in Options will override those that appear in - the base DNSPolicy. items: - description: PodDNSConfigOption defines DNS resolver - options of a pod. properties: name: - description: Required. type: string value: type: string type: object type: array searches: - description: A list of DNS search domains for host-name - lookup. This will be appended to the base search paths - generated from DNSPolicy. Duplicated search paths will - be removed. items: type: string type: array type: object dnsPolicy: - description: Set DNS policy for the pod. Defaults to "ClusterFirst". - Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', - 'Default' or 'None'. DNS parameters given in DNSConfig will - be merged with the policy selected with DNSPolicy. To have - DNS options set along with hostNetwork, you have to specify - DNS policy explicitly to 'ClusterFirstWithHostNet'. type: string enableServiceLinks: - description: 'EnableServiceLinks indicates whether information - about services should be injected into pod''s environment - variables, matching the syntax of Docker links. 
Optional: - Defaults to true.' type: boolean ephemeralContainers: - description: List of ephemeral containers run in this pod. - Ephemeral containers may be run in an existing pod to perform - user-initiated actions such as debugging. This list cannot - be specified when creating a pod, and it cannot be modified - by updating the pod spec. In order to add an ephemeral container - to an existing pod, use the pod's ephemeralcontainers subresource. - This field is beta-level and available on clusters that - haven't disabled the EphemeralContainers feature gate. items: - description: "An EphemeralContainer is a temporary container - that you may add to an existing Pod for user-initiated - activities such as debugging. Ephemeral containers have - no resource or scheduling guarantees, and they will not - be restarted when they exit or when a Pod is removed or - restarted. The kubelet may evict a Pod if an ephemeral - container causes the Pod to exceed its resource allocation. - \n To add an ephemeral container, use the ephemeralcontainers - subresource of an existing Pod. Ephemeral containers may - not be removed or restarted. \n This is a beta feature - available on clusters that haven't disabled the EphemeralContainers - feature gate." properties: args: - description: 'Arguments to the entrypoint. The docker - image''s CMD is used if this is not provided. Variable - references $(VAR_NAME) are expanded using the container''s - environment. If a variable cannot be resolved, the - reference in the input string will be unchanged. Double - $$ are reduced to a single $, which allows for escaping - the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce - the string literal "$(VAR_NAME)". Escaped references - will never be expanded, regardless of whether the - variable exists or not. Cannot be updated. 
More info: - https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array command: - description: 'Entrypoint array. Not executed within - a shell. The docker image''s ENTRYPOINT is used if - this is not provided. Variable references $(VAR_NAME) - are expanded using the container''s environment. If - a variable cannot be resolved, the reference in the - input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) - syntax: i.e. "$$(VAR_NAME)" will produce the string - literal "$(VAR_NAME)". Escaped references will never - be expanded, regardless of whether the variable exists - or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array env: - description: List of environment variables to set in - the container. Cannot be updated. items: - description: EnvVar represents an environment variable - present in a Container. properties: name: - description: Name of the environment variable. - Must be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) - are expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Defaults - to "".' type: string valueFrom: - description: Source for the environment variable's - value. Cannot be used if value is not empty. properties: configMapKeyRef: - description: Selects a key of a ConfigMap. 
properties: key: - description: The key to select. type: string name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the ConfigMap - or its key must be defined type: boolean required: - key type: object fieldRef: - description: 'Selects a field of the pod: - supports metadata.name, metadata.namespace, - `metadata.labels['''']`, `metadata.annotations['''']`, - spec.nodeName, spec.serviceAccountName, - status.hostIP, status.podIP, status.podIPs.' properties: apiVersion: - description: Version of the schema the - FieldPath is written in terms of, defaults - to "v1". type: string fieldPath: - description: Path of the field to select - in the specified API version. type: string required: - fieldPath type: object resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, - requests.cpu, requests.memory and requests.ephemeral-storage) - are currently supported.' properties: containerName: - description: 'Container name: required - for volumes, optional for env vars' type: string divisor: anyOf: - type: integer - type: string - description: Specifies the output format - of the exposed resources, defaults to - "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: - description: 'Required: resource to select' type: string required: - resource type: object secretKeyRef: - description: Selects a key of a secret in - the pod's namespace properties: key: - description: The key of the secret to - select from. Must be a valid secret - key. type: string name: - description: 'Name of the referent. 
More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the Secret - or its key must be defined type: boolean required: - key 
@@ -2470,112 +1072,51 @@ spec: type: object type: array envFrom: - description: List of sources to populate environment - variables in the container. The keys defined within - a source must be a C_IDENTIFIER. All invalid keys - will be reported as an event when the container is - starting. When a key exists in multiple sources, the - value associated with the last source will take precedence. - Values defined by an Env with a duplicate key will - take precedence. Cannot be updated. items: - description: EnvFromSource represents the source of - a set of ConfigMaps properties: configMapRef: - description: The ConfigMap to select from properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the ConfigMap - must be defined type: boolean type: object prefix: - description: An optional identifier to prepend - to each key in the ConfigMap. Must be a C_IDENTIFIER. type: string secretRef: - description: The Secret to select from properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the Secret must - be defined type: boolean type: object type: object type: array image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images' type: string imagePullPolicy: - description: 'Image pull policy. One of Always, Never, - IfNotPresent. Defaults to Always if :latest tag is - specified, or IfNotPresent otherwise. Cannot be updated. - More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' type: string lifecycle: - description: Lifecycle is not allowed for ephemeral - containers. 
properties: postStart: - description: 'PostStart is called immediately after - a container is created. If the handler fails, - the container is terminated and restarted according - to its restart policy. Other management of the - container blocks until the hook completes. More - info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line - to execute inside the container, the working - directory for the command is root ('/') - in the container's filesystem. The command - is simply exec'd, it is not run inside - a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, - you need to explicitly call out to that - shell. Exit status of 0 is treated as - live/healthy and non-zero is unhealthy. items: type: string type: array type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set - "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -2583,103 +1124,49 @@ spec: type: object type: array path: - description: Path to access on the HTTP - server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. type: string required: - port type: object tcpSocket: - description: Deprecated. TCPSocket is NOT supported - as a LifecycleHandler and kept for the backward - compatibility. There are no validation of - this field and lifecycle hooks will fail in - runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object type: object preStop: - description: 'PreStop is called immediately before - a container is terminated due to an API request - or management event such as liveness/startup probe - failure, preemption, resource contention, etc. - The handler is not called if the container crashes - or exits. The Pod''s termination grace period - countdown begins before the PreStop hook is executed. - Regardless of the outcome of the handler, the - container will eventually terminate within the - Pod''s termination grace period (unless delayed - by finalizers). Other management of the container - blocks until the hook completes or until the termination - grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: Exec specifies the action to take. 
properties: command: - description: Command is the command line - to execute inside the container, the working - directory for the command is root ('/') - in the container's filesystem. The command - is simply exec'd, it is not run inside - a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, - you need to explicitly call out to that - shell. Exit status of 0 is treated as - live/healthy and non-zero is unhealthy. items: type: string type: array type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set - "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -2687,44 +1174,25 @@ spec: type: object type: array path: - description: Path to access on the HTTP - server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. type: string required: - port type: object tcpSocket: - description: Deprecated. TCPSocket is NOT supported - as a LifecycleHandler and kept for the backward - compatibility. There are no validation of - this field and lifecycle hooks will fail in - runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port 
@@ -2732,72 +1200,37 @@ spec: type: object type: object livenessProbe: - description: Probes are not allowed for ephemeral containers. properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the - probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving - a GRPC port. This is an alpha field and requires - enabling GRPCContainerProbe feature gate. properties: port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see - https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." type: string required: - port type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. 
items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -2805,126 +1238,62 @@ spec: type: object type: array path: - description: Path to access on the HTTP server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the - probe. Default to 10 seconds. Minimum value is - 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the - probe to be considered successful after having - failed. Defaults to 1. Must be 1 for liveness - and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod - needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after - the processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer - than the expected cleanup time for your process. 
- If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value must - be non-negative integer. The value zero indicates - stop immediately via the kill signal (no opportunity - to shut down). This is a beta field and requires - enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the - probe times out. Defaults to 1 second. Minimum - value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object name: - description: Name of the ephemeral container specified - as a DNS_LABEL. This name must be unique among all - containers, init containers and ephemeral containers. type: string ports: - description: Ports are not allowed for ephemeral containers. items: - description: ContainerPort represents a network port - in a single container. properties: containerPort: - description: Number of port to expose on the pod's - IP address. This must be a valid port number, - 0 < x < 65536. format: int32 type: integer hostIP: - description: What host IP to bind the external - port to. type: string hostPort: - description: Number of port to expose on the host. - If specified, this must be a valid port number, - 0 < x < 65536. If HostNetwork is specified, - this must match ContainerPort. Most containers - do not need this. format: int32 type: integer name: - description: If specified, this must be an IANA_SVC_NAME - and unique within the pod. Each named port in - a pod must have a unique name. Name for the - port that can be referred to by services. type: string protocol: default: TCP - description: Protocol for port. Must be UDP, TCP, - or SCTP. Defaults to "TCP". type: string required: - containerPort 
@@ -2935,72 +1304,37 @@ spec: - protocol x-kubernetes-list-type: map readinessProbe: - description: Probes are not allowed for ephemeral containers. properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the - probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving - a GRPC port. This is an alpha field and requires - enabling GRPCContainerProbe feature gate. properties: port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see - https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." type: string required: - port type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. 
items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -3008,91 +1342,46 @@ spec: type: object type: array path: - description: Path to access on the HTTP server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the - probe. Default to 10 seconds. Minimum value is - 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the - probe to be considered successful after having - failed. Defaults to 1. Must be 1 for liveness - and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod - needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after - the processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer - than the expected cleanup time for your process. 
- If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value must - be non-negative integer. The value zero indicates - stop immediately via the kill signal (no opportunity - to shut down). This is a beta field and requires - enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the - probe times out. Defaults to 1 second. Minimum - value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object resources: - description: Resources are not allowed for ephemeral - containers. Ephemeral containers use spare resources - already allocated to the pod. properties: limits: additionalProperties: @@ -3101,8 +1390,6 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount - of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: 
@@ -3111,267 +1398,101 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is - omitted for a container, it defaults to Limits - if that is explicitly specified, otherwise to - an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object securityContext: - description: 'Optional: SecurityContext defines the - security options the ephemeral container should be - run with. If set, the fields of SecurityContext override - the equivalent fields of PodSecurityContext.' properties: allowPrivilegeEscalation: - description: 'AllowPrivilegeEscalation controls - whether a process can gain more privileges than - its parent process. This bool directly controls - if the no_new_privs flag will be set on the container - process. AllowPrivilegeEscalation is true always - when the container is: 1) run as Privileged 2) - has CAP_SYS_ADMIN Note that this field cannot - be set when spec.os.name is windows.' type: boolean capabilities: - description: The capabilities to add/drop when running - containers. Defaults to the default set of capabilities - granted by the container runtime. Note that this - field cannot be set when spec.os.name is windows. properties: add: - description: Added capabilities items: - description: Capability represent POSIX capabilities - type type: string type: array drop: - description: Removed capabilities items: - description: Capability represent POSIX capabilities - type type: string type: array type: object privileged: - description: Run container in privileged mode. Processes - in privileged containers are essentially equivalent - to root on the host. Defaults to false. Note that - this field cannot be set when spec.os.name is - windows. 
type: boolean procMount: - description: procMount denotes the type of proc - mount to use for the containers. The default is - DefaultProcMount which uses the container runtime - defaults for readonly paths and masked paths. - This requires the ProcMountType feature flag to - be enabled. Note that this field cannot be set - when spec.os.name is windows. type: string readOnlyRootFilesystem: - description: Whether this container has a read-only - root filesystem. Default is false. Note that this - field cannot be set when spec.os.name is windows. type: boolean runAsGroup: - description: The GID to run the entrypoint of the - container process. Uses runtime default if unset. - May also be set in PodSecurityContext. If set - in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name - is windows. format: int64 type: integer runAsNonRoot: - description: Indicates that the container must run - as a non-root user. If true, the Kubelet will - validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start - the container if it does. If unset or false, no - such validation will be performed. May also be - set in PodSecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in - SecurityContext takes precedence. type: boolean runAsUser: - description: The UID to run the entrypoint of the - container process. Defaults to user specified - in image metadata if unspecified. May also be - set in PodSecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in - SecurityContext takes precedence. Note that this - field cannot be set when spec.os.name is windows. format: int64 type: integer seLinuxOptions: - description: The SELinux context to be applied to - the container. If unspecified, the container runtime - will allocate a random SELinux context for each - container. 
May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name - is windows. properties: level: - description: Level is SELinux level label that - applies to the container. type: string role: - description: Role is a SELinux role label that - applies to the container. type: string type: - description: Type is a SELinux type label that - applies to the container. type: string user: - description: User is a SELinux user label that - applies to the container. type: string type: object seccompProfile: - description: The seccomp options to use by this - container. If seccomp options are provided at - both the pod & container level, the container - options override the pod options. Note that this - field cannot be set when spec.os.name is windows. properties: localhostProfile: - description: localhostProfile indicates a profile - defined in a file on the node should be used. - The profile must be preconfigured on the node - to work. Must be a descending path, relative - to the kubelet's configured seccomp profile - location. Must only be set if type is "Localhost". type: string type: - description: "type indicates which kind of seccomp - profile will be applied. Valid options are: - \n Localhost - a profile defined in a file - on the node should be used. RuntimeDefault - - the container runtime default profile should - be used. Unconfined - no profile should be - applied." type: string required: - type type: object windowsOptions: - description: The Windows specific settings applied - to all containers. If unspecified, the options - from the PodSecurityContext will be used. If set - in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name - is linux. 
properties: gmsaCredentialSpec: - description: GMSACredentialSpec is where the - GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) - inlines the contents of the GMSA credential - spec named by the GMSACredentialSpecName field. type: string gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name - of the GMSA credential spec to use. type: string hostProcess: - description: HostProcess determines if a container - should be run as a 'Host Process' container. - This field is alpha-level and will only be - honored by components that enable the WindowsHostProcessContainers - feature flag. Setting this field without the - feature flag will result in errors when validating - the Pod. All of a Pod's containers must have - the same effective HostProcess value (it is - not allowed to have a mix of HostProcess containers - and non-HostProcess containers). In addition, - if HostProcess is true then HostNetwork must - also be set to true. type: boolean runAsUserName: - description: The UserName in Windows to run - the entrypoint of the container process. Defaults - to the user specified in image metadata if - unspecified. May also be set in PodSecurityContext. - If set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. type: string type: object type: object startupProbe: - description: Probes are not allowed for ephemeral containers. properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. 
items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the - probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving - a GRPC port. This is an alpha field and requires - enabling GRPCContainerProbe feature gate. properties: port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see - https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." type: string required: - port type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -3379,159 +1500,63 @@ spec: type: object type: array path: - description: Path to access on the HTTP server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the - probe. Default to 10 seconds. Minimum value is - 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the - probe to be considered successful after having - failed. Defaults to 1. Must be 1 for liveness - and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod - needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after - the processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer - than the expected cleanup time for your process. 
- If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value must - be non-negative integer. The value zero indicates - stop immediately via the kill signal (no opportunity - to shut down). This is a beta field and requires - enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the - probe times out. Defaults to 1 second. Minimum - value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object stdin: - description: Whether this container should allocate - a buffer for stdin in the container runtime. If this - is not set, reads from stdin in the container will - always result in EOF. Default is false. type: boolean stdinOnce: - description: Whether the container runtime should close - the stdin channel after it has been opened by a single - attach. When stdin is true the stdin stream will remain - open across multiple attach sessions. If stdinOnce - is set to true, stdin is opened on container start, - is empty until the first client attaches to stdin, - and then remains open and accepts data until the client - disconnects, at which time stdin is closed and remains - closed until the container is restarted. If this flag - is false, a container processes that reads from stdin - will never receive an EOF. Default is false type: boolean targetContainerName: - description: "If set, the name of the container from - PodSpec that this ephemeral container targets. The - ephemeral container will be run in the namespaces - (IPC, PID, etc) of this container. If not set then - the ephemeral container uses the namespaces configured - in the Pod spec. \n The container runtime must implement - support for this feature. 
If the runtime does not - support namespace targeting then the result of setting - this field is undefined." type: string terminationMessagePath: - description: 'Optional: Path at which the file to which - the container''s termination message will be written - is mounted into the container''s filesystem. Message - written is intended to be brief final status, such - as an assertion failure message. Will be truncated - by the node if greater than 4096 bytes. The total - message length across all containers will be limited - to 12kb. Defaults to /dev/termination-log. Cannot - be updated.' type: string terminationMessagePolicy: - description: Indicate how the termination message should - be populated. File will use the contents of terminationMessagePath - to populate the container status message on both success - and failure. FallbackToLogsOnError will use the last - chunk of container log output if the termination message - file is empty and the container exited with an error. - The log output is limited to 2048 bytes or 80 lines, - whichever is smaller. Defaults to File. Cannot be - updated. type: string tty: - description: Whether this container should allocate - a TTY for itself, also requires 'stdin' to be true. - Default is false. type: boolean volumeDevices: - description: volumeDevices is the list of block devices - to be used by the container. items: - description: volumeDevice describes a mapping of a - raw block device within a container. properties: devicePath: - description: devicePath is the path inside of - the container that the device will be mapped - to. type: string name: - description: name must match the name of a persistentVolumeClaim - in the pod type: string required: - devicePath 
@@ -3539,45 +1564,19 @@ spec: type: object type: array volumeMounts: - description: Pod volumes to mount into the container's - filesystem. Subpath mounts are not allowed for ephemeral - containers. Cannot be updated. items: - description: VolumeMount describes a mounting of a - Volume within a container. properties: mountPath: - description: Path within the container at which - the volume should be mounted. Must not contain - ':'. type: string mountPropagation: - description: mountPropagation determines how mounts - are propagated from the host to container and - the other way around. When not set, MountPropagationNone - is used. This field is beta in 1.10. type: string name: - description: This must match the Name of a Volume. type: string readOnly: - description: Mounted read-only if true, read-write - otherwise (false or unspecified). Defaults to - false. type: boolean subPath: - description: Path within the volume from which - the container's volume should be mounted. Defaults - to "" (volume's root). type: string subPathExpr: - description: Expanded path within the volume from - which the container's volume should be mounted. - Behaves similarly to SubPath but environment - variable references $(VAR_NAME) are expanded - using the container's environment. Defaults - to "" (volume's root). SubPathExpr and SubPath - are mutually exclusive. type: string required: - mountPath 
@@ -3585,228 +1584,99 @@ spec: type: object type: array workingDir: - description: Container's working directory. If not specified, - the container runtime's default will be used, which - might be configured in the container image. Cannot - be updated. type: string required: - name type: object type: array hostAliases: - description: HostAliases is an optional list of hosts and - IPs that will be injected into the pod's hosts file if specified. - This is only valid for non-hostNetwork pods. items: - description: HostAlias holds the mapping between IP and - hostnames that will be injected as an entry in the pod's - hosts file. properties: hostnames: - description: Hostnames for the above IP address. items: type: string type: array ip: - description: IP address of the host file entry. type: string type: object type: array hostIPC: - description: 'Use the host''s ipc namespace. Optional: Default - to false.' type: boolean hostNetwork: - description: Host networking requested for this pod. Use the - host's network namespace. If this option is set, the ports - that will be used must be specified. Default to false. type: boolean hostPID: - description: 'Use the host''s pid namespace. Optional: Default - to false.' type: boolean hostname: - description: Specifies the hostname of the Pod If not specified, - the pod's hostname will be set to a system-defined value. type: string imagePullSecrets: - description: 'ImagePullSecrets is an optional list of references - to secrets in the same namespace to use for pulling any - of the images used by this PodSpec. If specified, these - secrets will be passed to individual puller implementations - for them to use. For example, in the case of docker, only - DockerConfig type secrets are honored. 
More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' items: - description: LocalObjectReference contains enough information - to let you locate the referenced object inside the same - namespace. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object type: array initContainers: - description: 'List of initialization containers belonging - to the pod. Init containers are executed in order prior - to containers being started. If any init container fails, - the pod is considered to have failed and is handled according - to its restartPolicy. The name for an init container or - normal container must be unique among all containers. Init - containers may not have Lifecycle actions, Readiness probes, - Liveness probes, or Startup probes. The resourceRequirements - of an init container are taken into account during scheduling - by finding the highest request/limit for each resource type, - and then using the max of of that value or the sum of the - normal containers. Limits are applied to init containers - in a similar fashion. Init containers cannot currently be - added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/' items: - description: A single application container that you want - to run within a pod. properties: args: - description: 'Arguments to the entrypoint. The docker - image''s CMD is used if this is not provided. Variable - references $(VAR_NAME) are expanded using the container''s - environment. If a variable cannot be resolved, the - reference in the input string will be unchanged. Double - $$ are reduced to a single $, which allows for escaping - the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce - the string literal "$(VAR_NAME)". 
Escaped references - will never be expanded, regardless of whether the - variable exists or not. Cannot be updated. More info: - https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array command: - description: 'Entrypoint array. Not executed within - a shell. The docker image''s ENTRYPOINT is used if - this is not provided. Variable references $(VAR_NAME) - are expanded using the container''s environment. If - a variable cannot be resolved, the reference in the - input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) - syntax: i.e. "$$(VAR_NAME)" will produce the string - literal "$(VAR_NAME)". Escaped references will never - be expanded, regardless of whether the variable exists - or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array env: - description: List of environment variables to set in - the container. Cannot be updated. items: - description: EnvVar represents an environment variable - present in a Container. properties: name: - description: Name of the environment variable. - Must be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) - are expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Defaults - to "".' type: string valueFrom: - description: Source for the environment variable's - value. Cannot be used if value is not empty. 
properties: configMapKeyRef: - description: Selects a key of a ConfigMap. properties: key: - description: The key to select. type: string name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the ConfigMap - or its key must be defined type: boolean required: - key type: object fieldRef: - description: 'Selects a field of the pod: - supports metadata.name, metadata.namespace, - `metadata.labels['''']`, `metadata.annotations['''']`, - spec.nodeName, spec.serviceAccountName, - status.hostIP, status.podIP, status.podIPs.' properties: apiVersion: - description: Version of the schema the - FieldPath is written in terms of, defaults - to "v1". type: string fieldPath: - description: Path of the field to select - in the specified API version. type: string required: - fieldPath type: object resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, - requests.cpu, requests.memory and requests.ephemeral-storage) - are currently supported.' properties: containerName: - description: 'Container name: required - for volumes, optional for env vars' type: string divisor: anyOf: - type: integer - type: string - description: Specifies the output format - of the exposed resources, defaults to - "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: - description: 'Required: resource to select' type: string required: - resource type: object secretKeyRef: - description: Selects a key of a secret in - the pod's namespace properties: key: - description: The key of the secret to - select from. Must be a valid secret - key. type: string name: - description: 'Name of the referent. 
More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the Secret - or its key must be defined type: boolean required: - key 
@@ -3817,116 +1687,51 @@ spec: type: object type: array envFrom: - description: List of sources to populate environment - variables in the container. The keys defined within - a source must be a C_IDENTIFIER. All invalid keys - will be reported as an event when the container is - starting. When a key exists in multiple sources, the - value associated with the last source will take precedence. - Values defined by an Env with a duplicate key will - take precedence. Cannot be updated. items: - description: EnvFromSource represents the source of - a set of ConfigMaps properties: configMapRef: - description: The ConfigMap to select from properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the ConfigMap - must be defined type: boolean type: object prefix: - description: An optional identifier to prepend - to each key in the ConfigMap. Must be a C_IDENTIFIER. type: string secretRef: - description: The Secret to select from properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the Secret must - be defined type: boolean type: object type: object type: array image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config - management to default or override container images - in workload controllers like Deployments and StatefulSets.' type: string imagePullPolicy: - description: 'Image pull policy. One of Always, Never, - IfNotPresent. Defaults to Always if :latest tag is - specified, or IfNotPresent otherwise. Cannot be updated. 
- More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' type: string lifecycle: - description: Actions that the management system should - take in response to container lifecycle events. Cannot - be updated. properties: postStart: - description: 'PostStart is called immediately after - a container is created. If the handler fails, - the container is terminated and restarted according - to its restart policy. Other management of the - container blocks until the hook completes. More - info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line - to execute inside the container, the working - directory for the command is root ('/') - in the container's filesystem. The command - is simply exec'd, it is not run inside - a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, - you need to explicitly call out to that - shell. Exit status of 0 is treated as - live/healthy and non-zero is unhealthy. items: type: string type: array type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set - "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -3934,103 +1739,49 @@ spec: type: object type: array path: - description: Path to access on the HTTP - server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. type: string required: - port type: object tcpSocket: - description: Deprecated. TCPSocket is NOT supported - as a LifecycleHandler and kept for the backward - compatibility. There are no validation of - this field and lifecycle hooks will fail in - runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object type: object preStop: - description: 'PreStop is called immediately before - a container is terminated due to an API request - or management event such as liveness/startup probe - failure, preemption, resource contention, etc. - The handler is not called if the container crashes - or exits. The Pod''s termination grace period - countdown begins before the PreStop hook is executed. - Regardless of the outcome of the handler, the - container will eventually terminate within the - Pod''s termination grace period (unless delayed - by finalizers). Other management of the container - blocks until the hook completes or until the termination - grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: Exec specifies the action to take. 
properties: command: - description: Command is the command line - to execute inside the container, the working - directory for the command is root ('/') - in the container's filesystem. The command - is simply exec'd, it is not run inside - a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, - you need to explicitly call out to that - shell. Exit status of 0 is treated as - live/healthy and non-zero is unhealthy. items: type: string type: array type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set - "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -4038,44 +1789,25 @@ spec: type: object type: array path: - description: Path to access on the HTTP - server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. type: string required: - port type: object tcpSocket: - description: Deprecated. TCPSocket is NOT supported - as a LifecycleHandler and kept for the backward - compatibility. There are no validation of - this field and lifecycle hooks will fail in - runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port 
@@ -4083,74 +1815,37 @@ spec: type: object type: object livenessProbe: - description: 'Periodic probe of container liveness. - Container will be restarted if the probe fails. Cannot - be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the - probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving - a GRPC port. This is an alpha field and requires - enabling GRPCContainerProbe feature gate. properties: port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see - https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." type: string required: - port type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. 
items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -4158,133 +1853,62 @@ spec: type: object type: array path: - description: Path to access on the HTTP server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the - probe. Default to 10 seconds. Minimum value is - 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the - probe to be considered successful after having - failed. Defaults to 1. Must be 1 for liveness - and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod - needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after - the processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer - than the expected cleanup time for your process. 
- If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value must - be non-negative integer. The value zero indicates - stop immediately via the kill signal (no opportunity - to shut down). This is a beta field and requires - enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the - probe times out. Defaults to 1 second. Minimum - value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object name: - description: Name of the container specified as a DNS_LABEL. - Each container in a pod must have a unique name (DNS_LABEL). - Cannot be updated. type: string ports: - description: List of ports to expose from the container. - Exposing a port here gives the system additional information - about the network connections a container uses, but - is primarily informational. Not specifying a port - here DOES NOT prevent that port from being exposed. - Any port which is listening on the default "0.0.0.0" - address inside a container will be accessible from - the network. Cannot be updated. items: - description: ContainerPort represents a network port - in a single container. properties: containerPort: - description: Number of port to expose on the pod's - IP address. This must be a valid port number, - 0 < x < 65536. format: int32 type: integer hostIP: - description: What host IP to bind the external - port to. type: string hostPort: - description: Number of port to expose on the host. - If specified, this must be a valid port number, - 0 < x < 65536. If HostNetwork is specified, - this must match ContainerPort. Most containers - do not need this. 
format: int32 type: integer name: - description: If specified, this must be an IANA_SVC_NAME - and unique within the pod. Each named port in - a pod must have a unique name. Name for the - port that can be referred to by services. type: string protocol: default: TCP - description: Protocol for port. Must be UDP, TCP, - or SCTP. Defaults to "TCP". type: string required: - containerPort 
@@ -4295,74 +1919,37 @@ spec: - protocol x-kubernetes-list-type: map readinessProbe: - description: 'Periodic probe of container service readiness. - Container will be removed from service endpoints if - the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the - probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving - a GRPC port. This is an alpha field and requires - enabling GRPCContainerProbe feature gate. properties: port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see - https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." type: string required: - port type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. 
items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -4370,90 +1957,46 @@ spec: type: object type: array path: - description: Path to access on the HTTP server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the - probe. Default to 10 seconds. Minimum value is - 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the - probe to be considered successful after having - failed. Defaults to 1. Must be 1 for liveness - and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod - needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after - the processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer - than the expected cleanup time for your process. 
- If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value must - be non-negative integer. The value zero indicates - stop immediately via the kill signal (no opportunity - to shut down). This is a beta field and requires - enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the - probe times out. Defaults to 1 second. Minimum - value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object resources: - description: 'Compute Resources required by this container. - Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' properties: limits: additionalProperties: @@ -4462,8 +2005,6 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount - of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: 
@@ -4472,275 +2013,101 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is - omitted for a container, it defaults to Limits - if that is explicitly specified, otherwise to - an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object securityContext: - description: 'SecurityContext defines the security options - the container should be run with. If set, the fields - of SecurityContext override the equivalent fields - of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' properties: allowPrivilegeEscalation: - description: 'AllowPrivilegeEscalation controls - whether a process can gain more privileges than - its parent process. This bool directly controls - if the no_new_privs flag will be set on the container - process. AllowPrivilegeEscalation is true always - when the container is: 1) run as Privileged 2) - has CAP_SYS_ADMIN Note that this field cannot - be set when spec.os.name is windows.' type: boolean capabilities: - description: The capabilities to add/drop when running - containers. Defaults to the default set of capabilities - granted by the container runtime. Note that this - field cannot be set when spec.os.name is windows. properties: add: - description: Added capabilities items: - description: Capability represent POSIX capabilities - type type: string type: array drop: - description: Removed capabilities items: - description: Capability represent POSIX capabilities - type type: string type: array type: object privileged: - description: Run container in privileged mode. Processes - in privileged containers are essentially equivalent - to root on the host. Defaults to false. 
Note that - this field cannot be set when spec.os.name is - windows. type: boolean procMount: - description: procMount denotes the type of proc - mount to use for the containers. The default is - DefaultProcMount which uses the container runtime - defaults for readonly paths and masked paths. - This requires the ProcMountType feature flag to - be enabled. Note that this field cannot be set - when spec.os.name is windows. type: string readOnlyRootFilesystem: - description: Whether this container has a read-only - root filesystem. Default is false. Note that this - field cannot be set when spec.os.name is windows. type: boolean runAsGroup: - description: The GID to run the entrypoint of the - container process. Uses runtime default if unset. - May also be set in PodSecurityContext. If set - in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name - is windows. format: int64 type: integer runAsNonRoot: - description: Indicates that the container must run - as a non-root user. If true, the Kubelet will - validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start - the container if it does. If unset or false, no - such validation will be performed. May also be - set in PodSecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in - SecurityContext takes precedence. type: boolean runAsUser: - description: The UID to run the entrypoint of the - container process. Defaults to user specified - in image metadata if unspecified. May also be - set in PodSecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in - SecurityContext takes precedence. Note that this - field cannot be set when spec.os.name is windows. format: int64 type: integer seLinuxOptions: - description: The SELinux context to be applied to - the container. 
If unspecified, the container runtime - will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name - is windows. properties: level: - description: Level is SELinux level label that - applies to the container. type: string role: - description: Role is a SELinux role label that - applies to the container. type: string type: - description: Type is a SELinux type label that - applies to the container. type: string user: - description: User is a SELinux user label that - applies to the container. type: string type: object seccompProfile: - description: The seccomp options to use by this - container. If seccomp options are provided at - both the pod & container level, the container - options override the pod options. Note that this - field cannot be set when spec.os.name is windows. properties: localhostProfile: - description: localhostProfile indicates a profile - defined in a file on the node should be used. - The profile must be preconfigured on the node - to work. Must be a descending path, relative - to the kubelet's configured seccomp profile - location. Must only be set if type is "Localhost". type: string type: - description: "type indicates which kind of seccomp - profile will be applied. Valid options are: - \n Localhost - a profile defined in a file - on the node should be used. RuntimeDefault - - the container runtime default profile should - be used. Unconfined - no profile should be - applied." type: string required: - type type: object windowsOptions: - description: The Windows specific settings applied - to all containers. If unspecified, the options - from the PodSecurityContext will be used. If set - in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. 
- Note that this field cannot be set when spec.os.name - is linux. properties: gmsaCredentialSpec: - description: GMSACredentialSpec is where the - GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) - inlines the contents of the GMSA credential - spec named by the GMSACredentialSpecName field. type: string gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name - of the GMSA credential spec to use. type: string hostProcess: - description: HostProcess determines if a container - should be run as a 'Host Process' container. - This field is alpha-level and will only be - honored by components that enable the WindowsHostProcessContainers - feature flag. Setting this field without the - feature flag will result in errors when validating - the Pod. All of a Pod's containers must have - the same effective HostProcess value (it is - not allowed to have a mix of HostProcess containers - and non-HostProcess containers). In addition, - if HostProcess is true then HostNetwork must - also be set to true. type: boolean runAsUserName: - description: The UserName in Windows to run - the entrypoint of the container process. Defaults - to the user specified in image metadata if - unspecified. May also be set in PodSecurityContext. - If set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. type: string type: object type: object startupProbe: - description: 'StartupProbe indicates that the Pod has - successfully initialized. If specified, no other probes - are executed until this completes successfully. If - this probe fails, the Pod will be restarted, just - as if the livenessProbe failed. This can be used to - provide different probe parameters at the beginning - of a Pod''s lifecycle, when it might take a long time - to load data or warm a cache, than during steady-state - operation. This cannot be updated. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the - probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving - a GRPC port. This is an alpha field and requires - enabling GRPCContainerProbe feature gate. properties: port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see - https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." type: string required: - port type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -4748,148 +2115,61 @@ spec: type: object type: array path: - description: Path to access on the HTTP server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the - probe. Default to 10 seconds. Minimum value is - 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the - probe to be considered successful after having - failed. Defaults to 1. Must be 1 for liveness - and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod - needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after - the processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer - than the expected cleanup time for your process. 
- If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value must - be non-negative integer. The value zero indicates - stop immediately via the kill signal (no opportunity - to shut down). This is a beta field and requires - enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the - probe times out. Defaults to 1 second. Minimum - value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object stdin: - description: Whether this container should allocate - a buffer for stdin in the container runtime. If this - is not set, reads from stdin in the container will - always result in EOF. Default is false. type: boolean stdinOnce: - description: Whether the container runtime should close - the stdin channel after it has been opened by a single - attach. When stdin is true the stdin stream will remain - open across multiple attach sessions. If stdinOnce - is set to true, stdin is opened on container start, - is empty until the first client attaches to stdin, - and then remains open and accepts data until the client - disconnects, at which time stdin is closed and remains - closed until the container is restarted. If this flag - is false, a container processes that reads from stdin - will never receive an EOF. Default is false type: boolean terminationMessagePath: - description: 'Optional: Path at which the file to which - the container''s termination message will be written - is mounted into the container''s filesystem. Message - written is intended to be brief final status, such - as an assertion failure message. Will be truncated - by the node if greater than 4096 bytes. 
The total - message length across all containers will be limited - to 12kb. Defaults to /dev/termination-log. Cannot - be updated.' type: string terminationMessagePolicy: - description: Indicate how the termination message should - be populated. File will use the contents of terminationMessagePath - to populate the container status message on both success - and failure. FallbackToLogsOnError will use the last - chunk of container log output if the termination message - file is empty and the container exited with an error. - The log output is limited to 2048 bytes or 80 lines, - whichever is smaller. Defaults to File. Cannot be - updated. type: string tty: - description: Whether this container should allocate - a TTY for itself, also requires 'stdin' to be true. - Default is false. type: boolean volumeDevices: - description: volumeDevices is the list of block devices - to be used by the container. items: - description: volumeDevice describes a mapping of a - raw block device within a container. properties: devicePath: - description: devicePath is the path inside of - the container that the device will be mapped - to. type: string name: - description: name must match the name of a persistentVolumeClaim - in the pod type: string required: - devicePath 
@@ -4897,44 +2177,19 @@ spec: type: object type: array volumeMounts: - description: Pod volumes to mount into the container's - filesystem. Cannot be updated. items: - description: VolumeMount describes a mounting of a - Volume within a container. properties: mountPath: - description: Path within the container at which - the volume should be mounted. Must not contain - ':'. type: string mountPropagation: - description: mountPropagation determines how mounts - are propagated from the host to container and - the other way around. When not set, MountPropagationNone - is used. This field is beta in 1.10. type: string name: - description: This must match the Name of a Volume. type: string readOnly: - description: Mounted read-only if true, read-write - otherwise (false or unspecified). Defaults to - false. type: boolean subPath: - description: Path within the volume from which - the container's volume should be mounted. Defaults - to "" (volume's root). type: string subPathExpr: - description: Expanded path within the volume from - which the container's volume should be mounted. - Behaves similarly to SubPath but environment - variable references $(VAR_NAME) are expanded - using the container's environment. Defaults - to "" (volume's root). SubPathExpr and SubPath - are mutually exclusive. type: string required: - mountPath 
@@ -4942,55 +2197,21 @@ spec: type: object type: array workingDir: - description: Container's working directory. If not specified, - the container runtime's default will be used, which - might be configured in the container image. Cannot - be updated. type: string required: - name type: object type: array nodeName: - description: NodeName is a request to schedule this pod onto - a specific node. If it is non-empty, the scheduler simply - schedules this pod onto that node, assuming that it fits - resource requirements. type: string nodeSelector: additionalProperties: type: string - description: 'NodeSelector is a selector which must be true - for the pod to fit on a node. Selector which must match - a node''s labels for the pod to be scheduled on that node. - More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' type: object x-kubernetes-map-type: atomic os: - description: "Specifies the OS of the containers in the pod. - Some pod and container fields are restricted if this is - set. 
\n If the OS field is set to linux, the following fields - must be unset: -securityContext.windowsOptions \n If the - OS field is set to windows, following fields must be unset: - - spec.hostPID - spec.hostIPC - spec.securityContext.seLinuxOptions - - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - - spec.shareProcessNamespace - spec.securityContext.runAsUser - - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - - spec.containers[*].securityContext.runAsGroup This is - an alpha field and requires the IdentifyPodOS feature" properties: name: - description: 'Name is the name of the operating system. - The currently supported values are linux and windows. - Additional value may be defined in future and can be - one of: https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration - Clients should expect to handle additional values and - treat unrecognized values in this field as os: null' type: string required: - name 
@@ -5002,213 +2223,75 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Overhead represents the resource overhead associated - with running a pod for a given RuntimeClass. This field - will be autopopulated at admission time by the RuntimeClass - admission controller. If the RuntimeClass admission controller - is enabled, overhead must not be set in Pod create requests. - The RuntimeClass admission controller will reject Pod create - requests which have the overhead already set. If RuntimeClass - is configured and selected in the PodSpec, Overhead will - be set to the value defined in the corresponding RuntimeClass, - otherwise it will remain unset and treated as zero. More - info: https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md - This field is beta-level as of Kubernetes v1.18, and is - only honored by servers that enable the PodOverhead feature.' type: object preemptionPolicy: - description: PreemptionPolicy is the Policy for preempting - pods with lower priority. One of Never, PreemptLowerPriority. - Defaults to PreemptLowerPriority if unset. This field is - beta-level, gated by the NonPreemptingPriority feature-gate. type: string priority: - description: The priority value. Various system components - use this field to find the priority of the pod. When Priority - Admission Controller is enabled, it prevents users from - setting this field. The admission controller populates this - field from PriorityClassName. The higher the value, the - higher the priority. format: int32 type: integer priorityClassName: - description: If specified, indicates the pod's priority. "system-node-critical" - and "system-cluster-critical" are two special keywords which - indicate the highest priorities with the former being the - highest priority. 
Any other name must be defined by creating - a PriorityClass object with that name. If not specified, - the pod priority will be default or zero if there is no - default. type: string readinessGates: - description: 'If specified, all readiness gates will be evaluated - for pod readiness. A pod is ready when all its containers - are ready AND all conditions specified in the readiness - gates have status equal to "True" More info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates' items: - description: PodReadinessGate contains the reference to - a pod condition properties: conditionType: - description: ConditionType refers to a condition in - the pod's condition list with matching type. type: string required: - conditionType type: object type: array restartPolicy: - description: 'Restart policy for all containers within the - pod. One of Always, OnFailure, Never. Default to Always. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy' type: string runtimeClassName: - description: 'RuntimeClassName refers to a RuntimeClass object - in the node.k8s.io group, which should be used to run this - pod. If no RuntimeClass resource matches the named class, - the pod will not be run. If unset or empty, the "legacy" - RuntimeClass will be used, which is an implicit class with - an empty definition that uses the default runtime handler. - More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class - This is a beta feature as of Kubernetes v1.14.' type: string schedulerName: - description: If specified, the pod will be dispatched by specified - scheduler. If not specified, the pod will be dispatched - by default scheduler. type: string securityContext: - description: 'SecurityContext holds pod-level security attributes - and common container settings. Optional: Defaults to empty. See - type description for default values of each field.' 
properties: fsGroup: - description: "A special supplemental group that applies - to all containers in a pod. Some volume types allow - the Kubelet to change the ownership of that volume to - be owned by the pod: \n 1. The owning GID will be the - FSGroup 2. The setgid bit is set (new files created - in the volume will be owned by FSGroup) 3. The permission - bits are OR'd with rw-rw---- \n If unset, the Kubelet - will not modify the ownership and permissions of any - volume. Note that this field cannot be set when spec.os.name - is windows." format: int64 type: integer fsGroupChangePolicy: - description: 'fsGroupChangePolicy defines behavior of - changing ownership and permission of the volume before - being exposed inside Pod. This field will only apply - to volume types which support fsGroup based ownership(and - permissions). It will have no effect on ephemeral volume - types such as: secret, configmaps and emptydir. Valid - values are "OnRootMismatch" and "Always". If not specified, - "Always" is used. Note that this field cannot be set - when spec.os.name is windows.' type: string runAsGroup: - description: The GID to run the entrypoint of the container - process. Uses runtime default if unset. May also be - set in SecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. Note that this - field cannot be set when spec.os.name is windows. format: int64 type: integer runAsNonRoot: - description: Indicates that the container must run as - a non-root user. If true, the Kubelet will validate - the image at runtime to ensure that it does not run - as UID 0 (root) and fail to start the container if it - does. If unset or false, no such validation will be - performed. May also be set in SecurityContext. If set - in both SecurityContext and PodSecurityContext, the - value specified in SecurityContext takes precedence. 
type: boolean runAsUser: - description: The UID to run the entrypoint of the container - process. Defaults to user specified in image metadata - if unspecified. May also be set in SecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence - for that container. Note that this field cannot be set - when spec.os.name is windows. format: int64 type: integer seLinuxOptions: - description: The SELinux context to be applied to all - containers. If unspecified, the container runtime will - allocate a random SELinux context for each container. May - also be set in SecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. Note that this - field cannot be set when spec.os.name is windows. properties: level: - description: Level is SELinux level label that applies - to the container. type: string role: - description: Role is a SELinux role label that applies - to the container. type: string type: - description: Type is a SELinux type label that applies - to the container. type: string user: - description: User is a SELinux user label that applies - to the container. type: string type: object seccompProfile: - description: The seccomp options to use by the containers - in this pod. Note that this field cannot be set when - spec.os.name is windows. properties: localhostProfile: - description: localhostProfile indicates a profile - defined in a file on the node should be used. The - profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's - configured seccomp profile location. Must only be - set if type is "Localhost". type: string type: - description: "type indicates which kind of seccomp - profile will be applied. Valid options are: \n Localhost - - a profile defined in a file on the node should - be used. 
RuntimeDefault - the container runtime - default profile should be used. Unconfined - no - profile should be applied." type: string required: - type type: object supplementalGroups: - description: A list of groups applied to the first process - run in each container, in addition to the container's - primary GID. If unspecified, no groups will be added - to any container. Note that this field cannot be set - when spec.os.name is windows. items: format: int64 type: integer type: array sysctls: - description: Sysctls hold a list of namespaced sysctls - used for the pod. Pods with unsupported sysctls (by - the container runtime) might fail to launch. Note that - this field cannot be set when spec.os.name is windows. items: - description: Sysctl defines a kernel parameter to be - set properties: name: - description: Name of a property to set type: string value: - description: Value of a property to set type: string required: - name 
@@ -5216,174 +2299,59 @@ spec: type: object type: array windowsOptions: - description: The Windows specific settings applied to - all containers. If unspecified, the options within a - container's SecurityContext will be used. If set in - both SecurityContext and PodSecurityContext, the value - specified in SecurityContext takes precedence. Note - that this field cannot be set when spec.os.name is linux. properties: gmsaCredentialSpec: - description: GMSACredentialSpec is where the GMSA - admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) - inlines the contents of the GMSA credential spec - named by the GMSACredentialSpecName field. type: string gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of - the GMSA credential spec to use. type: string hostProcess: - description: HostProcess determines if a container - should be run as a 'Host Process' container. This - field is alpha-level and will only be honored by - components that enable the WindowsHostProcessContainers - feature flag. Setting this field without the feature - flag will result in errors when validating the Pod. - All of a Pod's containers must have the same effective - HostProcess value (it is not allowed to have a mix - of HostProcess containers and non-HostProcess containers). In - addition, if HostProcess is true then HostNetwork - must also be set to true. type: boolean runAsUserName: - description: The UserName in Windows to run the entrypoint - of the container process. Defaults to the user specified - in image metadata if unspecified. May also be set - in PodSecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in SecurityContext - takes precedence. type: string type: object type: object serviceAccount: - description: 'DeprecatedServiceAccount is a depreciated alias - for ServiceAccountName. Deprecated: Use serviceAccountName - instead.' 
type: string serviceAccountName: - description: 'ServiceAccountName is the name of the ServiceAccount - to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' type: string setHostnameAsFQDN: - description: If true the pod's hostname will be configured - as the pod's FQDN, rather than the leaf name (the default). - In Linux containers, this means setting the FQDN in the - hostname field of the kernel (the nodename field of struct - utsname). In Windows containers, this means setting the - registry value of hostname for the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters - to FQDN. If a pod does not have FQDN, this has no effect. - Default to false. type: boolean shareProcessNamespace: - description: 'Share a single process namespace between all - of the containers in a pod. When this is set containers - will be able to view and signal processes from other containers - in the same pod, and the first process in each container - will not be assigned PID 1. HostPID and ShareProcessNamespace - cannot both be set. Optional: Default to false.' type: boolean subdomain: - description: If specified, the fully qualified Pod hostname - will be "...svc.". If not specified, the pod will not have a domainname - at all. type: string terminationGracePeriodSeconds: - description: Optional duration in seconds the pod needs to - terminate gracefully. May be decreased in delete request. - Value must be non-negative integer. The value zero indicates - stop immediately via the kill signal (no opportunity to - shut down). If this value is nil, the default grace period - will be used instead. The grace period is the duration in - seconds after the processes running in the pod are sent - a termination signal and the time when the processes are - forcibly halted with a kill signal. Set this value longer - than the expected cleanup time for your process. Defaults - to 30 seconds. 
format: int64 type: integer tolerations: - description: If specified, the pod's tolerations. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule and - NoExecute. type: string key: - description: Key is the taint key that the toleration - applies to. Empty means match all taint keys. If the - key is empty, operator must be Exists; this combination - means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship - to the value. Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate all taints of - a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period - of time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the - taint forever (do not evict). Zero and negative values - will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration - matches to. If the operator is Exists, the value should - be empty, otherwise just a regular string. type: string type: object type: array topologySpreadConstraints: - description: TopologySpreadConstraints describes how a group - of pods ought to spread across topology domains. Scheduler - will schedule pods in a way which abides by the constraints. - All topologySpreadConstraints are ANDed. items: - description: TopologySpreadConstraint specifies how to spread - matching pods among the given topology. properties: labelSelector: - description: LabelSelector is used to find matching - pods. 
Pods that match this label selector are counted - to determine the number of pods in their corresponding - topology domain. properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. items: type: string type: array 
@@ -5395,59 +2363,14 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. type: object type: object maxSkew: - description: 'MaxSkew describes the degree to which - pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, - it is the maximum permitted difference between the - number of matching pods in the target topology and - the global minimum. For example, in a 3-zone cluster, - MaxSkew is set to 1, and pods with the same labelSelector - spread as 1/1/0: | zone1 | zone2 | zone3 | | P | P | | - - if MaxSkew is 1, incoming pod can only be scheduled - to zone3 to become 1/1/1; scheduling it onto zone1(zone2) - would make the ActualSkew(2-0) on zone1(zone2) violate - MaxSkew(1). - if MaxSkew is 2, incoming pod can be - scheduled onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, - it is used to give higher precedence to topologies - that satisfy it. It''s a required field. Default value - is 1 and 0 is not allowed.' format: int32 type: integer topologyKey: - description: TopologyKey is the key of node labels. - Nodes that have a label with this key and identical - values are considered to be in the same topology. - We consider each as a "bucket", and try - to put balanced number of pods into each bucket. It's - a required field. type: string whenUnsatisfiable: - description: 'WhenUnsatisfiable indicates how to deal - with a pod if it doesn''t satisfy the spread constraint. - - DoNotSchedule (default) tells the scheduler not - to schedule it. - ScheduleAnyway tells the scheduler - to schedule the pod in any location, but giving higher - precedence to topologies that would help reduce the - skew. 
A constraint is considered "Unsatisfiable" for - an incoming pod if and only if every possible node - assignment for that pod would violate "MaxSkew" on - some topology. For example, in a 3-zone cluster, MaxSkew - is set to 1, and pods with the same labelSelector - spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P - | P | P | If WhenUnsatisfiable is set to DoNotSchedule, - incoming pod can only be scheduled to zone2(zone3) - to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) - satisfies MaxSkew(1). In other words, the cluster - can still be imbalanced, but scheduler won''t make - it *more* imbalanced. It''s a required field.' type: string required: - maxSkew 
@@ -5460,233 +2383,104 @@ spec: - whenUnsatisfiable x-kubernetes-list-type: map volumes: - description: 'List of volumes that can be mounted by containers - belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes' items: - description: Volume represents a named volume in a pod that - may be accessed by any container in the pod. properties: awsElasticBlockStore: - description: 'AWSElasticBlockStore represents an AWS - Disk resource that is attached to a kubelet''s host - machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' properties: fsType: - description: 'Filesystem type of the volume that - you want to mount. Tip: Ensure that the filesystem - type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - TODO: how do we prevent errors in the filesystem - from compromising the machine' type: string partition: - description: 'The partition in the volume that you - want to mount. If omitted, the default is to mount - by volume name. Examples: For volume /dev/sda1, - you specify the partition as "1". Similarly, the - volume partition for /dev/sda is "0" (or you can - leave the property empty).' format: int32 type: integer readOnly: - description: 'Specify "true" to force and set the - ReadOnly property in VolumeMounts to "true". If - omitted, the default is "false". More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' type: boolean volumeID: - description: 'Unique ID of the persistent disk resource - in AWS (Amazon EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' type: string required: - volumeID type: object azureDisk: - description: AzureDisk represents an Azure Data Disk - mount on the host and bind mount to the pod. 
properties: cachingMode: - description: 'Host Caching mode: None, Read Only, - Read Write.' type: string diskName: - description: The Name of the data disk in the blob - storage type: string diskURI: - description: The URI the data disk in the blob storage type: string fsType: - description: Filesystem type to mount. Must be a - filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly - inferred to be "ext4" if unspecified. type: string kind: - description: 'Expected values Shared: multiple blob - disks per storage account Dedicated: single blob - disk per storage account Managed: azure managed - data disk (only in managed availability set). - defaults to shared' type: string readOnly: - description: Defaults to false (read/write). ReadOnly - here will force the ReadOnly setting in VolumeMounts. type: boolean required: - diskName - diskURI type: object azureFile: - description: AzureFile represents an Azure File Service - mount on the host and bind mount to the pod. properties: readOnly: - description: Defaults to false (read/write). ReadOnly - here will force the ReadOnly setting in VolumeMounts. type: boolean secretName: - description: the name of secret that contains Azure - Storage Account Name and Key type: string shareName: - description: Share Name type: string required: - secretName - shareName type: object cephfs: - description: CephFS represents a Ceph FS mount on the - host that shares a pod's lifetime properties: monitors: - description: 'Required: Monitors is a collection - of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' items: type: string type: array path: - description: 'Optional: Used as the mounted root, - rather than the full Ceph tree, default is /' type: string readOnly: - description: 'Optional: Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting - in VolumeMounts. 
More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: boolean secretFile: - description: 'Optional: SecretFile is the path to - key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: string secretRef: - description: 'Optional: SecretRef is reference to - the authentication secret for User, default is - empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string type: object user: - description: 'Optional: User is the rados user name, - default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: string required: - monitors type: object cinder: - description: 'Cinder represents a cinder volume attached - and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' properties: fsType: - description: 'Filesystem type to mount. Must be - a filesystem type supported by the host operating - system. Examples: "ext4", "xfs", "ntfs". Implicitly - inferred to be "ext4" if unspecified. More info: - https://examples.k8s.io/mysql-cinder-pd/README.md' type: string readOnly: - description: 'Optional: Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting - in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' type: boolean secretRef: - description: 'Optional: points to a secret object - containing parameters used to connect to OpenStack.' properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' 
type: string type: object volumeID: - description: 'volume id used to identify the volume - in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' type: string required: - volumeID type: object configMap: - description: ConfigMap represents a configMap that should - populate this volume properties: defaultMode: - description: 'Optional: mode bits used to set permissions - on created files by default. Must be an octal - value between 0000 and 0777 or a decimal value - between 0 and 511. YAML accepts both octal and - decimal values, JSON requires decimal values for - mode bits. Defaults to 0644. Directories within - the path are not affected by this setting. This - might be in conflict with other options that affect - the file mode, like fsGroup, and the result can - be other mode bits set.' format: int32 type: integer items: - description: If unspecified, each key-value pair - in the Data field of the referenced ConfigMap - will be projected into the volume as a file whose - name is the key and content is the value. If specified, - the listed keys will be projected into the specified - paths, and unlisted keys will not be present. - If a key is specified which is not present in - the ConfigMap, the volume setup will error unless - it is marked optional. Paths must be relative - and may not contain the '..' path or start with - '..'. items: - description: Maps a string key to a path within - a volume. properties: key: - description: The key to project. type: string mode: - description: 'Optional: mode bits used to - set permissions on this file. Must be an - octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both - octal and decimal values, JSON requires - decimal values for mode bits. If not specified, - the volume defaultMode will be used. This - might be in conflict with other options - that affect the file mode, like fsGroup, - and the result can be other mode bits set.' 
format: int32 type: integer path: - description: The relative path of the file - to map the key to. May not be an absolute - path. May not contain the path element '..'. - May not start with the string '..'. type: string required: - key 
@@ -5694,147 +2488,63 @@ spec: type: object type: array name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' type: string optional: - description: Specify whether the ConfigMap or its - keys must be defined type: boolean type: object csi: - description: CSI (Container Storage Interface) represents - ephemeral storage that is handled by certain external - CSI drivers (Beta feature). properties: driver: - description: Driver is the name of the CSI driver - that handles this volume. Consult with your admin - for the correct name as registered in the cluster. type: string fsType: - description: Filesystem type to mount. Ex. "ext4", - "xfs", "ntfs". If not provided, the empty value - is passed to the associated CSI driver which will - determine the default filesystem to apply. type: string nodePublishSecretRef: - description: NodePublishSecretRef is a reference - to the secret object containing sensitive information - to pass to the CSI driver to complete the CSI - NodePublishVolume and NodeUnpublishVolume calls. - This field is optional, and may be empty if no - secret is required. If the secret object contains - more than one secret, all secret references are - passed. properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string type: object readOnly: - description: Specifies a read-only configuration - for the volume. Defaults to false (read/write). type: boolean volumeAttributes: additionalProperties: type: string - description: VolumeAttributes stores driver-specific - properties that are passed to the CSI driver. - Consult your driver's documentation for supported - values. 
type: object required: - driver type: object downwardAPI: - description: DownwardAPI represents downward API about - the pod that should populate this volume properties: defaultMode: - description: 'Optional: mode bits to use on created - files by default. Must be a Optional: mode bits - used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or - a decimal value between 0 and 511. YAML accepts - both octal and decimal values, JSON requires decimal - values for mode bits. Defaults to 0644. Directories - within the path are not affected by this setting. - This might be in conflict with other options that - affect the file mode, like fsGroup, and the result - can be other mode bits set.' format: int32 type: integer items: - description: Items is a list of downward API volume - file items: - description: DownwardAPIVolumeFile represents - information to create the file containing the - pod field properties: fieldRef: - description: 'Required: Selects a field of - the pod: only annotations, labels, name - and namespace are supported.' properties: apiVersion: - description: Version of the schema the - FieldPath is written in terms of, defaults - to "v1". type: string fieldPath: - description: Path of the field to select - in the specified API version. type: string required: - fieldPath type: object mode: - description: 'Optional: mode bits used to - set permissions on this file, must be an - octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both - octal and decimal values, JSON requires - decimal values for mode bits. If not specified, - the volume defaultMode will be used. This - might be in conflict with other options - that affect the file mode, like fsGroup, - and the result can be other mode bits set.' format: int32 type: integer path: - description: 'Required: Path is the relative - path name of the file to be created. Must - not be absolute or contain the ''..'' path. 
- Must be utf-8 encoded. The first item of - the relative path must not start with ''..''' type: string resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, requests.cpu and requests.memory) - are currently supported.' properties: containerName: - description: 'Container name: required - for volumes, optional for env vars' type: string divisor: anyOf: - type: integer - type: string - description: Specifies the output format - of the exposed resources, defaults to - "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: - description: 'Required: resource to select' type: string required: - resource 
@@ -5845,190 +2555,53 @@ spec: type: array type: object emptyDir: - description: 'EmptyDir represents a temporary directory - that shares a pod''s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' properties: medium: - description: 'What type of storage medium should - back this directory. The default is "" which means - to use the node''s default medium. Must be an - empty string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' type: string sizeLimit: anyOf: - type: integer - type: string - description: 'Total amount of local storage required - for this EmptyDir volume. The size limit is also - applicable for memory medium. The maximum usage - on memory medium EmptyDir would be the minimum - value between the SizeLimit specified here and - the sum of memory limits of all containers in - a pod. The default is nil which means that the - limit is undefined. More info: http://kubernetes.io/docs/user-guide/volumes#emptydir' pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object ephemeral: - description: "Ephemeral represents a volume that is - handled by a cluster storage driver. The volume's - lifecycle is tied to the pod that defines it - it - will be created before the pod starts, and deleted - when the pod is removed. \n Use this if: a) the volume - is only needed while the pod runs, b) features of - normal volumes like restoring from snapshot or capacity - tracking are needed, c) the storage driver is specified - through a storage class, and d) the storage driver - supports dynamic volume provisioning through a PersistentVolumeClaim - (see EphemeralVolumeSource for more information on - the connection between this volume type and PersistentVolumeClaim). 
- \n Use PersistentVolumeClaim or one of the vendor-specific - APIs for volumes that persist for longer than the - lifecycle of an individual pod. \n Use CSI for light-weight - local ephemeral volumes if the CSI driver is meant - to be used that way - see the documentation of the - driver for more information. \n A pod can use both - types of ephemeral volumes and persistent volumes - at the same time." properties: volumeClaimTemplate: - description: "Will be used to create a stand-alone - PVC to provision the volume. The pod in which - this EphemeralVolumeSource is embedded will be - the owner of the PVC, i.e. the PVC will be deleted - together with the pod. The name of the PVC will - be `-` where `` - is the name from the `PodSpec.Volumes` array entry. - Pod validation will reject the pod if the concatenated - name is not valid for a PVC (for example, too - long). \n An existing PVC with that name that - is not owned by the pod will *not* be used for - the pod to avoid using an unrelated volume by - mistake. Starting the pod is then blocked until - the unrelated PVC is removed. If such a pre-created - PVC is meant to be used by the pod, the PVC has - to updated with an owner reference to the pod - once the pod exists. Normally this should not - be necessary, but it may be useful when manually - reconstructing a broken cluster. \n This field - is read-only and no changes will be made by Kubernetes - to the PVC after it has been created. \n Required, - must not be nil." properties: metadata: - description: May contain labels and annotations - that will be copied into the PVC when creating - it. No other fields are allowed and will be - rejected during validation. type: object spec: - description: The specification for the PersistentVolumeClaim. - The entire content is copied unchanged into - the PVC that gets created from this template. - The same fields as in a PersistentVolumeClaim - are also valid here. 
properties: accessModes: - description: 'AccessModes contains the desired - access modes the volume should have. More - info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' items: type: string type: array dataSource: - description: 'This field can be used to - specify either: * An existing VolumeSnapshot - object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller - can support the specified data source, - it will create a new volume based on the - contents of the specified data source. - If the AnyVolumeDataSource feature gate - is enabled, this field will always have - the same contents as the DataSourceRef - field.' properties: apiGroup: - description: APIGroup is the group for - the resource being referenced. If - APIGroup is not specified, the specified - Kind must be in the core API group. - For any other third-party types, APIGroup - is required. type: string kind: - description: Kind is the type of resource - being referenced type: string name: - description: Name is the name of resource - being referenced type: string required: - kind - name type: object dataSourceRef: - description: 'Specifies the object from - which to populate the volume with data, - if a non-empty volume is desired. This - may be any local object from a non-empty - API group (non core object) or a PersistentVolumeClaim - object. When this field is specified, - volume binding will only succeed if the - type of the specified object matches some - installed volume populator or dynamic - provisioner. This field will replace the - functionality of the DataSource field - and as such if both fields are non-empty, - they must have the same value. For backwards - compatibility, both fields (DataSource - and DataSourceRef) will be set to the - same value automatically if one of them - is empty and the other is non-empty. 
There - are two important differences between - DataSource and DataSourceRef: * While - DataSource only allows two specific types - of objects, DataSourceRef allows any non-core - object, as well as PersistentVolumeClaim - objects. * While DataSource ignores disallowed - values (dropping them), DataSourceRef - preserves all values, and generates an - error if a disallowed value is specified. - (Alpha) Using this field requires the - AnyVolumeDataSource feature gate to be - enabled.' properties: apiGroup: - description: APIGroup is the group for - the resource being referenced. If - APIGroup is not specified, the specified - Kind must be in the core API group. - For any other third-party types, APIGroup - is required. type: string kind: - description: Kind is the type of resource - being referenced type: string name: - description: Name is the name of resource - being referenced type: string required: - kind - name type: object resources: - description: 'Resources represents the minimum - resources the volume should have. If RecoverVolumeExpansionFailure - feature is enabled users are allowed to - specify resource requirements that are - lower than previous value but must still - be higher than capacity recorded in the - status field of the claim. More info: - https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' properties: limits: additionalProperties: @@ -6037,9 +2610,6 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum - amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: 
@@ -6048,49 +2618,18 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the - minimum amount of compute resources - required. If Requests is omitted for - a container, it defaults to Limits - if that is explicitly specified, otherwise - to an implementation-defined value. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object selector: - description: A label query over volumes - to consider for binding. properties: matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: key is the label - key that the selector applies - to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. - This array is replaced during - a strategic merge patch. items: type: string type: array 
@@ -6102,29 +2641,13 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of - {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are - ANDed. type: object type: object storageClassName: - description: 'Name of the StorageClass required - by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' type: string volumeMode: - description: volumeMode defines what type - of volume is required by the claim. Value - of Filesystem is implied when not included - in claim spec. type: string volumeName: - description: VolumeName is the binding reference - to the PersistentVolume backing this claim. type: string type: object required: 
@@ -6132,272 +2655,125 @@ spec: type: object type: object fc: - description: FC represents a Fibre Channel resource - that is attached to a kubelet's host machine and then - exposed to the pod. properties: fsType: - description: 'Filesystem type to mount. Must be - a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly - inferred to be "ext4" if unspecified. TODO: how - do we prevent errors in the filesystem from compromising - the machine' type: string lun: - description: 'Optional: FC target lun number' format: int32 type: integer readOnly: - description: 'Optional: Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting - in VolumeMounts.' type: boolean targetWWNs: - description: 'Optional: FC target worldwide names - (WWNs)' items: type: string type: array wwids: - description: 'Optional: FC volume world wide identifiers - (wwids) Either wwids or combination of targetWWNs - and lun must be set, but not both simultaneously.' items: type: string type: array type: object flexVolume: - description: FlexVolume represents a generic volume - resource that is provisioned/attached using an exec - based plugin. properties: driver: - description: Driver is the name of the driver to - use for this volume. type: string fsType: - description: Filesystem type to mount. Must be a - filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". The default - filesystem depends on FlexVolume script. type: string options: additionalProperties: type: string - description: 'Optional: Extra command options if - any.' type: object readOnly: - description: 'Optional: Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting - in VolumeMounts.' type: boolean secretRef: - description: 'Optional: SecretRef is reference to - the secret object containing sensitive information - to pass to the plugin scripts. This may be empty - if no secret object is specified. 
If the secret - object contains more than one secret, all secrets - are passed to the plugin scripts.' properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string type: object required: - driver type: object flocker: - description: Flocker represents a Flocker volume attached - to a kubelet's host machine. This depends on the Flocker - control service being running properties: datasetName: - description: Name of the dataset stored as metadata - -> name on the dataset for Flocker should be considered - as deprecated type: string datasetUUID: - description: UUID of the dataset. This is unique - identifier of a Flocker dataset type: string type: object gcePersistentDisk: - description: 'GCEPersistentDisk represents a GCE Disk - resource that is attached to a kubelet''s host machine - and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' properties: fsType: - description: 'Filesystem type of the volume that - you want to mount. Tip: Ensure that the filesystem - type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - TODO: how do we prevent errors in the filesystem - from compromising the machine' type: string partition: - description: 'The partition in the volume that you - want to mount. If omitted, the default is to mount - by volume name. Examples: For volume /dev/sda1, - you specify the partition as "1". Similarly, the - volume partition for /dev/sda is "0" (or you can - leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' format: int32 type: integer pdName: - description: 'Unique name of the PD resource in - GCE. 
Used to identify the disk in GCE. More info: - https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' type: string readOnly: - description: 'ReadOnly here will force the ReadOnly - setting in VolumeMounts. Defaults to false. More - info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' type: boolean required: - pdName type: object gitRepo: - description: 'GitRepo represents a git repository at - a particular revision. DEPRECATED: GitRepo is deprecated. - To provision a container with a git repo, mount an - EmptyDir into an InitContainer that clones the repo - using git, then mount the EmptyDir into the Pod''s - container.' properties: directory: - description: Target directory name. Must not contain - or start with '..'. If '.' is supplied, the volume - directory will be the git repository. Otherwise, - if specified, the volume will contain the git - repository in the subdirectory with the given - name. type: string repository: - description: Repository URL type: string revision: - description: Commit hash for the specified revision. type: string required: - repository type: object glusterfs: - description: 'Glusterfs represents a Glusterfs mount - on the host that shares a pod''s lifetime. More info: - https://examples.k8s.io/volumes/glusterfs/README.md' properties: endpoints: - description: 'EndpointsName is the endpoint name - that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' type: string path: - description: 'Path is the Glusterfs volume path. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' type: string readOnly: - description: 'ReadOnly here will force the Glusterfs - volume to be mounted with read-only permissions. - Defaults to false. 
More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' type: boolean required: - endpoints - path type: object hostPath: - description: 'HostPath represents a pre-existing file - or directory on the host machine that is directly - exposed to the container. This is generally used for - system agents or other privileged things that are - allowed to see the host machine. Most containers will - NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - --- TODO(jonesdl) We need to restrict who can use - host directory mounts and who can/can not mount host - directories as read/write.' properties: path: - description: 'Path of the directory on the host. - If the path is a symlink, it will follow the link - to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' type: string type: - description: 'Type for HostPath Volume Defaults - to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' type: string required: - path type: object iscsi: - description: 'ISCSI represents an ISCSI Disk resource - that is attached to a kubelet''s host machine and - then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' properties: chapAuthDiscovery: - description: whether support iSCSI Discovery CHAP - authentication type: boolean chapAuthSession: - description: whether support iSCSI Session CHAP - authentication type: boolean fsType: - description: 'Filesystem type of the volume that - you want to mount. Tip: Ensure that the filesystem - type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - TODO: how do we prevent errors in the filesystem - from compromising the machine' type: string initiatorName: - description: Custom iSCSI Initiator Name. 
If initiatorName - is specified with iscsiInterface simultaneously, - new iSCSI interface : - will be created for the connection. type: string iqn: - description: Target iSCSI Qualified Name. type: string iscsiInterface: - description: iSCSI Interface Name that uses an iSCSI - transport. Defaults to 'default' (tcp). type: string lun: - description: iSCSI Target Lun number. format: int32 type: integer portals: - description: iSCSI Target Portal List. The portal - is either an IP or ip_addr:port if the port is - other than default (typically TCP ports 860 and - 3260). items: type: string type: array readOnly: - description: ReadOnly here will force the ReadOnly - setting in VolumeMounts. Defaults to false. type: boolean secretRef: - description: CHAP Secret for iSCSI target and initiator - authentication properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string type: object targetPortal: - description: iSCSI Target Portal. The Portal is - either an IP or ip_addr:port if the port is other - than default (typically TCP ports 860 and 3260). type: string required: - iqn 
@@ -6405,158 +2781,67 @@ spec: - targetPortal type: object name: - description: 'Volume''s name. Must be a DNS_LABEL and - unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string nfs: - description: 'NFS represents an NFS mount on the host - that shares a pod''s lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' properties: path: - description: 'Path that is exported by the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: string readOnly: - description: 'ReadOnly here will force the NFS export - to be mounted with read-only permissions. Defaults - to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: boolean server: - description: 'Server is the hostname or IP address - of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: string required: - path - server type: object persistentVolumeClaim: - description: 'PersistentVolumeClaimVolumeSource represents - a reference to a PersistentVolumeClaim in the same - namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' properties: claimName: - description: 'ClaimName is the name of a PersistentVolumeClaim - in the same namespace as the pod using this volume. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' type: string readOnly: - description: Will force the ReadOnly setting in - VolumeMounts. Default false. type: boolean required: - claimName type: object photonPersistentDisk: - description: PhotonPersistentDisk represents a PhotonController - persistent disk attached and mounted on kubelets host - machine properties: fsType: - description: Filesystem type to mount. Must be a - filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly - inferred to be "ext4" if unspecified. 
type: string pdID: - description: ID that identifies Photon Controller - persistent disk type: string required: - pdID type: object portworxVolume: - description: PortworxVolume represents a portworx volume - attached and mounted on kubelets host machine properties: fsType: - description: FSType represents the filesystem type - to mount Must be a filesystem type supported by - the host operating system. Ex. "ext4", "xfs". - Implicitly inferred to be "ext4" if unspecified. type: string readOnly: - description: Defaults to false (read/write). ReadOnly - here will force the ReadOnly setting in VolumeMounts. type: boolean volumeID: - description: VolumeID uniquely identifies a Portworx - volume type: string required: - volumeID type: object projected: - description: Items for all in one resources secrets, - configmaps, and downward API properties: defaultMode: - description: Mode bits used to set permissions on - created files by default. Must be an octal value - between 0000 and 0777 or a decimal value between - 0 and 511. YAML accepts both octal and decimal - values, JSON requires decimal values for mode - bits. Directories within the path are not affected - by this setting. This might be in conflict with - other options that affect the file mode, like - fsGroup, and the result can be other mode bits - set. format: int32 type: integer sources: - description: list of volume projections items: - description: Projection that may be projected - along with other supported volume types properties: configMap: - description: information about the configMap - data to project properties: items: - description: If unspecified, each key-value - pair in the Data field of the referenced - ConfigMap will be projected into the - volume as a file whose name is the key - and content is the value. If specified, - the listed keys will be projected into - the specified paths, and unlisted keys - will not be present. 
If a key is specified - which is not present in the ConfigMap, - the volume setup will error unless it - is marked optional. Paths must be relative - and may not contain the '..' path or - start with '..'. items: - description: Maps a string key to a - path within a volume. properties: key: - description: The key to project. type: string mode: - description: 'Optional: mode bits - used to set permissions on this - file. Must be an octal value between - 0000 and 0777 or a decimal value - between 0 and 511. YAML accepts - both octal and decimal values, - JSON requires decimal values for - mode bits. If not specified, the - volume defaultMode will be used. - This might be in conflict with - other options that affect the - file mode, like fsGroup, and the - result can be other mode bits - set.' format: int32 type: integer path: - description: The relative path of - the file to map the key to. May - not be an absolute path. May not - contain the path element '..'. - May not start with the string - '..'. type: string required: - key 
@@ -6564,98 +2849,40 @@ spec: type: object type: array name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the ConfigMap - or its keys must be defined type: boolean type: object downwardAPI: - description: information about the downwardAPI - data to project properties: items: - description: Items is a list of DownwardAPIVolume - file items: - description: DownwardAPIVolumeFile represents - information to create the file containing - the pod field properties: fieldRef: - description: 'Required: Selects - a field of the pod: only annotations, - labels, name and namespace are - supported.' properties: apiVersion: - description: Version of the - schema the FieldPath is written - in terms of, defaults to "v1". type: string fieldPath: - description: Path of the field - to select in the specified - API version. type: string required: - fieldPath type: object mode: - description: 'Optional: mode bits - used to set permissions on this - file, must be an octal value between - 0000 and 0777 or a decimal value - between 0 and 511. YAML accepts - both octal and decimal values, - JSON requires decimal values for - mode bits. If not specified, the - volume defaultMode will be used. - This might be in conflict with - other options that affect the - file mode, like fsGroup, and the - result can be other mode bits - set.' format: int32 type: integer path: - description: 'Required: Path is the - relative path name of the file - to be created. Must not be absolute - or contain the ''..'' path. Must - be utf-8 encoded. 
The first item - of the relative path must not - start with ''..''' type: string resourceFieldRef: - description: 'Selects a resource - of the container: only resources - limits and requests (limits.cpu, - limits.memory, requests.cpu and - requests.memory) are currently - supported.' properties: containerName: - description: 'Container name: - required for volumes, optional - for env vars' type: string divisor: anyOf: - type: integer - type: string - description: Specifies the output - format of the exposed resources, - defaults to "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: - description: 'Required: resource - to select' type: string required: - resource 
@@ -6666,54 +2893,16 @@ spec: type: array type: object secret: - description: information about the secret - data to project properties: items: - description: If unspecified, each key-value - pair in the Data field of the referenced - Secret will be projected into the volume - as a file whose name is the key and - content is the value. If specified, - the listed keys will be projected into - the specified paths, and unlisted keys - will not be present. If a key is specified - which is not present in the Secret, - the volume setup will error unless it - is marked optional. Paths must be relative - and may not contain the '..' path or - start with '..'. items: - description: Maps a string key to a - path within a volume. properties: key: - description: The key to project. type: string mode: - description: 'Optional: mode bits - used to set permissions on this - file. Must be an octal value between - 0000 and 0777 or a decimal value - between 0 and 511. YAML accepts - both octal and decimal values, - JSON requires decimal values for - mode bits. If not specified, the - volume defaultMode will be used. - This might be in conflict with - other options that affect the - file mode, like fsGroup, and the - result can be other mode bits - set.' format: int32 type: integer path: - description: The relative path of - the file to map the key to. May - not be an absolute path. May not - contain the path element '..'. - May not start with the string - '..'. type: string required: - key 
@@ -6721,47 +2910,18 @@ spec: type: object type: array name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the Secret - or its key must be defined type: boolean type: object serviceAccountToken: - description: information about the serviceAccountToken - data to project properties: audience: - description: Audience is the intended - audience of the token. A recipient of - a token must identify itself with an - identifier specified in the audience - of the token, and otherwise should reject - the token. The audience defaults to - the identifier of the apiserver. type: string expirationSeconds: - description: ExpirationSeconds is the - requested duration of validity of the - service account token. As the token - approaches expiration, the kubelet volume - plugin will proactively rotate the service - account token. The kubelet will start - trying to rotate the token if the token - is older than 80 percent of its time - to live or if the token is older than - 24 hours.Defaults to 1 hour and must - be at least 10 minutes. format: int64 type: integer path: - description: Path is the path relative - to the mount point of the file to project - the token into. type: string required: - path 
@@ -6770,155 +2930,74 @@ spec: type: array type: object quobyte: - description: Quobyte represents a Quobyte mount on the - host that shares a pod's lifetime properties: group: - description: Group to map volume access to Default - is no group type: string readOnly: - description: ReadOnly here will force the Quobyte - volume to be mounted with read-only permissions. - Defaults to false. type: boolean registry: - description: Registry represents a single or multiple - Quobyte Registry services specified as a string - as host:port pair (multiple entries are separated - with commas) which acts as the central registry - for volumes type: string tenant: - description: Tenant owning the given Quobyte volume - in the Backend Used with dynamically provisioned - Quobyte volumes, value is set by the plugin type: string user: - description: User to map volume access to Defaults - to serivceaccount user type: string volume: - description: Volume is a string that references - an already created Quobyte volume by name. type: string required: - registry - volume type: object rbd: - description: 'RBD represents a Rados Block Device mount - on the host that shares a pod''s lifetime. More info: - https://examples.k8s.io/volumes/rbd/README.md' properties: fsType: - description: 'Filesystem type of the volume that - you want to mount. Tip: Ensure that the filesystem - type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - TODO: how do we prevent errors in the filesystem - from compromising the machine' type: string image: - description: 'The rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string keyring: - description: 'Keyring is the path to key ring for - RBDUser. Default is /etc/ceph/keyring. 
More info: - https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string monitors: - description: 'A collection of Ceph monitors. More - info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' items: type: string type: array pool: - description: 'The rados pool name. Default is rbd. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string readOnly: - description: 'ReadOnly here will force the ReadOnly - setting in VolumeMounts. Defaults to false. More - info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: boolean secretRef: - description: 'SecretRef is name of the authentication - secret for RBDUser. If provided overrides keyring. - Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string type: object user: - description: 'The rados user name. Default is admin. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string required: - image - monitors type: object scaleIO: - description: ScaleIO represents a ScaleIO persistent - volume attached and mounted on Kubernetes nodes. properties: fsType: - description: Filesystem type to mount. Must be a - filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Default is - "xfs". type: string gateway: - description: The host address of the ScaleIO API - Gateway. type: string protectionDomain: - description: The name of the ScaleIO Protection - Domain for the configured storage. type: string readOnly: - description: Defaults to false (read/write). ReadOnly - here will force the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: SecretRef references to the secret - for ScaleIO user and other sensitive information. 
- If this is not provided, Login operation will - fail. properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string type: object sslEnabled: - description: Flag to enable/disable SSL communication - with Gateway, default false type: boolean storageMode: - description: Indicates whether the storage for a - volume should be ThickProvisioned or ThinProvisioned. - Default is ThinProvisioned. type: string storagePool: - description: The ScaleIO Storage Pool associated - with the protection domain. type: string system: - description: The name of the storage system as configured - in ScaleIO. type: string volumeName: - description: The name of a volume already created - in the ScaleIO system that is associated with - this volume source. type: string required: - gateway 
@@ -6926,59 +3005,19 @@ spec: - system type: object secret: - description: 'Secret represents a secret that should - populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' properties: defaultMode: - description: 'Optional: mode bits used to set permissions - on created files by default. Must be an octal - value between 0000 and 0777 or a decimal value - between 0 and 511. YAML accepts both octal and - decimal values, JSON requires decimal values for - mode bits. Defaults to 0644. Directories within - the path are not affected by this setting. This - might be in conflict with other options that affect - the file mode, like fsGroup, and the result can - be other mode bits set.' format: int32 type: integer items: - description: If unspecified, each key-value pair - in the Data field of the referenced Secret will - be projected into the volume as a file whose name - is the key and content is the value. If specified, - the listed keys will be projected into the specified - paths, and unlisted keys will not be present. - If a key is specified which is not present in - the Secret, the volume setup will error unless - it is marked optional. Paths must be relative - and may not contain the '..' path or start with - '..'. items: - description: Maps a string key to a path within - a volume. properties: key: - description: The key to project. type: string mode: - description: 'Optional: mode bits used to - set permissions on this file. Must be an - octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both - octal and decimal values, JSON requires - decimal values for mode bits. If not specified, - the volume defaultMode will be used. This - might be in conflict with other options - that affect the file mode, like fsGroup, - and the result can be other mode bits set.' format: int32 type: integer path: - description: The relative path of the file - to map the key to. May not be an absolute - path. 
May not contain the path element '..'. - May not start with the string '..'. type: string required: - key 
@@ -6986,78 +3025,35 @@ spec: type: object type: array optional: - description: Specify whether the Secret or its keys - must be defined type: boolean secretName: - description: 'Name of the secret in the pod''s namespace - to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' type: string type: object storageos: - description: StorageOS represents a StorageOS volume - attached and mounted on Kubernetes nodes. properties: fsType: - description: Filesystem type to mount. Must be a - filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly - inferred to be "ext4" if unspecified. type: string readOnly: - description: Defaults to false (read/write). ReadOnly - here will force the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: SecretRef specifies the secret to use - for obtaining the StorageOS API credentials. If - not specified, default values will be attempted. properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string type: object volumeName: - description: VolumeName is the human-readable name - of the StorageOS volume. Volume names are only - unique within a namespace. type: string volumeNamespace: - description: VolumeNamespace specifies the scope - of the volume within StorageOS. If no namespace - is specified then the Pod's namespace will be - used. This allows the Kubernetes name scoping - to be mirrored within StorageOS for tighter integration. - Set VolumeName to any name to override the default - behaviour. Set to "default" if you are not using - namespaces within StorageOS. Namespaces that do - not pre-exist within StorageOS will be created. 
type: string type: object vsphereVolume: - description: VsphereVolume represents a vSphere volume - attached and mounted on kubelets host machine properties: fsType: - description: Filesystem type to mount. Must be a - filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly - inferred to be "ext4" if unspecified. type: string storagePolicyID: - description: Storage Policy Based Management (SPBM) - profile ID associated with the StoragePolicyName. type: string storagePolicyName: - description: Storage Policy Based Management (SPBM) - profile name. type: string volumePath: - description: Path that identifies vSphere volume - vmdk type: string required: - volumePath 
@@ -7072,93 +3068,69 @@ spec: type: object type: object status: - description: NotebookStatus defines the observed state of Notebook properties: conditions: - description: Conditions is an array of current conditions items: properties: lastProbeTime: - description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: format: date-time type: string message: - description: Message regarding why the container is in the current - state. type: string reason: - description: (brief) reason the container is in the current - state + type: string + status: type: string type: - description: Type is the type of the condition. Possible values - are Running|Waiting|Terminated type: string required: + - status - type type: object type: array containerState: - description: ContainerState is the state of underlying container. properties: running: - description: Details about a running container properties: startedAt: - description: Time at which the container was last (re-)started format: date-time type: string type: object terminated: - description: Details about a terminated container properties: containerID: - description: Container's ID in the format 'docker://' type: string exitCode: - description: Exit status from the last termination of the - container format: int32 type: integer finishedAt: - description: Time at which the container last terminated format: date-time type: string message: - description: Message regarding the last termination of the - container type: string reason: - description: (brief) reason from the last termination of the - container type: string signal: - description: Signal from the last termination of the container format: int32 type: integer startedAt: - description: Time at which previous execution of the container - started format: date-time type: string required: - exitCode type: object waiting: - description: Details about a waiting container properties: message: - description: Message regarding why the 
container is not yet - running. type: string reason: - description: (brief) reason the container is not yet running. type: string type: object type: object readyReplicas: - description: ReadyReplicas is the number of Pods created by the StatefulSet - controller that have a Ready Condition. format: int32 type: integer required: 
@@ -7174,97 +3146,39 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: Notebook is the Schema for the notebooks API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: - description: NotebookSpec defines the desired state of Notebook properties: template: - description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster - Important: Run "make" to regenerate code after modifying this file' properties: spec: - description: PodSpec is a description of a pod. properties: activeDeadlineSeconds: - description: Optional duration in seconds the pod may be active - on the node relative to StartTime before the system will - actively try to mark it failed and kill associated containers. - Value must be a positive integer. format: int64 type: integer affinity: - description: If specified, the pod's scheduling constraints properties: nodeAffinity: - description: Describes node affinity scheduling rules - for the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule - pods to nodes that satisfy the affinity expressions - specified by this field, but it may choose a node - that violates one or more of the expressions. The - node that is most preferred is the one with the - greatest sum of weights, i.e. 
for each node that - meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, - etc.), compute a sum by iterating through the elements - of this field and adding "weight" to the sum if - the node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most preferred. items: - description: An empty preferred scheduling term - matches all objects with implicit weight 0 (i.e. - it's a no-op). A null preferred scheduling term - matches no objects (i.e. is also a no-op). properties: preference: - description: A node selector term, associated - with the corresponding weight. properties: matchExpressions: - description: A list of node selector requirements - by node's labels. items: - description: A node selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: The label key that the - selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. - If the operator is Gt or Lt, the - values array must have a single - element, which will be interpreted - as an integer. This array is replaced - during a strategic merge patch. items: type: string type: array 
@@ -7274,35 +3188,13 @@ spec: type: object type: array matchFields: - description: A list of node selector requirements - by node's fields. items: - description: A node selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: The label key that the - selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. - If the operator is Gt or Lt, the - values array must have a single - element, which will be interpreted - as an integer. This array is replaced - during a strategic merge patch. items: type: string type: array @@ -7313,9 +3205,6 @@ spec: type: array type: object weight: - description: Weight associated with matching - the corresponding nodeSelectorTerm, in the - range 1-100. format: int32 type: integer required: 
@@ -7324,53 +3213,18 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified - by this field are not met at scheduling time, the - pod will not be scheduled onto the node. If the - affinity requirements specified by this field cease - to be met at some point during pod execution (e.g. - due to an update), the system may or may not try - to eventually evict the pod from its node. properties: nodeSelectorTerms: - description: Required. A list of node selector - terms. The terms are ORed. items: - description: A null or empty node selector term - matches no objects. The requirements of them - are ANDed. The TopologySelectorTerm type implements - a subset of the NodeSelectorTerm. properties: matchExpressions: - description: A list of node selector requirements - by node's labels. items: - description: A node selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: The label key that the - selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. - If the operator is Gt or Lt, the - values array must have a single - element, which will be interpreted - as an integer. This array is replaced - during a strategic merge patch. items: type: string type: array 
@@ -7380,35 +3234,13 @@ spec: type: object type: array matchFields: - description: A list of node selector requirements - by node's fields. items: - description: A node selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: The label key that the - selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. - If the operator is Gt or Lt, the - values array must have a single - element, which will be interpreted - as an integer. This array is replaced - during a strategic merge patch. items: type: string type: array 
@@ -7424,67 +3256,22 @@ spec: type: object type: object podAffinity: - description: Describes pod affinity scheduling rules (e.g. - co-locate this pod in the same node, zone, etc. as some - other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule - pods to nodes that satisfy the affinity expressions - specified by this field, but it may choose a node - that violates one or more of the expressions. The - node that is most preferred is the one with the - greatest sum of weights, i.e. for each node that - meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, - etc.), compute a sum by iterating through the elements - of this field and adding "weight" to the sum if - the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum - are the most preferred. items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) properties: podAffinityTerm: - description: Required. A pod affinity term, - associated with the corresponding weight. properties: labelSelector: - description: A label query over a set of - resources, in this case pods. properties: matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: key is the label - key that the selector applies - to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. 
If the operator - is Exists or DoesNotExist, the - values array must be empty. - This array is replaced during - a strategic merge patch. items: type: string type: array @@ -7496,59 +3283,18 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of - {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are - ANDed. type: object type: object namespaceSelector: - description: A label query over the set - of namespaces that the term applies to. - The term is applied to the union of the - namespaces selected by this field and - the ones listed in the namespaces field. - null selector and null or empty namespaces - list means "this pod's namespace". An - empty selector ({}) matches all namespaces. - This field is beta-level and is only honored - when PodAffinityNamespaceSelector feature - is enabled. properties: matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: key is the label - key that the selector applies - to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. - This array is replaced during - a strategic merge patch. items: type: string type: array 
@@ -7560,45 +3306,18 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of - {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are - ANDed. type: object type: object namespaces: - description: namespaces specifies a static - list of namespace names that the term - applies to. The term is applied to the - union of the namespaces listed in this - field and the ones selected by namespaceSelector. - null or empty namespaces list and null - namespaceSelector means "this pod's namespace" items: type: string type: array topologyKey: - description: This pod should be co-located - (affinity) or not co-located (anti-affinity) - with the pods matching the labelSelector - in the specified namespaces, where co-located - is defined as running on a node whose - value of the label with key topologyKey - matches that of any node on which any - of the selected pods is running. Empty - topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching - the corresponding podAffinityTerm, in the - range 1-100. format: int32 type: integer required: 
@@ -7607,59 +3326,18 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified - by this field are not met at scheduling time, the - pod will not be scheduled onto the node. If the - affinity requirements specified by this field cease - to be met at some point during pod execution (e.g. - due to a pod label update), the system may or may - not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes - corresponding to each podAffinityTerm are intersected, - i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those - matching the labelSelector relative to the given - namespace(s)) that this pod should be co-located - (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node - whose value of the label with key - matches that of any node on which a pod of the - set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. properties: matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: key is the label key - that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. items: type: string type: array 
@@ -7671,54 +3349,18 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. type: object type: object namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. This - field is beta-level and is only honored when - PodAffinityNamespaceSelector feature is enabled. properties: matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: key is the label key - that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. items: type: string type: array 
@@ -7730,34 +3372,13 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. type: object type: object namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace" items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. - Empty topologyKey is not allowed. type: string required: - topologyKey 
@@ -7765,67 +3386,22 @@ spec: type: array type: object podAntiAffinity: - description: Describes pod anti-affinity scheduling rules - (e.g. avoid putting this pod in the same node, zone, - etc. as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule - pods to nodes that satisfy the anti-affinity expressions - specified by this field, but it may choose a node - that violates one or more of the expressions. The - node that is most preferred is the one with the - greatest sum of weights, i.e. for each node that - meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity - expressions, etc.), compute a sum by iterating through - the elements of this field and adding "weight" to - the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum - are the most preferred. items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) properties: podAffinityTerm: - description: Required. A pod affinity term, - associated with the corresponding weight. properties: labelSelector: - description: A label query over a set of - resources, in this case pods. properties: matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: key is the label - key that the selector applies - to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. 
If the operator - is Exists or DoesNotExist, the - values array must be empty. - This array is replaced during - a strategic merge patch. items: type: string type: array @@ -7837,59 +3413,18 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of - {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are - ANDed. type: object type: object namespaceSelector: - description: A label query over the set - of namespaces that the term applies to. - The term is applied to the union of the - namespaces selected by this field and - the ones listed in the namespaces field. - null selector and null or empty namespaces - list means "this pod's namespace". An - empty selector ({}) matches all namespaces. - This field is beta-level and is only honored - when PodAffinityNamespaceSelector feature - is enabled. properties: matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: key is the label - key that the selector applies - to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. - This array is replaced during - a strategic merge patch. items: type: string type: array 
@@ -7901,45 +3436,18 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of - {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are - ANDed. type: object type: object namespaces: - description: namespaces specifies a static - list of namespace names that the term - applies to. The term is applied to the - union of the namespaces listed in this - field and the ones selected by namespaceSelector. - null or empty namespaces list and null - namespaceSelector means "this pod's namespace" items: type: string type: array topologyKey: - description: This pod should be co-located - (affinity) or not co-located (anti-affinity) - with the pods matching the labelSelector - in the specified namespaces, where co-located - is defined as running on a node whose - value of the label with key topologyKey - matches that of any node on which any - of the selected pods is running. Empty - topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching - the corresponding podAffinityTerm, in the - range 1-100. format: int32 type: integer required: 
@@ -7948,59 +3456,18 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified - by this field are not met at scheduling time, the - pod will not be scheduled onto the node. If the - anti-affinity requirements specified by this field - cease to be met at some point during pod execution - (e.g. due to a pod label update), the system may - or may not try to eventually evict the pod from - its node. When there are multiple elements, the - lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those - matching the labelSelector relative to the given - namespace(s)) that this pod should be co-located - (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node - whose value of the label with key - matches that of any node on which a pod of the - set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. properties: matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: key is the label key - that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. items: type: string type: array 
@@ -8012,54 +3479,18 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. type: object type: object namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. This - field is beta-level and is only honored when - PodAffinityNamespaceSelector feature is enabled. properties: matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: key is the label key - that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. items: type: string type: array 
@@ -8071,34 +3502,13 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. type: object type: object namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace" items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. - Empty topologyKey is not allowed. type: string required: - topologyKey 
@@ -8107,157 +3517,69 @@ spec: type: object type: object automountServiceAccountToken: - description: AutomountServiceAccountToken indicates whether - a service account token should be automatically mounted. type: boolean containers: - description: List of containers belonging to the pod. Containers - cannot currently be added or removed. There must be at least - one container in a Pod. Cannot be updated. items: - description: A single application container that you want - to run within a pod. properties: args: - description: 'Arguments to the entrypoint. The docker - image''s CMD is used if this is not provided. Variable - references $(VAR_NAME) are expanded using the container''s - environment. If a variable cannot be resolved, the - reference in the input string will be unchanged. Double - $$ are reduced to a single $, which allows for escaping - the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce - the string literal "$(VAR_NAME)". Escaped references - will never be expanded, regardless of whether the - variable exists or not. Cannot be updated. More info: - https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array command: - description: 'Entrypoint array. Not executed within - a shell. The docker image''s ENTRYPOINT is used if - this is not provided. Variable references $(VAR_NAME) - are expanded using the container''s environment. If - a variable cannot be resolved, the reference in the - input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) - syntax: i.e. "$$(VAR_NAME)" will produce the string - literal "$(VAR_NAME)". Escaped references will never - be expanded, regardless of whether the variable exists - or not. Cannot be updated. 
More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array env: - description: List of environment variables to set in - the container. Cannot be updated. items: - description: EnvVar represents an environment variable - present in a Container. properties: name: - description: Name of the environment variable. - Must be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) - are expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Defaults - to "".' type: string valueFrom: - description: Source for the environment variable's - value. Cannot be used if value is not empty. properties: configMapKeyRef: - description: Selects a key of a ConfigMap. properties: key: - description: The key to select. type: string name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the ConfigMap - or its key must be defined type: boolean required: - key type: object fieldRef: - description: 'Selects a field of the pod: - supports metadata.name, metadata.namespace, - `metadata.labels['''']`, `metadata.annotations['''']`, - spec.nodeName, spec.serviceAccountName, - status.hostIP, status.podIP, status.podIPs.' properties: apiVersion: - description: Version of the schema the - FieldPath is written in terms of, defaults - to "v1". 
type: string fieldPath: - description: Path of the field to select - in the specified API version. type: string required: - fieldPath type: object resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, - requests.cpu, requests.memory and requests.ephemeral-storage) - are currently supported.' properties: containerName: - description: 'Container name: required - for volumes, optional for env vars' type: string divisor: anyOf: - type: integer - type: string - description: Specifies the output format - of the exposed resources, defaults to - "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: - description: 'Required: resource to select' type: string required: - resource type: object secretKeyRef: - description: Selects a key of a secret in - the pod's namespace properties: key: - description: The key of the secret to - select from. Must be a valid secret - key. type: string name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the Secret - or its key must be defined type: boolean required: - key 
@@ -8268,116 +3590,51 @@ spec: type: object type: array envFrom: - description: List of sources to populate environment - variables in the container. The keys defined within - a source must be a C_IDENTIFIER. All invalid keys - will be reported as an event when the container is - starting. When a key exists in multiple sources, the - value associated with the last source will take precedence. - Values defined by an Env with a duplicate key will - take precedence. Cannot be updated. items: - description: EnvFromSource represents the source of - a set of ConfigMaps properties: configMapRef: - description: The ConfigMap to select from properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the ConfigMap - must be defined type: boolean type: object prefix: - description: An optional identifier to prepend - to each key in the ConfigMap. Must be a C_IDENTIFIER. type: string secretRef: - description: The Secret to select from properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the Secret must - be defined type: boolean type: object type: object type: array image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config - management to default or override container images - in workload controllers like Deployments and StatefulSets.' type: string imagePullPolicy: - description: 'Image pull policy. One of Always, Never, - IfNotPresent. Defaults to Always if :latest tag is - specified, or IfNotPresent otherwise. Cannot be updated. 
- More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' type: string lifecycle: - description: Actions that the management system should - take in response to container lifecycle events. Cannot - be updated. properties: postStart: - description: 'PostStart is called immediately after - a container is created. If the handler fails, - the container is terminated and restarted according - to its restart policy. Other management of the - container blocks until the hook completes. More - info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line - to execute inside the container, the working - directory for the command is root ('/') - in the container's filesystem. The command - is simply exec'd, it is not run inside - a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, - you need to explicitly call out to that - shell. Exit status of 0 is treated as - live/healthy and non-zero is unhealthy. items: type: string type: array type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set - "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -8385,103 +3642,49 @@ spec: type: object type: array path: - description: Path to access on the HTTP - server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. type: string required: - port type: object tcpSocket: - description: Deprecated. TCPSocket is NOT supported - as a LifecycleHandler and kept for the backward - compatibility. There are no validation of - this field and lifecycle hooks will fail in - runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object type: object preStop: - description: 'PreStop is called immediately before - a container is terminated due to an API request - or management event such as liveness/startup probe - failure, preemption, resource contention, etc. - The handler is not called if the container crashes - or exits. The Pod''s termination grace period - countdown begins before the PreStop hook is executed. - Regardless of the outcome of the handler, the - container will eventually terminate within the - Pod''s termination grace period (unless delayed - by finalizers). Other management of the container - blocks until the hook completes or until the termination - grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: Exec specifies the action to take. 
properties: command: - description: Command is the command line - to execute inside the container, the working - directory for the command is root ('/') - in the container's filesystem. The command - is simply exec'd, it is not run inside - a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, - you need to explicitly call out to that - shell. Exit status of 0 is treated as - live/healthy and non-zero is unhealthy. items: type: string type: array type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set - "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -8489,44 +3692,25 @@ spec: type: object type: array path: - description: Path to access on the HTTP - server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. type: string required: - port type: object tcpSocket: - description: Deprecated. TCPSocket is NOT supported - as a LifecycleHandler and kept for the backward - compatibility. There are no validation of - this field and lifecycle hooks will fail in - runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port 
@@ -8534,74 +3718,37 @@ spec: type: object type: object livenessProbe: - description: 'Periodic probe of container liveness. - Container will be restarted if the probe fails. Cannot - be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the - probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving - a GRPC port. This is an alpha field and requires - enabling GRPCContainerProbe feature gate. properties: port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see - https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." type: string required: - port type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. 
items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -8609,133 +3756,62 @@ spec: type: object type: array path: - description: Path to access on the HTTP server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the - probe. Default to 10 seconds. Minimum value is - 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the - probe to be considered successful after having - failed. Defaults to 1. Must be 1 for liveness - and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod - needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after - the processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer - than the expected cleanup time for your process. 
- If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value must - be non-negative integer. The value zero indicates - stop immediately via the kill signal (no opportunity - to shut down). This is a beta field and requires - enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the - probe times out. Defaults to 1 second. Minimum - value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object name: - description: Name of the container specified as a DNS_LABEL. - Each container in a pod must have a unique name (DNS_LABEL). - Cannot be updated. type: string ports: - description: List of ports to expose from the container. - Exposing a port here gives the system additional information - about the network connections a container uses, but - is primarily informational. Not specifying a port - here DOES NOT prevent that port from being exposed. - Any port which is listening on the default "0.0.0.0" - address inside a container will be accessible from - the network. Cannot be updated. items: - description: ContainerPort represents a network port - in a single container. properties: containerPort: - description: Number of port to expose on the pod's - IP address. This must be a valid port number, - 0 < x < 65536. format: int32 type: integer hostIP: - description: What host IP to bind the external - port to. type: string hostPort: - description: Number of port to expose on the host. - If specified, this must be a valid port number, - 0 < x < 65536. If HostNetwork is specified, - this must match ContainerPort. Most containers - do not need this. 
format: int32 type: integer name: - description: If specified, this must be an IANA_SVC_NAME - and unique within the pod. Each named port in - a pod must have a unique name. Name for the - port that can be referred to by services. type: string protocol: default: TCP - description: Protocol for port. Must be UDP, TCP, - or SCTP. Defaults to "TCP". type: string required: - containerPort 
@@ -8746,74 +3822,37 @@ spec: - protocol x-kubernetes-list-type: map readinessProbe: - description: 'Periodic probe of container service readiness. - Container will be removed from service endpoints if - the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the - probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving - a GRPC port. This is an alpha field and requires - enabling GRPCContainerProbe feature gate. properties: port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see - https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." type: string required: - port type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. 
items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -8821,90 +3860,46 @@ spec: type: object type: array path: - description: Path to access on the HTTP server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the - probe. Default to 10 seconds. Minimum value is - 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the - probe to be considered successful after having - failed. Defaults to 1. Must be 1 for liveness - and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod - needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after - the processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer - than the expected cleanup time for your process. 
- If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value must - be non-negative integer. The value zero indicates - stop immediately via the kill signal (no opportunity - to shut down). This is a beta field and requires - enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the - probe times out. Defaults to 1 second. Minimum - value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object resources: - description: 'Compute Resources required by this container. - Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' properties: limits: additionalProperties: @@ -8913,8 +3908,6 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount - of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: 
@@ -8923,275 +3916,101 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is - omitted for a container, it defaults to Limits - if that is explicitly specified, otherwise to - an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object securityContext: - description: 'SecurityContext defines the security options - the container should be run with. If set, the fields - of SecurityContext override the equivalent fields - of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' properties: allowPrivilegeEscalation: - description: 'AllowPrivilegeEscalation controls - whether a process can gain more privileges than - its parent process. This bool directly controls - if the no_new_privs flag will be set on the container - process. AllowPrivilegeEscalation is true always - when the container is: 1) run as Privileged 2) - has CAP_SYS_ADMIN Note that this field cannot - be set when spec.os.name is windows.' type: boolean capabilities: - description: The capabilities to add/drop when running - containers. Defaults to the default set of capabilities - granted by the container runtime. Note that this - field cannot be set when spec.os.name is windows. properties: add: - description: Added capabilities items: - description: Capability represent POSIX capabilities - type type: string type: array drop: - description: Removed capabilities items: - description: Capability represent POSIX capabilities - type type: string type: array type: object privileged: - description: Run container in privileged mode. Processes - in privileged containers are essentially equivalent - to root on the host. Defaults to false. 
Note that - this field cannot be set when spec.os.name is - windows. type: boolean procMount: - description: procMount denotes the type of proc - mount to use for the containers. The default is - DefaultProcMount which uses the container runtime - defaults for readonly paths and masked paths. - This requires the ProcMountType feature flag to - be enabled. Note that this field cannot be set - when spec.os.name is windows. type: string readOnlyRootFilesystem: - description: Whether this container has a read-only - root filesystem. Default is false. Note that this - field cannot be set when spec.os.name is windows. type: boolean runAsGroup: - description: The GID to run the entrypoint of the - container process. Uses runtime default if unset. - May also be set in PodSecurityContext. If set - in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name - is windows. format: int64 type: integer runAsNonRoot: - description: Indicates that the container must run - as a non-root user. If true, the Kubelet will - validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start - the container if it does. If unset or false, no - such validation will be performed. May also be - set in PodSecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in - SecurityContext takes precedence. type: boolean runAsUser: - description: The UID to run the entrypoint of the - container process. Defaults to user specified - in image metadata if unspecified. May also be - set in PodSecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in - SecurityContext takes precedence. Note that this - field cannot be set when spec.os.name is windows. format: int64 type: integer seLinuxOptions: - description: The SELinux context to be applied to - the container. 
If unspecified, the container runtime - will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name - is windows. properties: level: - description: Level is SELinux level label that - applies to the container. type: string role: - description: Role is a SELinux role label that - applies to the container. type: string type: - description: Type is a SELinux type label that - applies to the container. type: string user: - description: User is a SELinux user label that - applies to the container. type: string type: object seccompProfile: - description: The seccomp options to use by this - container. If seccomp options are provided at - both the pod & container level, the container - options override the pod options. Note that this - field cannot be set when spec.os.name is windows. properties: localhostProfile: - description: localhostProfile indicates a profile - defined in a file on the node should be used. - The profile must be preconfigured on the node - to work. Must be a descending path, relative - to the kubelet's configured seccomp profile - location. Must only be set if type is "Localhost". type: string type: - description: "type indicates which kind of seccomp - profile will be applied. Valid options are: - \n Localhost - a profile defined in a file - on the node should be used. RuntimeDefault - - the container runtime default profile should - be used. Unconfined - no profile should be - applied." type: string required: - type type: object windowsOptions: - description: The Windows specific settings applied - to all containers. If unspecified, the options - from the PodSecurityContext will be used. If set - in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. 
- Note that this field cannot be set when spec.os.name - is linux. properties: gmsaCredentialSpec: - description: GMSACredentialSpec is where the - GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) - inlines the contents of the GMSA credential - spec named by the GMSACredentialSpecName field. type: string gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name - of the GMSA credential spec to use. type: string hostProcess: - description: HostProcess determines if a container - should be run as a 'Host Process' container. - This field is alpha-level and will only be - honored by components that enable the WindowsHostProcessContainers - feature flag. Setting this field without the - feature flag will result in errors when validating - the Pod. All of a Pod's containers must have - the same effective HostProcess value (it is - not allowed to have a mix of HostProcess containers - and non-HostProcess containers). In addition, - if HostProcess is true then HostNetwork must - also be set to true. type: boolean runAsUserName: - description: The UserName in Windows to run - the entrypoint of the container process. Defaults - to the user specified in image metadata if - unspecified. May also be set in PodSecurityContext. - If set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. type: string type: object type: object startupProbe: - description: 'StartupProbe indicates that the Pod has - successfully initialized. If specified, no other probes - are executed until this completes successfully. If - this probe fails, the Pod will be restarted, just - as if the livenessProbe failed. This can be used to - provide different probe parameters at the beginning - of a Pod''s lifecycle, when it might take a long time - to load data or warm a cache, than during steady-state - operation. This cannot be updated. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the - probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving - a GRPC port. This is an alpha field and requires - enabling GRPCContainerProbe feature gate. properties: port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see - https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." type: string required: - port type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -9199,148 +4018,61 @@ spec: type: object type: array path: - description: Path to access on the HTTP server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the - probe. Default to 10 seconds. Minimum value is - 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the - probe to be considered successful after having - failed. Defaults to 1. Must be 1 for liveness - and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod - needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after - the processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer - than the expected cleanup time for your process. 
- If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value must - be non-negative integer. The value zero indicates - stop immediately via the kill signal (no opportunity - to shut down). This is a beta field and requires - enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the - probe times out. Defaults to 1 second. Minimum - value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object stdin: - description: Whether this container should allocate - a buffer for stdin in the container runtime. If this - is not set, reads from stdin in the container will - always result in EOF. Default is false. type: boolean stdinOnce: - description: Whether the container runtime should close - the stdin channel after it has been opened by a single - attach. When stdin is true the stdin stream will remain - open across multiple attach sessions. If stdinOnce - is set to true, stdin is opened on container start, - is empty until the first client attaches to stdin, - and then remains open and accepts data until the client - disconnects, at which time stdin is closed and remains - closed until the container is restarted. If this flag - is false, a container processes that reads from stdin - will never receive an EOF. Default is false type: boolean terminationMessagePath: - description: 'Optional: Path at which the file to which - the container''s termination message will be written - is mounted into the container''s filesystem. Message - written is intended to be brief final status, such - as an assertion failure message. Will be truncated - by the node if greater than 4096 bytes. 
The total - message length across all containers will be limited - to 12kb. Defaults to /dev/termination-log. Cannot - be updated.' type: string terminationMessagePolicy: - description: Indicate how the termination message should - be populated. File will use the contents of terminationMessagePath - to populate the container status message on both success - and failure. FallbackToLogsOnError will use the last - chunk of container log output if the termination message - file is empty and the container exited with an error. - The log output is limited to 2048 bytes or 80 lines, - whichever is smaller. Defaults to File. Cannot be - updated. type: string tty: - description: Whether this container should allocate - a TTY for itself, also requires 'stdin' to be true. - Default is false. type: boolean volumeDevices: - description: volumeDevices is the list of block devices - to be used by the container. items: - description: volumeDevice describes a mapping of a - raw block device within a container. properties: devicePath: - description: devicePath is the path inside of - the container that the device will be mapped - to. type: string name: - description: name must match the name of a persistentVolumeClaim - in the pod type: string required: - devicePath 
@@ -9348,44 +4080,19 @@ spec: type: object type: array volumeMounts: - description: Pod volumes to mount into the container's - filesystem. Cannot be updated. items: - description: VolumeMount describes a mounting of a - Volume within a container. properties: mountPath: - description: Path within the container at which - the volume should be mounted. Must not contain - ':'. type: string mountPropagation: - description: mountPropagation determines how mounts - are propagated from the host to container and - the other way around. When not set, MountPropagationNone - is used. This field is beta in 1.10. type: string name: - description: This must match the Name of a Volume. type: string readOnly: - description: Mounted read-only if true, read-write - otherwise (false or unspecified). Defaults to - false. type: boolean subPath: - description: Path within the volume from which - the container's volume should be mounted. Defaults - to "" (volume's root). type: string subPathExpr: - description: Expanded path within the volume from - which the container's volume should be mounted. - Behaves similarly to SubPath but environment - variable references $(VAR_NAME) are expanded - using the container's environment. Defaults - to "" (volume's root). SubPathExpr and SubPath - are mutually exclusive. type: string required: - mountPath 
@@ -9393,230 +4100,97 @@ spec: type: object type: array workingDir: - description: Container's working directory. If not specified, - the container runtime's default will be used, which - might be configured in the container image. Cannot - be updated. type: string required: - name type: object type: array dnsConfig: - description: Specifies the DNS parameters of a pod. Parameters - specified here will be merged to the generated DNS configuration - based on DNSPolicy. properties: nameservers: - description: A list of DNS name server IP addresses. This - will be appended to the base nameservers generated from - DNSPolicy. Duplicated nameservers will be removed. items: type: string type: array options: - description: A list of DNS resolver options. This will - be merged with the base options generated from DNSPolicy. - Duplicated entries will be removed. Resolution options - given in Options will override those that appear in - the base DNSPolicy. items: - description: PodDNSConfigOption defines DNS resolver - options of a pod. properties: name: - description: Required. type: string value: type: string type: object type: array searches: - description: A list of DNS search domains for host-name - lookup. This will be appended to the base search paths - generated from DNSPolicy. Duplicated search paths will - be removed. items: type: string type: array type: object dnsPolicy: - description: Set DNS policy for the pod. Defaults to "ClusterFirst". - Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', - 'Default' or 'None'. DNS parameters given in DNSConfig will - be merged with the policy selected with DNSPolicy. To have - DNS options set along with hostNetwork, you have to specify - DNS policy explicitly to 'ClusterFirstWithHostNet'. type: string enableServiceLinks: - description: 'EnableServiceLinks indicates whether information - about services should be injected into pod''s environment - variables, matching the syntax of Docker links. 
Optional: - Defaults to true.' type: boolean ephemeralContainers: - description: List of ephemeral containers run in this pod. - Ephemeral containers may be run in an existing pod to perform - user-initiated actions such as debugging. This list cannot - be specified when creating a pod, and it cannot be modified - by updating the pod spec. In order to add an ephemeral container - to an existing pod, use the pod's ephemeralcontainers subresource. - This field is beta-level and available on clusters that - haven't disabled the EphemeralContainers feature gate. items: - description: "An EphemeralContainer is a temporary container - that you may add to an existing Pod for user-initiated - activities such as debugging. Ephemeral containers have - no resource or scheduling guarantees, and they will not - be restarted when they exit or when a Pod is removed or - restarted. The kubelet may evict a Pod if an ephemeral - container causes the Pod to exceed its resource allocation. - \n To add an ephemeral container, use the ephemeralcontainers - subresource of an existing Pod. Ephemeral containers may - not be removed or restarted. \n This is a beta feature - available on clusters that haven't disabled the EphemeralContainers - feature gate." properties: args: - description: 'Arguments to the entrypoint. The docker - image''s CMD is used if this is not provided. Variable - references $(VAR_NAME) are expanded using the container''s - environment. If a variable cannot be resolved, the - reference in the input string will be unchanged. Double - $$ are reduced to a single $, which allows for escaping - the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce - the string literal "$(VAR_NAME)". Escaped references - will never be expanded, regardless of whether the - variable exists or not. Cannot be updated. 
More info: - https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array command: - description: 'Entrypoint array. Not executed within - a shell. The docker image''s ENTRYPOINT is used if - this is not provided. Variable references $(VAR_NAME) - are expanded using the container''s environment. If - a variable cannot be resolved, the reference in the - input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) - syntax: i.e. "$$(VAR_NAME)" will produce the string - literal "$(VAR_NAME)". Escaped references will never - be expanded, regardless of whether the variable exists - or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array env: - description: List of environment variables to set in - the container. Cannot be updated. items: - description: EnvVar represents an environment variable - present in a Container. properties: name: - description: Name of the environment variable. - Must be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) - are expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Defaults - to "".' type: string valueFrom: - description: Source for the environment variable's - value. Cannot be used if value is not empty. properties: configMapKeyRef: - description: Selects a key of a ConfigMap. 
properties: key: - description: The key to select. type: string name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the ConfigMap - or its key must be defined type: boolean required: - key type: object fieldRef: - description: 'Selects a field of the pod: - supports metadata.name, metadata.namespace, - `metadata.labels['''']`, `metadata.annotations['''']`, - spec.nodeName, spec.serviceAccountName, - status.hostIP, status.podIP, status.podIPs.' properties: apiVersion: - description: Version of the schema the - FieldPath is written in terms of, defaults - to "v1". type: string fieldPath: - description: Path of the field to select - in the specified API version. type: string required: - fieldPath type: object resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, - requests.cpu, requests.memory and requests.ephemeral-storage) - are currently supported.' properties: containerName: - description: 'Container name: required - for volumes, optional for env vars' type: string divisor: anyOf: - type: integer - type: string - description: Specifies the output format - of the exposed resources, defaults to - "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: - description: 'Required: resource to select' type: string required: - resource type: object secretKeyRef: - description: Selects a key of a secret in - the pod's namespace properties: key: - description: The key of the secret to - select from. Must be a valid secret - key. type: string name: - description: 'Name of the referent. 
More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the Secret - or its key must be defined type: boolean required: - key 
@@ -9627,112 +4201,51 @@ spec: type: object type: array envFrom: - description: List of sources to populate environment - variables in the container. The keys defined within - a source must be a C_IDENTIFIER. All invalid keys - will be reported as an event when the container is - starting. When a key exists in multiple sources, the - value associated with the last source will take precedence. - Values defined by an Env with a duplicate key will - take precedence. Cannot be updated. items: - description: EnvFromSource represents the source of - a set of ConfigMaps properties: configMapRef: - description: The ConfigMap to select from properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the ConfigMap - must be defined type: boolean type: object prefix: - description: An optional identifier to prepend - to each key in the ConfigMap. Must be a C_IDENTIFIER. type: string secretRef: - description: The Secret to select from properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the Secret must - be defined type: boolean type: object type: object type: array image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images' type: string imagePullPolicy: - description: 'Image pull policy. One of Always, Never, - IfNotPresent. Defaults to Always if :latest tag is - specified, or IfNotPresent otherwise. Cannot be updated. - More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' type: string lifecycle: - description: Lifecycle is not allowed for ephemeral - containers. 
properties: postStart: - description: 'PostStart is called immediately after - a container is created. If the handler fails, - the container is terminated and restarted according - to its restart policy. Other management of the - container blocks until the hook completes. More - info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line - to execute inside the container, the working - directory for the command is root ('/') - in the container's filesystem. The command - is simply exec'd, it is not run inside - a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, - you need to explicitly call out to that - shell. Exit status of 0 is treated as - live/healthy and non-zero is unhealthy. items: type: string type: array type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set - "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -9740,103 +4253,49 @@ spec: type: object type: array path: - description: Path to access on the HTTP - server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. type: string required: - port type: object tcpSocket: - description: Deprecated. TCPSocket is NOT supported - as a LifecycleHandler and kept for the backward - compatibility. There are no validation of - this field and lifecycle hooks will fail in - runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object type: object preStop: - description: 'PreStop is called immediately before - a container is terminated due to an API request - or management event such as liveness/startup probe - failure, preemption, resource contention, etc. - The handler is not called if the container crashes - or exits. The Pod''s termination grace period - countdown begins before the PreStop hook is executed. - Regardless of the outcome of the handler, the - container will eventually terminate within the - Pod''s termination grace period (unless delayed - by finalizers). Other management of the container - blocks until the hook completes or until the termination - grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: Exec specifies the action to take. 
properties: command: - description: Command is the command line - to execute inside the container, the working - directory for the command is root ('/') - in the container's filesystem. The command - is simply exec'd, it is not run inside - a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, - you need to explicitly call out to that - shell. Exit status of 0 is treated as - live/healthy and non-zero is unhealthy. items: type: string type: array type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set - "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -9844,44 +4303,25 @@ spec: type: object type: array path: - description: Path to access on the HTTP - server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. type: string required: - port type: object tcpSocket: - description: Deprecated. TCPSocket is NOT supported - as a LifecycleHandler and kept for the backward - compatibility. There are no validation of - this field and lifecycle hooks will fail in - runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port 
@@ -9889,72 +4329,37 @@ spec: type: object type: object livenessProbe: - description: Probes are not allowed for ephemeral containers. properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the - probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving - a GRPC port. This is an alpha field and requires - enabling GRPCContainerProbe feature gate. properties: port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see - https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." type: string required: - port type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. 
items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -9962,126 +4367,62 @@ spec: type: object type: array path: - description: Path to access on the HTTP server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the - probe. Default to 10 seconds. Minimum value is - 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the - probe to be considered successful after having - failed. Defaults to 1. Must be 1 for liveness - and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod - needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after - the processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer - than the expected cleanup time for your process. 
- If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value must - be non-negative integer. The value zero indicates - stop immediately via the kill signal (no opportunity - to shut down). This is a beta field and requires - enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the - probe times out. Defaults to 1 second. Minimum - value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object name: - description: Name of the ephemeral container specified - as a DNS_LABEL. This name must be unique among all - containers, init containers and ephemeral containers. type: string ports: - description: Ports are not allowed for ephemeral containers. items: - description: ContainerPort represents a network port - in a single container. properties: containerPort: - description: Number of port to expose on the pod's - IP address. This must be a valid port number, - 0 < x < 65536. format: int32 type: integer hostIP: - description: What host IP to bind the external - port to. type: string hostPort: - description: Number of port to expose on the host. - If specified, this must be a valid port number, - 0 < x < 65536. If HostNetwork is specified, - this must match ContainerPort. Most containers - do not need this. format: int32 type: integer name: - description: If specified, this must be an IANA_SVC_NAME - and unique within the pod. Each named port in - a pod must have a unique name. Name for the - port that can be referred to by services. type: string protocol: default: TCP - description: Protocol for port. Must be UDP, TCP, - or SCTP. Defaults to "TCP". type: string required: - containerPort 
@@ -10092,72 +4433,37 @@ spec: - protocol x-kubernetes-list-type: map readinessProbe: - description: Probes are not allowed for ephemeral containers. properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the - probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving - a GRPC port. This is an alpha field and requires - enabling GRPCContainerProbe feature gate. properties: port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see - https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." type: string required: - port type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. 
items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -10165,91 +4471,46 @@ spec: type: object type: array path: - description: Path to access on the HTTP server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the - probe. Default to 10 seconds. Minimum value is - 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the - probe to be considered successful after having - failed. Defaults to 1. Must be 1 for liveness - and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod - needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after - the processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer - than the expected cleanup time for your process. 
- If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value must - be non-negative integer. The value zero indicates - stop immediately via the kill signal (no opportunity - to shut down). This is a beta field and requires - enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the - probe times out. Defaults to 1 second. Minimum - value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object resources: - description: Resources are not allowed for ephemeral - containers. Ephemeral containers use spare resources - already allocated to the pod. properties: limits: additionalProperties: @@ -10258,8 +4519,6 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount - of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: 
@@ -10268,267 +4527,101 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is - omitted for a container, it defaults to Limits - if that is explicitly specified, otherwise to - an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object securityContext: - description: 'Optional: SecurityContext defines the - security options the ephemeral container should be - run with. If set, the fields of SecurityContext override - the equivalent fields of PodSecurityContext.' properties: allowPrivilegeEscalation: - description: 'AllowPrivilegeEscalation controls - whether a process can gain more privileges than - its parent process. This bool directly controls - if the no_new_privs flag will be set on the container - process. AllowPrivilegeEscalation is true always - when the container is: 1) run as Privileged 2) - has CAP_SYS_ADMIN Note that this field cannot - be set when spec.os.name is windows.' type: boolean capabilities: - description: The capabilities to add/drop when running - containers. Defaults to the default set of capabilities - granted by the container runtime. Note that this - field cannot be set when spec.os.name is windows. properties: add: - description: Added capabilities items: - description: Capability represent POSIX capabilities - type type: string type: array drop: - description: Removed capabilities items: - description: Capability represent POSIX capabilities - type type: string type: array type: object privileged: - description: Run container in privileged mode. Processes - in privileged containers are essentially equivalent - to root on the host. Defaults to false. Note that - this field cannot be set when spec.os.name is - windows. 
type: boolean procMount: - description: procMount denotes the type of proc - mount to use for the containers. The default is - DefaultProcMount which uses the container runtime - defaults for readonly paths and masked paths. - This requires the ProcMountType feature flag to - be enabled. Note that this field cannot be set - when spec.os.name is windows. type: string readOnlyRootFilesystem: - description: Whether this container has a read-only - root filesystem. Default is false. Note that this - field cannot be set when spec.os.name is windows. type: boolean runAsGroup: - description: The GID to run the entrypoint of the - container process. Uses runtime default if unset. - May also be set in PodSecurityContext. If set - in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name - is windows. format: int64 type: integer runAsNonRoot: - description: Indicates that the container must run - as a non-root user. If true, the Kubelet will - validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start - the container if it does. If unset or false, no - such validation will be performed. May also be - set in PodSecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in - SecurityContext takes precedence. type: boolean runAsUser: - description: The UID to run the entrypoint of the - container process. Defaults to user specified - in image metadata if unspecified. May also be - set in PodSecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in - SecurityContext takes precedence. Note that this - field cannot be set when spec.os.name is windows. format: int64 type: integer seLinuxOptions: - description: The SELinux context to be applied to - the container. If unspecified, the container runtime - will allocate a random SELinux context for each - container. 
May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name - is windows. properties: level: - description: Level is SELinux level label that - applies to the container. type: string role: - description: Role is a SELinux role label that - applies to the container. type: string type: - description: Type is a SELinux type label that - applies to the container. type: string user: - description: User is a SELinux user label that - applies to the container. type: string type: object seccompProfile: - description: The seccomp options to use by this - container. If seccomp options are provided at - both the pod & container level, the container - options override the pod options. Note that this - field cannot be set when spec.os.name is windows. properties: localhostProfile: - description: localhostProfile indicates a profile - defined in a file on the node should be used. - The profile must be preconfigured on the node - to work. Must be a descending path, relative - to the kubelet's configured seccomp profile - location. Must only be set if type is "Localhost". type: string type: - description: "type indicates which kind of seccomp - profile will be applied. Valid options are: - \n Localhost - a profile defined in a file - on the node should be used. RuntimeDefault - - the container runtime default profile should - be used. Unconfined - no profile should be - applied." type: string required: - type type: object windowsOptions: - description: The Windows specific settings applied - to all containers. If unspecified, the options - from the PodSecurityContext will be used. If set - in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name - is linux. 
properties: gmsaCredentialSpec: - description: GMSACredentialSpec is where the - GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) - inlines the contents of the GMSA credential - spec named by the GMSACredentialSpecName field. type: string gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name - of the GMSA credential spec to use. type: string hostProcess: - description: HostProcess determines if a container - should be run as a 'Host Process' container. - This field is alpha-level and will only be - honored by components that enable the WindowsHostProcessContainers - feature flag. Setting this field without the - feature flag will result in errors when validating - the Pod. All of a Pod's containers must have - the same effective HostProcess value (it is - not allowed to have a mix of HostProcess containers - and non-HostProcess containers). In addition, - if HostProcess is true then HostNetwork must - also be set to true. type: boolean runAsUserName: - description: The UserName in Windows to run - the entrypoint of the container process. Defaults - to the user specified in image metadata if - unspecified. May also be set in PodSecurityContext. - If set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. type: string type: object type: object startupProbe: - description: Probes are not allowed for ephemeral containers. properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. 
items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the - probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving - a GRPC port. This is an alpha field and requires - enabling GRPCContainerProbe feature gate. properties: port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see - https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." type: string required: - port type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -10536,159 +4629,63 @@ spec: type: object type: array path: - description: Path to access on the HTTP server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the - probe. Default to 10 seconds. Minimum value is - 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the - probe to be considered successful after having - failed. Defaults to 1. Must be 1 for liveness - and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod - needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after - the processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer - than the expected cleanup time for your process. 
- If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value must - be non-negative integer. The value zero indicates - stop immediately via the kill signal (no opportunity - to shut down). This is a beta field and requires - enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the - probe times out. Defaults to 1 second. Minimum - value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object stdin: - description: Whether this container should allocate - a buffer for stdin in the container runtime. If this - is not set, reads from stdin in the container will - always result in EOF. Default is false. type: boolean stdinOnce: - description: Whether the container runtime should close - the stdin channel after it has been opened by a single - attach. When stdin is true the stdin stream will remain - open across multiple attach sessions. If stdinOnce - is set to true, stdin is opened on container start, - is empty until the first client attaches to stdin, - and then remains open and accepts data until the client - disconnects, at which time stdin is closed and remains - closed until the container is restarted. If this flag - is false, a container processes that reads from stdin - will never receive an EOF. Default is false type: boolean targetContainerName: - description: "If set, the name of the container from - PodSpec that this ephemeral container targets. The - ephemeral container will be run in the namespaces - (IPC, PID, etc) of this container. If not set then - the ephemeral container uses the namespaces configured - in the Pod spec. \n The container runtime must implement - support for this feature. 
If the runtime does not - support namespace targeting then the result of setting - this field is undefined." type: string terminationMessagePath: - description: 'Optional: Path at which the file to which - the container''s termination message will be written - is mounted into the container''s filesystem. Message - written is intended to be brief final status, such - as an assertion failure message. Will be truncated - by the node if greater than 4096 bytes. The total - message length across all containers will be limited - to 12kb. Defaults to /dev/termination-log. Cannot - be updated.' type: string terminationMessagePolicy: - description: Indicate how the termination message should - be populated. File will use the contents of terminationMessagePath - to populate the container status message on both success - and failure. FallbackToLogsOnError will use the last - chunk of container log output if the termination message - file is empty and the container exited with an error. - The log output is limited to 2048 bytes or 80 lines, - whichever is smaller. Defaults to File. Cannot be - updated. type: string tty: - description: Whether this container should allocate - a TTY for itself, also requires 'stdin' to be true. - Default is false. type: boolean volumeDevices: - description: volumeDevices is the list of block devices - to be used by the container. items: - description: volumeDevice describes a mapping of a - raw block device within a container. properties: devicePath: - description: devicePath is the path inside of - the container that the device will be mapped - to. type: string name: - description: name must match the name of a persistentVolumeClaim - in the pod type: string required: - devicePath 
@@ -10696,45 +4693,19 @@ spec: type: object type: array volumeMounts: - description: Pod volumes to mount into the container's - filesystem. Subpath mounts are not allowed for ephemeral - containers. Cannot be updated. items: - description: VolumeMount describes a mounting of a - Volume within a container. properties: mountPath: - description: Path within the container at which - the volume should be mounted. Must not contain - ':'. type: string mountPropagation: - description: mountPropagation determines how mounts - are propagated from the host to container and - the other way around. When not set, MountPropagationNone - is used. This field is beta in 1.10. type: string name: - description: This must match the Name of a Volume. type: string readOnly: - description: Mounted read-only if true, read-write - otherwise (false or unspecified). Defaults to - false. type: boolean subPath: - description: Path within the volume from which - the container's volume should be mounted. Defaults - to "" (volume's root). type: string subPathExpr: - description: Expanded path within the volume from - which the container's volume should be mounted. - Behaves similarly to SubPath but environment - variable references $(VAR_NAME) are expanded - using the container's environment. Defaults - to "" (volume's root). SubPathExpr and SubPath - are mutually exclusive. type: string required: - mountPath 
@@ -10742,228 +4713,99 @@ spec: type: object type: array workingDir: - description: Container's working directory. If not specified, - the container runtime's default will be used, which - might be configured in the container image. Cannot - be updated. type: string required: - name type: object type: array hostAliases: - description: HostAliases is an optional list of hosts and - IPs that will be injected into the pod's hosts file if specified. - This is only valid for non-hostNetwork pods. items: - description: HostAlias holds the mapping between IP and - hostnames that will be injected as an entry in the pod's - hosts file. properties: hostnames: - description: Hostnames for the above IP address. items: type: string type: array ip: - description: IP address of the host file entry. type: string type: object type: array hostIPC: - description: 'Use the host''s ipc namespace. Optional: Default - to false.' type: boolean hostNetwork: - description: Host networking requested for this pod. Use the - host's network namespace. If this option is set, the ports - that will be used must be specified. Default to false. type: boolean hostPID: - description: 'Use the host''s pid namespace. Optional: Default - to false.' type: boolean hostname: - description: Specifies the hostname of the Pod If not specified, - the pod's hostname will be set to a system-defined value. type: string imagePullSecrets: - description: 'ImagePullSecrets is an optional list of references - to secrets in the same namespace to use for pulling any - of the images used by this PodSpec. If specified, these - secrets will be passed to individual puller implementations - for them to use. For example, in the case of docker, only - DockerConfig type secrets are honored. 
More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' items: - description: LocalObjectReference contains enough information - to let you locate the referenced object inside the same - namespace. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object type: array initContainers: - description: 'List of initialization containers belonging - to the pod. Init containers are executed in order prior - to containers being started. If any init container fails, - the pod is considered to have failed and is handled according - to its restartPolicy. The name for an init container or - normal container must be unique among all containers. Init - containers may not have Lifecycle actions, Readiness probes, - Liveness probes, or Startup probes. The resourceRequirements - of an init container are taken into account during scheduling - by finding the highest request/limit for each resource type, - and then using the max of of that value or the sum of the - normal containers. Limits are applied to init containers - in a similar fashion. Init containers cannot currently be - added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/' items: - description: A single application container that you want - to run within a pod. properties: args: - description: 'Arguments to the entrypoint. The docker - image''s CMD is used if this is not provided. Variable - references $(VAR_NAME) are expanded using the container''s - environment. If a variable cannot be resolved, the - reference in the input string will be unchanged. Double - $$ are reduced to a single $, which allows for escaping - the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce - the string literal "$(VAR_NAME)". 
Escaped references - will never be expanded, regardless of whether the - variable exists or not. Cannot be updated. More info: - https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array command: - description: 'Entrypoint array. Not executed within - a shell. The docker image''s ENTRYPOINT is used if - this is not provided. Variable references $(VAR_NAME) - are expanded using the container''s environment. If - a variable cannot be resolved, the reference in the - input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) - syntax: i.e. "$$(VAR_NAME)" will produce the string - literal "$(VAR_NAME)". Escaped references will never - be expanded, regardless of whether the variable exists - or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array env: - description: List of environment variables to set in - the container. Cannot be updated. items: - description: EnvVar represents an environment variable - present in a Container. properties: name: - description: Name of the environment variable. - Must be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) - are expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Defaults - to "".' type: string valueFrom: - description: Source for the environment variable's - value. Cannot be used if value is not empty. 
properties: configMapKeyRef: - description: Selects a key of a ConfigMap. properties: key: - description: The key to select. type: string name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the ConfigMap - or its key must be defined type: boolean required: - key type: object fieldRef: - description: 'Selects a field of the pod: - supports metadata.name, metadata.namespace, - `metadata.labels['''']`, `metadata.annotations['''']`, - spec.nodeName, spec.serviceAccountName, - status.hostIP, status.podIP, status.podIPs.' properties: apiVersion: - description: Version of the schema the - FieldPath is written in terms of, defaults - to "v1". type: string fieldPath: - description: Path of the field to select - in the specified API version. type: string required: - fieldPath type: object resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, - requests.cpu, requests.memory and requests.ephemeral-storage) - are currently supported.' properties: containerName: - description: 'Container name: required - for volumes, optional for env vars' type: string divisor: anyOf: - type: integer - type: string - description: Specifies the output format - of the exposed resources, defaults to - "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: - description: 'Required: resource to select' type: string required: - resource type: object secretKeyRef: - description: Selects a key of a secret in - the pod's namespace properties: key: - description: The key of the secret to - select from. Must be a valid secret - key. type: string name: - description: 'Name of the referent. 
More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the Secret - or its key must be defined type: boolean required: - key 
@@ -10974,116 +4816,51 @@ spec: type: object type: array envFrom: - description: List of sources to populate environment - variables in the container. The keys defined within - a source must be a C_IDENTIFIER. All invalid keys - will be reported as an event when the container is - starting. When a key exists in multiple sources, the - value associated with the last source will take precedence. - Values defined by an Env with a duplicate key will - take precedence. Cannot be updated. items: - description: EnvFromSource represents the source of - a set of ConfigMaps properties: configMapRef: - description: The ConfigMap to select from properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the ConfigMap - must be defined type: boolean type: object prefix: - description: An optional identifier to prepend - to each key in the ConfigMap. Must be a C_IDENTIFIER. type: string secretRef: - description: The Secret to select from properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the Secret must - be defined type: boolean type: object type: object type: array image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config - management to default or override container images - in workload controllers like Deployments and StatefulSets.' type: string imagePullPolicy: - description: 'Image pull policy. One of Always, Never, - IfNotPresent. Defaults to Always if :latest tag is - specified, or IfNotPresent otherwise. Cannot be updated. 
- More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' type: string lifecycle: - description: Actions that the management system should - take in response to container lifecycle events. Cannot - be updated. properties: postStart: - description: 'PostStart is called immediately after - a container is created. If the handler fails, - the container is terminated and restarted according - to its restart policy. Other management of the - container blocks until the hook completes. More - info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line - to execute inside the container, the working - directory for the command is root ('/') - in the container's filesystem. The command - is simply exec'd, it is not run inside - a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, - you need to explicitly call out to that - shell. Exit status of 0 is treated as - live/healthy and non-zero is unhealthy. items: type: string type: array type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set - "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -11091,103 +4868,49 @@ spec: type: object type: array path: - description: Path to access on the HTTP - server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. type: string required: - port type: object tcpSocket: - description: Deprecated. TCPSocket is NOT supported - as a LifecycleHandler and kept for the backward - compatibility. There are no validation of - this field and lifecycle hooks will fail in - runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object type: object preStop: - description: 'PreStop is called immediately before - a container is terminated due to an API request - or management event such as liveness/startup probe - failure, preemption, resource contention, etc. - The handler is not called if the container crashes - or exits. The Pod''s termination grace period - countdown begins before the PreStop hook is executed. - Regardless of the outcome of the handler, the - container will eventually terminate within the - Pod''s termination grace period (unless delayed - by finalizers). Other management of the container - blocks until the hook completes or until the termination - grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: Exec specifies the action to take. 
properties: command: - description: Command is the command line - to execute inside the container, the working - directory for the command is root ('/') - in the container's filesystem. The command - is simply exec'd, it is not run inside - a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, - you need to explicitly call out to that - shell. Exit status of 0 is treated as - live/healthy and non-zero is unhealthy. items: type: string type: array type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set - "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -11195,44 +4918,25 @@ spec: type: object type: array path: - description: Path to access on the HTTP - server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. type: string required: - port type: object tcpSocket: - description: Deprecated. TCPSocket is NOT supported - as a LifecycleHandler and kept for the backward - compatibility. There are no validation of - this field and lifecycle hooks will fail in - runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port 
@@ -11240,74 +4944,37 @@ spec: type: object type: object livenessProbe: - description: 'Periodic probe of container liveness. - Container will be restarted if the probe fails. Cannot - be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the - probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving - a GRPC port. This is an alpha field and requires - enabling GRPCContainerProbe feature gate. properties: port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see - https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." type: string required: - port type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. 
items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -11315,133 +4982,62 @@ spec: type: object type: array path: - description: Path to access on the HTTP server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the - probe. Default to 10 seconds. Minimum value is - 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the - probe to be considered successful after having - failed. Defaults to 1. Must be 1 for liveness - and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod - needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after - the processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer - than the expected cleanup time for your process. 
- If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value must - be non-negative integer. The value zero indicates - stop immediately via the kill signal (no opportunity - to shut down). This is a beta field and requires - enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the - probe times out. Defaults to 1 second. Minimum - value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object name: - description: Name of the container specified as a DNS_LABEL. - Each container in a pod must have a unique name (DNS_LABEL). - Cannot be updated. type: string ports: - description: List of ports to expose from the container. - Exposing a port here gives the system additional information - about the network connections a container uses, but - is primarily informational. Not specifying a port - here DOES NOT prevent that port from being exposed. - Any port which is listening on the default "0.0.0.0" - address inside a container will be accessible from - the network. Cannot be updated. items: - description: ContainerPort represents a network port - in a single container. properties: containerPort: - description: Number of port to expose on the pod's - IP address. This must be a valid port number, - 0 < x < 65536. format: int32 type: integer hostIP: - description: What host IP to bind the external - port to. type: string hostPort: - description: Number of port to expose on the host. - If specified, this must be a valid port number, - 0 < x < 65536. If HostNetwork is specified, - this must match ContainerPort. Most containers - do not need this. 
format: int32 type: integer name: - description: If specified, this must be an IANA_SVC_NAME - and unique within the pod. Each named port in - a pod must have a unique name. Name for the - port that can be referred to by services. type: string protocol: default: TCP - description: Protocol for port. Must be UDP, TCP, - or SCTP. Defaults to "TCP". type: string required: - containerPort 
@@ -11452,74 +5048,37 @@ spec: - protocol x-kubernetes-list-type: map readinessProbe: - description: 'Periodic probe of container service readiness. - Container will be removed from service endpoints if - the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the - probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving - a GRPC port. This is an alpha field and requires - enabling GRPCContainerProbe feature gate. properties: port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see - https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." type: string required: - port type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. 
items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -11527,90 +5086,46 @@ spec: type: object type: array path: - description: Path to access on the HTTP server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the - probe. Default to 10 seconds. Minimum value is - 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the - probe to be considered successful after having - failed. Defaults to 1. Must be 1 for liveness - and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod - needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after - the processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer - than the expected cleanup time for your process. 
- If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value must - be non-negative integer. The value zero indicates - stop immediately via the kill signal (no opportunity - to shut down). This is a beta field and requires - enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the - probe times out. Defaults to 1 second. Minimum - value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object resources: - description: 'Compute Resources required by this container. - Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' properties: limits: additionalProperties: @@ -11619,8 +5134,6 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount - of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: 
@@ -11629,275 +5142,101 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is - omitted for a container, it defaults to Limits - if that is explicitly specified, otherwise to - an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object securityContext: - description: 'SecurityContext defines the security options - the container should be run with. If set, the fields - of SecurityContext override the equivalent fields - of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' properties: allowPrivilegeEscalation: - description: 'AllowPrivilegeEscalation controls - whether a process can gain more privileges than - its parent process. This bool directly controls - if the no_new_privs flag will be set on the container - process. AllowPrivilegeEscalation is true always - when the container is: 1) run as Privileged 2) - has CAP_SYS_ADMIN Note that this field cannot - be set when spec.os.name is windows.' type: boolean capabilities: - description: The capabilities to add/drop when running - containers. Defaults to the default set of capabilities - granted by the container runtime. Note that this - field cannot be set when spec.os.name is windows. properties: add: - description: Added capabilities items: - description: Capability represent POSIX capabilities - type type: string type: array drop: - description: Removed capabilities items: - description: Capability represent POSIX capabilities - type type: string type: array type: object privileged: - description: Run container in privileged mode. Processes - in privileged containers are essentially equivalent - to root on the host. Defaults to false. 
Note that - this field cannot be set when spec.os.name is - windows. type: boolean procMount: - description: procMount denotes the type of proc - mount to use for the containers. The default is - DefaultProcMount which uses the container runtime - defaults for readonly paths and masked paths. - This requires the ProcMountType feature flag to - be enabled. Note that this field cannot be set - when spec.os.name is windows. type: string readOnlyRootFilesystem: - description: Whether this container has a read-only - root filesystem. Default is false. Note that this - field cannot be set when spec.os.name is windows. type: boolean runAsGroup: - description: The GID to run the entrypoint of the - container process. Uses runtime default if unset. - May also be set in PodSecurityContext. If set - in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name - is windows. format: int64 type: integer runAsNonRoot: - description: Indicates that the container must run - as a non-root user. If true, the Kubelet will - validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start - the container if it does. If unset or false, no - such validation will be performed. May also be - set in PodSecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in - SecurityContext takes precedence. type: boolean runAsUser: - description: The UID to run the entrypoint of the - container process. Defaults to user specified - in image metadata if unspecified. May also be - set in PodSecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in - SecurityContext takes precedence. Note that this - field cannot be set when spec.os.name is windows. format: int64 type: integer seLinuxOptions: - description: The SELinux context to be applied to - the container. 
If unspecified, the container runtime - will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name - is windows. properties: level: - description: Level is SELinux level label that - applies to the container. type: string role: - description: Role is a SELinux role label that - applies to the container. type: string type: - description: Type is a SELinux type label that - applies to the container. type: string user: - description: User is a SELinux user label that - applies to the container. type: string type: object seccompProfile: - description: The seccomp options to use by this - container. If seccomp options are provided at - both the pod & container level, the container - options override the pod options. Note that this - field cannot be set when spec.os.name is windows. properties: localhostProfile: - description: localhostProfile indicates a profile - defined in a file on the node should be used. - The profile must be preconfigured on the node - to work. Must be a descending path, relative - to the kubelet's configured seccomp profile - location. Must only be set if type is "Localhost". type: string type: - description: "type indicates which kind of seccomp - profile will be applied. Valid options are: - \n Localhost - a profile defined in a file - on the node should be used. RuntimeDefault - - the container runtime default profile should - be used. Unconfined - no profile should be - applied." type: string required: - type type: object windowsOptions: - description: The Windows specific settings applied - to all containers. If unspecified, the options - from the PodSecurityContext will be used. If set - in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. 
- Note that this field cannot be set when spec.os.name - is linux. properties: gmsaCredentialSpec: - description: GMSACredentialSpec is where the - GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) - inlines the contents of the GMSA credential - spec named by the GMSACredentialSpecName field. type: string gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name - of the GMSA credential spec to use. type: string hostProcess: - description: HostProcess determines if a container - should be run as a 'Host Process' container. - This field is alpha-level and will only be - honored by components that enable the WindowsHostProcessContainers - feature flag. Setting this field without the - feature flag will result in errors when validating - the Pod. All of a Pod's containers must have - the same effective HostProcess value (it is - not allowed to have a mix of HostProcess containers - and non-HostProcess containers). In addition, - if HostProcess is true then HostNetwork must - also be set to true. type: boolean runAsUserName: - description: The UserName in Windows to run - the entrypoint of the container process. Defaults - to the user specified in image metadata if - unspecified. May also be set in PodSecurityContext. - If set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. type: string type: object type: object startupProbe: - description: 'StartupProbe indicates that the Pod has - successfully initialized. If specified, no other probes - are executed until this completes successfully. If - this probe fails, the Pod will be restarted, just - as if the livenessProbe failed. This can be used to - provide different probe parameters at the beginning - of a Pod''s lifecycle, when it might take a long time - to load data or warm a cache, than during steady-state - operation. This cannot be updated. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the - probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving - a GRPC port. This is an alpha field and requires - enabling GRPCContainerProbe feature gate. properties: port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see - https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." type: string required: - port type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -11905,148 +5244,61 @@ spec: type: object type: array path: - description: Path to access on the HTTP server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the - probe. Default to 10 seconds. Minimum value is - 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the - probe to be considered successful after having - failed. Defaults to 1. Must be 1 for liveness - and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod - needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after - the processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer - than the expected cleanup time for your process. 
- If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value must - be non-negative integer. The value zero indicates - stop immediately via the kill signal (no opportunity - to shut down). This is a beta field and requires - enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the - probe times out. Defaults to 1 second. Minimum - value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object stdin: - description: Whether this container should allocate - a buffer for stdin in the container runtime. If this - is not set, reads from stdin in the container will - always result in EOF. Default is false. type: boolean stdinOnce: - description: Whether the container runtime should close - the stdin channel after it has been opened by a single - attach. When stdin is true the stdin stream will remain - open across multiple attach sessions. If stdinOnce - is set to true, stdin is opened on container start, - is empty until the first client attaches to stdin, - and then remains open and accepts data until the client - disconnects, at which time stdin is closed and remains - closed until the container is restarted. If this flag - is false, a container processes that reads from stdin - will never receive an EOF. Default is false type: boolean terminationMessagePath: - description: 'Optional: Path at which the file to which - the container''s termination message will be written - is mounted into the container''s filesystem. Message - written is intended to be brief final status, such - as an assertion failure message. Will be truncated - by the node if greater than 4096 bytes. 
The total - message length across all containers will be limited - to 12kb. Defaults to /dev/termination-log. Cannot - be updated.' type: string terminationMessagePolicy: - description: Indicate how the termination message should - be populated. File will use the contents of terminationMessagePath - to populate the container status message on both success - and failure. FallbackToLogsOnError will use the last - chunk of container log output if the termination message - file is empty and the container exited with an error. - The log output is limited to 2048 bytes or 80 lines, - whichever is smaller. Defaults to File. Cannot be - updated. type: string tty: - description: Whether this container should allocate - a TTY for itself, also requires 'stdin' to be true. - Default is false. type: boolean volumeDevices: - description: volumeDevices is the list of block devices - to be used by the container. items: - description: volumeDevice describes a mapping of a - raw block device within a container. properties: devicePath: - description: devicePath is the path inside of - the container that the device will be mapped - to. type: string name: - description: name must match the name of a persistentVolumeClaim - in the pod type: string required: - devicePath 
@@ -12054,44 +5306,19 @@ spec: type: object type: array volumeMounts: - description: Pod volumes to mount into the container's - filesystem. Cannot be updated. items: - description: VolumeMount describes a mounting of a - Volume within a container. properties: mountPath: - description: Path within the container at which - the volume should be mounted. Must not contain - ':'. type: string mountPropagation: - description: mountPropagation determines how mounts - are propagated from the host to container and - the other way around. When not set, MountPropagationNone - is used. This field is beta in 1.10. type: string name: - description: This must match the Name of a Volume. type: string readOnly: - description: Mounted read-only if true, read-write - otherwise (false or unspecified). Defaults to - false. type: boolean subPath: - description: Path within the volume from which - the container's volume should be mounted. Defaults - to "" (volume's root). type: string subPathExpr: - description: Expanded path within the volume from - which the container's volume should be mounted. - Behaves similarly to SubPath but environment - variable references $(VAR_NAME) are expanded - using the container's environment. Defaults - to "" (volume's root). SubPathExpr and SubPath - are mutually exclusive. type: string required: - mountPath 
@@ -12099,55 +5326,21 @@ spec: type: object type: array workingDir: - description: Container's working directory. If not specified, - the container runtime's default will be used, which - might be configured in the container image. Cannot - be updated. type: string required: - name type: object type: array nodeName: - description: NodeName is a request to schedule this pod onto - a specific node. If it is non-empty, the scheduler simply - schedules this pod onto that node, assuming that it fits - resource requirements. type: string nodeSelector: additionalProperties: type: string - description: 'NodeSelector is a selector which must be true - for the pod to fit on a node. Selector which must match - a node''s labels for the pod to be scheduled on that node. - More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' type: object x-kubernetes-map-type: atomic os: - description: "Specifies the OS of the containers in the pod. - Some pod and container fields are restricted if this is - set. 
\n If the OS field is set to linux, the following fields - must be unset: -securityContext.windowsOptions \n If the - OS field is set to windows, following fields must be unset: - - spec.hostPID - spec.hostIPC - spec.securityContext.seLinuxOptions - - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - - spec.shareProcessNamespace - spec.securityContext.runAsUser - - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - - spec.containers[*].securityContext.runAsGroup This is - an alpha field and requires the IdentifyPodOS feature" properties: name: - description: 'Name is the name of the operating system. - The currently supported values are linux and windows. - Additional value may be defined in future and can be - one of: https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration - Clients should expect to handle additional values and - treat unrecognized values in this field as os: null' type: string required: - name 
@@ -12159,213 +5352,75 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Overhead represents the resource overhead associated - with running a pod for a given RuntimeClass. This field - will be autopopulated at admission time by the RuntimeClass - admission controller. If the RuntimeClass admission controller - is enabled, overhead must not be set in Pod create requests. - The RuntimeClass admission controller will reject Pod create - requests which have the overhead already set. If RuntimeClass - is configured and selected in the PodSpec, Overhead will - be set to the value defined in the corresponding RuntimeClass, - otherwise it will remain unset and treated as zero. More - info: https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md - This field is beta-level as of Kubernetes v1.18, and is - only honored by servers that enable the PodOverhead feature.' type: object preemptionPolicy: - description: PreemptionPolicy is the Policy for preempting - pods with lower priority. One of Never, PreemptLowerPriority. - Defaults to PreemptLowerPriority if unset. This field is - beta-level, gated by the NonPreemptingPriority feature-gate. type: string priority: - description: The priority value. Various system components - use this field to find the priority of the pod. When Priority - Admission Controller is enabled, it prevents users from - setting this field. The admission controller populates this - field from PriorityClassName. The higher the value, the - higher the priority. format: int32 type: integer priorityClassName: - description: If specified, indicates the pod's priority. "system-node-critical" - and "system-cluster-critical" are two special keywords which - indicate the highest priorities with the former being the - highest priority. 
Any other name must be defined by creating - a PriorityClass object with that name. If not specified, - the pod priority will be default or zero if there is no - default. type: string readinessGates: - description: 'If specified, all readiness gates will be evaluated - for pod readiness. A pod is ready when all its containers - are ready AND all conditions specified in the readiness - gates have status equal to "True" More info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates' items: - description: PodReadinessGate contains the reference to - a pod condition properties: conditionType: - description: ConditionType refers to a condition in - the pod's condition list with matching type. type: string required: - conditionType type: object type: array restartPolicy: - description: 'Restart policy for all containers within the - pod. One of Always, OnFailure, Never. Default to Always. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy' type: string runtimeClassName: - description: 'RuntimeClassName refers to a RuntimeClass object - in the node.k8s.io group, which should be used to run this - pod. If no RuntimeClass resource matches the named class, - the pod will not be run. If unset or empty, the "legacy" - RuntimeClass will be used, which is an implicit class with - an empty definition that uses the default runtime handler. - More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class - This is a beta feature as of Kubernetes v1.14.' type: string schedulerName: - description: If specified, the pod will be dispatched by specified - scheduler. If not specified, the pod will be dispatched - by default scheduler. type: string securityContext: - description: 'SecurityContext holds pod-level security attributes - and common container settings. Optional: Defaults to empty. See - type description for default values of each field.' 
properties: fsGroup: - description: "A special supplemental group that applies - to all containers in a pod. Some volume types allow - the Kubelet to change the ownership of that volume to - be owned by the pod: \n 1. The owning GID will be the - FSGroup 2. The setgid bit is set (new files created - in the volume will be owned by FSGroup) 3. The permission - bits are OR'd with rw-rw---- \n If unset, the Kubelet - will not modify the ownership and permissions of any - volume. Note that this field cannot be set when spec.os.name - is windows." format: int64 type: integer fsGroupChangePolicy: - description: 'fsGroupChangePolicy defines behavior of - changing ownership and permission of the volume before - being exposed inside Pod. This field will only apply - to volume types which support fsGroup based ownership(and - permissions). It will have no effect on ephemeral volume - types such as: secret, configmaps and emptydir. Valid - values are "OnRootMismatch" and "Always". If not specified, - "Always" is used. Note that this field cannot be set - when spec.os.name is windows.' type: string runAsGroup: - description: The GID to run the entrypoint of the container - process. Uses runtime default if unset. May also be - set in SecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. Note that this - field cannot be set when spec.os.name is windows. format: int64 type: integer runAsNonRoot: - description: Indicates that the container must run as - a non-root user. If true, the Kubelet will validate - the image at runtime to ensure that it does not run - as UID 0 (root) and fail to start the container if it - does. If unset or false, no such validation will be - performed. May also be set in SecurityContext. If set - in both SecurityContext and PodSecurityContext, the - value specified in SecurityContext takes precedence. 
type: boolean runAsUser: - description: The UID to run the entrypoint of the container - process. Defaults to user specified in image metadata - if unspecified. May also be set in SecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence - for that container. Note that this field cannot be set - when spec.os.name is windows. format: int64 type: integer seLinuxOptions: - description: The SELinux context to be applied to all - containers. If unspecified, the container runtime will - allocate a random SELinux context for each container. May - also be set in SecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. Note that this - field cannot be set when spec.os.name is windows. properties: level: - description: Level is SELinux level label that applies - to the container. type: string role: - description: Role is a SELinux role label that applies - to the container. type: string type: - description: Type is a SELinux type label that applies - to the container. type: string user: - description: User is a SELinux user label that applies - to the container. type: string type: object seccompProfile: - description: The seccomp options to use by the containers - in this pod. Note that this field cannot be set when - spec.os.name is windows. properties: localhostProfile: - description: localhostProfile indicates a profile - defined in a file on the node should be used. The - profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's - configured seccomp profile location. Must only be - set if type is "Localhost". type: string type: - description: "type indicates which kind of seccomp - profile will be applied. Valid options are: \n Localhost - - a profile defined in a file on the node should - be used. 
RuntimeDefault - the container runtime - default profile should be used. Unconfined - no - profile should be applied." type: string required: - type type: object supplementalGroups: - description: A list of groups applied to the first process - run in each container, in addition to the container's - primary GID. If unspecified, no groups will be added - to any container. Note that this field cannot be set - when spec.os.name is windows. items: format: int64 type: integer type: array sysctls: - description: Sysctls hold a list of namespaced sysctls - used for the pod. Pods with unsupported sysctls (by - the container runtime) might fail to launch. Note that - this field cannot be set when spec.os.name is windows. items: - description: Sysctl defines a kernel parameter to be - set properties: name: - description: Name of a property to set type: string value: - description: Value of a property to set type: string required: - name 
@@ -12373,174 +5428,59 @@ spec: type: object type: array windowsOptions: - description: The Windows specific settings applied to - all containers. If unspecified, the options within a - container's SecurityContext will be used. If set in - both SecurityContext and PodSecurityContext, the value - specified in SecurityContext takes precedence. Note - that this field cannot be set when spec.os.name is linux. properties: gmsaCredentialSpec: - description: GMSACredentialSpec is where the GMSA - admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) - inlines the contents of the GMSA credential spec - named by the GMSACredentialSpecName field. type: string gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of - the GMSA credential spec to use. type: string hostProcess: - description: HostProcess determines if a container - should be run as a 'Host Process' container. This - field is alpha-level and will only be honored by - components that enable the WindowsHostProcessContainers - feature flag. Setting this field without the feature - flag will result in errors when validating the Pod. - All of a Pod's containers must have the same effective - HostProcess value (it is not allowed to have a mix - of HostProcess containers and non-HostProcess containers). In - addition, if HostProcess is true then HostNetwork - must also be set to true. type: boolean runAsUserName: - description: The UserName in Windows to run the entrypoint - of the container process. Defaults to the user specified - in image metadata if unspecified. May also be set - in PodSecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in SecurityContext - takes precedence. type: string type: object type: object serviceAccount: - description: 'DeprecatedServiceAccount is a depreciated alias - for ServiceAccountName. Deprecated: Use serviceAccountName - instead.' 
type: string serviceAccountName: - description: 'ServiceAccountName is the name of the ServiceAccount - to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' type: string setHostnameAsFQDN: - description: If true the pod's hostname will be configured - as the pod's FQDN, rather than the leaf name (the default). - In Linux containers, this means setting the FQDN in the - hostname field of the kernel (the nodename field of struct - utsname). In Windows containers, this means setting the - registry value of hostname for the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters - to FQDN. If a pod does not have FQDN, this has no effect. - Default to false. type: boolean shareProcessNamespace: - description: 'Share a single process namespace between all - of the containers in a pod. When this is set containers - will be able to view and signal processes from other containers - in the same pod, and the first process in each container - will not be assigned PID 1. HostPID and ShareProcessNamespace - cannot both be set. Optional: Default to false.' type: boolean subdomain: - description: If specified, the fully qualified Pod hostname - will be "...svc.". If not specified, the pod will not have a domainname - at all. type: string terminationGracePeriodSeconds: - description: Optional duration in seconds the pod needs to - terminate gracefully. May be decreased in delete request. - Value must be non-negative integer. The value zero indicates - stop immediately via the kill signal (no opportunity to - shut down). If this value is nil, the default grace period - will be used instead. The grace period is the duration in - seconds after the processes running in the pod are sent - a termination signal and the time when the processes are - forcibly halted with a kill signal. Set this value longer - than the expected cleanup time for your process. Defaults - to 30 seconds. 
format: int64 type: integer tolerations: - description: If specified, the pod's tolerations. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule and - NoExecute. type: string key: - description: Key is the taint key that the toleration - applies to. Empty means match all taint keys. If the - key is empty, operator must be Exists; this combination - means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship - to the value. Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate all taints of - a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period - of time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the - taint forever (do not evict). Zero and negative values - will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration - matches to. If the operator is Exists, the value should - be empty, otherwise just a regular string. type: string type: object type: array topologySpreadConstraints: - description: TopologySpreadConstraints describes how a group - of pods ought to spread across topology domains. Scheduler - will schedule pods in a way which abides by the constraints. - All topologySpreadConstraints are ANDed. items: - description: TopologySpreadConstraint specifies how to spread - matching pods among the given topology. properties: labelSelector: - description: LabelSelector is used to find matching - pods. 
Pods that match this label selector are counted - to determine the number of pods in their corresponding - topology domain. properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. items: type: string type: array 
@@ -12552,59 +5492,14 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. type: object type: object maxSkew: - description: 'MaxSkew describes the degree to which - pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, - it is the maximum permitted difference between the - number of matching pods in the target topology and - the global minimum. For example, in a 3-zone cluster, - MaxSkew is set to 1, and pods with the same labelSelector - spread as 1/1/0: | zone1 | zone2 | zone3 | | P | P | | - - if MaxSkew is 1, incoming pod can only be scheduled - to zone3 to become 1/1/1; scheduling it onto zone1(zone2) - would make the ActualSkew(2-0) on zone1(zone2) violate - MaxSkew(1). - if MaxSkew is 2, incoming pod can be - scheduled onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, - it is used to give higher precedence to topologies - that satisfy it. It''s a required field. Default value - is 1 and 0 is not allowed.' format: int32 type: integer topologyKey: - description: TopologyKey is the key of node labels. - Nodes that have a label with this key and identical - values are considered to be in the same topology. - We consider each as a "bucket", and try - to put balanced number of pods into each bucket. It's - a required field. type: string whenUnsatisfiable: - description: 'WhenUnsatisfiable indicates how to deal - with a pod if it doesn''t satisfy the spread constraint. - - DoNotSchedule (default) tells the scheduler not - to schedule it. - ScheduleAnyway tells the scheduler - to schedule the pod in any location, but giving higher - precedence to topologies that would help reduce the - skew. 
A constraint is considered "Unsatisfiable" for - an incoming pod if and only if every possible node - assignment for that pod would violate "MaxSkew" on - some topology. For example, in a 3-zone cluster, MaxSkew - is set to 1, and pods with the same labelSelector - spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P - | P | P | If WhenUnsatisfiable is set to DoNotSchedule, - incoming pod can only be scheduled to zone2(zone3) - to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) - satisfies MaxSkew(1). In other words, the cluster - can still be imbalanced, but scheduler won''t make - it *more* imbalanced. It''s a required field.' type: string required: - maxSkew 
@@ -12617,233 +5512,104 @@ spec: - whenUnsatisfiable x-kubernetes-list-type: map volumes: - description: 'List of volumes that can be mounted by containers - belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes' items: - description: Volume represents a named volume in a pod that - may be accessed by any container in the pod. properties: awsElasticBlockStore: - description: 'AWSElasticBlockStore represents an AWS - Disk resource that is attached to a kubelet''s host - machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' properties: fsType: - description: 'Filesystem type of the volume that - you want to mount. Tip: Ensure that the filesystem - type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - TODO: how do we prevent errors in the filesystem - from compromising the machine' type: string partition: - description: 'The partition in the volume that you - want to mount. If omitted, the default is to mount - by volume name. Examples: For volume /dev/sda1, - you specify the partition as "1". Similarly, the - volume partition for /dev/sda is "0" (or you can - leave the property empty).' format: int32 type: integer readOnly: - description: 'Specify "true" to force and set the - ReadOnly property in VolumeMounts to "true". If - omitted, the default is "false". More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' type: boolean volumeID: - description: 'Unique ID of the persistent disk resource - in AWS (Amazon EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' type: string required: - volumeID type: object azureDisk: - description: AzureDisk represents an Azure Data Disk - mount on the host and bind mount to the pod. 
properties: cachingMode: - description: 'Host Caching mode: None, Read Only, - Read Write.' type: string diskName: - description: The Name of the data disk in the blob - storage type: string diskURI: - description: The URI the data disk in the blob storage type: string fsType: - description: Filesystem type to mount. Must be a - filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly - inferred to be "ext4" if unspecified. type: string kind: - description: 'Expected values Shared: multiple blob - disks per storage account Dedicated: single blob - disk per storage account Managed: azure managed - data disk (only in managed availability set). - defaults to shared' type: string readOnly: - description: Defaults to false (read/write). ReadOnly - here will force the ReadOnly setting in VolumeMounts. type: boolean required: - diskName - diskURI type: object azureFile: - description: AzureFile represents an Azure File Service - mount on the host and bind mount to the pod. properties: readOnly: - description: Defaults to false (read/write). ReadOnly - here will force the ReadOnly setting in VolumeMounts. type: boolean secretName: - description: the name of secret that contains Azure - Storage Account Name and Key type: string shareName: - description: Share Name type: string required: - secretName - shareName type: object cephfs: - description: CephFS represents a Ceph FS mount on the - host that shares a pod's lifetime properties: monitors: - description: 'Required: Monitors is a collection - of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' items: type: string type: array path: - description: 'Optional: Used as the mounted root, - rather than the full Ceph tree, default is /' type: string readOnly: - description: 'Optional: Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting - in VolumeMounts. 
More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: boolean secretFile: - description: 'Optional: SecretFile is the path to - key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: string secretRef: - description: 'Optional: SecretRef is reference to - the authentication secret for User, default is - empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string type: object user: - description: 'Optional: User is the rados user name, - default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: string required: - monitors type: object cinder: - description: 'Cinder represents a cinder volume attached - and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' properties: fsType: - description: 'Filesystem type to mount. Must be - a filesystem type supported by the host operating - system. Examples: "ext4", "xfs", "ntfs". Implicitly - inferred to be "ext4" if unspecified. More info: - https://examples.k8s.io/mysql-cinder-pd/README.md' type: string readOnly: - description: 'Optional: Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting - in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' type: boolean secretRef: - description: 'Optional: points to a secret object - containing parameters used to connect to OpenStack.' properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' 
type: string type: object volumeID: - description: 'volume id used to identify the volume - in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' type: string required: - volumeID type: object configMap: - description: ConfigMap represents a configMap that should - populate this volume properties: defaultMode: - description: 'Optional: mode bits used to set permissions - on created files by default. Must be an octal - value between 0000 and 0777 or a decimal value - between 0 and 511. YAML accepts both octal and - decimal values, JSON requires decimal values for - mode bits. Defaults to 0644. Directories within - the path are not affected by this setting. This - might be in conflict with other options that affect - the file mode, like fsGroup, and the result can - be other mode bits set.' format: int32 type: integer items: - description: If unspecified, each key-value pair - in the Data field of the referenced ConfigMap - will be projected into the volume as a file whose - name is the key and content is the value. If specified, - the listed keys will be projected into the specified - paths, and unlisted keys will not be present. - If a key is specified which is not present in - the ConfigMap, the volume setup will error unless - it is marked optional. Paths must be relative - and may not contain the '..' path or start with - '..'. items: - description: Maps a string key to a path within - a volume. properties: key: - description: The key to project. type: string mode: - description: 'Optional: mode bits used to - set permissions on this file. Must be an - octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both - octal and decimal values, JSON requires - decimal values for mode bits. If not specified, - the volume defaultMode will be used. This - might be in conflict with other options - that affect the file mode, like fsGroup, - and the result can be other mode bits set.' 
format: int32 type: integer path: - description: The relative path of the file - to map the key to. May not be an absolute - path. May not contain the path element '..'. - May not start with the string '..'. type: string required: - key 
@@ -12851,147 +5617,63 @@ spec: type: object type: array name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' type: string optional: - description: Specify whether the ConfigMap or its - keys must be defined type: boolean type: object csi: - description: CSI (Container Storage Interface) represents - ephemeral storage that is handled by certain external - CSI drivers (Beta feature). properties: driver: - description: Driver is the name of the CSI driver - that handles this volume. Consult with your admin - for the correct name as registered in the cluster. type: string fsType: - description: Filesystem type to mount. Ex. "ext4", - "xfs", "ntfs". If not provided, the empty value - is passed to the associated CSI driver which will - determine the default filesystem to apply. type: string nodePublishSecretRef: - description: NodePublishSecretRef is a reference - to the secret object containing sensitive information - to pass to the CSI driver to complete the CSI - NodePublishVolume and NodeUnpublishVolume calls. - This field is optional, and may be empty if no - secret is required. If the secret object contains - more than one secret, all secret references are - passed. properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string type: object readOnly: - description: Specifies a read-only configuration - for the volume. Defaults to false (read/write). type: boolean volumeAttributes: additionalProperties: type: string - description: VolumeAttributes stores driver-specific - properties that are passed to the CSI driver. - Consult your driver's documentation for supported - values. 
type: object required: - driver type: object downwardAPI: - description: DownwardAPI represents downward API about - the pod that should populate this volume properties: defaultMode: - description: 'Optional: mode bits to use on created - files by default. Must be a Optional: mode bits - used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or - a decimal value between 0 and 511. YAML accepts - both octal and decimal values, JSON requires decimal - values for mode bits. Defaults to 0644. Directories - within the path are not affected by this setting. - This might be in conflict with other options that - affect the file mode, like fsGroup, and the result - can be other mode bits set.' format: int32 type: integer items: - description: Items is a list of downward API volume - file items: - description: DownwardAPIVolumeFile represents - information to create the file containing the - pod field properties: fieldRef: - description: 'Required: Selects a field of - the pod: only annotations, labels, name - and namespace are supported.' properties: apiVersion: - description: Version of the schema the - FieldPath is written in terms of, defaults - to "v1". type: string fieldPath: - description: Path of the field to select - in the specified API version. type: string required: - fieldPath type: object mode: - description: 'Optional: mode bits used to - set permissions on this file, must be an - octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both - octal and decimal values, JSON requires - decimal values for mode bits. If not specified, - the volume defaultMode will be used. This - might be in conflict with other options - that affect the file mode, like fsGroup, - and the result can be other mode bits set.' format: int32 type: integer path: - description: 'Required: Path is the relative - path name of the file to be created. Must - not be absolute or contain the ''..'' path. 
- Must be utf-8 encoded. The first item of - the relative path must not start with ''..''' type: string resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, requests.cpu and requests.memory) - are currently supported.' properties: containerName: - description: 'Container name: required - for volumes, optional for env vars' type: string divisor: anyOf: - type: integer - type: string - description: Specifies the output format - of the exposed resources, defaults to - "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: - description: 'Required: resource to select' type: string required: - resource 
@@ -13002,190 +5684,53 @@ spec: type: array type: object emptyDir: - description: 'EmptyDir represents a temporary directory - that shares a pod''s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' properties: medium: - description: 'What type of storage medium should - back this directory. The default is "" which means - to use the node''s default medium. Must be an - empty string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' type: string sizeLimit: anyOf: - type: integer - type: string - description: 'Total amount of local storage required - for this EmptyDir volume. The size limit is also - applicable for memory medium. The maximum usage - on memory medium EmptyDir would be the minimum - value between the SizeLimit specified here and - the sum of memory limits of all containers in - a pod. The default is nil which means that the - limit is undefined. More info: http://kubernetes.io/docs/user-guide/volumes#emptydir' pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object ephemeral: - description: "Ephemeral represents a volume that is - handled by a cluster storage driver. The volume's - lifecycle is tied to the pod that defines it - it - will be created before the pod starts, and deleted - when the pod is removed. \n Use this if: a) the volume - is only needed while the pod runs, b) features of - normal volumes like restoring from snapshot or capacity - tracking are needed, c) the storage driver is specified - through a storage class, and d) the storage driver - supports dynamic volume provisioning through a PersistentVolumeClaim - (see EphemeralVolumeSource for more information on - the connection between this volume type and PersistentVolumeClaim). 
- \n Use PersistentVolumeClaim or one of the vendor-specific - APIs for volumes that persist for longer than the - lifecycle of an individual pod. \n Use CSI for light-weight - local ephemeral volumes if the CSI driver is meant - to be used that way - see the documentation of the - driver for more information. \n A pod can use both - types of ephemeral volumes and persistent volumes - at the same time." properties: volumeClaimTemplate: - description: "Will be used to create a stand-alone - PVC to provision the volume. The pod in which - this EphemeralVolumeSource is embedded will be - the owner of the PVC, i.e. the PVC will be deleted - together with the pod. The name of the PVC will - be `-` where `` - is the name from the `PodSpec.Volumes` array entry. - Pod validation will reject the pod if the concatenated - name is not valid for a PVC (for example, too - long). \n An existing PVC with that name that - is not owned by the pod will *not* be used for - the pod to avoid using an unrelated volume by - mistake. Starting the pod is then blocked until - the unrelated PVC is removed. If such a pre-created - PVC is meant to be used by the pod, the PVC has - to updated with an owner reference to the pod - once the pod exists. Normally this should not - be necessary, but it may be useful when manually - reconstructing a broken cluster. \n This field - is read-only and no changes will be made by Kubernetes - to the PVC after it has been created. \n Required, - must not be nil." properties: metadata: - description: May contain labels and annotations - that will be copied into the PVC when creating - it. No other fields are allowed and will be - rejected during validation. type: object spec: - description: The specification for the PersistentVolumeClaim. - The entire content is copied unchanged into - the PVC that gets created from this template. - The same fields as in a PersistentVolumeClaim - are also valid here. 
properties: accessModes: - description: 'AccessModes contains the desired - access modes the volume should have. More - info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' items: type: string type: array dataSource: - description: 'This field can be used to - specify either: * An existing VolumeSnapshot - object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller - can support the specified data source, - it will create a new volume based on the - contents of the specified data source. - If the AnyVolumeDataSource feature gate - is enabled, this field will always have - the same contents as the DataSourceRef - field.' properties: apiGroup: - description: APIGroup is the group for - the resource being referenced. If - APIGroup is not specified, the specified - Kind must be in the core API group. - For any other third-party types, APIGroup - is required. type: string kind: - description: Kind is the type of resource - being referenced type: string name: - description: Name is the name of resource - being referenced type: string required: - kind - name type: object dataSourceRef: - description: 'Specifies the object from - which to populate the volume with data, - if a non-empty volume is desired. This - may be any local object from a non-empty - API group (non core object) or a PersistentVolumeClaim - object. When this field is specified, - volume binding will only succeed if the - type of the specified object matches some - installed volume populator or dynamic - provisioner. This field will replace the - functionality of the DataSource field - and as such if both fields are non-empty, - they must have the same value. For backwards - compatibility, both fields (DataSource - and DataSourceRef) will be set to the - same value automatically if one of them - is empty and the other is non-empty. 
There - are two important differences between - DataSource and DataSourceRef: * While - DataSource only allows two specific types - of objects, DataSourceRef allows any non-core - object, as well as PersistentVolumeClaim - objects. * While DataSource ignores disallowed - values (dropping them), DataSourceRef - preserves all values, and generates an - error if a disallowed value is specified. - (Alpha) Using this field requires the - AnyVolumeDataSource feature gate to be - enabled.' properties: apiGroup: - description: APIGroup is the group for - the resource being referenced. If - APIGroup is not specified, the specified - Kind must be in the core API group. - For any other third-party types, APIGroup - is required. type: string kind: - description: Kind is the type of resource - being referenced type: string name: - description: Name is the name of resource - being referenced type: string required: - kind - name type: object resources: - description: 'Resources represents the minimum - resources the volume should have. If RecoverVolumeExpansionFailure - feature is enabled users are allowed to - specify resource requirements that are - lower than previous value but must still - be higher than capacity recorded in the - status field of the claim. More info: - https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' properties: limits: additionalProperties: @@ -13194,9 +5739,6 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum - amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: 
@@ -13205,49 +5747,18 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the - minimum amount of compute resources - required. If Requests is omitted for - a container, it defaults to Limits - if that is explicitly specified, otherwise - to an implementation-defined value. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object selector: - description: A label query over volumes - to consider for binding. properties: matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: key is the label - key that the selector applies - to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. - This array is replaced during - a strategic merge patch. items: type: string type: array 
@@ -13259,29 +5770,13 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of - {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are - ANDed. type: object type: object storageClassName: - description: 'Name of the StorageClass required - by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' type: string volumeMode: - description: volumeMode defines what type - of volume is required by the claim. Value - of Filesystem is implied when not included - in claim spec. type: string volumeName: - description: VolumeName is the binding reference - to the PersistentVolume backing this claim. type: string type: object required: 
@@ -13289,272 +5784,125 @@ spec: type: object type: object fc: - description: FC represents a Fibre Channel resource - that is attached to a kubelet's host machine and then - exposed to the pod. properties: fsType: - description: 'Filesystem type to mount. Must be - a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly - inferred to be "ext4" if unspecified. TODO: how - do we prevent errors in the filesystem from compromising - the machine' type: string lun: - description: 'Optional: FC target lun number' format: int32 type: integer readOnly: - description: 'Optional: Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting - in VolumeMounts.' type: boolean targetWWNs: - description: 'Optional: FC target worldwide names - (WWNs)' items: type: string type: array wwids: - description: 'Optional: FC volume world wide identifiers - (wwids) Either wwids or combination of targetWWNs - and lun must be set, but not both simultaneously.' items: type: string type: array type: object flexVolume: - description: FlexVolume represents a generic volume - resource that is provisioned/attached using an exec - based plugin. properties: driver: - description: Driver is the name of the driver to - use for this volume. type: string fsType: - description: Filesystem type to mount. Must be a - filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". The default - filesystem depends on FlexVolume script. type: string options: additionalProperties: type: string - description: 'Optional: Extra command options if - any.' type: object readOnly: - description: 'Optional: Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting - in VolumeMounts.' type: boolean secretRef: - description: 'Optional: SecretRef is reference to - the secret object containing sensitive information - to pass to the plugin scripts. This may be empty - if no secret object is specified. 
If the secret - object contains more than one secret, all secrets - are passed to the plugin scripts.' properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string type: object required: - driver type: object flocker: - description: Flocker represents a Flocker volume attached - to a kubelet's host machine. This depends on the Flocker - control service being running properties: datasetName: - description: Name of the dataset stored as metadata - -> name on the dataset for Flocker should be considered - as deprecated type: string datasetUUID: - description: UUID of the dataset. This is unique - identifier of a Flocker dataset type: string type: object gcePersistentDisk: - description: 'GCEPersistentDisk represents a GCE Disk - resource that is attached to a kubelet''s host machine - and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' properties: fsType: - description: 'Filesystem type of the volume that - you want to mount. Tip: Ensure that the filesystem - type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - TODO: how do we prevent errors in the filesystem - from compromising the machine' type: string partition: - description: 'The partition in the volume that you - want to mount. If omitted, the default is to mount - by volume name. Examples: For volume /dev/sda1, - you specify the partition as "1". Similarly, the - volume partition for /dev/sda is "0" (or you can - leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' format: int32 type: integer pdName: - description: 'Unique name of the PD resource in - GCE. 
Used to identify the disk in GCE. More info: - https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' type: string readOnly: - description: 'ReadOnly here will force the ReadOnly - setting in VolumeMounts. Defaults to false. More - info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' type: boolean required: - pdName type: object gitRepo: - description: 'GitRepo represents a git repository at - a particular revision. DEPRECATED: GitRepo is deprecated. - To provision a container with a git repo, mount an - EmptyDir into an InitContainer that clones the repo - using git, then mount the EmptyDir into the Pod''s - container.' properties: directory: - description: Target directory name. Must not contain - or start with '..'. If '.' is supplied, the volume - directory will be the git repository. Otherwise, - if specified, the volume will contain the git - repository in the subdirectory with the given - name. type: string repository: - description: Repository URL type: string revision: - description: Commit hash for the specified revision. type: string required: - repository type: object glusterfs: - description: 'Glusterfs represents a Glusterfs mount - on the host that shares a pod''s lifetime. More info: - https://examples.k8s.io/volumes/glusterfs/README.md' properties: endpoints: - description: 'EndpointsName is the endpoint name - that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' type: string path: - description: 'Path is the Glusterfs volume path. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' type: string readOnly: - description: 'ReadOnly here will force the Glusterfs - volume to be mounted with read-only permissions. - Defaults to false. 
More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' type: boolean required: - endpoints - path type: object hostPath: - description: 'HostPath represents a pre-existing file - or directory on the host machine that is directly - exposed to the container. This is generally used for - system agents or other privileged things that are - allowed to see the host machine. Most containers will - NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - --- TODO(jonesdl) We need to restrict who can use - host directory mounts and who can/can not mount host - directories as read/write.' properties: path: - description: 'Path of the directory on the host. - If the path is a symlink, it will follow the link - to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' type: string type: - description: 'Type for HostPath Volume Defaults - to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' type: string required: - path type: object iscsi: - description: 'ISCSI represents an ISCSI Disk resource - that is attached to a kubelet''s host machine and - then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' properties: chapAuthDiscovery: - description: whether support iSCSI Discovery CHAP - authentication type: boolean chapAuthSession: - description: whether support iSCSI Session CHAP - authentication type: boolean fsType: - description: 'Filesystem type of the volume that - you want to mount. Tip: Ensure that the filesystem - type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - TODO: how do we prevent errors in the filesystem - from compromising the machine' type: string initiatorName: - description: Custom iSCSI Initiator Name. 
If initiatorName - is specified with iscsiInterface simultaneously, - new iSCSI interface : - will be created for the connection. type: string iqn: - description: Target iSCSI Qualified Name. type: string iscsiInterface: - description: iSCSI Interface Name that uses an iSCSI - transport. Defaults to 'default' (tcp). type: string lun: - description: iSCSI Target Lun number. format: int32 type: integer portals: - description: iSCSI Target Portal List. The portal - is either an IP or ip_addr:port if the port is - other than default (typically TCP ports 860 and - 3260). items: type: string type: array readOnly: - description: ReadOnly here will force the ReadOnly - setting in VolumeMounts. Defaults to false. type: boolean secretRef: - description: CHAP Secret for iSCSI target and initiator - authentication properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string type: object targetPortal: - description: iSCSI Target Portal. The Portal is - either an IP or ip_addr:port if the port is other - than default (typically TCP ports 860 and 3260). type: string required: - iqn 
@@ -13562,158 +5910,67 @@ spec: - targetPortal type: object name: - description: 'Volume''s name. Must be a DNS_LABEL and - unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string nfs: - description: 'NFS represents an NFS mount on the host - that shares a pod''s lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' properties: path: - description: 'Path that is exported by the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: string readOnly: - description: 'ReadOnly here will force the NFS export - to be mounted with read-only permissions. Defaults - to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: boolean server: - description: 'Server is the hostname or IP address - of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: string required: - path - server type: object persistentVolumeClaim: - description: 'PersistentVolumeClaimVolumeSource represents - a reference to a PersistentVolumeClaim in the same - namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' properties: claimName: - description: 'ClaimName is the name of a PersistentVolumeClaim - in the same namespace as the pod using this volume. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' type: string readOnly: - description: Will force the ReadOnly setting in - VolumeMounts. Default false. type: boolean required: - claimName type: object photonPersistentDisk: - description: PhotonPersistentDisk represents a PhotonController - persistent disk attached and mounted on kubelets host - machine properties: fsType: - description: Filesystem type to mount. Must be a - filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly - inferred to be "ext4" if unspecified. 
type: string pdID: - description: ID that identifies Photon Controller - persistent disk type: string required: - pdID type: object portworxVolume: - description: PortworxVolume represents a portworx volume - attached and mounted on kubelets host machine properties: fsType: - description: FSType represents the filesystem type - to mount Must be a filesystem type supported by - the host operating system. Ex. "ext4", "xfs". - Implicitly inferred to be "ext4" if unspecified. type: string readOnly: - description: Defaults to false (read/write). ReadOnly - here will force the ReadOnly setting in VolumeMounts. type: boolean volumeID: - description: VolumeID uniquely identifies a Portworx - volume type: string required: - volumeID type: object projected: - description: Items for all in one resources secrets, - configmaps, and downward API properties: defaultMode: - description: Mode bits used to set permissions on - created files by default. Must be an octal value - between 0000 and 0777 or a decimal value between - 0 and 511. YAML accepts both octal and decimal - values, JSON requires decimal values for mode - bits. Directories within the path are not affected - by this setting. This might be in conflict with - other options that affect the file mode, like - fsGroup, and the result can be other mode bits - set. format: int32 type: integer sources: - description: list of volume projections items: - description: Projection that may be projected - along with other supported volume types properties: configMap: - description: information about the configMap - data to project properties: items: - description: If unspecified, each key-value - pair in the Data field of the referenced - ConfigMap will be projected into the - volume as a file whose name is the key - and content is the value. If specified, - the listed keys will be projected into - the specified paths, and unlisted keys - will not be present. 
If a key is specified - which is not present in the ConfigMap, - the volume setup will error unless it - is marked optional. Paths must be relative - and may not contain the '..' path or - start with '..'. items: - description: Maps a string key to a - path within a volume. properties: key: - description: The key to project. type: string mode: - description: 'Optional: mode bits - used to set permissions on this - file. Must be an octal value between - 0000 and 0777 or a decimal value - between 0 and 511. YAML accepts - both octal and decimal values, - JSON requires decimal values for - mode bits. If not specified, the - volume defaultMode will be used. - This might be in conflict with - other options that affect the - file mode, like fsGroup, and the - result can be other mode bits - set.' format: int32 type: integer path: - description: The relative path of - the file to map the key to. May - not be an absolute path. May not - contain the path element '..'. - May not start with the string - '..'. type: string required: - key 
@@ -13721,98 +5978,40 @@ spec: type: object type: array name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the ConfigMap - or its keys must be defined type: boolean type: object downwardAPI: - description: information about the downwardAPI - data to project properties: items: - description: Items is a list of DownwardAPIVolume - file items: - description: DownwardAPIVolumeFile represents - information to create the file containing - the pod field properties: fieldRef: - description: 'Required: Selects - a field of the pod: only annotations, - labels, name and namespace are - supported.' properties: apiVersion: - description: Version of the - schema the FieldPath is written - in terms of, defaults to "v1". type: string fieldPath: - description: Path of the field - to select in the specified - API version. type: string required: - fieldPath type: object mode: - description: 'Optional: mode bits - used to set permissions on this - file, must be an octal value between - 0000 and 0777 or a decimal value - between 0 and 511. YAML accepts - both octal and decimal values, - JSON requires decimal values for - mode bits. If not specified, the - volume defaultMode will be used. - This might be in conflict with - other options that affect the - file mode, like fsGroup, and the - result can be other mode bits - set.' format: int32 type: integer path: - description: 'Required: Path is the - relative path name of the file - to be created. Must not be absolute - or contain the ''..'' path. Must - be utf-8 encoded. 
The first item - of the relative path must not - start with ''..''' type: string resourceFieldRef: - description: 'Selects a resource - of the container: only resources - limits and requests (limits.cpu, - limits.memory, requests.cpu and - requests.memory) are currently - supported.' properties: containerName: - description: 'Container name: - required for volumes, optional - for env vars' type: string divisor: anyOf: - type: integer - type: string - description: Specifies the output - format of the exposed resources, - defaults to "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: - description: 'Required: resource - to select' type: string required: - resource 
@@ -13823,54 +6022,16 @@ spec: type: array type: object secret: - description: information about the secret - data to project properties: items: - description: If unspecified, each key-value - pair in the Data field of the referenced - Secret will be projected into the volume - as a file whose name is the key and - content is the value. If specified, - the listed keys will be projected into - the specified paths, and unlisted keys - will not be present. If a key is specified - which is not present in the Secret, - the volume setup will error unless it - is marked optional. Paths must be relative - and may not contain the '..' path or - start with '..'. items: - description: Maps a string key to a - path within a volume. properties: key: - description: The key to project. type: string mode: - description: 'Optional: mode bits - used to set permissions on this - file. Must be an octal value between - 0000 and 0777 or a decimal value - between 0 and 511. YAML accepts - both octal and decimal values, - JSON requires decimal values for - mode bits. If not specified, the - volume defaultMode will be used. - This might be in conflict with - other options that affect the - file mode, like fsGroup, and the - result can be other mode bits - set.' format: int32 type: integer path: - description: The relative path of - the file to map the key to. May - not be an absolute path. May not - contain the path element '..'. - May not start with the string - '..'. type: string required: - key 
@@ -13878,47 +6039,18 @@ spec: type: object type: array name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the Secret - or its key must be defined type: boolean type: object serviceAccountToken: - description: information about the serviceAccountToken - data to project properties: audience: - description: Audience is the intended - audience of the token. A recipient of - a token must identify itself with an - identifier specified in the audience - of the token, and otherwise should reject - the token. The audience defaults to - the identifier of the apiserver. type: string expirationSeconds: - description: ExpirationSeconds is the - requested duration of validity of the - service account token. As the token - approaches expiration, the kubelet volume - plugin will proactively rotate the service - account token. The kubelet will start - trying to rotate the token if the token - is older than 80 percent of its time - to live or if the token is older than - 24 hours.Defaults to 1 hour and must - be at least 10 minutes. format: int64 type: integer path: - description: Path is the path relative - to the mount point of the file to project - the token into. type: string required: - path 
@@ -13927,155 +6059,74 @@ spec: type: array type: object quobyte: - description: Quobyte represents a Quobyte mount on the - host that shares a pod's lifetime properties: group: - description: Group to map volume access to Default - is no group type: string readOnly: - description: ReadOnly here will force the Quobyte - volume to be mounted with read-only permissions. - Defaults to false. type: boolean registry: - description: Registry represents a single or multiple - Quobyte Registry services specified as a string - as host:port pair (multiple entries are separated - with commas) which acts as the central registry - for volumes type: string tenant: - description: Tenant owning the given Quobyte volume - in the Backend Used with dynamically provisioned - Quobyte volumes, value is set by the plugin type: string user: - description: User to map volume access to Defaults - to serivceaccount user type: string volume: - description: Volume is a string that references - an already created Quobyte volume by name. type: string required: - registry - volume type: object rbd: - description: 'RBD represents a Rados Block Device mount - on the host that shares a pod''s lifetime. More info: - https://examples.k8s.io/volumes/rbd/README.md' properties: fsType: - description: 'Filesystem type of the volume that - you want to mount. Tip: Ensure that the filesystem - type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - TODO: how do we prevent errors in the filesystem - from compromising the machine' type: string image: - description: 'The rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string keyring: - description: 'Keyring is the path to key ring for - RBDUser. Default is /etc/ceph/keyring. 
More info: - https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string monitors: - description: 'A collection of Ceph monitors. More - info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' items: type: string type: array pool: - description: 'The rados pool name. Default is rbd. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string readOnly: - description: 'ReadOnly here will force the ReadOnly - setting in VolumeMounts. Defaults to false. More - info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: boolean secretRef: - description: 'SecretRef is name of the authentication - secret for RBDUser. If provided overrides keyring. - Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string type: object user: - description: 'The rados user name. Default is admin. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string required: - image - monitors type: object scaleIO: - description: ScaleIO represents a ScaleIO persistent - volume attached and mounted on Kubernetes nodes. properties: fsType: - description: Filesystem type to mount. Must be a - filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Default is - "xfs". type: string gateway: - description: The host address of the ScaleIO API - Gateway. type: string protectionDomain: - description: The name of the ScaleIO Protection - Domain for the configured storage. type: string readOnly: - description: Defaults to false (read/write). ReadOnly - here will force the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: SecretRef references to the secret - for ScaleIO user and other sensitive information. 
- If this is not provided, Login operation will - fail. properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string type: object sslEnabled: - description: Flag to enable/disable SSL communication - with Gateway, default false type: boolean storageMode: - description: Indicates whether the storage for a - volume should be ThickProvisioned or ThinProvisioned. - Default is ThinProvisioned. type: string storagePool: - description: The ScaleIO Storage Pool associated - with the protection domain. type: string system: - description: The name of the storage system as configured - in ScaleIO. type: string volumeName: - description: The name of a volume already created - in the ScaleIO system that is associated with - this volume source. type: string required: - gateway 
@@ -14083,59 +6134,19 @@ spec: - system type: object secret: - description: 'Secret represents a secret that should - populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' properties: defaultMode: - description: 'Optional: mode bits used to set permissions - on created files by default. Must be an octal - value between 0000 and 0777 or a decimal value - between 0 and 511. YAML accepts both octal and - decimal values, JSON requires decimal values for - mode bits. Defaults to 0644. Directories within - the path are not affected by this setting. This - might be in conflict with other options that affect - the file mode, like fsGroup, and the result can - be other mode bits set.' format: int32 type: integer items: - description: If unspecified, each key-value pair - in the Data field of the referenced Secret will - be projected into the volume as a file whose name - is the key and content is the value. If specified, - the listed keys will be projected into the specified - paths, and unlisted keys will not be present. - If a key is specified which is not present in - the Secret, the volume setup will error unless - it is marked optional. Paths must be relative - and may not contain the '..' path or start with - '..'. items: - description: Maps a string key to a path within - a volume. properties: key: - description: The key to project. type: string mode: - description: 'Optional: mode bits used to - set permissions on this file. Must be an - octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both - octal and decimal values, JSON requires - decimal values for mode bits. If not specified, - the volume defaultMode will be used. This - might be in conflict with other options - that affect the file mode, like fsGroup, - and the result can be other mode bits set.' format: int32 type: integer path: - description: The relative path of the file - to map the key to. May not be an absolute - path. 
May not contain the path element '..'. - May not start with the string '..'. type: string required: - key 
@@ -14143,78 +6154,35 @@ spec: type: object type: array optional: - description: Specify whether the Secret or its keys - must be defined type: boolean secretName: - description: 'Name of the secret in the pod''s namespace - to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' type: string type: object storageos: - description: StorageOS represents a StorageOS volume - attached and mounted on Kubernetes nodes. properties: fsType: - description: Filesystem type to mount. Must be a - filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly - inferred to be "ext4" if unspecified. type: string readOnly: - description: Defaults to false (read/write). ReadOnly - here will force the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: SecretRef specifies the secret to use - for obtaining the StorageOS API credentials. If - not specified, default values will be attempted. properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string type: object volumeName: - description: VolumeName is the human-readable name - of the StorageOS volume. Volume names are only - unique within a namespace. type: string volumeNamespace: - description: VolumeNamespace specifies the scope - of the volume within StorageOS. If no namespace - is specified then the Pod's namespace will be - used. This allows the Kubernetes name scoping - to be mirrored within StorageOS for tighter integration. - Set VolumeName to any name to override the default - behaviour. Set to "default" if you are not using - namespaces within StorageOS. Namespaces that do - not pre-exist within StorageOS will be created. 
type: string type: object vsphereVolume: - description: VsphereVolume represents a vSphere volume - attached and mounted on kubelets host machine properties: fsType: - description: Filesystem type to mount. Must be a - filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly - inferred to be "ext4" if unspecified. type: string storagePolicyID: - description: Storage Policy Based Management (SPBM) - profile ID associated with the StoragePolicyName. type: string storagePolicyName: - description: Storage Policy Based Management (SPBM) - profile name. type: string volumePath: - description: Path that identifies vSphere volume - vmdk type: string required: - volumePath 
@@ -14229,93 +6197,69 @@ spec: type: object type: object status: - description: NotebookStatus defines the observed state of Notebook properties: conditions: - description: Conditions is an array of current conditions items: properties: lastProbeTime: - description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: format: date-time type: string message: - description: Message regarding why the container is in the current - state. type: string reason: - description: (brief) reason the container is in the current - state + type: string + status: type: string type: - description: Type is the type of the condition. Possible values - are Running|Waiting|Terminated type: string required: + - status - type type: object type: array containerState: - description: ContainerState is the state of underlying container. properties: running: - description: Details about a running container properties: startedAt: - description: Time at which the container was last (re-)started format: date-time type: string type: object terminated: - description: Details about a terminated container properties: containerID: - description: Container's ID in the format 'docker://' type: string exitCode: - description: Exit status from the last termination of the - container format: int32 type: integer finishedAt: - description: Time at which the container last terminated format: date-time type: string message: - description: Message regarding the last termination of the - container type: string reason: - description: (brief) reason from the last termination of the - container type: string signal: - description: Signal from the last termination of the container format: int32 type: integer startedAt: - description: Time at which previous execution of the container - started format: date-time type: string required: - exitCode type: object waiting: - description: Details about a waiting container properties: message: - description: Message regarding why the 
container is not yet - running. type: string reason: - description: (brief) reason the container is not yet running. type: string type: object type: object readyReplicas: - description: ReadyReplicas is the number of Pods created by the StatefulSet - controller that have a Ready Condition. format: int32 type: integer required: 
@@ -14331,97 +6275,39 @@ spec: - name: v1beta1 schema: openAPIV3Schema: - description: Notebook is the Schema for the notebooks API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: - description: NotebookSpec defines the desired state of Notebook properties: template: - description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster - Important: Run "make" to regenerate code after modifying this file' properties: spec: - description: PodSpec is a description of a pod. properties: activeDeadlineSeconds: - description: Optional duration in seconds the pod may be active - on the node relative to StartTime before the system will - actively try to mark it failed and kill associated containers. - Value must be a positive integer. format: int64 type: integer affinity: - description: If specified, the pod's scheduling constraints properties: nodeAffinity: - description: Describes node affinity scheduling rules - for the pod. properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule - pods to nodes that satisfy the affinity expressions - specified by this field, but it may choose a node - that violates one or more of the expressions. The - node that is most preferred is the one with the - greatest sum of weights, i.e. 
for each node that - meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, - etc.), compute a sum by iterating through the elements - of this field and adding "weight" to the sum if - the node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most preferred. items: - description: An empty preferred scheduling term - matches all objects with implicit weight 0 (i.e. - it's a no-op). A null preferred scheduling term - matches no objects (i.e. is also a no-op). properties: preference: - description: A node selector term, associated - with the corresponding weight. properties: matchExpressions: - description: A list of node selector requirements - by node's labels. items: - description: A node selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: The label key that the - selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. - If the operator is Gt or Lt, the - values array must have a single - element, which will be interpreted - as an integer. This array is replaced - during a strategic merge patch. items: type: string type: array 
@@ -14431,35 +6317,13 @@ spec: type: object type: array matchFields: - description: A list of node selector requirements - by node's fields. items: - description: A node selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: The label key that the - selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. - If the operator is Gt or Lt, the - values array must have a single - element, which will be interpreted - as an integer. This array is replaced - during a strategic merge patch. items: type: string type: array @@ -14470,9 +6334,6 @@ spec: type: array type: object weight: - description: Weight associated with matching - the corresponding nodeSelectorTerm, in the - range 1-100. format: int32 type: integer required: 
@@ -14481,53 +6342,18 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified - by this field are not met at scheduling time, the - pod will not be scheduled onto the node. If the - affinity requirements specified by this field cease - to be met at some point during pod execution (e.g. - due to an update), the system may or may not try - to eventually evict the pod from its node. properties: nodeSelectorTerms: - description: Required. A list of node selector - terms. The terms are ORed. items: - description: A null or empty node selector term - matches no objects. The requirements of them - are ANDed. The TopologySelectorTerm type implements - a subset of the NodeSelectorTerm. properties: matchExpressions: - description: A list of node selector requirements - by node's labels. items: - description: A node selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: The label key that the - selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. - If the operator is Gt or Lt, the - values array must have a single - element, which will be interpreted - as an integer. This array is replaced - during a strategic merge patch. items: type: string type: array 
@@ -14537,35 +6363,13 @@ spec: type: object type: array matchFields: - description: A list of node selector requirements - by node's fields. items: - description: A node selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: The label key that the - selector applies to. type: string operator: - description: Represents a key's relationship - to a set of values. Valid operators - are In, NotIn, Exists, DoesNotExist. - Gt, and Lt. type: string values: - description: An array of string values. - If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. - If the operator is Gt or Lt, the - values array must have a single - element, which will be interpreted - as an integer. This array is replaced - during a strategic merge patch. items: type: string type: array 
@@ -14581,67 +6385,22 @@ spec: type: object type: object podAffinity: - description: Describes pod affinity scheduling rules (e.g. - co-locate this pod in the same node, zone, etc. as some - other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule - pods to nodes that satisfy the affinity expressions - specified by this field, but it may choose a node - that violates one or more of the expressions. The - node that is most preferred is the one with the - greatest sum of weights, i.e. for each node that - meets all of the scheduling requirements (resource - request, requiredDuringScheduling affinity expressions, - etc.), compute a sum by iterating through the elements - of this field and adding "weight" to the sum if - the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum - are the most preferred. items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) properties: podAffinityTerm: - description: Required. A pod affinity term, - associated with the corresponding weight. properties: labelSelector: - description: A label query over a set of - resources, in this case pods. properties: matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: key is the label - key that the selector applies - to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. 
If the operator - is Exists or DoesNotExist, the - values array must be empty. - This array is replaced during - a strategic merge patch. items: type: string type: array @@ -14653,59 +6412,18 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of - {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are - ANDed. type: object type: object namespaceSelector: - description: A label query over the set - of namespaces that the term applies to. - The term is applied to the union of the - namespaces selected by this field and - the ones listed in the namespaces field. - null selector and null or empty namespaces - list means "this pod's namespace". An - empty selector ({}) matches all namespaces. - This field is beta-level and is only honored - when PodAffinityNamespaceSelector feature - is enabled. properties: matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: key is the label - key that the selector applies - to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. - This array is replaced during - a strategic merge patch. items: type: string type: array 
@@ -14717,45 +6435,18 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of - {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are - ANDed. type: object type: object namespaces: - description: namespaces specifies a static - list of namespace names that the term - applies to. The term is applied to the - union of the namespaces listed in this - field and the ones selected by namespaceSelector. - null or empty namespaces list and null - namespaceSelector means "this pod's namespace" items: type: string type: array topologyKey: - description: This pod should be co-located - (affinity) or not co-located (anti-affinity) - with the pods matching the labelSelector - in the specified namespaces, where co-located - is defined as running on a node whose - value of the label with key topologyKey - matches that of any node on which any - of the selected pods is running. Empty - topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching - the corresponding podAffinityTerm, in the - range 1-100. format: int32 type: integer required: 
@@ -14764,59 +6455,18 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the affinity requirements specified - by this field are not met at scheduling time, the - pod will not be scheduled onto the node. If the - affinity requirements specified by this field cease - to be met at some point during pod execution (e.g. - due to a pod label update), the system may or may - not try to eventually evict the pod from its node. - When there are multiple elements, the lists of nodes - corresponding to each podAffinityTerm are intersected, - i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those - matching the labelSelector relative to the given - namespace(s)) that this pod should be co-located - (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node - whose value of the label with key - matches that of any node on which a pod of the - set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. properties: matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: key is the label key - that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. items: type: string type: array 
@@ -14828,54 +6478,18 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. type: object type: object namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. This - field is beta-level and is only honored when - PodAffinityNamespaceSelector feature is enabled. properties: matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: key is the label key - that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. items: type: string type: array 
@@ -14887,34 +6501,13 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. type: object type: object namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace" items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. - Empty topologyKey is not allowed. type: string required: - topologyKey 
@@ -14922,67 +6515,22 @@ spec: type: array type: object podAntiAffinity: - description: Describes pod anti-affinity scheduling rules - (e.g. avoid putting this pod in the same node, zone, - etc. as some other pod(s)). properties: preferredDuringSchedulingIgnoredDuringExecution: - description: The scheduler will prefer to schedule - pods to nodes that satisfy the anti-affinity expressions - specified by this field, but it may choose a node - that violates one or more of the expressions. The - node that is most preferred is the one with the - greatest sum of weights, i.e. for each node that - meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity - expressions, etc.), compute a sum by iterating through - the elements of this field and adding "weight" to - the sum if the node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest sum - are the most preferred. items: - description: The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred - node(s) properties: podAffinityTerm: - description: Required. A pod affinity term, - associated with the corresponding weight. properties: labelSelector: - description: A label query over a set of - resources, in this case pods. properties: matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: key is the label - key that the selector applies - to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. 
If the operator - is Exists or DoesNotExist, the - values array must be empty. - This array is replaced during - a strategic merge patch. items: type: string type: array @@ -14994,59 +6542,18 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of - {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are - ANDed. type: object type: object namespaceSelector: - description: A label query over the set - of namespaces that the term applies to. - The term is applied to the union of the - namespaces selected by this field and - the ones listed in the namespaces field. - null selector and null or empty namespaces - list means "this pod's namespace". An - empty selector ({}) matches all namespaces. - This field is beta-level and is only honored - when PodAffinityNamespaceSelector feature - is enabled. properties: matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: key is the label - key that the selector applies - to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. - This array is replaced during - a strategic merge patch. items: type: string type: array 
@@ -15058,45 +6565,18 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of - {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are - ANDed. type: object type: object namespaces: - description: namespaces specifies a static - list of namespace names that the term - applies to. The term is applied to the - union of the namespaces listed in this - field and the ones selected by namespaceSelector. - null or empty namespaces list and null - namespaceSelector means "this pod's namespace" items: type: string type: array topologyKey: - description: This pod should be co-located - (affinity) or not co-located (anti-affinity) - with the pods matching the labelSelector - in the specified namespaces, where co-located - is defined as running on a node whose - value of the label with key topologyKey - matches that of any node on which any - of the selected pods is running. Empty - topologyKey is not allowed. type: string required: - topologyKey type: object weight: - description: weight associated with matching - the corresponding podAffinityTerm, in the - range 1-100. format: int32 type: integer required: 
@@ -15105,59 +6585,18 @@ spec: type: object type: array requiredDuringSchedulingIgnoredDuringExecution: - description: If the anti-affinity requirements specified - by this field are not met at scheduling time, the - pod will not be scheduled onto the node. If the - anti-affinity requirements specified by this field - cease to be met at some point during pod execution - (e.g. due to a pod label update), the system may - or may not try to eventually evict the pod from - its node. When there are multiple elements, the - lists of nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. items: - description: Defines a set of pods (namely those - matching the labelSelector relative to the given - namespace(s)) that this pod should be co-located - (affinity) or not co-located (anti-affinity) with, - where co-located is defined as running on a node - whose value of the label with key - matches that of any node on which a pod of the - set of pods is running properties: labelSelector: - description: A label query over a set of resources, - in this case pods. properties: matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: key is the label key - that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. items: type: string type: array 
@@ -15169,54 +6608,18 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. type: object type: object namespaceSelector: - description: A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by - this field and the ones listed in the namespaces - field. null selector and null or empty namespaces - list means "this pod's namespace". An empty - selector ({}) matches all namespaces. This - field is beta-level and is only honored when - PodAffinityNamespaceSelector feature is enabled. properties: matchExpressions: - description: matchExpressions is a list - of label selector requirements. The requirements - are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: key is the label key - that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. items: type: string type: array 
@@ -15228,34 +6631,13 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. type: object type: object namespaces: - description: namespaces specifies a static list - of namespace names that the term applies to. - The term is applied to the union of the namespaces - listed in this field and the ones selected - by namespaceSelector. null or empty namespaces - list and null namespaceSelector means "this - pod's namespace" items: type: string type: array topologyKey: - description: This pod should be co-located (affinity) - or not co-located (anti-affinity) with the - pods matching the labelSelector in the specified - namespaces, where co-located is defined as - running on a node whose value of the label - with key topologyKey matches that of any node - on which any of the selected pods is running. - Empty topologyKey is not allowed. type: string required: - topologyKey 
@@ -15264,157 +6646,69 @@ spec: type: object type: object automountServiceAccountToken: - description: AutomountServiceAccountToken indicates whether - a service account token should be automatically mounted. type: boolean containers: - description: List of containers belonging to the pod. Containers - cannot currently be added or removed. There must be at least - one container in a Pod. Cannot be updated. items: - description: A single application container that you want - to run within a pod. properties: args: - description: 'Arguments to the entrypoint. The docker - image''s CMD is used if this is not provided. Variable - references $(VAR_NAME) are expanded using the container''s - environment. If a variable cannot be resolved, the - reference in the input string will be unchanged. Double - $$ are reduced to a single $, which allows for escaping - the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce - the string literal "$(VAR_NAME)". Escaped references - will never be expanded, regardless of whether the - variable exists or not. Cannot be updated. More info: - https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array command: - description: 'Entrypoint array. Not executed within - a shell. The docker image''s ENTRYPOINT is used if - this is not provided. Variable references $(VAR_NAME) - are expanded using the container''s environment. If - a variable cannot be resolved, the reference in the - input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) - syntax: i.e. "$$(VAR_NAME)" will produce the string - literal "$(VAR_NAME)". Escaped references will never - be expanded, regardless of whether the variable exists - or not. Cannot be updated. 
More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array env: - description: List of environment variables to set in - the container. Cannot be updated. items: - description: EnvVar represents an environment variable - present in a Container. properties: name: - description: Name of the environment variable. - Must be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) - are expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Defaults - to "".' type: string valueFrom: - description: Source for the environment variable's - value. Cannot be used if value is not empty. properties: configMapKeyRef: - description: Selects a key of a ConfigMap. properties: key: - description: The key to select. type: string name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the ConfigMap - or its key must be defined type: boolean required: - key type: object fieldRef: - description: 'Selects a field of the pod: - supports metadata.name, metadata.namespace, - `metadata.labels['''']`, `metadata.annotations['''']`, - spec.nodeName, spec.serviceAccountName, - status.hostIP, status.podIP, status.podIPs.' properties: apiVersion: - description: Version of the schema the - FieldPath is written in terms of, defaults - to "v1". 
type: string fieldPath: - description: Path of the field to select - in the specified API version. type: string required: - fieldPath type: object resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, - requests.cpu, requests.memory and requests.ephemeral-storage) - are currently supported.' properties: containerName: - description: 'Container name: required - for volumes, optional for env vars' type: string divisor: anyOf: - type: integer - type: string - description: Specifies the output format - of the exposed resources, defaults to - "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: - description: 'Required: resource to select' type: string required: - resource type: object secretKeyRef: - description: Selects a key of a secret in - the pod's namespace properties: key: - description: The key of the secret to - select from. Must be a valid secret - key. type: string name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the Secret - or its key must be defined type: boolean required: - key 
@@ -15425,116 +6719,51 @@ spec: type: object type: array envFrom: - description: List of sources to populate environment - variables in the container. The keys defined within - a source must be a C_IDENTIFIER. All invalid keys - will be reported as an event when the container is - starting. When a key exists in multiple sources, the - value associated with the last source will take precedence. - Values defined by an Env with a duplicate key will - take precedence. Cannot be updated. items: - description: EnvFromSource represents the source of - a set of ConfigMaps properties: configMapRef: - description: The ConfigMap to select from properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the ConfigMap - must be defined type: boolean type: object prefix: - description: An optional identifier to prepend - to each key in the ConfigMap. Must be a C_IDENTIFIER. type: string secretRef: - description: The Secret to select from properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the Secret must - be defined type: boolean type: object type: object type: array image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config - management to default or override container images - in workload controllers like Deployments and StatefulSets.' type: string imagePullPolicy: - description: 'Image pull policy. One of Always, Never, - IfNotPresent. Defaults to Always if :latest tag is - specified, or IfNotPresent otherwise. Cannot be updated. 
- More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' type: string lifecycle: - description: Actions that the management system should - take in response to container lifecycle events. Cannot - be updated. properties: postStart: - description: 'PostStart is called immediately after - a container is created. If the handler fails, - the container is terminated and restarted according - to its restart policy. Other management of the - container blocks until the hook completes. More - info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line - to execute inside the container, the working - directory for the command is root ('/') - in the container's filesystem. The command - is simply exec'd, it is not run inside - a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, - you need to explicitly call out to that - shell. Exit status of 0 is treated as - live/healthy and non-zero is unhealthy. items: type: string type: array type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set - "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -15542,103 +6771,49 @@ spec: type: object type: array path: - description: Path to access on the HTTP - server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. type: string required: - port type: object tcpSocket: - description: Deprecated. TCPSocket is NOT supported - as a LifecycleHandler and kept for the backward - compatibility. There are no validation of - this field and lifecycle hooks will fail in - runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object type: object preStop: - description: 'PreStop is called immediately before - a container is terminated due to an API request - or management event such as liveness/startup probe - failure, preemption, resource contention, etc. - The handler is not called if the container crashes - or exits. The Pod''s termination grace period - countdown begins before the PreStop hook is executed. - Regardless of the outcome of the handler, the - container will eventually terminate within the - Pod''s termination grace period (unless delayed - by finalizers). Other management of the container - blocks until the hook completes or until the termination - grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: Exec specifies the action to take. 
properties: command: - description: Command is the command line - to execute inside the container, the working - directory for the command is root ('/') - in the container's filesystem. The command - is simply exec'd, it is not run inside - a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, - you need to explicitly call out to that - shell. Exit status of 0 is treated as - live/healthy and non-zero is unhealthy. items: type: string type: array type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set - "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -15646,44 +6821,25 @@ spec: type: object type: array path: - description: Path to access on the HTTP - server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. type: string required: - port type: object tcpSocket: - description: Deprecated. TCPSocket is NOT supported - as a LifecycleHandler and kept for the backward - compatibility. There are no validation of - this field and lifecycle hooks will fail in - runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port 
@@ -15691,74 +6847,37 @@ spec: type: object type: object livenessProbe: - description: 'Periodic probe of container liveness. - Container will be restarted if the probe fails. Cannot - be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the - probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving - a GRPC port. This is an alpha field and requires - enabling GRPCContainerProbe feature gate. properties: port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see - https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." type: string required: - port type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. 
items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -15766,133 +6885,62 @@ spec: type: object type: array path: - description: Path to access on the HTTP server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the - probe. Default to 10 seconds. Minimum value is - 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the - probe to be considered successful after having - failed. Defaults to 1. Must be 1 for liveness - and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod - needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after - the processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer - than the expected cleanup time for your process. 
- If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value must - be non-negative integer. The value zero indicates - stop immediately via the kill signal (no opportunity - to shut down). This is a beta field and requires - enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the - probe times out. Defaults to 1 second. Minimum - value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object name: - description: Name of the container specified as a DNS_LABEL. - Each container in a pod must have a unique name (DNS_LABEL). - Cannot be updated. type: string ports: - description: List of ports to expose from the container. - Exposing a port here gives the system additional information - about the network connections a container uses, but - is primarily informational. Not specifying a port - here DOES NOT prevent that port from being exposed. - Any port which is listening on the default "0.0.0.0" - address inside a container will be accessible from - the network. Cannot be updated. items: - description: ContainerPort represents a network port - in a single container. properties: containerPort: - description: Number of port to expose on the pod's - IP address. This must be a valid port number, - 0 < x < 65536. format: int32 type: integer hostIP: - description: What host IP to bind the external - port to. type: string hostPort: - description: Number of port to expose on the host. - If specified, this must be a valid port number, - 0 < x < 65536. If HostNetwork is specified, - this must match ContainerPort. Most containers - do not need this. 
format: int32 type: integer name: - description: If specified, this must be an IANA_SVC_NAME - and unique within the pod. Each named port in - a pod must have a unique name. Name for the - port that can be referred to by services. type: string protocol: default: TCP - description: Protocol for port. Must be UDP, TCP, - or SCTP. Defaults to "TCP". type: string required: - containerPort 
@@ -15903,74 +6951,37 @@ spec: - protocol x-kubernetes-list-type: map readinessProbe: - description: 'Periodic probe of container service readiness. - Container will be removed from service endpoints if - the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the - probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving - a GRPC port. This is an alpha field and requires - enabling GRPCContainerProbe feature gate. properties: port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see - https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." type: string required: - port type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. 
items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -15978,90 +6989,46 @@ spec: type: object type: array path: - description: Path to access on the HTTP server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the - probe. Default to 10 seconds. Minimum value is - 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the - probe to be considered successful after having - failed. Defaults to 1. Must be 1 for liveness - and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod - needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after - the processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer - than the expected cleanup time for your process. 
- If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value must - be non-negative integer. The value zero indicates - stop immediately via the kill signal (no opportunity - to shut down). This is a beta field and requires - enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the - probe times out. Defaults to 1 second. Minimum - value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object resources: - description: 'Compute Resources required by this container. - Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' properties: limits: additionalProperties: @@ -16070,8 +7037,6 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount - of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: 
@@ -16080,275 +7045,101 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is - omitted for a container, it defaults to Limits - if that is explicitly specified, otherwise to - an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object securityContext: - description: 'SecurityContext defines the security options - the container should be run with. If set, the fields - of SecurityContext override the equivalent fields - of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' properties: allowPrivilegeEscalation: - description: 'AllowPrivilegeEscalation controls - whether a process can gain more privileges than - its parent process. This bool directly controls - if the no_new_privs flag will be set on the container - process. AllowPrivilegeEscalation is true always - when the container is: 1) run as Privileged 2) - has CAP_SYS_ADMIN Note that this field cannot - be set when spec.os.name is windows.' type: boolean capabilities: - description: The capabilities to add/drop when running - containers. Defaults to the default set of capabilities - granted by the container runtime. Note that this - field cannot be set when spec.os.name is windows. properties: add: - description: Added capabilities items: - description: Capability represent POSIX capabilities - type type: string type: array drop: - description: Removed capabilities items: - description: Capability represent POSIX capabilities - type type: string type: array type: object privileged: - description: Run container in privileged mode. Processes - in privileged containers are essentially equivalent - to root on the host. Defaults to false. 
Note that - this field cannot be set when spec.os.name is - windows. type: boolean procMount: - description: procMount denotes the type of proc - mount to use for the containers. The default is - DefaultProcMount which uses the container runtime - defaults for readonly paths and masked paths. - This requires the ProcMountType feature flag to - be enabled. Note that this field cannot be set - when spec.os.name is windows. type: string readOnlyRootFilesystem: - description: Whether this container has a read-only - root filesystem. Default is false. Note that this - field cannot be set when spec.os.name is windows. type: boolean runAsGroup: - description: The GID to run the entrypoint of the - container process. Uses runtime default if unset. - May also be set in PodSecurityContext. If set - in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name - is windows. format: int64 type: integer runAsNonRoot: - description: Indicates that the container must run - as a non-root user. If true, the Kubelet will - validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start - the container if it does. If unset or false, no - such validation will be performed. May also be - set in PodSecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in - SecurityContext takes precedence. type: boolean runAsUser: - description: The UID to run the entrypoint of the - container process. Defaults to user specified - in image metadata if unspecified. May also be - set in PodSecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in - SecurityContext takes precedence. Note that this - field cannot be set when spec.os.name is windows. format: int64 type: integer seLinuxOptions: - description: The SELinux context to be applied to - the container. 
If unspecified, the container runtime - will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name - is windows. properties: level: - description: Level is SELinux level label that - applies to the container. type: string role: - description: Role is a SELinux role label that - applies to the container. type: string type: - description: Type is a SELinux type label that - applies to the container. type: string user: - description: User is a SELinux user label that - applies to the container. type: string type: object seccompProfile: - description: The seccomp options to use by this - container. If seccomp options are provided at - both the pod & container level, the container - options override the pod options. Note that this - field cannot be set when spec.os.name is windows. properties: localhostProfile: - description: localhostProfile indicates a profile - defined in a file on the node should be used. - The profile must be preconfigured on the node - to work. Must be a descending path, relative - to the kubelet's configured seccomp profile - location. Must only be set if type is "Localhost". type: string type: - description: "type indicates which kind of seccomp - profile will be applied. Valid options are: - \n Localhost - a profile defined in a file - on the node should be used. RuntimeDefault - - the container runtime default profile should - be used. Unconfined - no profile should be - applied." type: string required: - type type: object windowsOptions: - description: The Windows specific settings applied - to all containers. If unspecified, the options - from the PodSecurityContext will be used. If set - in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. 
- Note that this field cannot be set when spec.os.name - is linux. properties: gmsaCredentialSpec: - description: GMSACredentialSpec is where the - GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) - inlines the contents of the GMSA credential - spec named by the GMSACredentialSpecName field. type: string gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name - of the GMSA credential spec to use. type: string hostProcess: - description: HostProcess determines if a container - should be run as a 'Host Process' container. - This field is alpha-level and will only be - honored by components that enable the WindowsHostProcessContainers - feature flag. Setting this field without the - feature flag will result in errors when validating - the Pod. All of a Pod's containers must have - the same effective HostProcess value (it is - not allowed to have a mix of HostProcess containers - and non-HostProcess containers). In addition, - if HostProcess is true then HostNetwork must - also be set to true. type: boolean runAsUserName: - description: The UserName in Windows to run - the entrypoint of the container process. Defaults - to the user specified in image metadata if - unspecified. May also be set in PodSecurityContext. - If set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. type: string type: object type: object startupProbe: - description: 'StartupProbe indicates that the Pod has - successfully initialized. If specified, no other probes - are executed until this completes successfully. If - this probe fails, the Pod will be restarted, just - as if the livenessProbe failed. This can be used to - provide different probe parameters at the beginning - of a Pod''s lifecycle, when it might take a long time - to load data or warm a cache, than during steady-state - operation. This cannot be updated. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the - probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving - a GRPC port. This is an alpha field and requires - enabling GRPCContainerProbe feature gate. properties: port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see - https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." type: string required: - port type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -16356,148 +7147,61 @@ spec: type: object type: array path: - description: Path to access on the HTTP server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the - probe. Default to 10 seconds. Minimum value is - 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the - probe to be considered successful after having - failed. Defaults to 1. Must be 1 for liveness - and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod - needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after - the processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer - than the expected cleanup time for your process. 
- If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value must - be non-negative integer. The value zero indicates - stop immediately via the kill signal (no opportunity - to shut down). This is a beta field and requires - enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the - probe times out. Defaults to 1 second. Minimum - value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object stdin: - description: Whether this container should allocate - a buffer for stdin in the container runtime. If this - is not set, reads from stdin in the container will - always result in EOF. Default is false. type: boolean stdinOnce: - description: Whether the container runtime should close - the stdin channel after it has been opened by a single - attach. When stdin is true the stdin stream will remain - open across multiple attach sessions. If stdinOnce - is set to true, stdin is opened on container start, - is empty until the first client attaches to stdin, - and then remains open and accepts data until the client - disconnects, at which time stdin is closed and remains - closed until the container is restarted. If this flag - is false, a container processes that reads from stdin - will never receive an EOF. Default is false type: boolean terminationMessagePath: - description: 'Optional: Path at which the file to which - the container''s termination message will be written - is mounted into the container''s filesystem. Message - written is intended to be brief final status, such - as an assertion failure message. Will be truncated - by the node if greater than 4096 bytes. 
The total - message length across all containers will be limited - to 12kb. Defaults to /dev/termination-log. Cannot - be updated.' type: string terminationMessagePolicy: - description: Indicate how the termination message should - be populated. File will use the contents of terminationMessagePath - to populate the container status message on both success - and failure. FallbackToLogsOnError will use the last - chunk of container log output if the termination message - file is empty and the container exited with an error. - The log output is limited to 2048 bytes or 80 lines, - whichever is smaller. Defaults to File. Cannot be - updated. type: string tty: - description: Whether this container should allocate - a TTY for itself, also requires 'stdin' to be true. - Default is false. type: boolean volumeDevices: - description: volumeDevices is the list of block devices - to be used by the container. items: - description: volumeDevice describes a mapping of a - raw block device within a container. properties: devicePath: - description: devicePath is the path inside of - the container that the device will be mapped - to. type: string name: - description: name must match the name of a persistentVolumeClaim - in the pod type: string required: - devicePath 
@@ -16505,44 +7209,19 @@ spec: type: object type: array volumeMounts: - description: Pod volumes to mount into the container's - filesystem. Cannot be updated. items: - description: VolumeMount describes a mounting of a - Volume within a container. properties: mountPath: - description: Path within the container at which - the volume should be mounted. Must not contain - ':'. type: string mountPropagation: - description: mountPropagation determines how mounts - are propagated from the host to container and - the other way around. When not set, MountPropagationNone - is used. This field is beta in 1.10. type: string name: - description: This must match the Name of a Volume. type: string readOnly: - description: Mounted read-only if true, read-write - otherwise (false or unspecified). Defaults to - false. type: boolean subPath: - description: Path within the volume from which - the container's volume should be mounted. Defaults - to "" (volume's root). type: string subPathExpr: - description: Expanded path within the volume from - which the container's volume should be mounted. - Behaves similarly to SubPath but environment - variable references $(VAR_NAME) are expanded - using the container's environment. Defaults - to "" (volume's root). SubPathExpr and SubPath - are mutually exclusive. type: string required: - mountPath 
@@ -16550,230 +7229,97 @@ spec: type: object type: array workingDir: - description: Container's working directory. If not specified, - the container runtime's default will be used, which - might be configured in the container image. Cannot - be updated. type: string required: - name type: object type: array dnsConfig: - description: Specifies the DNS parameters of a pod. Parameters - specified here will be merged to the generated DNS configuration - based on DNSPolicy. properties: nameservers: - description: A list of DNS name server IP addresses. This - will be appended to the base nameservers generated from - DNSPolicy. Duplicated nameservers will be removed. items: type: string type: array options: - description: A list of DNS resolver options. This will - be merged with the base options generated from DNSPolicy. - Duplicated entries will be removed. Resolution options - given in Options will override those that appear in - the base DNSPolicy. items: - description: PodDNSConfigOption defines DNS resolver - options of a pod. properties: name: - description: Required. type: string value: type: string type: object type: array searches: - description: A list of DNS search domains for host-name - lookup. This will be appended to the base search paths - generated from DNSPolicy. Duplicated search paths will - be removed. items: type: string type: array type: object dnsPolicy: - description: Set DNS policy for the pod. Defaults to "ClusterFirst". - Valid values are 'ClusterFirstWithHostNet', 'ClusterFirst', - 'Default' or 'None'. DNS parameters given in DNSConfig will - be merged with the policy selected with DNSPolicy. To have - DNS options set along with hostNetwork, you have to specify - DNS policy explicitly to 'ClusterFirstWithHostNet'. type: string enableServiceLinks: - description: 'EnableServiceLinks indicates whether information - about services should be injected into pod''s environment - variables, matching the syntax of Docker links. 
Optional: - Defaults to true.' type: boolean ephemeralContainers: - description: List of ephemeral containers run in this pod. - Ephemeral containers may be run in an existing pod to perform - user-initiated actions such as debugging. This list cannot - be specified when creating a pod, and it cannot be modified - by updating the pod spec. In order to add an ephemeral container - to an existing pod, use the pod's ephemeralcontainers subresource. - This field is beta-level and available on clusters that - haven't disabled the EphemeralContainers feature gate. items: - description: "An EphemeralContainer is a temporary container - that you may add to an existing Pod for user-initiated - activities such as debugging. Ephemeral containers have - no resource or scheduling guarantees, and they will not - be restarted when they exit or when a Pod is removed or - restarted. The kubelet may evict a Pod if an ephemeral - container causes the Pod to exceed its resource allocation. - \n To add an ephemeral container, use the ephemeralcontainers - subresource of an existing Pod. Ephemeral containers may - not be removed or restarted. \n This is a beta feature - available on clusters that haven't disabled the EphemeralContainers - feature gate." properties: args: - description: 'Arguments to the entrypoint. The docker - image''s CMD is used if this is not provided. Variable - references $(VAR_NAME) are expanded using the container''s - environment. If a variable cannot be resolved, the - reference in the input string will be unchanged. Double - $$ are reduced to a single $, which allows for escaping - the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce - the string literal "$(VAR_NAME)". Escaped references - will never be expanded, regardless of whether the - variable exists or not. Cannot be updated. 
More info: - https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array command: - description: 'Entrypoint array. Not executed within - a shell. The docker image''s ENTRYPOINT is used if - this is not provided. Variable references $(VAR_NAME) - are expanded using the container''s environment. If - a variable cannot be resolved, the reference in the - input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) - syntax: i.e. "$$(VAR_NAME)" will produce the string - literal "$(VAR_NAME)". Escaped references will never - be expanded, regardless of whether the variable exists - or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array env: - description: List of environment variables to set in - the container. Cannot be updated. items: - description: EnvVar represents an environment variable - present in a Container. properties: name: - description: Name of the environment variable. - Must be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) - are expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Defaults - to "".' type: string valueFrom: - description: Source for the environment variable's - value. Cannot be used if value is not empty. properties: configMapKeyRef: - description: Selects a key of a ConfigMap. 
properties: key: - description: The key to select. type: string name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the ConfigMap - or its key must be defined type: boolean required: - key type: object fieldRef: - description: 'Selects a field of the pod: - supports metadata.name, metadata.namespace, - `metadata.labels['''']`, `metadata.annotations['''']`, - spec.nodeName, spec.serviceAccountName, - status.hostIP, status.podIP, status.podIPs.' properties: apiVersion: - description: Version of the schema the - FieldPath is written in terms of, defaults - to "v1". type: string fieldPath: - description: Path of the field to select - in the specified API version. type: string required: - fieldPath type: object resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, - requests.cpu, requests.memory and requests.ephemeral-storage) - are currently supported.' properties: containerName: - description: 'Container name: required - for volumes, optional for env vars' type: string divisor: anyOf: - type: integer - type: string - description: Specifies the output format - of the exposed resources, defaults to - "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: - description: 'Required: resource to select' type: string required: - resource type: object secretKeyRef: - description: Selects a key of a secret in - the pod's namespace properties: key: - description: The key of the secret to - select from. Must be a valid secret - key. type: string name: - description: 'Name of the referent. 
More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the Secret - or its key must be defined type: boolean required: - key 
@@ -16784,112 +7330,51 @@ spec: type: object type: array envFrom: - description: List of sources to populate environment - variables in the container. The keys defined within - a source must be a C_IDENTIFIER. All invalid keys - will be reported as an event when the container is - starting. When a key exists in multiple sources, the - value associated with the last source will take precedence. - Values defined by an Env with a duplicate key will - take precedence. Cannot be updated. items: - description: EnvFromSource represents the source of - a set of ConfigMaps properties: configMapRef: - description: The ConfigMap to select from properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the ConfigMap - must be defined type: boolean type: object prefix: - description: An optional identifier to prepend - to each key in the ConfigMap. Must be a C_IDENTIFIER. type: string secretRef: - description: The Secret to select from properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the Secret must - be defined type: boolean type: object type: object type: array image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images' type: string imagePullPolicy: - description: 'Image pull policy. One of Always, Never, - IfNotPresent. Defaults to Always if :latest tag is - specified, or IfNotPresent otherwise. Cannot be updated. - More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' type: string lifecycle: - description: Lifecycle is not allowed for ephemeral - containers. 
properties: postStart: - description: 'PostStart is called immediately after - a container is created. If the handler fails, - the container is terminated and restarted according - to its restart policy. Other management of the - container blocks until the hook completes. More - info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line - to execute inside the container, the working - directory for the command is root ('/') - in the container's filesystem. The command - is simply exec'd, it is not run inside - a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, - you need to explicitly call out to that - shell. Exit status of 0 is treated as - live/healthy and non-zero is unhealthy. items: type: string type: array type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set - "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -16897,103 +7382,49 @@ spec: type: object type: array path: - description: Path to access on the HTTP - server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. type: string required: - port type: object tcpSocket: - description: Deprecated. TCPSocket is NOT supported - as a LifecycleHandler and kept for the backward - compatibility. There are no validation of - this field and lifecycle hooks will fail in - runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object type: object preStop: - description: 'PreStop is called immediately before - a container is terminated due to an API request - or management event such as liveness/startup probe - failure, preemption, resource contention, etc. - The handler is not called if the container crashes - or exits. The Pod''s termination grace period - countdown begins before the PreStop hook is executed. - Regardless of the outcome of the handler, the - container will eventually terminate within the - Pod''s termination grace period (unless delayed - by finalizers). Other management of the container - blocks until the hook completes or until the termination - grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: Exec specifies the action to take. 
properties: command: - description: Command is the command line - to execute inside the container, the working - directory for the command is root ('/') - in the container's filesystem. The command - is simply exec'd, it is not run inside - a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, - you need to explicitly call out to that - shell. Exit status of 0 is treated as - live/healthy and non-zero is unhealthy. items: type: string type: array type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set - "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -17001,44 +7432,25 @@ spec: type: object type: array path: - description: Path to access on the HTTP - server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. type: string required: - port type: object tcpSocket: - description: Deprecated. TCPSocket is NOT supported - as a LifecycleHandler and kept for the backward - compatibility. There are no validation of - this field and lifecycle hooks will fail in - runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port 
@@ -17046,72 +7458,37 @@ spec: type: object type: object livenessProbe: - description: Probes are not allowed for ephemeral containers. properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the - probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving - a GRPC port. This is an alpha field and requires - enabling GRPCContainerProbe feature gate. properties: port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see - https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." type: string required: - port type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. 
items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -17119,126 +7496,62 @@ spec: type: object type: array path: - description: Path to access on the HTTP server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the - probe. Default to 10 seconds. Minimum value is - 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the - probe to be considered successful after having - failed. Defaults to 1. Must be 1 for liveness - and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod - needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after - the processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer - than the expected cleanup time for your process. 
- If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value must - be non-negative integer. The value zero indicates - stop immediately via the kill signal (no opportunity - to shut down). This is a beta field and requires - enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the - probe times out. Defaults to 1 second. Minimum - value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object name: - description: Name of the ephemeral container specified - as a DNS_LABEL. This name must be unique among all - containers, init containers and ephemeral containers. type: string ports: - description: Ports are not allowed for ephemeral containers. items: - description: ContainerPort represents a network port - in a single container. properties: containerPort: - description: Number of port to expose on the pod's - IP address. This must be a valid port number, - 0 < x < 65536. format: int32 type: integer hostIP: - description: What host IP to bind the external - port to. type: string hostPort: - description: Number of port to expose on the host. - If specified, this must be a valid port number, - 0 < x < 65536. If HostNetwork is specified, - this must match ContainerPort. Most containers - do not need this. format: int32 type: integer name: - description: If specified, this must be an IANA_SVC_NAME - and unique within the pod. Each named port in - a pod must have a unique name. Name for the - port that can be referred to by services. type: string protocol: default: TCP - description: Protocol for port. Must be UDP, TCP, - or SCTP. Defaults to "TCP". type: string required: - containerPort 
@@ -17249,72 +7562,37 @@ spec: - protocol x-kubernetes-list-type: map readinessProbe: - description: Probes are not allowed for ephemeral containers. properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the - probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving - a GRPC port. This is an alpha field and requires - enabling GRPCContainerProbe feature gate. properties: port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see - https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." type: string required: - port type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. 
items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -17322,91 +7600,46 @@ spec: type: object type: array path: - description: Path to access on the HTTP server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the - probe. Default to 10 seconds. Minimum value is - 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the - probe to be considered successful after having - failed. Defaults to 1. Must be 1 for liveness - and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod - needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after - the processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer - than the expected cleanup time for your process. 
- If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value must - be non-negative integer. The value zero indicates - stop immediately via the kill signal (no opportunity - to shut down). This is a beta field and requires - enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the - probe times out. Defaults to 1 second. Minimum - value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object resources: - description: Resources are not allowed for ephemeral - containers. Ephemeral containers use spare resources - already allocated to the pod. properties: limits: additionalProperties: @@ -17415,8 +7648,6 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount - of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: 
@@ -17425,267 +7656,101 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is - omitted for a container, it defaults to Limits - if that is explicitly specified, otherwise to - an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object securityContext: - description: 'Optional: SecurityContext defines the - security options the ephemeral container should be - run with. If set, the fields of SecurityContext override - the equivalent fields of PodSecurityContext.' properties: allowPrivilegeEscalation: - description: 'AllowPrivilegeEscalation controls - whether a process can gain more privileges than - its parent process. This bool directly controls - if the no_new_privs flag will be set on the container - process. AllowPrivilegeEscalation is true always - when the container is: 1) run as Privileged 2) - has CAP_SYS_ADMIN Note that this field cannot - be set when spec.os.name is windows.' type: boolean capabilities: - description: The capabilities to add/drop when running - containers. Defaults to the default set of capabilities - granted by the container runtime. Note that this - field cannot be set when spec.os.name is windows. properties: add: - description: Added capabilities items: - description: Capability represent POSIX capabilities - type type: string type: array drop: - description: Removed capabilities items: - description: Capability represent POSIX capabilities - type type: string type: array type: object privileged: - description: Run container in privileged mode. Processes - in privileged containers are essentially equivalent - to root on the host. Defaults to false. Note that - this field cannot be set when spec.os.name is - windows. 
type: boolean procMount: - description: procMount denotes the type of proc - mount to use for the containers. The default is - DefaultProcMount which uses the container runtime - defaults for readonly paths and masked paths. - This requires the ProcMountType feature flag to - be enabled. Note that this field cannot be set - when spec.os.name is windows. type: string readOnlyRootFilesystem: - description: Whether this container has a read-only - root filesystem. Default is false. Note that this - field cannot be set when spec.os.name is windows. type: boolean runAsGroup: - description: The GID to run the entrypoint of the - container process. Uses runtime default if unset. - May also be set in PodSecurityContext. If set - in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name - is windows. format: int64 type: integer runAsNonRoot: - description: Indicates that the container must run - as a non-root user. If true, the Kubelet will - validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start - the container if it does. If unset or false, no - such validation will be performed. May also be - set in PodSecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in - SecurityContext takes precedence. type: boolean runAsUser: - description: The UID to run the entrypoint of the - container process. Defaults to user specified - in image metadata if unspecified. May also be - set in PodSecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in - SecurityContext takes precedence. Note that this - field cannot be set when spec.os.name is windows. format: int64 type: integer seLinuxOptions: - description: The SELinux context to be applied to - the container. If unspecified, the container runtime - will allocate a random SELinux context for each - container. 
May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name - is windows. properties: level: - description: Level is SELinux level label that - applies to the container. type: string role: - description: Role is a SELinux role label that - applies to the container. type: string type: - description: Type is a SELinux type label that - applies to the container. type: string user: - description: User is a SELinux user label that - applies to the container. type: string type: object seccompProfile: - description: The seccomp options to use by this - container. If seccomp options are provided at - both the pod & container level, the container - options override the pod options. Note that this - field cannot be set when spec.os.name is windows. properties: localhostProfile: - description: localhostProfile indicates a profile - defined in a file on the node should be used. - The profile must be preconfigured on the node - to work. Must be a descending path, relative - to the kubelet's configured seccomp profile - location. Must only be set if type is "Localhost". type: string type: - description: "type indicates which kind of seccomp - profile will be applied. Valid options are: - \n Localhost - a profile defined in a file - on the node should be used. RuntimeDefault - - the container runtime default profile should - be used. Unconfined - no profile should be - applied." type: string required: - type type: object windowsOptions: - description: The Windows specific settings applied - to all containers. If unspecified, the options - from the PodSecurityContext will be used. If set - in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name - is linux. 
properties: gmsaCredentialSpec: - description: GMSACredentialSpec is where the - GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) - inlines the contents of the GMSA credential - spec named by the GMSACredentialSpecName field. type: string gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name - of the GMSA credential spec to use. type: string hostProcess: - description: HostProcess determines if a container - should be run as a 'Host Process' container. - This field is alpha-level and will only be - honored by components that enable the WindowsHostProcessContainers - feature flag. Setting this field without the - feature flag will result in errors when validating - the Pod. All of a Pod's containers must have - the same effective HostProcess value (it is - not allowed to have a mix of HostProcess containers - and non-HostProcess containers). In addition, - if HostProcess is true then HostNetwork must - also be set to true. type: boolean runAsUserName: - description: The UserName in Windows to run - the entrypoint of the container process. Defaults - to the user specified in image metadata if - unspecified. May also be set in PodSecurityContext. - If set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. type: string type: object type: object startupProbe: - description: Probes are not allowed for ephemeral containers. properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. 
items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the - probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving - a GRPC port. This is an alpha field and requires - enabling GRPCContainerProbe feature gate. properties: port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see - https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." type: string required: - port type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -17693,159 +7758,63 @@ spec: type: object type: array path: - description: Path to access on the HTTP server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the - probe. Default to 10 seconds. Minimum value is - 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the - probe to be considered successful after having - failed. Defaults to 1. Must be 1 for liveness - and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod - needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after - the processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer - than the expected cleanup time for your process. 
- If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value must - be non-negative integer. The value zero indicates - stop immediately via the kill signal (no opportunity - to shut down). This is a beta field and requires - enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the - probe times out. Defaults to 1 second. Minimum - value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object stdin: - description: Whether this container should allocate - a buffer for stdin in the container runtime. If this - is not set, reads from stdin in the container will - always result in EOF. Default is false. type: boolean stdinOnce: - description: Whether the container runtime should close - the stdin channel after it has been opened by a single - attach. When stdin is true the stdin stream will remain - open across multiple attach sessions. If stdinOnce - is set to true, stdin is opened on container start, - is empty until the first client attaches to stdin, - and then remains open and accepts data until the client - disconnects, at which time stdin is closed and remains - closed until the container is restarted. If this flag - is false, a container processes that reads from stdin - will never receive an EOF. Default is false type: boolean targetContainerName: - description: "If set, the name of the container from - PodSpec that this ephemeral container targets. The - ephemeral container will be run in the namespaces - (IPC, PID, etc) of this container. If not set then - the ephemeral container uses the namespaces configured - in the Pod spec. \n The container runtime must implement - support for this feature. 
If the runtime does not - support namespace targeting then the result of setting - this field is undefined." type: string terminationMessagePath: - description: 'Optional: Path at which the file to which - the container''s termination message will be written - is mounted into the container''s filesystem. Message - written is intended to be brief final status, such - as an assertion failure message. Will be truncated - by the node if greater than 4096 bytes. The total - message length across all containers will be limited - to 12kb. Defaults to /dev/termination-log. Cannot - be updated.' type: string terminationMessagePolicy: - description: Indicate how the termination message should - be populated. File will use the contents of terminationMessagePath - to populate the container status message on both success - and failure. FallbackToLogsOnError will use the last - chunk of container log output if the termination message - file is empty and the container exited with an error. - The log output is limited to 2048 bytes or 80 lines, - whichever is smaller. Defaults to File. Cannot be - updated. type: string tty: - description: Whether this container should allocate - a TTY for itself, also requires 'stdin' to be true. - Default is false. type: boolean volumeDevices: - description: volumeDevices is the list of block devices - to be used by the container. items: - description: volumeDevice describes a mapping of a - raw block device within a container. properties: devicePath: - description: devicePath is the path inside of - the container that the device will be mapped - to. type: string name: - description: name must match the name of a persistentVolumeClaim - in the pod type: string required: - devicePath 
@@ -17853,45 +7822,19 @@ spec: type: object type: array volumeMounts: - description: Pod volumes to mount into the container's - filesystem. Subpath mounts are not allowed for ephemeral - containers. Cannot be updated. items: - description: VolumeMount describes a mounting of a - Volume within a container. properties: mountPath: - description: Path within the container at which - the volume should be mounted. Must not contain - ':'. type: string mountPropagation: - description: mountPropagation determines how mounts - are propagated from the host to container and - the other way around. When not set, MountPropagationNone - is used. This field is beta in 1.10. type: string name: - description: This must match the Name of a Volume. type: string readOnly: - description: Mounted read-only if true, read-write - otherwise (false or unspecified). Defaults to - false. type: boolean subPath: - description: Path within the volume from which - the container's volume should be mounted. Defaults - to "" (volume's root). type: string subPathExpr: - description: Expanded path within the volume from - which the container's volume should be mounted. - Behaves similarly to SubPath but environment - variable references $(VAR_NAME) are expanded - using the container's environment. Defaults - to "" (volume's root). SubPathExpr and SubPath - are mutually exclusive. type: string required: - mountPath 
@@ -17899,228 +7842,99 @@ spec: type: object type: array workingDir: - description: Container's working directory. If not specified, - the container runtime's default will be used, which - might be configured in the container image. Cannot - be updated. type: string required: - name type: object type: array hostAliases: - description: HostAliases is an optional list of hosts and - IPs that will be injected into the pod's hosts file if specified. - This is only valid for non-hostNetwork pods. items: - description: HostAlias holds the mapping between IP and - hostnames that will be injected as an entry in the pod's - hosts file. properties: hostnames: - description: Hostnames for the above IP address. items: type: string type: array ip: - description: IP address of the host file entry. type: string type: object type: array hostIPC: - description: 'Use the host''s ipc namespace. Optional: Default - to false.' type: boolean hostNetwork: - description: Host networking requested for this pod. Use the - host's network namespace. If this option is set, the ports - that will be used must be specified. Default to false. type: boolean hostPID: - description: 'Use the host''s pid namespace. Optional: Default - to false.' type: boolean hostname: - description: Specifies the hostname of the Pod If not specified, - the pod's hostname will be set to a system-defined value. type: string imagePullSecrets: - description: 'ImagePullSecrets is an optional list of references - to secrets in the same namespace to use for pulling any - of the images used by this PodSpec. If specified, these - secrets will be passed to individual puller implementations - for them to use. For example, in the case of docker, only - DockerConfig type secrets are honored. 
More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' items: - description: LocalObjectReference contains enough information - to let you locate the referenced object inside the same - namespace. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object type: array initContainers: - description: 'List of initialization containers belonging - to the pod. Init containers are executed in order prior - to containers being started. If any init container fails, - the pod is considered to have failed and is handled according - to its restartPolicy. The name for an init container or - normal container must be unique among all containers. Init - containers may not have Lifecycle actions, Readiness probes, - Liveness probes, or Startup probes. The resourceRequirements - of an init container are taken into account during scheduling - by finding the highest request/limit for each resource type, - and then using the max of of that value or the sum of the - normal containers. Limits are applied to init containers - in a similar fashion. Init containers cannot currently be - added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/' items: - description: A single application container that you want - to run within a pod. properties: args: - description: 'Arguments to the entrypoint. The docker - image''s CMD is used if this is not provided. Variable - references $(VAR_NAME) are expanded using the container''s - environment. If a variable cannot be resolved, the - reference in the input string will be unchanged. Double - $$ are reduced to a single $, which allows for escaping - the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce - the string literal "$(VAR_NAME)". 
Escaped references - will never be expanded, regardless of whether the - variable exists or not. Cannot be updated. More info: - https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array command: - description: 'Entrypoint array. Not executed within - a shell. The docker image''s ENTRYPOINT is used if - this is not provided. Variable references $(VAR_NAME) - are expanded using the container''s environment. If - a variable cannot be resolved, the reference in the - input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) - syntax: i.e. "$$(VAR_NAME)" will produce the string - literal "$(VAR_NAME)". Escaped references will never - be expanded, regardless of whether the variable exists - or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' items: type: string type: array env: - description: List of environment variables to set in - the container. Cannot be updated. items: - description: EnvVar represents an environment variable - present in a Container. properties: name: - description: Name of the environment variable. - Must be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) - are expanded using the previously defined environment - variables in the container and any service environment - variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. - Double $$ are reduced to a single $, which allows - for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" - will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless - of whether the variable exists or not. Defaults - to "".' type: string valueFrom: - description: Source for the environment variable's - value. Cannot be used if value is not empty. 
properties: configMapKeyRef: - description: Selects a key of a ConfigMap. properties: key: - description: The key to select. type: string name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the ConfigMap - or its key must be defined type: boolean required: - key type: object fieldRef: - description: 'Selects a field of the pod: - supports metadata.name, metadata.namespace, - `metadata.labels['''']`, `metadata.annotations['''']`, - spec.nodeName, spec.serviceAccountName, - status.hostIP, status.podIP, status.podIPs.' properties: apiVersion: - description: Version of the schema the - FieldPath is written in terms of, defaults - to "v1". type: string fieldPath: - description: Path of the field to select - in the specified API version. type: string required: - fieldPath type: object resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, - requests.cpu, requests.memory and requests.ephemeral-storage) - are currently supported.' properties: containerName: - description: 'Container name: required - for volumes, optional for env vars' type: string divisor: anyOf: - type: integer - type: string - description: Specifies the output format - of the exposed resources, defaults to - "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: - description: 'Required: resource to select' type: string required: - resource type: object secretKeyRef: - description: Selects a key of a secret in - the pod's namespace properties: key: - description: The key of the secret to - select from. Must be a valid secret - key. type: string name: - description: 'Name of the referent. 
More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the Secret - or its key must be defined type: boolean required: - key 
@@ -18131,116 +7945,51 @@ spec: type: object type: array envFrom: - description: List of sources to populate environment - variables in the container. The keys defined within - a source must be a C_IDENTIFIER. All invalid keys - will be reported as an event when the container is - starting. When a key exists in multiple sources, the - value associated with the last source will take precedence. - Values defined by an Env with a duplicate key will - take precedence. Cannot be updated. items: - description: EnvFromSource represents the source of - a set of ConfigMaps properties: configMapRef: - description: The ConfigMap to select from properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the ConfigMap - must be defined type: boolean type: object prefix: - description: An optional identifier to prepend - to each key in the ConfigMap. Must be a C_IDENTIFIER. type: string secretRef: - description: The Secret to select from properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the Secret must - be defined type: boolean type: object type: object type: array image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images - This field is optional to allow higher level config - management to default or override container images - in workload controllers like Deployments and StatefulSets.' type: string imagePullPolicy: - description: 'Image pull policy. One of Always, Never, - IfNotPresent. Defaults to Always if :latest tag is - specified, or IfNotPresent otherwise. Cannot be updated. 
- More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' type: string lifecycle: - description: Actions that the management system should - take in response to container lifecycle events. Cannot - be updated. properties: postStart: - description: 'PostStart is called immediately after - a container is created. If the handler fails, - the container is terminated and restarted according - to its restart policy. Other management of the - container blocks until the hook completes. More - info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line - to execute inside the container, the working - directory for the command is root ('/') - in the container's filesystem. The command - is simply exec'd, it is not run inside - a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, - you need to explicitly call out to that - shell. Exit status of 0 is treated as - live/healthy and non-zero is unhealthy. items: type: string type: array type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set - "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -18248,103 +7997,49 @@ spec: type: object type: array path: - description: Path to access on the HTTP - server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. type: string required: - port type: object tcpSocket: - description: Deprecated. TCPSocket is NOT supported - as a LifecycleHandler and kept for the backward - compatibility. There are no validation of - this field and lifecycle hooks will fail in - runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object type: object preStop: - description: 'PreStop is called immediately before - a container is terminated due to an API request - or management event such as liveness/startup probe - failure, preemption, resource contention, etc. - The handler is not called if the container crashes - or exits. The Pod''s termination grace period - countdown begins before the PreStop hook is executed. - Regardless of the outcome of the handler, the - container will eventually terminate within the - Pod''s termination grace period (unless delayed - by finalizers). Other management of the container - blocks until the hook completes or until the termination - grace period is reached. More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: Exec specifies the action to take. 
properties: command: - description: Command is the command line - to execute inside the container, the working - directory for the command is root ('/') - in the container's filesystem. The command - is simply exec'd, it is not run inside - a shell, so traditional shell instructions - ('|', etc) won't work. To use a shell, - you need to explicitly call out to that - shell. Exit status of 0 is treated as - live/healthy and non-zero is unhealthy. items: type: string type: array type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set - "Host" in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the - request. HTTP allows repeated headers. items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -18352,44 +8047,25 @@ spec: type: object type: array path: - description: Path to access on the HTTP - server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting - to the host. Defaults to HTTP. type: string required: - port type: object tcpSocket: - description: Deprecated. TCPSocket is NOT supported - as a LifecycleHandler and kept for the backward - compatibility. There are no validation of - this field and lifecycle hooks will fail in - runtime when tcp handler is specified. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port - to access on the container. Number must - be in the range 1 to 65535. Name must - be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port 
@@ -18397,74 +8073,37 @@ spec: type: object type: object livenessProbe: - description: 'Periodic probe of container liveness. - Container will be restarted if the probe fails. Cannot - be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the - probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving - a GRPC port. This is an alpha field and requires - enabling GRPCContainerProbe feature gate. properties: port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see - https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." type: string required: - port type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. 
items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -18472,133 +8111,62 @@ spec: type: object type: array path: - description: Path to access on the HTTP server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the - probe. Default to 10 seconds. Minimum value is - 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the - probe to be considered successful after having - failed. Defaults to 1. Must be 1 for liveness - and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod - needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after - the processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer - than the expected cleanup time for your process. 
- If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value must - be non-negative integer. The value zero indicates - stop immediately via the kill signal (no opportunity - to shut down). This is a beta field and requires - enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the - probe times out. Defaults to 1 second. Minimum - value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object name: - description: Name of the container specified as a DNS_LABEL. - Each container in a pod must have a unique name (DNS_LABEL). - Cannot be updated. type: string ports: - description: List of ports to expose from the container. - Exposing a port here gives the system additional information - about the network connections a container uses, but - is primarily informational. Not specifying a port - here DOES NOT prevent that port from being exposed. - Any port which is listening on the default "0.0.0.0" - address inside a container will be accessible from - the network. Cannot be updated. items: - description: ContainerPort represents a network port - in a single container. properties: containerPort: - description: Number of port to expose on the pod's - IP address. This must be a valid port number, - 0 < x < 65536. format: int32 type: integer hostIP: - description: What host IP to bind the external - port to. type: string hostPort: - description: Number of port to expose on the host. - If specified, this must be a valid port number, - 0 < x < 65536. If HostNetwork is specified, - this must match ContainerPort. Most containers - do not need this. 
format: int32 type: integer name: - description: If specified, this must be an IANA_SVC_NAME - and unique within the pod. Each named port in - a pod must have a unique name. Name for the - port that can be referred to by services. type: string protocol: default: TCP - description: Protocol for port. Must be UDP, TCP, - or SCTP. Defaults to "TCP". type: string required: - containerPort 
@@ -18609,74 +8177,37 @@ spec: - protocol x-kubernetes-list-type: map readinessProbe: - description: 'Periodic probe of container service readiness. - Container will be removed from service endpoints if - the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the - probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving - a GRPC port. This is an alpha field and requires - enabling GRPCContainerProbe feature gate. properties: port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see - https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." type: string required: - port type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. 
items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -18684,90 +8215,46 @@ spec: type: object type: array path: - description: Path to access on the HTTP server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the - probe. Default to 10 seconds. Minimum value is - 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the - probe to be considered successful after having - failed. Defaults to 1. Must be 1 for liveness - and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod - needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after - the processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer - than the expected cleanup time for your process. 
- If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value must - be non-negative integer. The value zero indicates - stop immediately via the kill signal (no opportunity - to shut down). This is a beta field and requires - enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the - probe times out. Defaults to 1 second. Minimum - value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object resources: - description: 'Compute Resources required by this container. - Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' properties: limits: additionalProperties: @@ -18776,8 +8263,6 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount - of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: 
@@ -18786,275 +8271,101 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount - of compute resources required. If Requests is - omitted for a container, it defaults to Limits - if that is explicitly specified, otherwise to - an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object securityContext: - description: 'SecurityContext defines the security options - the container should be run with. If set, the fields - of SecurityContext override the equivalent fields - of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' properties: allowPrivilegeEscalation: - description: 'AllowPrivilegeEscalation controls - whether a process can gain more privileges than - its parent process. This bool directly controls - if the no_new_privs flag will be set on the container - process. AllowPrivilegeEscalation is true always - when the container is: 1) run as Privileged 2) - has CAP_SYS_ADMIN Note that this field cannot - be set when spec.os.name is windows.' type: boolean capabilities: - description: The capabilities to add/drop when running - containers. Defaults to the default set of capabilities - granted by the container runtime. Note that this - field cannot be set when spec.os.name is windows. properties: add: - description: Added capabilities items: - description: Capability represent POSIX capabilities - type type: string type: array drop: - description: Removed capabilities items: - description: Capability represent POSIX capabilities - type type: string type: array type: object privileged: - description: Run container in privileged mode. Processes - in privileged containers are essentially equivalent - to root on the host. Defaults to false. 
Note that - this field cannot be set when spec.os.name is - windows. type: boolean procMount: - description: procMount denotes the type of proc - mount to use for the containers. The default is - DefaultProcMount which uses the container runtime - defaults for readonly paths and masked paths. - This requires the ProcMountType feature flag to - be enabled. Note that this field cannot be set - when spec.os.name is windows. type: string readOnlyRootFilesystem: - description: Whether this container has a read-only - root filesystem. Default is false. Note that this - field cannot be set when spec.os.name is windows. type: boolean runAsGroup: - description: The GID to run the entrypoint of the - container process. Uses runtime default if unset. - May also be set in PodSecurityContext. If set - in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name - is windows. format: int64 type: integer runAsNonRoot: - description: Indicates that the container must run - as a non-root user. If true, the Kubelet will - validate the image at runtime to ensure that it - does not run as UID 0 (root) and fail to start - the container if it does. If unset or false, no - such validation will be performed. May also be - set in PodSecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in - SecurityContext takes precedence. type: boolean runAsUser: - description: The UID to run the entrypoint of the - container process. Defaults to user specified - in image metadata if unspecified. May also be - set in PodSecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in - SecurityContext takes precedence. Note that this - field cannot be set when spec.os.name is windows. format: int64 type: integer seLinuxOptions: - description: The SELinux context to be applied to - the container. 
If unspecified, the container runtime - will allocate a random SELinux context for each - container. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. - Note that this field cannot be set when spec.os.name - is windows. properties: level: - description: Level is SELinux level label that - applies to the container. type: string role: - description: Role is a SELinux role label that - applies to the container. type: string type: - description: Type is a SELinux type label that - applies to the container. type: string user: - description: User is a SELinux user label that - applies to the container. type: string type: object seccompProfile: - description: The seccomp options to use by this - container. If seccomp options are provided at - both the pod & container level, the container - options override the pod options. Note that this - field cannot be set when spec.os.name is windows. properties: localhostProfile: - description: localhostProfile indicates a profile - defined in a file on the node should be used. - The profile must be preconfigured on the node - to work. Must be a descending path, relative - to the kubelet's configured seccomp profile - location. Must only be set if type is "Localhost". type: string type: - description: "type indicates which kind of seccomp - profile will be applied. Valid options are: - \n Localhost - a profile defined in a file - on the node should be used. RuntimeDefault - - the container runtime default profile should - be used. Unconfined - no profile should be - applied." type: string required: - type type: object windowsOptions: - description: The Windows specific settings applied - to all containers. If unspecified, the options - from the PodSecurityContext will be used. If set - in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence. 
- Note that this field cannot be set when spec.os.name - is linux. properties: gmsaCredentialSpec: - description: GMSACredentialSpec is where the - GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) - inlines the contents of the GMSA credential - spec named by the GMSACredentialSpecName field. type: string gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name - of the GMSA credential spec to use. type: string hostProcess: - description: HostProcess determines if a container - should be run as a 'Host Process' container. - This field is alpha-level and will only be - honored by components that enable the WindowsHostProcessContainers - feature flag. Setting this field without the - feature flag will result in errors when validating - the Pod. All of a Pod's containers must have - the same effective HostProcess value (it is - not allowed to have a mix of HostProcess containers - and non-HostProcess containers). In addition, - if HostProcess is true then HostNetwork must - also be set to true. type: boolean runAsUserName: - description: The UserName in Windows to run - the entrypoint of the container process. Defaults - to the user specified in image metadata if - unspecified. May also be set in PodSecurityContext. - If set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. type: string type: object type: object startupProbe: - description: 'StartupProbe indicates that the Pod has - successfully initialized. If specified, no other probes - are executed until this completes successfully. If - this probe fails, the Pod will be restarted, just - as if the livenessProbe failed. This can be used to - provide different probe parameters at the beginning - of a Pod''s lifecycle, when it might take a long time - to load data or warm a cache, than during steady-state - operation. This cannot be updated. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: Exec specifies the action to take. properties: command: - description: Command is the command line to - execute inside the container, the working - directory for the command is root ('/') in - the container's filesystem. The command is - simply exec'd, it is not run inside a shell, - so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is - treated as live/healthy and non-zero is unhealthy. items: type: string type: array type: object failureThreshold: - description: Minimum consecutive failures for the - probe to be considered failed after having succeeded. - Defaults to 3. Minimum value is 1. format: int32 type: integer grpc: - description: GRPC specifies an action involving - a GRPC port. This is an alpha field and requires - enabling GRPCContainerProbe feature gate. properties: port: - description: Port number of the gRPC service. - Number must be in the range 1 to 65535. format: int32 type: integer service: - description: "Service is the name of the service - to place in the gRPC HealthCheckRequest (see - https://github.com/grpc/grpc/blob/master/doc/health-checking.md). - \n If this is not specified, the default behavior - is defined by gRPC." type: string required: - port type: object httpGet: - description: HTTPGet specifies the http request - to perform. properties: host: - description: Host name to connect to, defaults - to the pod IP. You probably want to set "Host" - in httpHeaders instead. type: string httpHeaders: - description: Custom headers to set in the request. - HTTP allows repeated headers. items: - description: HTTPHeader describes a custom - header to be used in HTTP probes properties: name: - description: The header field name type: string value: - description: The header field value type: string required: - name 
@@ -19062,148 +8373,61 @@ spec: type: object type: array path: - description: Path to access on the HTTP server. type: string port: anyOf: - type: integer - type: string - description: Name or number of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true scheme: - description: Scheme to use for connecting to - the host. Defaults to HTTP. type: string required: - port type: object initialDelaySeconds: - description: 'Number of seconds after the container - has started before liveness probes are initiated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer periodSeconds: - description: How often (in seconds) to perform the - probe. Default to 10 seconds. Minimum value is - 1. format: int32 type: integer successThreshold: - description: Minimum consecutive successes for the - probe to be considered successful after having - failed. Defaults to 1. Must be 1 for liveness - and startup. Minimum value is 1. format: int32 type: integer tcpSocket: - description: TCPSocket specifies an action involving - a TCP port. properties: host: - description: 'Optional: Host name to connect - to, defaults to the pod IP.' type: string port: anyOf: - type: integer - type: string - description: Number or name of the port to access - on the container. Number must be in the range - 1 to 65535. Name must be an IANA_SVC_NAME. x-kubernetes-int-or-string: true required: - port type: object terminationGracePeriodSeconds: - description: Optional duration in seconds the pod - needs to terminate gracefully upon probe failure. - The grace period is the duration in seconds after - the processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer - than the expected cleanup time for your process. 
- If this value is nil, the pod's terminationGracePeriodSeconds - will be used. Otherwise, this value overrides - the value provided by the pod spec. Value must - be non-negative integer. The value zero indicates - stop immediately via the kill signal (no opportunity - to shut down). This is a beta field and requires - enabling ProbeTerminationGracePeriod feature gate. - Minimum value is 1. spec.terminationGracePeriodSeconds - is used if unset. format: int64 type: integer timeoutSeconds: - description: 'Number of seconds after which the - probe times out. Defaults to 1 second. Minimum - value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' format: int32 type: integer type: object stdin: - description: Whether this container should allocate - a buffer for stdin in the container runtime. If this - is not set, reads from stdin in the container will - always result in EOF. Default is false. type: boolean stdinOnce: - description: Whether the container runtime should close - the stdin channel after it has been opened by a single - attach. When stdin is true the stdin stream will remain - open across multiple attach sessions. If stdinOnce - is set to true, stdin is opened on container start, - is empty until the first client attaches to stdin, - and then remains open and accepts data until the client - disconnects, at which time stdin is closed and remains - closed until the container is restarted. If this flag - is false, a container processes that reads from stdin - will never receive an EOF. Default is false type: boolean terminationMessagePath: - description: 'Optional: Path at which the file to which - the container''s termination message will be written - is mounted into the container''s filesystem. Message - written is intended to be brief final status, such - as an assertion failure message. Will be truncated - by the node if greater than 4096 bytes. 
The total - message length across all containers will be limited - to 12kb. Defaults to /dev/termination-log. Cannot - be updated.' type: string terminationMessagePolicy: - description: Indicate how the termination message should - be populated. File will use the contents of terminationMessagePath - to populate the container status message on both success - and failure. FallbackToLogsOnError will use the last - chunk of container log output if the termination message - file is empty and the container exited with an error. - The log output is limited to 2048 bytes or 80 lines, - whichever is smaller. Defaults to File. Cannot be - updated. type: string tty: - description: Whether this container should allocate - a TTY for itself, also requires 'stdin' to be true. - Default is false. type: boolean volumeDevices: - description: volumeDevices is the list of block devices - to be used by the container. items: - description: volumeDevice describes a mapping of a - raw block device within a container. properties: devicePath: - description: devicePath is the path inside of - the container that the device will be mapped - to. type: string name: - description: name must match the name of a persistentVolumeClaim - in the pod type: string required: - devicePath 
@@ -19211,44 +8435,19 @@ spec: type: object type: array volumeMounts: - description: Pod volumes to mount into the container's - filesystem. Cannot be updated. items: - description: VolumeMount describes a mounting of a - Volume within a container. properties: mountPath: - description: Path within the container at which - the volume should be mounted. Must not contain - ':'. type: string mountPropagation: - description: mountPropagation determines how mounts - are propagated from the host to container and - the other way around. When not set, MountPropagationNone - is used. This field is beta in 1.10. type: string name: - description: This must match the Name of a Volume. type: string readOnly: - description: Mounted read-only if true, read-write - otherwise (false or unspecified). Defaults to - false. type: boolean subPath: - description: Path within the volume from which - the container's volume should be mounted. Defaults - to "" (volume's root). type: string subPathExpr: - description: Expanded path within the volume from - which the container's volume should be mounted. - Behaves similarly to SubPath but environment - variable references $(VAR_NAME) are expanded - using the container's environment. Defaults - to "" (volume's root). SubPathExpr and SubPath - are mutually exclusive. type: string required: - mountPath 
@@ -19256,55 +8455,21 @@ spec: type: object type: array workingDir: - description: Container's working directory. If not specified, - the container runtime's default will be used, which - might be configured in the container image. Cannot - be updated. type: string required: - name type: object type: array nodeName: - description: NodeName is a request to schedule this pod onto - a specific node. If it is non-empty, the scheduler simply - schedules this pod onto that node, assuming that it fits - resource requirements. type: string nodeSelector: additionalProperties: type: string - description: 'NodeSelector is a selector which must be true - for the pod to fit on a node. Selector which must match - a node''s labels for the pod to be scheduled on that node. - More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' type: object x-kubernetes-map-type: atomic os: - description: "Specifies the OS of the containers in the pod. - Some pod and container fields are restricted if this is - set. 
\n If the OS field is set to linux, the following fields - must be unset: -securityContext.windowsOptions \n If the - OS field is set to windows, following fields must be unset: - - spec.hostPID - spec.hostIPC - spec.securityContext.seLinuxOptions - - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - - spec.shareProcessNamespace - spec.securityContext.runAsUser - - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - - spec.containers[*].securityContext.runAsGroup This is - an alpha field and requires the IdentifyPodOS feature" properties: name: - description: 'Name is the name of the operating system. - The currently supported values are linux and windows. - Additional value may be defined in future and can be - one of: https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration - Clients should expect to handle additional values and - treat unrecognized values in this field as os: null' type: string required: - name 
@@ -19316,213 +8481,75 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Overhead represents the resource overhead associated - with running a pod for a given RuntimeClass. This field - will be autopopulated at admission time by the RuntimeClass - admission controller. If the RuntimeClass admission controller - is enabled, overhead must not be set in Pod create requests. - The RuntimeClass admission controller will reject Pod create - requests which have the overhead already set. If RuntimeClass - is configured and selected in the PodSpec, Overhead will - be set to the value defined in the corresponding RuntimeClass, - otherwise it will remain unset and treated as zero. More - info: https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md - This field is beta-level as of Kubernetes v1.18, and is - only honored by servers that enable the PodOverhead feature.' type: object preemptionPolicy: - description: PreemptionPolicy is the Policy for preempting - pods with lower priority. One of Never, PreemptLowerPriority. - Defaults to PreemptLowerPriority if unset. This field is - beta-level, gated by the NonPreemptingPriority feature-gate. type: string priority: - description: The priority value. Various system components - use this field to find the priority of the pod. When Priority - Admission Controller is enabled, it prevents users from - setting this field. The admission controller populates this - field from PriorityClassName. The higher the value, the - higher the priority. format: int32 type: integer priorityClassName: - description: If specified, indicates the pod's priority. "system-node-critical" - and "system-cluster-critical" are two special keywords which - indicate the highest priorities with the former being the - highest priority. 
Any other name must be defined by creating - a PriorityClass object with that name. If not specified, - the pod priority will be default or zero if there is no - default. type: string readinessGates: - description: 'If specified, all readiness gates will be evaluated - for pod readiness. A pod is ready when all its containers - are ready AND all conditions specified in the readiness - gates have status equal to "True" More info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates' items: - description: PodReadinessGate contains the reference to - a pod condition properties: conditionType: - description: ConditionType refers to a condition in - the pod's condition list with matching type. type: string required: - conditionType type: object type: array restartPolicy: - description: 'Restart policy for all containers within the - pod. One of Always, OnFailure, Never. Default to Always. - More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy' type: string runtimeClassName: - description: 'RuntimeClassName refers to a RuntimeClass object - in the node.k8s.io group, which should be used to run this - pod. If no RuntimeClass resource matches the named class, - the pod will not be run. If unset or empty, the "legacy" - RuntimeClass will be used, which is an implicit class with - an empty definition that uses the default runtime handler. - More info: https://git.k8s.io/enhancements/keps/sig-node/585-runtime-class - This is a beta feature as of Kubernetes v1.14.' type: string schedulerName: - description: If specified, the pod will be dispatched by specified - scheduler. If not specified, the pod will be dispatched - by default scheduler. type: string securityContext: - description: 'SecurityContext holds pod-level security attributes - and common container settings. Optional: Defaults to empty. See - type description for default values of each field.' 
properties: fsGroup: - description: "A special supplemental group that applies - to all containers in a pod. Some volume types allow - the Kubelet to change the ownership of that volume to - be owned by the pod: \n 1. The owning GID will be the - FSGroup 2. The setgid bit is set (new files created - in the volume will be owned by FSGroup) 3. The permission - bits are OR'd with rw-rw---- \n If unset, the Kubelet - will not modify the ownership and permissions of any - volume. Note that this field cannot be set when spec.os.name - is windows." format: int64 type: integer fsGroupChangePolicy: - description: 'fsGroupChangePolicy defines behavior of - changing ownership and permission of the volume before - being exposed inside Pod. This field will only apply - to volume types which support fsGroup based ownership(and - permissions). It will have no effect on ephemeral volume - types such as: secret, configmaps and emptydir. Valid - values are "OnRootMismatch" and "Always". If not specified, - "Always" is used. Note that this field cannot be set - when spec.os.name is windows.' type: string runAsGroup: - description: The GID to run the entrypoint of the container - process. Uses runtime default if unset. May also be - set in SecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. Note that this - field cannot be set when spec.os.name is windows. format: int64 type: integer runAsNonRoot: - description: Indicates that the container must run as - a non-root user. If true, the Kubelet will validate - the image at runtime to ensure that it does not run - as UID 0 (root) and fail to start the container if it - does. If unset or false, no such validation will be - performed. May also be set in SecurityContext. If set - in both SecurityContext and PodSecurityContext, the - value specified in SecurityContext takes precedence. 
type: boolean runAsUser: - description: The UID to run the entrypoint of the container - process. Defaults to user specified in image metadata - if unspecified. May also be set in SecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes precedence - for that container. Note that this field cannot be set - when spec.os.name is windows. format: int64 type: integer seLinuxOptions: - description: The SELinux context to be applied to all - containers. If unspecified, the container runtime will - allocate a random SELinux context for each container. May - also be set in SecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in SecurityContext - takes precedence for that container. Note that this - field cannot be set when spec.os.name is windows. properties: level: - description: Level is SELinux level label that applies - to the container. type: string role: - description: Role is a SELinux role label that applies - to the container. type: string type: - description: Type is a SELinux type label that applies - to the container. type: string user: - description: User is a SELinux user label that applies - to the container. type: string type: object seccompProfile: - description: The seccomp options to use by the containers - in this pod. Note that this field cannot be set when - spec.os.name is windows. properties: localhostProfile: - description: localhostProfile indicates a profile - defined in a file on the node should be used. The - profile must be preconfigured on the node to work. - Must be a descending path, relative to the kubelet's - configured seccomp profile location. Must only be - set if type is "Localhost". type: string type: - description: "type indicates which kind of seccomp - profile will be applied. Valid options are: \n Localhost - - a profile defined in a file on the node should - be used. 
RuntimeDefault - the container runtime - default profile should be used. Unconfined - no - profile should be applied." type: string required: - type type: object supplementalGroups: - description: A list of groups applied to the first process - run in each container, in addition to the container's - primary GID. If unspecified, no groups will be added - to any container. Note that this field cannot be set - when spec.os.name is windows. items: format: int64 type: integer type: array sysctls: - description: Sysctls hold a list of namespaced sysctls - used for the pod. Pods with unsupported sysctls (by - the container runtime) might fail to launch. Note that - this field cannot be set when spec.os.name is windows. items: - description: Sysctl defines a kernel parameter to be - set properties: name: - description: Name of a property to set type: string value: - description: Value of a property to set type: string required: - name 
@@ -19530,174 +8557,59 @@ spec: type: object type: array windowsOptions: - description: The Windows specific settings applied to - all containers. If unspecified, the options within a - container's SecurityContext will be used. If set in - both SecurityContext and PodSecurityContext, the value - specified in SecurityContext takes precedence. Note - that this field cannot be set when spec.os.name is linux. properties: gmsaCredentialSpec: - description: GMSACredentialSpec is where the GMSA - admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) - inlines the contents of the GMSA credential spec - named by the GMSACredentialSpecName field. type: string gmsaCredentialSpecName: - description: GMSACredentialSpecName is the name of - the GMSA credential spec to use. type: string hostProcess: - description: HostProcess determines if a container - should be run as a 'Host Process' container. This - field is alpha-level and will only be honored by - components that enable the WindowsHostProcessContainers - feature flag. Setting this field without the feature - flag will result in errors when validating the Pod. - All of a Pod's containers must have the same effective - HostProcess value (it is not allowed to have a mix - of HostProcess containers and non-HostProcess containers). In - addition, if HostProcess is true then HostNetwork - must also be set to true. type: boolean runAsUserName: - description: The UserName in Windows to run the entrypoint - of the container process. Defaults to the user specified - in image metadata if unspecified. May also be set - in PodSecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in SecurityContext - takes precedence. type: string type: object type: object serviceAccount: - description: 'DeprecatedServiceAccount is a depreciated alias - for ServiceAccountName. Deprecated: Use serviceAccountName - instead.' 
type: string serviceAccountName: - description: 'ServiceAccountName is the name of the ServiceAccount - to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' type: string setHostnameAsFQDN: - description: If true the pod's hostname will be configured - as the pod's FQDN, rather than the leaf name (the default). - In Linux containers, this means setting the FQDN in the - hostname field of the kernel (the nodename field of struct - utsname). In Windows containers, this means setting the - registry value of hostname for the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters - to FQDN. If a pod does not have FQDN, this has no effect. - Default to false. type: boolean shareProcessNamespace: - description: 'Share a single process namespace between all - of the containers in a pod. When this is set containers - will be able to view and signal processes from other containers - in the same pod, and the first process in each container - will not be assigned PID 1. HostPID and ShareProcessNamespace - cannot both be set. Optional: Default to false.' type: boolean subdomain: - description: If specified, the fully qualified Pod hostname - will be "...svc.". If not specified, the pod will not have a domainname - at all. type: string terminationGracePeriodSeconds: - description: Optional duration in seconds the pod needs to - terminate gracefully. May be decreased in delete request. - Value must be non-negative integer. The value zero indicates - stop immediately via the kill signal (no opportunity to - shut down). If this value is nil, the default grace period - will be used instead. The grace period is the duration in - seconds after the processes running in the pod are sent - a termination signal and the time when the processes are - forcibly halted with a kill signal. Set this value longer - than the expected cleanup time for your process. Defaults - to 30 seconds. 
format: int64 type: integer tolerations: - description: If specified, the pod's tolerations. items: - description: The pod this Toleration is attached to tolerates - any taint that matches the triple using - the matching operator . properties: effect: - description: Effect indicates the taint effect to match. - Empty means match all taint effects. When specified, - allowed values are NoSchedule, PreferNoSchedule and - NoExecute. type: string key: - description: Key is the taint key that the toleration - applies to. Empty means match all taint keys. If the - key is empty, operator must be Exists; this combination - means to match all values and all keys. type: string operator: - description: Operator represents a key's relationship - to the value. Valid operators are Exists and Equal. - Defaults to Equal. Exists is equivalent to wildcard - for value, so that a pod can tolerate all taints of - a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period - of time the toleration (which must be of effect NoExecute, - otherwise this field is ignored) tolerates the taint. - By default, it is not set, which means tolerate the - taint forever (do not evict). Zero and negative values - will be treated as 0 (evict immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration - matches to. If the operator is Exists, the value should - be empty, otherwise just a regular string. type: string type: object type: array topologySpreadConstraints: - description: TopologySpreadConstraints describes how a group - of pods ought to spread across topology domains. Scheduler - will schedule pods in a way which abides by the constraints. - All topologySpreadConstraints are ANDed. items: - description: TopologySpreadConstraint specifies how to spread - matching pods among the given topology. properties: labelSelector: - description: LabelSelector is used to find matching - pods. 
Pods that match this label selector are counted - to determine the number of pods in their corresponding - topology domain. properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. properties: key: - description: key is the label key that the - selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. items: type: string type: array 
@@ -19709,59 +8621,14 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. type: object type: object maxSkew: - description: 'MaxSkew describes the degree to which - pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, - it is the maximum permitted difference between the - number of matching pods in the target topology and - the global minimum. For example, in a 3-zone cluster, - MaxSkew is set to 1, and pods with the same labelSelector - spread as 1/1/0: | zone1 | zone2 | zone3 | | P | P | | - - if MaxSkew is 1, incoming pod can only be scheduled - to zone3 to become 1/1/1; scheduling it onto zone1(zone2) - would make the ActualSkew(2-0) on zone1(zone2) violate - MaxSkew(1). - if MaxSkew is 2, incoming pod can be - scheduled onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, - it is used to give higher precedence to topologies - that satisfy it. It''s a required field. Default value - is 1 and 0 is not allowed.' format: int32 type: integer topologyKey: - description: TopologyKey is the key of node labels. - Nodes that have a label with this key and identical - values are considered to be in the same topology. - We consider each as a "bucket", and try - to put balanced number of pods into each bucket. It's - a required field. type: string whenUnsatisfiable: - description: 'WhenUnsatisfiable indicates how to deal - with a pod if it doesn''t satisfy the spread constraint. - - DoNotSchedule (default) tells the scheduler not - to schedule it. - ScheduleAnyway tells the scheduler - to schedule the pod in any location, but giving higher - precedence to topologies that would help reduce the - skew. 
A constraint is considered "Unsatisfiable" for - an incoming pod if and only if every possible node - assignment for that pod would violate "MaxSkew" on - some topology. For example, in a 3-zone cluster, MaxSkew - is set to 1, and pods with the same labelSelector - spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P - | P | P | If WhenUnsatisfiable is set to DoNotSchedule, - incoming pod can only be scheduled to zone2(zone3) - to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) - satisfies MaxSkew(1). In other words, the cluster - can still be imbalanced, but scheduler won''t make - it *more* imbalanced. It''s a required field.' type: string required: - maxSkew 
@@ -19774,233 +8641,104 @@ spec: - whenUnsatisfiable x-kubernetes-list-type: map volumes: - description: 'List of volumes that can be mounted by containers - belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes' items: - description: Volume represents a named volume in a pod that - may be accessed by any container in the pod. properties: awsElasticBlockStore: - description: 'AWSElasticBlockStore represents an AWS - Disk resource that is attached to a kubelet''s host - machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' properties: fsType: - description: 'Filesystem type of the volume that - you want to mount. Tip: Ensure that the filesystem - type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - TODO: how do we prevent errors in the filesystem - from compromising the machine' type: string partition: - description: 'The partition in the volume that you - want to mount. If omitted, the default is to mount - by volume name. Examples: For volume /dev/sda1, - you specify the partition as "1". Similarly, the - volume partition for /dev/sda is "0" (or you can - leave the property empty).' format: int32 type: integer readOnly: - description: 'Specify "true" to force and set the - ReadOnly property in VolumeMounts to "true". If - omitted, the default is "false". More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' type: boolean volumeID: - description: 'Unique ID of the persistent disk resource - in AWS (Amazon EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' type: string required: - volumeID type: object azureDisk: - description: AzureDisk represents an Azure Data Disk - mount on the host and bind mount to the pod. 
properties: cachingMode: - description: 'Host Caching mode: None, Read Only, - Read Write.' type: string diskName: - description: The Name of the data disk in the blob - storage type: string diskURI: - description: The URI the data disk in the blob storage type: string fsType: - description: Filesystem type to mount. Must be a - filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly - inferred to be "ext4" if unspecified. type: string kind: - description: 'Expected values Shared: multiple blob - disks per storage account Dedicated: single blob - disk per storage account Managed: azure managed - data disk (only in managed availability set). - defaults to shared' type: string readOnly: - description: Defaults to false (read/write). ReadOnly - here will force the ReadOnly setting in VolumeMounts. type: boolean required: - diskName - diskURI type: object azureFile: - description: AzureFile represents an Azure File Service - mount on the host and bind mount to the pod. properties: readOnly: - description: Defaults to false (read/write). ReadOnly - here will force the ReadOnly setting in VolumeMounts. type: boolean secretName: - description: the name of secret that contains Azure - Storage Account Name and Key type: string shareName: - description: Share Name type: string required: - secretName - shareName type: object cephfs: - description: CephFS represents a Ceph FS mount on the - host that shares a pod's lifetime properties: monitors: - description: 'Required: Monitors is a collection - of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' items: type: string type: array path: - description: 'Optional: Used as the mounted root, - rather than the full Ceph tree, default is /' type: string readOnly: - description: 'Optional: Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting - in VolumeMounts. 
More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: boolean secretFile: - description: 'Optional: SecretFile is the path to - key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: string secretRef: - description: 'Optional: SecretRef is reference to - the authentication secret for User, default is - empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string type: object user: - description: 'Optional: User is the rados user name, - default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: string required: - monitors type: object cinder: - description: 'Cinder represents a cinder volume attached - and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' properties: fsType: - description: 'Filesystem type to mount. Must be - a filesystem type supported by the host operating - system. Examples: "ext4", "xfs", "ntfs". Implicitly - inferred to be "ext4" if unspecified. More info: - https://examples.k8s.io/mysql-cinder-pd/README.md' type: string readOnly: - description: 'Optional: Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting - in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' type: boolean secretRef: - description: 'Optional: points to a secret object - containing parameters used to connect to OpenStack.' properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' 
type: string type: object volumeID: - description: 'volume id used to identify the volume - in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' type: string required: - volumeID type: object configMap: - description: ConfigMap represents a configMap that should - populate this volume properties: defaultMode: - description: 'Optional: mode bits used to set permissions - on created files by default. Must be an octal - value between 0000 and 0777 or a decimal value - between 0 and 511. YAML accepts both octal and - decimal values, JSON requires decimal values for - mode bits. Defaults to 0644. Directories within - the path are not affected by this setting. This - might be in conflict with other options that affect - the file mode, like fsGroup, and the result can - be other mode bits set.' format: int32 type: integer items: - description: If unspecified, each key-value pair - in the Data field of the referenced ConfigMap - will be projected into the volume as a file whose - name is the key and content is the value. If specified, - the listed keys will be projected into the specified - paths, and unlisted keys will not be present. - If a key is specified which is not present in - the ConfigMap, the volume setup will error unless - it is marked optional. Paths must be relative - and may not contain the '..' path or start with - '..'. items: - description: Maps a string key to a path within - a volume. properties: key: - description: The key to project. type: string mode: - description: 'Optional: mode bits used to - set permissions on this file. Must be an - octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both - octal and decimal values, JSON requires - decimal values for mode bits. If not specified, - the volume defaultMode will be used. This - might be in conflict with other options - that affect the file mode, like fsGroup, - and the result can be other mode bits set.' 
format: int32 type: integer path: - description: The relative path of the file - to map the key to. May not be an absolute - path. May not contain the path element '..'. - May not start with the string '..'. type: string required: - key 
@@ -20008,147 +8746,63 @@ spec: type: object type: array name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' type: string optional: - description: Specify whether the ConfigMap or its - keys must be defined type: boolean type: object csi: - description: CSI (Container Storage Interface) represents - ephemeral storage that is handled by certain external - CSI drivers (Beta feature). properties: driver: - description: Driver is the name of the CSI driver - that handles this volume. Consult with your admin - for the correct name as registered in the cluster. type: string fsType: - description: Filesystem type to mount. Ex. "ext4", - "xfs", "ntfs". If not provided, the empty value - is passed to the associated CSI driver which will - determine the default filesystem to apply. type: string nodePublishSecretRef: - description: NodePublishSecretRef is a reference - to the secret object containing sensitive information - to pass to the CSI driver to complete the CSI - NodePublishVolume and NodeUnpublishVolume calls. - This field is optional, and may be empty if no - secret is required. If the secret object contains - more than one secret, all secret references are - passed. properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string type: object readOnly: - description: Specifies a read-only configuration - for the volume. Defaults to false (read/write). type: boolean volumeAttributes: additionalProperties: type: string - description: VolumeAttributes stores driver-specific - properties that are passed to the CSI driver. - Consult your driver's documentation for supported - values. 
type: object required: - driver type: object downwardAPI: - description: DownwardAPI represents downward API about - the pod that should populate this volume properties: defaultMode: - description: 'Optional: mode bits to use on created - files by default. Must be a Optional: mode bits - used to set permissions on created files by default. - Must be an octal value between 0000 and 0777 or - a decimal value between 0 and 511. YAML accepts - both octal and decimal values, JSON requires decimal - values for mode bits. Defaults to 0644. Directories - within the path are not affected by this setting. - This might be in conflict with other options that - affect the file mode, like fsGroup, and the result - can be other mode bits set.' format: int32 type: integer items: - description: Items is a list of downward API volume - file items: - description: DownwardAPIVolumeFile represents - information to create the file containing the - pod field properties: fieldRef: - description: 'Required: Selects a field of - the pod: only annotations, labels, name - and namespace are supported.' properties: apiVersion: - description: Version of the schema the - FieldPath is written in terms of, defaults - to "v1". type: string fieldPath: - description: Path of the field to select - in the specified API version. type: string required: - fieldPath type: object mode: - description: 'Optional: mode bits used to - set permissions on this file, must be an - octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both - octal and decimal values, JSON requires - decimal values for mode bits. If not specified, - the volume defaultMode will be used. This - might be in conflict with other options - that affect the file mode, like fsGroup, - and the result can be other mode bits set.' format: int32 type: integer path: - description: 'Required: Path is the relative - path name of the file to be created. Must - not be absolute or contain the ''..'' path. 
- Must be utf-8 encoded. The first item of - the relative path must not start with ''..''' type: string resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, requests.cpu and requests.memory) - are currently supported.' properties: containerName: - description: 'Container name: required - for volumes, optional for env vars' type: string divisor: anyOf: - type: integer - type: string - description: Specifies the output format - of the exposed resources, defaults to - "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: - description: 'Required: resource to select' type: string required: - resource 
@@ -20159,190 +8813,53 @@ spec: type: array type: object emptyDir: - description: 'EmptyDir represents a temporary directory - that shares a pod''s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' properties: medium: - description: 'What type of storage medium should - back this directory. The default is "" which means - to use the node''s default medium. Must be an - empty string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' type: string sizeLimit: anyOf: - type: integer - type: string - description: 'Total amount of local storage required - for this EmptyDir volume. The size limit is also - applicable for memory medium. The maximum usage - on memory medium EmptyDir would be the minimum - value between the SizeLimit specified here and - the sum of memory limits of all containers in - a pod. The default is nil which means that the - limit is undefined. More info: http://kubernetes.io/docs/user-guide/volumes#emptydir' pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object ephemeral: - description: "Ephemeral represents a volume that is - handled by a cluster storage driver. The volume's - lifecycle is tied to the pod that defines it - it - will be created before the pod starts, and deleted - when the pod is removed. \n Use this if: a) the volume - is only needed while the pod runs, b) features of - normal volumes like restoring from snapshot or capacity - tracking are needed, c) the storage driver is specified - through a storage class, and d) the storage driver - supports dynamic volume provisioning through a PersistentVolumeClaim - (see EphemeralVolumeSource for more information on - the connection between this volume type and PersistentVolumeClaim). 
- \n Use PersistentVolumeClaim or one of the vendor-specific - APIs for volumes that persist for longer than the - lifecycle of an individual pod. \n Use CSI for light-weight - local ephemeral volumes if the CSI driver is meant - to be used that way - see the documentation of the - driver for more information. \n A pod can use both - types of ephemeral volumes and persistent volumes - at the same time." properties: volumeClaimTemplate: - description: "Will be used to create a stand-alone - PVC to provision the volume. The pod in which - this EphemeralVolumeSource is embedded will be - the owner of the PVC, i.e. the PVC will be deleted - together with the pod. The name of the PVC will - be `-` where `` - is the name from the `PodSpec.Volumes` array entry. - Pod validation will reject the pod if the concatenated - name is not valid for a PVC (for example, too - long). \n An existing PVC with that name that - is not owned by the pod will *not* be used for - the pod to avoid using an unrelated volume by - mistake. Starting the pod is then blocked until - the unrelated PVC is removed. If such a pre-created - PVC is meant to be used by the pod, the PVC has - to updated with an owner reference to the pod - once the pod exists. Normally this should not - be necessary, but it may be useful when manually - reconstructing a broken cluster. \n This field - is read-only and no changes will be made by Kubernetes - to the PVC after it has been created. \n Required, - must not be nil." properties: metadata: - description: May contain labels and annotations - that will be copied into the PVC when creating - it. No other fields are allowed and will be - rejected during validation. type: object spec: - description: The specification for the PersistentVolumeClaim. - The entire content is copied unchanged into - the PVC that gets created from this template. - The same fields as in a PersistentVolumeClaim - are also valid here. 
properties: accessModes: - description: 'AccessModes contains the desired - access modes the volume should have. More - info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' items: type: string type: array dataSource: - description: 'This field can be used to - specify either: * An existing VolumeSnapshot - object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) - If the provisioner or an external controller - can support the specified data source, - it will create a new volume based on the - contents of the specified data source. - If the AnyVolumeDataSource feature gate - is enabled, this field will always have - the same contents as the DataSourceRef - field.' properties: apiGroup: - description: APIGroup is the group for - the resource being referenced. If - APIGroup is not specified, the specified - Kind must be in the core API group. - For any other third-party types, APIGroup - is required. type: string kind: - description: Kind is the type of resource - being referenced type: string name: - description: Name is the name of resource - being referenced type: string required: - kind - name type: object dataSourceRef: - description: 'Specifies the object from - which to populate the volume with data, - if a non-empty volume is desired. This - may be any local object from a non-empty - API group (non core object) or a PersistentVolumeClaim - object. When this field is specified, - volume binding will only succeed if the - type of the specified object matches some - installed volume populator or dynamic - provisioner. This field will replace the - functionality of the DataSource field - and as such if both fields are non-empty, - they must have the same value. For backwards - compatibility, both fields (DataSource - and DataSourceRef) will be set to the - same value automatically if one of them - is empty and the other is non-empty. 
There - are two important differences between - DataSource and DataSourceRef: * While - DataSource only allows two specific types - of objects, DataSourceRef allows any non-core - object, as well as PersistentVolumeClaim - objects. * While DataSource ignores disallowed - values (dropping them), DataSourceRef - preserves all values, and generates an - error if a disallowed value is specified. - (Alpha) Using this field requires the - AnyVolumeDataSource feature gate to be - enabled.' properties: apiGroup: - description: APIGroup is the group for - the resource being referenced. If - APIGroup is not specified, the specified - Kind must be in the core API group. - For any other third-party types, APIGroup - is required. type: string kind: - description: Kind is the type of resource - being referenced type: string name: - description: Name is the name of resource - being referenced type: string required: - kind - name type: object resources: - description: 'Resources represents the minimum - resources the volume should have. If RecoverVolumeExpansionFailure - feature is enabled users are allowed to - specify resource requirements that are - lower than previous value but must still - be higher than capacity recorded in the - status field of the claim. More info: - https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' properties: limits: additionalProperties: @@ -20351,9 +8868,6 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum - amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: 
@@ -20362,49 +8876,18 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the - minimum amount of compute resources - required. If Requests is omitted for - a container, it defaults to Limits - if that is explicitly specified, otherwise - to an implementation-defined value. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object selector: - description: A label query over volumes - to consider for binding. properties: matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. properties: key: - description: key is the label - key that the selector applies - to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. - This array is replaced during - a strategic merge patch. items: type: string type: array 
@@ -20416,29 +8899,13 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of - {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent - to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are - ANDed. type: object type: object storageClassName: - description: 'Name of the StorageClass required - by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' type: string volumeMode: - description: volumeMode defines what type - of volume is required by the claim. Value - of Filesystem is implied when not included - in claim spec. type: string volumeName: - description: VolumeName is the binding reference - to the PersistentVolume backing this claim. type: string type: object required: 
@@ -20446,272 +8913,125 @@ spec: type: object type: object fc: - description: FC represents a Fibre Channel resource - that is attached to a kubelet's host machine and then - exposed to the pod. properties: fsType: - description: 'Filesystem type to mount. Must be - a filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly - inferred to be "ext4" if unspecified. TODO: how - do we prevent errors in the filesystem from compromising - the machine' type: string lun: - description: 'Optional: FC target lun number' format: int32 type: integer readOnly: - description: 'Optional: Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting - in VolumeMounts.' type: boolean targetWWNs: - description: 'Optional: FC target worldwide names - (WWNs)' items: type: string type: array wwids: - description: 'Optional: FC volume world wide identifiers - (wwids) Either wwids or combination of targetWWNs - and lun must be set, but not both simultaneously.' items: type: string type: array type: object flexVolume: - description: FlexVolume represents a generic volume - resource that is provisioned/attached using an exec - based plugin. properties: driver: - description: Driver is the name of the driver to - use for this volume. type: string fsType: - description: Filesystem type to mount. Must be a - filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". The default - filesystem depends on FlexVolume script. type: string options: additionalProperties: type: string - description: 'Optional: Extra command options if - any.' type: object readOnly: - description: 'Optional: Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting - in VolumeMounts.' type: boolean secretRef: - description: 'Optional: SecretRef is reference to - the secret object containing sensitive information - to pass to the plugin scripts. This may be empty - if no secret object is specified. 
If the secret - object contains more than one secret, all secrets - are passed to the plugin scripts.' properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string type: object required: - driver type: object flocker: - description: Flocker represents a Flocker volume attached - to a kubelet's host machine. This depends on the Flocker - control service being running properties: datasetName: - description: Name of the dataset stored as metadata - -> name on the dataset for Flocker should be considered - as deprecated type: string datasetUUID: - description: UUID of the dataset. This is unique - identifier of a Flocker dataset type: string type: object gcePersistentDisk: - description: 'GCEPersistentDisk represents a GCE Disk - resource that is attached to a kubelet''s host machine - and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' properties: fsType: - description: 'Filesystem type of the volume that - you want to mount. Tip: Ensure that the filesystem - type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - TODO: how do we prevent errors in the filesystem - from compromising the machine' type: string partition: - description: 'The partition in the volume that you - want to mount. If omitted, the default is to mount - by volume name. Examples: For volume /dev/sda1, - you specify the partition as "1". Similarly, the - volume partition for /dev/sda is "0" (or you can - leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' format: int32 type: integer pdName: - description: 'Unique name of the PD resource in - GCE. 
Used to identify the disk in GCE. More info: - https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' type: string readOnly: - description: 'ReadOnly here will force the ReadOnly - setting in VolumeMounts. Defaults to false. More - info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' type: boolean required: - pdName type: object gitRepo: - description: 'GitRepo represents a git repository at - a particular revision. DEPRECATED: GitRepo is deprecated. - To provision a container with a git repo, mount an - EmptyDir into an InitContainer that clones the repo - using git, then mount the EmptyDir into the Pod''s - container.' properties: directory: - description: Target directory name. Must not contain - or start with '..'. If '.' is supplied, the volume - directory will be the git repository. Otherwise, - if specified, the volume will contain the git - repository in the subdirectory with the given - name. type: string repository: - description: Repository URL type: string revision: - description: Commit hash for the specified revision. type: string required: - repository type: object glusterfs: - description: 'Glusterfs represents a Glusterfs mount - on the host that shares a pod''s lifetime. More info: - https://examples.k8s.io/volumes/glusterfs/README.md' properties: endpoints: - description: 'EndpointsName is the endpoint name - that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' type: string path: - description: 'Path is the Glusterfs volume path. - More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' type: string readOnly: - description: 'ReadOnly here will force the Glusterfs - volume to be mounted with read-only permissions. - Defaults to false. 
More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' type: boolean required: - endpoints - path type: object hostPath: - description: 'HostPath represents a pre-existing file - or directory on the host machine that is directly - exposed to the container. This is generally used for - system agents or other privileged things that are - allowed to see the host machine. Most containers will - NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - --- TODO(jonesdl) We need to restrict who can use - host directory mounts and who can/can not mount host - directories as read/write.' properties: path: - description: 'Path of the directory on the host. - If the path is a symlink, it will follow the link - to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' type: string type: - description: 'Type for HostPath Volume Defaults - to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' type: string required: - path type: object iscsi: - description: 'ISCSI represents an ISCSI Disk resource - that is attached to a kubelet''s host machine and - then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' properties: chapAuthDiscovery: - description: whether support iSCSI Discovery CHAP - authentication type: boolean chapAuthSession: - description: whether support iSCSI Session CHAP - authentication type: boolean fsType: - description: 'Filesystem type of the volume that - you want to mount. Tip: Ensure that the filesystem - type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - TODO: how do we prevent errors in the filesystem - from compromising the machine' type: string initiatorName: - description: Custom iSCSI Initiator Name. 
If initiatorName - is specified with iscsiInterface simultaneously, - new iSCSI interface : - will be created for the connection. type: string iqn: - description: Target iSCSI Qualified Name. type: string iscsiInterface: - description: iSCSI Interface Name that uses an iSCSI - transport. Defaults to 'default' (tcp). type: string lun: - description: iSCSI Target Lun number. format: int32 type: integer portals: - description: iSCSI Target Portal List. The portal - is either an IP or ip_addr:port if the port is - other than default (typically TCP ports 860 and - 3260). items: type: string type: array readOnly: - description: ReadOnly here will force the ReadOnly - setting in VolumeMounts. Defaults to false. type: boolean secretRef: - description: CHAP Secret for iSCSI target and initiator - authentication properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string type: object targetPortal: - description: iSCSI Target Portal. The Portal is - either an IP or ip_addr:port if the port is other - than default (typically TCP ports 860 and 3260). type: string required: - iqn 
@@ -20719,158 +9039,67 @@ spec: - targetPortal type: object name: - description: 'Volume''s name. Must be a DNS_LABEL and - unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string nfs: - description: 'NFS represents an NFS mount on the host - that shares a pod''s lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' properties: path: - description: 'Path that is exported by the NFS server. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: string readOnly: - description: 'ReadOnly here will force the NFS export - to be mounted with read-only permissions. Defaults - to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: boolean server: - description: 'Server is the hostname or IP address - of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: string required: - path - server type: object persistentVolumeClaim: - description: 'PersistentVolumeClaimVolumeSource represents - a reference to a PersistentVolumeClaim in the same - namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' properties: claimName: - description: 'ClaimName is the name of a PersistentVolumeClaim - in the same namespace as the pod using this volume. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' type: string readOnly: - description: Will force the ReadOnly setting in - VolumeMounts. Default false. type: boolean required: - claimName type: object photonPersistentDisk: - description: PhotonPersistentDisk represents a PhotonController - persistent disk attached and mounted on kubelets host - machine properties: fsType: - description: Filesystem type to mount. Must be a - filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly - inferred to be "ext4" if unspecified. 
type: string pdID: - description: ID that identifies Photon Controller - persistent disk type: string required: - pdID type: object portworxVolume: - description: PortworxVolume represents a portworx volume - attached and mounted on kubelets host machine properties: fsType: - description: FSType represents the filesystem type - to mount Must be a filesystem type supported by - the host operating system. Ex. "ext4", "xfs". - Implicitly inferred to be "ext4" if unspecified. type: string readOnly: - description: Defaults to false (read/write). ReadOnly - here will force the ReadOnly setting in VolumeMounts. type: boolean volumeID: - description: VolumeID uniquely identifies a Portworx - volume type: string required: - volumeID type: object projected: - description: Items for all in one resources secrets, - configmaps, and downward API properties: defaultMode: - description: Mode bits used to set permissions on - created files by default. Must be an octal value - between 0000 and 0777 or a decimal value between - 0 and 511. YAML accepts both octal and decimal - values, JSON requires decimal values for mode - bits. Directories within the path are not affected - by this setting. This might be in conflict with - other options that affect the file mode, like - fsGroup, and the result can be other mode bits - set. format: int32 type: integer sources: - description: list of volume projections items: - description: Projection that may be projected - along with other supported volume types properties: configMap: - description: information about the configMap - data to project properties: items: - description: If unspecified, each key-value - pair in the Data field of the referenced - ConfigMap will be projected into the - volume as a file whose name is the key - and content is the value. If specified, - the listed keys will be projected into - the specified paths, and unlisted keys - will not be present. 
If a key is specified - which is not present in the ConfigMap, - the volume setup will error unless it - is marked optional. Paths must be relative - and may not contain the '..' path or - start with '..'. items: - description: Maps a string key to a - path within a volume. properties: key: - description: The key to project. type: string mode: - description: 'Optional: mode bits - used to set permissions on this - file. Must be an octal value between - 0000 and 0777 or a decimal value - between 0 and 511. YAML accepts - both octal and decimal values, - JSON requires decimal values for - mode bits. If not specified, the - volume defaultMode will be used. - This might be in conflict with - other options that affect the - file mode, like fsGroup, and the - result can be other mode bits - set.' format: int32 type: integer path: - description: The relative path of - the file to map the key to. May - not be an absolute path. May not - contain the path element '..'. - May not start with the string - '..'. type: string required: - key 
@@ -20878,98 +9107,40 @@ spec: type: object type: array name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the ConfigMap - or its keys must be defined type: boolean type: object downwardAPI: - description: information about the downwardAPI - data to project properties: items: - description: Items is a list of DownwardAPIVolume - file items: - description: DownwardAPIVolumeFile represents - information to create the file containing - the pod field properties: fieldRef: - description: 'Required: Selects - a field of the pod: only annotations, - labels, name and namespace are - supported.' properties: apiVersion: - description: Version of the - schema the FieldPath is written - in terms of, defaults to "v1". type: string fieldPath: - description: Path of the field - to select in the specified - API version. type: string required: - fieldPath type: object mode: - description: 'Optional: mode bits - used to set permissions on this - file, must be an octal value between - 0000 and 0777 or a decimal value - between 0 and 511. YAML accepts - both octal and decimal values, - JSON requires decimal values for - mode bits. If not specified, the - volume defaultMode will be used. - This might be in conflict with - other options that affect the - file mode, like fsGroup, and the - result can be other mode bits - set.' format: int32 type: integer path: - description: 'Required: Path is the - relative path name of the file - to be created. Must not be absolute - or contain the ''..'' path. Must - be utf-8 encoded. 
The first item - of the relative path must not - start with ''..''' type: string resourceFieldRef: - description: 'Selects a resource - of the container: only resources - limits and requests (limits.cpu, - limits.memory, requests.cpu and - requests.memory) are currently - supported.' properties: containerName: - description: 'Container name: - required for volumes, optional - for env vars' type: string divisor: anyOf: - type: integer - type: string - description: Specifies the output - format of the exposed resources, - defaults to "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: - description: 'Required: resource - to select' type: string required: - resource 
@@ -20980,54 +9151,16 @@ spec: type: array type: object secret: - description: information about the secret - data to project properties: items: - description: If unspecified, each key-value - pair in the Data field of the referenced - Secret will be projected into the volume - as a file whose name is the key and - content is the value. If specified, - the listed keys will be projected into - the specified paths, and unlisted keys - will not be present. If a key is specified - which is not present in the Secret, - the volume setup will error unless it - is marked optional. Paths must be relative - and may not contain the '..' path or - start with '..'. items: - description: Maps a string key to a - path within a volume. properties: key: - description: The key to project. type: string mode: - description: 'Optional: mode bits - used to set permissions on this - file. Must be an octal value between - 0000 and 0777 or a decimal value - between 0 and 511. YAML accepts - both octal and decimal values, - JSON requires decimal values for - mode bits. If not specified, the - volume defaultMode will be used. - This might be in conflict with - other options that affect the - file mode, like fsGroup, and the - result can be other mode bits - set.' format: int32 type: integer path: - description: The relative path of - the file to map the key to. May - not be an absolute path. May not - contain the path element '..'. - May not start with the string - '..'. type: string required: - key 
@@ -21035,47 +9168,18 @@ spec: type: object type: array name: - description: 'Name of the referent. More - info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string optional: - description: Specify whether the Secret - or its key must be defined type: boolean type: object serviceAccountToken: - description: information about the serviceAccountToken - data to project properties: audience: - description: Audience is the intended - audience of the token. A recipient of - a token must identify itself with an - identifier specified in the audience - of the token, and otherwise should reject - the token. The audience defaults to - the identifier of the apiserver. type: string expirationSeconds: - description: ExpirationSeconds is the - requested duration of validity of the - service account token. As the token - approaches expiration, the kubelet volume - plugin will proactively rotate the service - account token. The kubelet will start - trying to rotate the token if the token - is older than 80 percent of its time - to live or if the token is older than - 24 hours.Defaults to 1 hour and must - be at least 10 minutes. format: int64 type: integer path: - description: Path is the path relative - to the mount point of the file to project - the token into. type: string required: - path 
@@ -21084,155 +9188,74 @@ spec: type: array type: object quobyte: - description: Quobyte represents a Quobyte mount on the - host that shares a pod's lifetime properties: group: - description: Group to map volume access to Default - is no group type: string readOnly: - description: ReadOnly here will force the Quobyte - volume to be mounted with read-only permissions. - Defaults to false. type: boolean registry: - description: Registry represents a single or multiple - Quobyte Registry services specified as a string - as host:port pair (multiple entries are separated - with commas) which acts as the central registry - for volumes type: string tenant: - description: Tenant owning the given Quobyte volume - in the Backend Used with dynamically provisioned - Quobyte volumes, value is set by the plugin type: string user: - description: User to map volume access to Defaults - to serivceaccount user type: string volume: - description: Volume is a string that references - an already created Quobyte volume by name. type: string required: - registry - volume type: object rbd: - description: 'RBD represents a Rados Block Device mount - on the host that shares a pod''s lifetime. More info: - https://examples.k8s.io/volumes/rbd/README.md' properties: fsType: - description: 'Filesystem type of the volume that - you want to mount. Tip: Ensure that the filesystem - type is supported by the host operating system. - Examples: "ext4", "xfs", "ntfs". Implicitly inferred - to be "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - TODO: how do we prevent errors in the filesystem - from compromising the machine' type: string image: - description: 'The rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string keyring: - description: 'Keyring is the path to key ring for - RBDUser. Default is /etc/ceph/keyring. 
More info: - https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string monitors: - description: 'A collection of Ceph monitors. More - info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' items: type: string type: array pool: - description: 'The rados pool name. Default is rbd. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string readOnly: - description: 'ReadOnly here will force the ReadOnly - setting in VolumeMounts. Defaults to false. More - info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: boolean secretRef: - description: 'SecretRef is name of the authentication - secret for RBDUser. If provided overrides keyring. - Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string type: object user: - description: 'The rados user name. Default is admin. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string required: - image - monitors type: object scaleIO: - description: ScaleIO represents a ScaleIO persistent - volume attached and mounted on Kubernetes nodes. properties: fsType: - description: Filesystem type to mount. Must be a - filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Default is - "xfs". type: string gateway: - description: The host address of the ScaleIO API - Gateway. type: string protectionDomain: - description: The name of the ScaleIO Protection - Domain for the configured storage. type: string readOnly: - description: Defaults to false (read/write). ReadOnly - here will force the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: SecretRef references to the secret - for ScaleIO user and other sensitive information. 
- If this is not provided, Login operation will - fail. properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string type: object sslEnabled: - description: Flag to enable/disable SSL communication - with Gateway, default false type: boolean storageMode: - description: Indicates whether the storage for a - volume should be ThickProvisioned or ThinProvisioned. - Default is ThinProvisioned. type: string storagePool: - description: The ScaleIO Storage Pool associated - with the protection domain. type: string system: - description: The name of the storage system as configured - in ScaleIO. type: string volumeName: - description: The name of a volume already created - in the ScaleIO system that is associated with - this volume source. type: string required: - gateway 
@@ -21240,59 +9263,19 @@ spec: - system type: object secret: - description: 'Secret represents a secret that should - populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' properties: defaultMode: - description: 'Optional: mode bits used to set permissions - on created files by default. Must be an octal - value between 0000 and 0777 or a decimal value - between 0 and 511. YAML accepts both octal and - decimal values, JSON requires decimal values for - mode bits. Defaults to 0644. Directories within - the path are not affected by this setting. This - might be in conflict with other options that affect - the file mode, like fsGroup, and the result can - be other mode bits set.' format: int32 type: integer items: - description: If unspecified, each key-value pair - in the Data field of the referenced Secret will - be projected into the volume as a file whose name - is the key and content is the value. If specified, - the listed keys will be projected into the specified - paths, and unlisted keys will not be present. - If a key is specified which is not present in - the Secret, the volume setup will error unless - it is marked optional. Paths must be relative - and may not contain the '..' path or start with - '..'. items: - description: Maps a string key to a path within - a volume. properties: key: - description: The key to project. type: string mode: - description: 'Optional: mode bits used to - set permissions on this file. Must be an - octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both - octal and decimal values, JSON requires - decimal values for mode bits. If not specified, - the volume defaultMode will be used. This - might be in conflict with other options - that affect the file mode, like fsGroup, - and the result can be other mode bits set.' format: int32 type: integer path: - description: The relative path of the file - to map the key to. May not be an absolute - path. 
May not contain the path element '..'. - May not start with the string '..'. type: string required: - key 
@@ -21300,78 +9283,35 @@ spec: type: object type: array optional: - description: Specify whether the Secret or its keys - must be defined type: boolean secretName: - description: 'Name of the secret in the pod''s namespace - to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' type: string type: object storageos: - description: StorageOS represents a StorageOS volume - attached and mounted on Kubernetes nodes. properties: fsType: - description: Filesystem type to mount. Must be a - filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly - inferred to be "ext4" if unspecified. type: string readOnly: - description: Defaults to false (read/write). ReadOnly - here will force the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: SecretRef specifies the secret to use - for obtaining the StorageOS API credentials. If - not specified, default values will be attempted. properties: name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, - kind, uid?' type: string type: object volumeName: - description: VolumeName is the human-readable name - of the StorageOS volume. Volume names are only - unique within a namespace. type: string volumeNamespace: - description: VolumeNamespace specifies the scope - of the volume within StorageOS. If no namespace - is specified then the Pod's namespace will be - used. This allows the Kubernetes name scoping - to be mirrored within StorageOS for tighter integration. - Set VolumeName to any name to override the default - behaviour. Set to "default" if you are not using - namespaces within StorageOS. Namespaces that do - not pre-exist within StorageOS will be created. 
type: string type: object vsphereVolume: - description: VsphereVolume represents a vSphere volume - attached and mounted on kubelets host machine properties: fsType: - description: Filesystem type to mount. Must be a - filesystem type supported by the host operating - system. Ex. "ext4", "xfs", "ntfs". Implicitly - inferred to be "ext4" if unspecified. type: string storagePolicyID: - description: Storage Policy Based Management (SPBM) - profile ID associated with the StoragePolicyName. type: string storagePolicyName: - description: Storage Policy Based Management (SPBM) - profile name. type: string volumePath: - description: Path that identifies vSphere volume - vmdk type: string required: - volumePath 
@@ -21386,93 +9326,69 @@ spec: type: object type: object status: - description: NotebookStatus defines the observed state of Notebook properties: conditions: - description: Conditions is an array of current conditions items: properties: lastProbeTime: - description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: format: date-time type: string message: - description: Message regarding why the container is in the current - state. type: string reason: - description: (brief) reason the container is in the current - state + type: string + status: type: string type: - description: Type is the type of the condition. Possible values - are Running|Waiting|Terminated type: string required: + - status - type type: object type: array containerState: - description: ContainerState is the state of underlying container. properties: running: - description: Details about a running container properties: startedAt: - description: Time at which the container was last (re-)started format: date-time type: string type: object terminated: - description: Details about a terminated container properties: containerID: - description: Container's ID in the format 'docker://' type: string exitCode: - description: Exit status from the last termination of the - container format: int32 type: integer finishedAt: - description: Time at which the container last terminated format: date-time type: string message: - description: Message regarding the last termination of the - container type: string reason: - description: (brief) reason from the last termination of the - container type: string signal: - description: Signal from the last termination of the container format: int32 type: integer startedAt: - description: Time at which previous execution of the container - started format: date-time type: string required: - exitCode type: object waiting: - description: Details about a waiting container properties: message: - description: Message regarding why the 
container is not yet - running. type: string reason: - description: (brief) reason the container is not yet running. type: string type: object type: object readyReplicas: - description: ReadyReplicas is the number of Pods created by the StatefulSet - controller that have a Ready Condition. format: int32 type: integer required: diff --git a/kubeflow/helm/notebooks/crds/poddefaults_crd.yaml b/kubeflow/helm/notebooks/crds/poddefaults_crd.yaml index 88e304a64..b719b5d70 100644 --- a/kubeflow/helm/notebooks/crds/poddefaults_crd.yaml +++ b/kubeflow/helm/notebooks/crds/poddefaults_crd.yaml 
@@ -18,130 +18,82 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: PodDefault is the Schema for the poddefaults API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: - description: PodDefaultSpec defines the desired state of PodDefault properties: annotations: additionalProperties: type: string - description: Annotations defines the annotations to inject into the - pod. type: object + args: + items: + type: string + type: array + automountServiceAccountToken: + type: boolean + command: + items: + type: string + type: array desc: - description: 'Human readable description of poddefault todo: not sure - if Spec is the right place for this (move to meta..) Can be used - by UI to show users avaialble options for poddefaults.' type: string env: - description: Env defines the collection of EnvVar to inject into containers. items: - description: EnvVar represents an environment variable present in - a Container. properties: name: - description: Name of the environment variable. Must be a C_IDENTIFIER. type: string value: - description: 'Variable references $(VAR_NAME) are expanded using - the previously defined environment variables in the container - and any service environment variables. If a variable cannot - be resolved, the reference in the input string will be unchanged. 
- Double $$ are reduced to a single $, which allows for escaping - the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the - string literal "$(VAR_NAME)". Escaped references will never - be expanded, regardless of whether the variable exists or - not. Defaults to "".' type: string valueFrom: - description: Source for the environment variable's value. Cannot - be used if value is not empty. properties: configMapKeyRef: - description: Selects a key of a ConfigMap. properties: key: - description: The key to select. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' type: string optional: - description: Specify whether the ConfigMap or its key - must be defined type: boolean required: - key type: object fieldRef: - description: 'Selects a field of the pod: supports metadata.name, - metadata.namespace, `metadata.labels['''']`, `metadata.annotations['''']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, - status.podIP, status.podIPs.' properties: apiVersion: - description: Version of the schema the FieldPath is - written in terms of, defaults to "v1". type: string fieldPath: - description: Path of the field to select in the specified - API version. type: string required: - fieldPath type: object resourceFieldRef: - description: 'Selects a resource of the container: only - resources limits and requests (limits.cpu, limits.memory, - limits.ephemeral-storage, requests.cpu, requests.memory - and requests.ephemeral-storage) are currently supported.' 
properties: containerName: - description: 'Container name: required for volumes, - optional for env vars' type: string divisor: anyOf: - type: integer - type: string - description: Specifies the output format of the exposed - resources, defaults to "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: - description: 'Required: resource to select' type: string required: - resource type: object secretKeyRef: - description: Selects a key of a secret in the pod's namespace properties: key: - description: The key of the secret to select from. Must - be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' type: string optional: - description: Specify whether the Secret or its key must - be defined type: boolean required: - key 
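Review bot: The new `args`, `command` and `automountServiceAccountToken` properties under `spec` are added with no `description`, so the schema no longer tells a cluster operator that a PodDefault can change what a selected pod runs and whether it mounts a service-account token. The descriptions removed in this same hunk say PodDefault values are injected into pods, so write access to `poddefaults` probably deserves the same care as write access to the pods themselves; how the webhook merges these fields is not visible here. I would keep one line on each, for example `description: Injected into pods this PodDefault selects; restrict create/update on poddefaults accordingly.` The following hunk adds `imagePullSecrets` and `initContainers` the same way, and the `spec` properties block continues outside this hunk.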
@@ -152,162 +104,1266 @@ spec: type: object type: array envFrom: - description: EnvFrom defines the collection of EnvFromSource to inject - into containers. items: - description: EnvFromSource represents the source of a set of ConfigMaps properties: configMapRef: - description: The ConfigMap to select from properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' type: string optional: - description: Specify whether the ConfigMap must be defined type: boolean type: object prefix: - description: An optional identifier to prepend to each key in - the ConfigMap. Must be a C_IDENTIFIER. type: string secretRef: - description: The Secret to select from properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' type: string optional: - description: Specify whether the Secret must be defined type: boolean type: object type: object type: array - labels: - additionalProperties: - type: string - description: Labels defines the labels to inject into the pod. - type: object - selector: - description: Selector is a label query over a set of resources, in - this case pods. Required. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. 
If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic - merge patch. - items: + imagePullSecrets: + items: + properties: + name: + type: string + type: object + type: array + initContainers: + items: + properties: + args: + items: + type: string + type: array + command: + items: + type: string + type: array + env: + items: + properties: + name: type: string - type: array - required: - - key - - operator + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + secretKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + envFrom: + items: + properties: + configMapRef: + properties: + name: + type: string + optional: + type: boolean + type: object + prefix: + type: string + secretRef: + properties: + name: + type: string + optional: + type: boolean + type: object + type: object + type: array + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + 
value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object type: object - type: array - matchLabels: - additionalProperties: + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + 
properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + name: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + default: TCP + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + 
terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + startupProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + 
type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + subPath: + type: string + subPathExpr: + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + type: string + required: + - name + type: object + type: array + labels: + additionalProperties: + type: string + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + serviceAccountName: + type: string + sidecars: + items: + properties: + args: + items: + type: string + type: array + command: + items: + type: string + type: array + env: + items: + properties: + name: + type: string + value: + type: string + 
valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + secretKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + type: object + required: + - name + type: object + type: array + envFrom: + items: + properties: + configMapRef: + properties: + name: + type: string + optional: + type: boolean + type: object + prefix: + type: string + secretRef: + properties: + name: + type: string + optional: + type: boolean + type: object + type: object + type: array + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + 
properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + default: TCP + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + 
- containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + 
readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + startupProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string 
+ required: + - devicePath + - name + type: object + type: array + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + subPath: + type: string + subPathExpr: + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + type: string + required: + - name + type: object + type: array tolerations: items: - description: The pod this Toleration is attached to tolerates any - taint that matches the triple using the matching - operator . properties: effect: - description: Effect indicates the taint effect to match. Empty - means match all taint effects. When specified, allowed values - are NoSchedule, PreferNoSchedule and NoExecute. type: string key: - description: Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match all - values and all keys. type: string operator: - description: Operator represents a key's relationship to the - value. Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod - can tolerate all taints of a particular category. type: string tolerationSeconds: - description: TolerationSeconds represents the period of time - the toleration (which must be of effect NoExecute, otherwise - this field is ignored) tolerates the taint. By default, it - is not set, which means tolerate the taint forever (do not - evict). Zero and negative values will be treated as 0 (evict - immediately) by the system. format: int64 type: integer value: - description: Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. type: string type: object type: array volumeMounts: - description: VolumeMounts defines the collection of VolumeMount to - inject into containers. 
items: - description: VolumeMount describes a mounting of a Volume within - a container. properties: mountPath: - description: Path within the container at which the volume should - be mounted. Must not contain ':'. type: string mountPropagation: - description: mountPropagation determines how mounts are propagated - from the host to container and the other way around. When - not set, MountPropagationNone is used. This field is beta - in 1.10. type: string name: - description: This must match the Name of a Volume. type: string readOnly: - description: Mounted read-only if true, read-write otherwise - (false or unspecified). Defaults to false. type: boolean subPath: - description: Path within the volume from which the container's - volume should be mounted. Defaults to "" (volume's root). type: string subPathExpr: - description: Expanded path within the volume from which the - container's volume should be mounted. Behaves similarly to - SubPath but environment variable references $(VAR_NAME) are - expanded using the container's environment. Defaults to "" - (volume's root). SubPathExpr and SubPath are mutually exclusive. type: string required: - mountPath 
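Review bot: The new `initContainers` and `sidecars` item schemas in this hunk accept the full container `securityContext` (`privileged`, `allowPrivilegeEscalation`, `capabilities.add`, `windowsOptions.hostProcess`) and `ports[].hostPort` without any constraint, and the spec also gains unconstrained `serviceAccountName` and `imagePullSecrets`. The file header is outside this chunk, but if this is the schema of a resource that a mutating webhook applies to pods matched by `selector`, then write access to it now means choosing containers, privileges and the service account for other users' pods in the namespace. That is a much wider grant than the env, volume and toleration injection the old schema allowed. I would narrow the schema, for example `privileged: {type: boolean, enum: [false]}` under both `securityContext` blocks, or have the webhook reject those fields, and state in the chart that create/update on this kind is for namespace admins only. The hunk also drops every `description`, so the schema no longer documents the new fields; if the file is generated, both points belong in the generator's source types rather than in this YAML.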
@@ -315,217 +1371,104 @@ spec: type: object type: array volumes: - description: Volumes defines the collection of Volume to inject into - the pod. items: - description: Volume represents a named volume in a pod that may - be accessed by any container in the pod. properties: awsElasticBlockStore: - description: 'AWSElasticBlockStore represents an AWS Disk resource - that is attached to a kubelet''s host machine and then exposed - to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' properties: fsType: - description: 'Filesystem type of the volume that you want - to mount. Tip: Ensure that the filesystem type is supported - by the host operating system. Examples: "ext4", "xfs", - "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore - TODO: how do we prevent errors in the filesystem from - compromising the machine' type: string partition: - description: 'The partition in the volume that you want - to mount. If omitted, the default is to mount by volume - name. Examples: For volume /dev/sda1, you specify the - partition as "1". Similarly, the volume partition for - /dev/sda is "0" (or you can leave the property empty).' format: int32 type: integer readOnly: - description: 'Specify "true" to force and set the ReadOnly - property in VolumeMounts to "true". If omitted, the default - is "false". More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' type: boolean volumeID: - description: 'Unique ID of the persistent disk resource - in AWS (Amazon EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' type: string required: - volumeID type: object azureDisk: - description: AzureDisk represents an Azure Data Disk mount on - the host and bind mount to the pod. properties: cachingMode: - description: 'Host Caching mode: None, Read Only, Read Write.' 
type: string diskName: - description: The Name of the data disk in the blob storage type: string diskURI: - description: The URI the data disk in the blob storage type: string fsType: - description: Filesystem type to mount. Must be a filesystem - type supported by the host operating system. Ex. "ext4", - "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string kind: - description: 'Expected values Shared: multiple blob disks - per storage account Dedicated: single blob disk per storage - account Managed: azure managed data disk (only in managed - availability set). defaults to shared' type: string readOnly: - description: Defaults to false (read/write). ReadOnly here - will force the ReadOnly setting in VolumeMounts. type: boolean required: - diskName - diskURI type: object azureFile: - description: AzureFile represents an Azure File Service mount - on the host and bind mount to the pod. properties: readOnly: - description: Defaults to false (read/write). ReadOnly here - will force the ReadOnly setting in VolumeMounts. type: boolean secretName: - description: the name of secret that contains Azure Storage - Account Name and Key type: string shareName: - description: Share Name type: string required: - secretName - shareName type: object cephfs: - description: CephFS represents a Ceph FS mount on the host that - shares a pod's lifetime properties: monitors: - description: 'Required: Monitors is a collection of Ceph - monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' items: type: string type: array path: - description: 'Optional: Used as the mounted root, rather - than the full Ceph tree, default is /' type: string readOnly: - description: 'Optional: Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. 
- More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: boolean secretFile: - description: 'Optional: SecretFile is the path to key ring - for User, default is /etc/ceph/user.secret More info: - https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: string secretRef: - description: 'Optional: SecretRef is reference to the authentication - secret for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object user: - description: 'Optional: User is the rados user name, default - is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: string required: - monitors type: object cinder: - description: 'Cinder represents a cinder volume attached and - mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' properties: fsType: - description: 'Filesystem type to mount. Must be a filesystem - type supported by the host operating system. Examples: - "ext4", "xfs", "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' type: string readOnly: - description: 'Optional: Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md' type: boolean secretRef: - description: 'Optional: points to a secret object containing - parameters used to connect to OpenStack.' properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' 
type: string type: object volumeID: - description: 'volume id used to identify the volume in cinder. - More info: https://examples.k8s.io/mysql-cinder-pd/README.md' type: string required: - volumeID type: object configMap: - description: ConfigMap represents a configMap that should populate - this volume properties: defaultMode: - description: 'Optional: mode bits used to set permissions - on created files by default. Must be an octal value between - 0000 and 0777 or a decimal value between 0 and 511. YAML - accepts both octal and decimal values, JSON requires decimal - values for mode bits. Defaults to 0644. Directories within - the path are not affected by this setting. This might - be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits - set.' format: int32 type: integer items: - description: If unspecified, each key-value pair in the - Data field of the referenced ConfigMap will be projected - into the volume as a file whose name is the key and content - is the value. If specified, the listed keys will be projected - into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in - the ConfigMap, the volume setup will error unless it is - marked optional. Paths must be relative and may not contain - the '..' path or start with '..'. items: - description: Maps a string key to a path within a volume. properties: key: - description: The key to project. type: string mode: - description: 'Optional: mode bits used to set permissions - on this file. Must be an octal value between 0000 - and 0777 or a decimal value between 0 and 511. YAML - accepts both octal and decimal values, JSON requires - decimal values for mode bits. If not specified, - the volume defaultMode will be used. This might - be in conflict with other options that affect the - file mode, like fsGroup, and the result can be other - mode bits set.' 
format: int32 type: integer path: - description: The relative path of the file to map - the key to. May not be an absolute path. May not - contain the path element '..'. May not start with - the string '..'. type: string required: - key 
@@ -533,136 +1476,63 @@ spec: type: object type: array name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' type: string optional: - description: Specify whether the ConfigMap or its keys must - be defined type: boolean type: object csi: - description: CSI (Container Storage Interface) represents ephemeral - storage that is handled by certain external CSI drivers (Beta - feature). properties: driver: - description: Driver is the name of the CSI driver that handles - this volume. Consult with your admin for the correct name - as registered in the cluster. type: string fsType: - description: Filesystem type to mount. Ex. "ext4", "xfs", - "ntfs". If not provided, the empty value is passed to - the associated CSI driver which will determine the default - filesystem to apply. type: string nodePublishSecretRef: - description: NodePublishSecretRef is a reference to the - secret object containing sensitive information to pass - to the CSI driver to complete the CSI NodePublishVolume - and NodeUnpublishVolume calls. This field is optional, - and may be empty if no secret is required. If the secret - object contains more than one secret, all secret references - are passed. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object readOnly: - description: Specifies a read-only configuration for the - volume. Defaults to false (read/write). type: boolean volumeAttributes: additionalProperties: type: string - description: VolumeAttributes stores driver-specific properties - that are passed to the CSI driver. Consult your driver's - documentation for supported values. 
type: object required: - driver type: object downwardAPI: - description: DownwardAPI represents downward API about the pod - that should populate this volume properties: defaultMode: - description: 'Optional: mode bits to use on created files - by default. Must be a Optional: mode bits used to set - permissions on created files by default. Must be an octal - value between 0000 and 0777 or a decimal value between - 0 and 511. YAML accepts both octal and decimal values, - JSON requires decimal values for mode bits. Defaults to - 0644. Directories within the path are not affected by - this setting. This might be in conflict with other options - that affect the file mode, like fsGroup, and the result - can be other mode bits set.' format: int32 type: integer items: - description: Items is a list of downward API volume file items: - description: DownwardAPIVolumeFile represents information - to create the file containing the pod field properties: fieldRef: - description: 'Required: Selects a field of the pod: - only annotations, labels, name and namespace are - supported.' properties: apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". type: string fieldPath: - description: Path of the field to select in the - specified API version. type: string required: - fieldPath type: object mode: - description: 'Optional: mode bits used to set permissions - on this file, must be an octal value between 0000 - and 0777 or a decimal value between 0 and 511. YAML - accepts both octal and decimal values, JSON requires - decimal values for mode bits. If not specified, - the volume defaultMode will be used. This might - be in conflict with other options that affect the - file mode, like fsGroup, and the result can be other - mode bits set.' format: int32 type: integer path: - description: 'Required: Path is the relative path - name of the file to be created. Must not be absolute - or contain the ''..'' path. Must be utf-8 encoded. 
- The first item of the relative path must not start - with ''..''' type: string resourceFieldRef: - description: 'Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, requests.cpu and requests.memory) - are currently supported.' properties: containerName: - description: 'Container name: required for volumes, - optional for env vars' type: string divisor: anyOf: - type: integer - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: - description: 'Required: resource to select' type: string required: - resource 
@@ -673,168 +1543,53 @@ spec: type: array type: object emptyDir: - description: 'EmptyDir represents a temporary directory that - shares a pod''s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' properties: medium: - description: 'What type of storage medium should back this - directory. The default is "" which means to use the node''s - default medium. Must be an empty string (default) or Memory. - More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' type: string sizeLimit: anyOf: - type: integer - type: string - description: 'Total amount of local storage required for - this EmptyDir volume. The size limit is also applicable - for memory medium. The maximum usage on memory medium - EmptyDir would be the minimum value between the SizeLimit - specified here and the sum of memory limits of all containers - in a pod. The default is nil which means that the limit - is undefined. More info: http://kubernetes.io/docs/user-guide/volumes#emptydir' pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object ephemeral: - description: "Ephemeral represents a volume that is handled - by a cluster storage driver. The volume's lifecycle is tied - to the pod that defines it - it will be created before the - pod starts, and deleted when the pod is removed. \n Use this - if: a) the volume is only needed while the pod runs, b) features - of normal volumes like restoring from snapshot or capacity - tracking are needed, c) the storage driver is specified through - a storage class, and d) the storage driver supports dynamic - volume provisioning through a PersistentVolumeClaim (see EphemeralVolumeSource - for more information on the connection between this volume - type and PersistentVolumeClaim). 
\n Use PersistentVolumeClaim - or one of the vendor-specific APIs for volumes that persist - for longer than the lifecycle of an individual pod. \n Use - CSI for light-weight local ephemeral volumes if the CSI driver - is meant to be used that way - see the documentation of the - driver for more information. \n A pod can use both types of - ephemeral volumes and persistent volumes at the same time." properties: volumeClaimTemplate: - description: "Will be used to create a stand-alone PVC to - provision the volume. The pod in which this EphemeralVolumeSource - is embedded will be the owner of the PVC, i.e. the PVC - will be deleted together with the pod. The name of the - PVC will be `-` where `` is the name from the `PodSpec.Volumes` array entry. - Pod validation will reject the pod if the concatenated - name is not valid for a PVC (for example, too long). \n - An existing PVC with that name that is not owned by the - pod will *not* be used for the pod to avoid using an unrelated - volume by mistake. Starting the pod is then blocked until - the unrelated PVC is removed. If such a pre-created PVC - is meant to be used by the pod, the PVC has to updated - with an owner reference to the pod once the pod exists. - Normally this should not be necessary, but it may be useful - when manually reconstructing a broken cluster. \n This - field is read-only and no changes will be made by Kubernetes - to the PVC after it has been created. \n Required, must - not be nil." properties: metadata: - description: May contain labels and annotations that - will be copied into the PVC when creating it. No other - fields are allowed and will be rejected during validation. type: object spec: - description: The specification for the PersistentVolumeClaim. - The entire content is copied unchanged into the PVC - that gets created from this template. The same fields - as in a PersistentVolumeClaim are also valid here. 
properties: accessModes: - description: 'AccessModes contains the desired access - modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' items: type: string type: array dataSource: - description: 'This field can be used to specify - either: * An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) - * An existing PVC (PersistentVolumeClaim) If the - provisioner or an external controller can support - the specified data source, it will create a new - volume based on the contents of the specified - data source. If the AnyVolumeDataSource feature - gate is enabled, this field will always have the - same contents as the DataSourceRef field.' properties: apiGroup: - description: APIGroup is the group for the resource - being referenced. If APIGroup is not specified, - the specified Kind must be in the core API - group. For any other third-party types, APIGroup - is required. type: string kind: - description: Kind is the type of resource being - referenced type: string name: - description: Name is the name of resource being - referenced type: string required: - kind - name type: object dataSourceRef: - description: 'Specifies the object from which to - populate the volume with data, if a non-empty - volume is desired. This may be any local object - from a non-empty API group (non core object) or - a PersistentVolumeClaim object. When this field - is specified, volume binding will only succeed - if the type of the specified object matches some - installed volume populator or dynamic provisioner. - This field will replace the functionality of the - DataSource field and as such if both fields are - non-empty, they must have the same value. For - backwards compatibility, both fields (DataSource - and DataSourceRef) will be set to the same value - automatically if one of them is empty and the - other is non-empty. 
There are two important differences - between DataSource and DataSourceRef: * While - DataSource only allows two specific types of objects, - DataSourceRef allows any non-core object, as well - as PersistentVolumeClaim objects. * While DataSource - ignores disallowed values (dropping them), DataSourceRef - preserves all values, and generates an error if - a disallowed value is specified. (Alpha) Using - this field requires the AnyVolumeDataSource feature - gate to be enabled.' properties: apiGroup: - description: APIGroup is the group for the resource - being referenced. If APIGroup is not specified, - the specified Kind must be in the core API - group. For any other third-party types, APIGroup - is required. type: string kind: - description: Kind is the type of resource being - referenced type: string name: - description: Name is the name of resource being - referenced type: string required: - kind - name type: object resources: - description: 'Resources represents the minimum resources - the volume should have. If RecoverVolumeExpansionFailure - feature is enabled users are allowed to specify - resource requirements that are lower than previous - value but must still be higher than capacity recorded - in the status field of the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' properties: limits: additionalProperties: @@ -843,8 +1598,6 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount - of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: 
@@ -853,46 +1606,18 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Requests describes the minimum - amount of compute resources required. If Requests - is omitted for a container, it defaults to - Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: - https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object selector: - description: A label query over volumes to consider - for binding. properties: matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. properties: key: - description: key is the label key that - the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. items: type: string type: array 
@@ -904,26 +1629,13 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. type: object type: object storageClassName: - description: 'Name of the StorageClass required - by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' type: string volumeMode: - description: volumeMode defines what type of volume - is required by the claim. Value of Filesystem - is implied when not included in claim spec. type: string volumeName: - description: VolumeName is the binding reference - to the PersistentVolume backing this claim. type: string type: object required: 
@@ -931,250 +1643,125 @@ spec: type: object type: object fc: - description: FC represents a Fibre Channel resource that is - attached to a kubelet's host machine and then exposed to the - pod. properties: fsType: - description: 'Filesystem type to mount. Must be a filesystem - type supported by the host operating system. Ex. "ext4", - "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. - TODO: how do we prevent errors in the filesystem from - compromising the machine' type: string lun: - description: 'Optional: FC target lun number' format: int32 type: integer readOnly: - description: 'Optional: Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts.' type: boolean targetWWNs: - description: 'Optional: FC target worldwide names (WWNs)' items: type: string type: array wwids: - description: 'Optional: FC volume world wide identifiers - (wwids) Either wwids or combination of targetWWNs and - lun must be set, but not both simultaneously.' items: type: string type: array type: object flexVolume: - description: FlexVolume represents a generic volume resource - that is provisioned/attached using an exec based plugin. properties: driver: - description: Driver is the name of the driver to use for - this volume. type: string fsType: - description: Filesystem type to mount. Must be a filesystem - type supported by the host operating system. Ex. "ext4", - "xfs", "ntfs". The default filesystem depends on FlexVolume - script. type: string options: additionalProperties: type: string - description: 'Optional: Extra command options if any.' type: object readOnly: - description: 'Optional: Defaults to false (read/write). - ReadOnly here will force the ReadOnly setting in VolumeMounts.' type: boolean secretRef: - description: 'Optional: SecretRef is reference to the secret - object containing sensitive information to pass to the - plugin scripts. This may be empty if no secret object - is specified. 
If the secret object contains more than - one secret, all secrets are passed to the plugin scripts.' properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object required: - driver type: object flocker: - description: Flocker represents a Flocker volume attached to - a kubelet's host machine. This depends on the Flocker control - service being running properties: datasetName: - description: Name of the dataset stored as metadata -> name - on the dataset for Flocker should be considered as deprecated type: string datasetUUID: - description: UUID of the dataset. This is unique identifier - of a Flocker dataset type: string type: object gcePersistentDisk: - description: 'GCEPersistentDisk represents a GCE Disk resource - that is attached to a kubelet''s host machine and then exposed - to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' properties: fsType: - description: 'Filesystem type of the volume that you want - to mount. Tip: Ensure that the filesystem type is supported - by the host operating system. Examples: "ext4", "xfs", - "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk - TODO: how do we prevent errors in the filesystem from - compromising the machine' type: string partition: - description: 'The partition in the volume that you want - to mount. If omitted, the default is to mount by volume - name. Examples: For volume /dev/sda1, you specify the - partition as "1". Similarly, the volume partition for - /dev/sda is "0" (or you can leave the property empty). - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' format: int32 type: integer pdName: - description: 'Unique name of the PD resource in GCE. Used - to identify the disk in GCE. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' type: string readOnly: - description: 'ReadOnly here will force the ReadOnly setting - in VolumeMounts. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' type: boolean required: - pdName type: object gitRepo: - description: 'GitRepo represents a git repository at a particular - revision. DEPRECATED: GitRepo is deprecated. To provision - a container with a git repo, mount an EmptyDir into an InitContainer - that clones the repo using git, then mount the EmptyDir into - the Pod''s container.' properties: directory: - description: Target directory name. Must not contain or - start with '..'. If '.' is supplied, the volume directory - will be the git repository. Otherwise, if specified, - the volume will contain the git repository in the subdirectory - with the given name. type: string repository: - description: Repository URL type: string revision: - description: Commit hash for the specified revision. type: string required: - repository type: object glusterfs: - description: 'Glusterfs represents a Glusterfs mount on the - host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md' properties: endpoints: - description: 'EndpointsName is the endpoint name that details - Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' type: string path: - description: 'Path is the Glusterfs volume path. More info: - https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' type: string readOnly: - description: 'ReadOnly here will force the Glusterfs volume - to be mounted with read-only permissions. Defaults to - false. 
More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' type: boolean required: - endpoints - path type: object hostPath: - description: 'HostPath represents a pre-existing file or directory - on the host machine that is directly exposed to the container. - This is generally used for system agents or other privileged - things that are allowed to see the host machine. Most containers - will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - --- TODO(jonesdl) We need to restrict who can use host directory - mounts and who can/can not mount host directories as read/write.' properties: path: - description: 'Path of the directory on the host. If the - path is a symlink, it will follow the link to the real - path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' type: string type: - description: 'Type for HostPath Volume Defaults to "" More - info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' type: string required: - path type: object iscsi: - description: 'ISCSI represents an ISCSI Disk resource that is - attached to a kubelet''s host machine and then exposed to - the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' properties: chapAuthDiscovery: - description: whether support iSCSI Discovery CHAP authentication type: boolean chapAuthSession: - description: whether support iSCSI Session CHAP authentication type: boolean fsType: - description: 'Filesystem type of the volume that you want - to mount. Tip: Ensure that the filesystem type is supported - by the host operating system. Examples: "ext4", "xfs", - "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi - TODO: how do we prevent errors in the filesystem from - compromising the machine' type: string initiatorName: - description: Custom iSCSI Initiator Name. 
If initiatorName - is specified with iscsiInterface simultaneously, new iSCSI - interface : will be created - for the connection. type: string iqn: - description: Target iSCSI Qualified Name. type: string iscsiInterface: - description: iSCSI Interface Name that uses an iSCSI transport. - Defaults to 'default' (tcp). type: string lun: - description: iSCSI Target Lun number. format: int32 type: integer portals: - description: iSCSI Target Portal List. The portal is either - an IP or ip_addr:port if the port is other than default - (typically TCP ports 860 and 3260). items: type: string type: array readOnly: - description: ReadOnly here will force the ReadOnly setting - in VolumeMounts. Defaults to false. type: boolean secretRef: - description: CHAP Secret for iSCSI target and initiator - authentication properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object targetPortal: - description: iSCSI Target Portal. The Portal is either an - IP or ip_addr:port if the port is other than default (typically - TCP ports 860 and 3260). type: string required: - iqn 
@@ -1182,146 +1769,67 @@ spec: - targetPortal type: object name: - description: 'Volume''s name. Must be a DNS_LABEL and unique - within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string nfs: - description: 'NFS represents an NFS mount on the host that shares - a pod''s lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' properties: path: - description: 'Path that is exported by the NFS server. More - info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: string readOnly: - description: 'ReadOnly here will force the NFS export to - be mounted with read-only permissions. Defaults to false. - More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: boolean server: - description: 'Server is the hostname or IP address of the - NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: string required: - path - server type: object persistentVolumeClaim: - description: 'PersistentVolumeClaimVolumeSource represents a - reference to a PersistentVolumeClaim in the same namespace. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' properties: claimName: - description: 'ClaimName is the name of a PersistentVolumeClaim - in the same namespace as the pod using this volume. More - info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' type: string readOnly: - description: Will force the ReadOnly setting in VolumeMounts. - Default false. type: boolean required: - claimName type: object photonPersistentDisk: - description: PhotonPersistentDisk represents a PhotonController - persistent disk attached and mounted on kubelets host machine properties: fsType: - description: Filesystem type to mount. Must be a filesystem - type supported by the host operating system. Ex. "ext4", - "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. 
type: string pdID: - description: ID that identifies Photon Controller persistent - disk type: string required: - pdID type: object portworxVolume: - description: PortworxVolume represents a portworx volume attached - and mounted on kubelets host machine properties: fsType: - description: FSType represents the filesystem type to mount - Must be a filesystem type supported by the host operating - system. Ex. "ext4", "xfs". Implicitly inferred to be "ext4" - if unspecified. type: string readOnly: - description: Defaults to false (read/write). ReadOnly here - will force the ReadOnly setting in VolumeMounts. type: boolean volumeID: - description: VolumeID uniquely identifies a Portworx volume type: string required: - volumeID type: object projected: - description: Items for all in one resources secrets, configmaps, - and downward API properties: defaultMode: - description: Mode bits used to set permissions on created - files by default. Must be an octal value between 0000 - and 0777 or a decimal value between 0 and 511. YAML accepts - both octal and decimal values, JSON requires decimal values - for mode bits. Directories within the path are not affected - by this setting. This might be in conflict with other - options that affect the file mode, like fsGroup, and the - result can be other mode bits set. format: int32 type: integer sources: - description: list of volume projections items: - description: Projection that may be projected along with - other supported volume types properties: configMap: - description: information about the configMap data - to project properties: items: - description: If unspecified, each key-value pair - in the Data field of the referenced ConfigMap - will be projected into the volume as a file - whose name is the key and content is the value. - If specified, the listed keys will be projected - into the specified paths, and unlisted keys - will not be present. 
If a key is specified which - is not present in the ConfigMap, the volume - setup will error unless it is marked optional. - Paths must be relative and may not contain the - '..' path or start with '..'. items: - description: Maps a string key to a path within - a volume. properties: key: - description: The key to project. type: string mode: - description: 'Optional: mode bits used to - set permissions on this file. Must be - an octal value between 0000 and 0777 or - a decimal value between 0 and 511. YAML - accepts both octal and decimal values, - JSON requires decimal values for mode - bits. If not specified, the volume defaultMode - will be used. This might be in conflict - with other options that affect the file - mode, like fsGroup, and the result can - be other mode bits set.' format: int32 type: integer path: - description: The relative path of the file - to map the key to. May not be an absolute - path. May not contain the path element - '..'. May not start with the string '..'. type: string required: - key 
@@ -1329,89 +1837,40 @@ spec: type: object type: array name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' type: string optional: - description: Specify whether the ConfigMap or - its keys must be defined type: boolean type: object downwardAPI: - description: information about the downwardAPI data - to project properties: items: - description: Items is a list of DownwardAPIVolume - file items: - description: DownwardAPIVolumeFile represents - information to create the file containing - the pod field properties: fieldRef: - description: 'Required: Selects a field - of the pod: only annotations, labels, - name and namespace are supported.' properties: apiVersion: - description: Version of the schema the - FieldPath is written in terms of, - defaults to "v1". type: string fieldPath: - description: Path of the field to select - in the specified API version. type: string required: - fieldPath type: object mode: - description: 'Optional: mode bits used to - set permissions on this file, must be - an octal value between 0000 and 0777 or - a decimal value between 0 and 511. YAML - accepts both octal and decimal values, - JSON requires decimal values for mode - bits. If not specified, the volume defaultMode - will be used. This might be in conflict - with other options that affect the file - mode, like fsGroup, and the result can - be other mode bits set.' format: int32 type: integer path: - description: 'Required: Path is the relative - path name of the file to be created. Must - not be absolute or contain the ''..'' - path. Must be utf-8 encoded. The first - item of the relative path must not start - with ''..''' type: string resourceFieldRef: - description: 'Selects a resource of the - container: only resources limits and requests - (limits.cpu, limits.memory, requests.cpu - and requests.memory) are currently supported.' 
properties: containerName: - description: 'Container name: required - for volumes, optional for env vars' type: string divisor: anyOf: - type: integer - type: string - description: Specifies the output format - of the exposed resources, defaults - to "1" pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true resource: - description: 'Required: resource to - select' type: string required: - resource @@ -1422,47 +1881,16 @@ spec: type: array type: object secret: - description: information about the secret data to - project properties: items: - description: If unspecified, each key-value pair - in the Data field of the referenced Secret will - be projected into the volume as a file whose - name is the key and content is the value. If - specified, the listed keys will be projected - into the specified paths, and unlisted keys - will not be present. If a key is specified which - is not present in the Secret, the volume setup - will error unless it is marked optional. Paths - must be relative and may not contain the '..' - path or start with '..'. items: - description: Maps a string key to a path within - a volume. properties: key: - description: The key to project. type: string mode: - description: 'Optional: mode bits used to - set permissions on this file. Must be - an octal value between 0000 and 0777 or - a decimal value between 0 and 511. YAML - accepts both octal and decimal values, - JSON requires decimal values for mode - bits. If not specified, the volume defaultMode - will be used. This might be in conflict - with other options that affect the file - mode, like fsGroup, and the result can - be other mode bits set.' format: int32 type: integer path: - description: The relative path of the file - to map the key to. May not be an absolute - path. May not contain the path element - '..'. May not start with the string '..'. type: string required: - key 
@@ -1470,44 +1898,18 @@ spec: type: object type: array name: - description: 'Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' type: string optional: - description: Specify whether the Secret or its - key must be defined type: boolean type: object serviceAccountToken: - description: information about the serviceAccountToken - data to project properties: audience: - description: Audience is the intended audience - of the token. A recipient of a token must identify - itself with an identifier specified in the audience - of the token, and otherwise should reject the - token. The audience defaults to the identifier - of the apiserver. type: string expirationSeconds: - description: ExpirationSeconds is the requested - duration of validity of the service account - token. As the token approaches expiration, the - kubelet volume plugin will proactively rotate - the service account token. The kubelet will - start trying to rotate the token if the token - is older than 80 percent of its time to live - or if the token is older than 24 hours.Defaults - to 1 hour and must be at least 10 minutes. format: int64 type: integer path: - description: Path is the path relative to the - mount point of the file to project the token - into. type: string required: - path 
@@ -1516,143 +1918,74 @@ spec: type: array type: object quobyte: - description: Quobyte represents a Quobyte mount on the host - that shares a pod's lifetime properties: group: - description: Group to map volume access to Default is no - group type: string readOnly: - description: ReadOnly here will force the Quobyte volume - to be mounted with read-only permissions. Defaults to - false. type: boolean registry: - description: Registry represents a single or multiple Quobyte - Registry services specified as a string as host:port pair - (multiple entries are separated with commas) which acts - as the central registry for volumes type: string tenant: - description: Tenant owning the given Quobyte volume in the - Backend Used with dynamically provisioned Quobyte volumes, - value is set by the plugin type: string user: - description: User to map volume access to Defaults to serivceaccount - user type: string volume: - description: Volume is a string that references an already - created Quobyte volume by name. type: string required: - registry - volume type: object rbd: - description: 'RBD represents a Rados Block Device mount on the - host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md' properties: fsType: - description: 'Filesystem type of the volume that you want - to mount. Tip: Ensure that the filesystem type is supported - by the host operating system. Examples: "ext4", "xfs", - "ntfs". Implicitly inferred to be "ext4" if unspecified. - More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd - TODO: how do we prevent errors in the filesystem from - compromising the machine' type: string image: - description: 'The rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string keyring: - description: 'Keyring is the path to key ring for RBDUser. - Default is /etc/ceph/keyring. 
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string monitors: - description: 'A collection of Ceph monitors. More info: - https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' items: type: string type: array pool: - description: 'The rados pool name. Default is rbd. More - info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string readOnly: - description: 'ReadOnly here will force the ReadOnly setting - in VolumeMounts. Defaults to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: boolean secretRef: - description: 'SecretRef is name of the authentication secret - for RBDUser. If provided overrides keyring. Default is - nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object user: - description: 'The rados user name. Default is admin. More - info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string required: - image - monitors type: object scaleIO: - description: ScaleIO represents a ScaleIO persistent volume - attached and mounted on Kubernetes nodes. properties: fsType: - description: Filesystem type to mount. Must be a filesystem - type supported by the host operating system. Ex. "ext4", - "xfs", "ntfs". Default is "xfs". type: string gateway: - description: The host address of the ScaleIO API Gateway. type: string protectionDomain: - description: The name of the ScaleIO Protection Domain for - the configured storage. type: string readOnly: - description: Defaults to false (read/write). ReadOnly here - will force the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: SecretRef references to the secret for ScaleIO - user and other sensitive information. 
If this is not provided, - Login operation will fail. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object sslEnabled: - description: Flag to enable/disable SSL communication with - Gateway, default false type: boolean storageMode: - description: Indicates whether the storage for a volume - should be ThickProvisioned or ThinProvisioned. Default - is ThinProvisioned. type: string storagePool: - description: The ScaleIO Storage Pool associated with the - protection domain. type: string system: - description: The name of the storage system as configured - in ScaleIO. type: string volumeName: - description: The name of a volume already created in the - ScaleIO system that is associated with this volume source. type: string required: - gateway 
@@ -1660,54 +1993,19 @@ spec: - system type: object secret: - description: 'Secret represents a secret that should populate - this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' properties: defaultMode: - description: 'Optional: mode bits used to set permissions - on created files by default. Must be an octal value between - 0000 and 0777 or a decimal value between 0 and 511. YAML - accepts both octal and decimal values, JSON requires decimal - values for mode bits. Defaults to 0644. Directories within - the path are not affected by this setting. This might - be in conflict with other options that affect the file - mode, like fsGroup, and the result can be other mode bits - set.' format: int32 type: integer items: - description: If unspecified, each key-value pair in the - Data field of the referenced Secret will be projected - into the volume as a file whose name is the key and content - is the value. If specified, the listed keys will be projected - into the specified paths, and unlisted keys will not be - present. If a key is specified which is not present in - the Secret, the volume setup will error unless it is marked - optional. Paths must be relative and may not contain the - '..' path or start with '..'. items: - description: Maps a string key to a path within a volume. properties: key: - description: The key to project. type: string mode: - description: 'Optional: mode bits used to set permissions - on this file. Must be an octal value between 0000 - and 0777 or a decimal value between 0 and 511. YAML - accepts both octal and decimal values, JSON requires - decimal values for mode bits. If not specified, - the volume defaultMode will be used. This might - be in conflict with other options that affect the - file mode, like fsGroup, and the result can be other - mode bits set.' format: int32 type: integer path: - description: The relative path of the file to map - the key to. May not be an absolute path. 
May not - contain the path element '..'. May not start with - the string '..'. type: string required: - key 
@@ -1715,72 +2013,35 @@ spec: type: object type: array optional: - description: Specify whether the Secret or its keys must - be defined type: boolean secretName: - description: 'Name of the secret in the pod''s namespace - to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' type: string type: object storageos: - description: StorageOS represents a StorageOS volume attached - and mounted on Kubernetes nodes. properties: fsType: - description: Filesystem type to mount. Must be a filesystem - type supported by the host operating system. Ex. "ext4", - "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string readOnly: - description: Defaults to false (read/write). ReadOnly here - will force the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: SecretRef specifies the secret to use for obtaining - the StorageOS API credentials. If not specified, default - values will be attempted. properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' type: string type: object volumeName: - description: VolumeName is the human-readable name of the - StorageOS volume. Volume names are only unique within - a namespace. type: string volumeNamespace: - description: VolumeNamespace specifies the scope of the - volume within StorageOS. If no namespace is specified - then the Pod's namespace will be used. This allows the - Kubernetes name scoping to be mirrored within StorageOS - for tighter integration. Set VolumeName to any name to - override the default behaviour. Set to "default" if you - are not using namespaces within StorageOS. Namespaces - that do not pre-exist within StorageOS will be created. 
type: string type: object vsphereVolume: - description: VsphereVolume represents a vSphere volume attached - and mounted on kubelets host machine properties: fsType: - description: Filesystem type to mount. Must be a filesystem - type supported by the host operating system. Ex. "ext4", - "xfs", "ntfs". Implicitly inferred to be "ext4" if unspecified. type: string storagePolicyID: - description: Storage Policy Based Management (SPBM) profile - ID associated with the StoragePolicyName. type: string storagePolicyName: - description: Storage Policy Based Management (SPBM) profile - name. type: string volumePath: - description: Path that identifies vSphere volume vmdk type: string required: - volumePath @@ -1793,13 +2054,10 @@ spec: - selector type: object status: - description: PodDefaultStatus defines the observed state of PodDefault type: object type: object served: true storage: true - subresources: - status: {} status: acceptedNames: kind: "" diff --git a/kubeflow/helm/notebooks/templates/controller/cluster-role.yaml b/kubeflow/helm/notebooks/templates/controller/cluster-role.yaml new file mode 100644 index 000000000..41594926a --- /dev/null +++ b/kubeflow/helm/notebooks/templates/controller/cluster-role.yaml @@ -0,0 +1,50 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: {{- include "notebooks.labels" . | nindent 4 }} + name: {{ include "notebooks.fullname" . }}-controller-cluster-role +rules: + - apiGroups: + - apps + resources: + - statefulsets + verbs: + - '*' + - apiGroups: + - "" + resources: + - events + verbs: + - create + - get + - list + - patch + - watch + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - services + verbs: + - '*' + - apiGroups: + - kubeflow.org + resources: + - notebooks + - notebooks/finalizers + - notebooks/status + verbs: + - '*' + - apiGroups: + - networking.istio.io + resources: + - virtualservices + verbs: + - '*' 
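Review bot: The new `controller/cluster-role.yaml` grants `'*'` verbs cluster-wide on `statefulsets`, `services`, `virtualservices` and the `notebooks` resources, which also covers `deletecollection` and any verb introduced later. The rules are carried over unchanged from the old `clusterrole.yaml` apart from the added `patch` on `events`, so the move is a good moment to spell the verbs out, for example `verbs: [create, delete, get, list, patch, update, watch]`. An explicit list keeps the controller's service account to what its reconcile loop needs and makes later permission changes visible in review. Confirm the required set against the controller version this chart now deploys.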
diff --git a/kubeflow/helm/notebooks/templates/controller/configmap.yaml b/kubeflow/helm/notebooks/templates/controller/configmap.yaml index 45c522358..50b1b0626 100644 --- a/kubeflow/helm/notebooks/templates/controller/configmap.yaml +++ b/kubeflow/helm/notebooks/templates/controller/configmap.yaml @@ -1,11 +1,12 @@ apiVersion: v1 +kind: ConfigMap +metadata: + labels: {{- include "notebooks.labels" . | nindent 4 }} + name: {{ include "notebooks.fullname" . }}-controller-config data: ISTIO_GATEWAY: {{ .Values.controller.istio.gateway | quote }} USE_ISTIO: {{ .Values.controller.istio.enabled | quote }} + CLUSTER_DOMAIN: {{ .Values.global.clusterDomain | quote }} ENABLE_CULLING: {{ .Values.controller.culling.enabled | quote }} IDLENESS_CHECK_PERIOD: {{ .Values.controller.culling.checkPeriod | quote }} CULL_IDLE_TIME: {{ .Values.controller.culling.idleTime | quote }} -kind: ConfigMap -metadata: - labels: {{- include "notebooks.labels" . | nindent 4 }} - name: {{ include "notebooks.fullname" . }}-controller-config diff --git a/kubeflow/helm/notebooks/templates/controller/clusterrole.yaml b/kubeflow/helm/notebooks/templates/controller/kubeflow-cluster-roles.yaml similarity index 62% rename from kubeflow/helm/notebooks/templates/controller/clusterrole.yaml rename to kubeflow/helm/notebooks/templates/controller/kubeflow-cluster-roles.yaml index f743d5b00..b999b9ad9 100644 --- a/kubeflow/helm/notebooks/templates/controller/clusterrole.yaml +++ b/kubeflow/helm/notebooks/templates/controller/kubeflow-cluster-roles.yaml 
@@ -48,53 +48,3 @@ rules: - get - list - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: {{- include "notebooks.labels" . | nindent 4 }} - name: {{ include "notebooks.fullname" . }}-controller-cluster-role -rules: - - apiGroups: - - apps - resources: - - statefulsets - verbs: - - '*' - - apiGroups: - - "" - resources: - - events - verbs: - - create - - get - - list - - watch - - apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - services - verbs: - - '*' - - apiGroups: - - kubeflow.org - resources: - - notebooks - - notebooks/finalizers - - notebooks/status - verbs: - - '*' - - apiGroups: - - networking.istio.io - resources: - - virtualservices - verbs: - - '*' diff --git a/kubeflow/helm/notebooks/templates/pod-defaults/certificate.yaml b/kubeflow/helm/notebooks/templates/pod-defaults/certificate.yaml index 3a64c33d0..c23d5f4fa 100644 --- a/kubeflow/helm/notebooks/templates/pod-defaults/certificate.yaml +++ b/kubeflow/helm/notebooks/templates/pod-defaults/certificate.yaml @@ -4,10 +4,10 @@ metadata: labels: {{- include "notebooks.labels" . | nindent 4 }} name: {{ include "notebooks.fullname" . }}-pod-defaults-certs spec: - commonName: {{ include "notebooks.fullname" . }}-pod-defaults.kubeflow.svc + commonName: {{ include "notebooks.fullname" . }}-pod-defaults.{{ .Release.Namespace }}.svc dnsNames: - - {{ include "notebooks.fullname" . }}-pod-defaults.kubeflow.svc - - {{ include "notebooks.fullname" . }}-pod-defaults.kubeflow.svc.cluster.local + - {{ include "notebooks.fullname" . }}-pod-defaults.{{ .Release.Namespace }}.svc + - {{ include "notebooks.fullname" . }}-pod-defaults.{{ .Release.Namespace }}.svc.cluster.local isCA: true issuerRef: kind: ClusterIssuer diff --git a/kubeflow/helm/notebooks/templates/pod-defaults/cluster-role.yaml b/kubeflow/helm/notebooks/templates/pod-defaults/cluster-role.yaml new file mode 100644 index 000000000..dccb2825e 
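Review bot: In `pod-defaults/certificate.yaml` the third `dnsNames` entry still ends in the literal `.svc.cluster.local`, although the namespace part is now templated. On a cluster with a non-default domain the certificate would not carry the service's fully qualified name. Other templates in this commit use `.Values.global.clusterDomain`; here that would read `- {{ include "notebooks.fullname" . }}-pod-defaults.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}`. The `.svc` name stays in the SAN list, so this probably only affects clients that address the webhook by its full DNS name.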
--- /dev/null +++ b/kubeflow/helm/notebooks/templates/pod-defaults/cluster-role.yaml @@ -0,0 +1,18 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: {{- include "notebooks.labels" . | nindent 4 }} + name: {{ include "notebooks.fullname" . }}-pod-defaults-cluster-role +rules: + - apiGroups: + - kubeflow.org + resources: + - poddefaults + verbs: + - get + - watch + - list + - update + - create + - patch + - delete diff --git a/kubeflow/helm/notebooks/templates/pod-defaults/clusterrole.yaml b/kubeflow/helm/notebooks/templates/pod-defaults/kubeflow-cluster-roles.yaml similarity index 77% rename from kubeflow/helm/notebooks/templates/pod-defaults/clusterrole.yaml rename to kubeflow/helm/notebooks/templates/pod-defaults/kubeflow-cluster-roles.yaml index 3b137c1a8..d5ad2649c 100644 --- a/kubeflow/helm/notebooks/templates/pod-defaults/clusterrole.yaml +++ b/kubeflow/helm/notebooks/templates/pod-defaults/kubeflow-cluster-roles.yaml @@ -1,22 +1,3 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: {{- include "notebooks.labels" . | nindent 4 }} - name: {{ include "notebooks.fullname" . }}-pod-defaults-cluster-role -rules: - - apiGroups: - - kubeflow.org - resources: - - poddefaults - verbs: - - get - - watch - - list - - update - - create - - patch - - delete ---- aggregationRule: clusterRoleSelectors: - matchLabels: diff --git a/kubeflow/helm/notebooks/templates/web-app/cluster-role.yaml b/kubeflow/helm/notebooks/templates/web-app/cluster-role.yaml new file mode 100644 index 000000000..0e1197754 --- /dev/null +++ b/kubeflow/helm/notebooks/templates/web-app/cluster-role.yaml 
@@ -0,0 +1,57 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: {{- include "notebooks.labels" . | nindent 4 }} + name: {{ include "notebooks.fullname" . }}-web-app-cluster-role +rules: + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - apiGroups: + - kubeflow.org + resources: + - notebooks + - notebooks/finalizers + - poddefaults + verbs: + - get + - list + - create + - delete + - patch + - update + - apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - create + - delete + - get + - list + - apiGroups: + - "" + resources: + - events + - nodes + verbs: + - list + - apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - pods + - pods/log + verbs: + - list + - get diff --git a/kubeflow/helm/notebooks/templates/web-app/configmap.yaml b/kubeflow/helm/notebooks/templates/web-app/configmap.yaml index c40a00ff1..46b4e12b9 100644 --- a/kubeflow/helm/notebooks/templates/web-app/configmap.yaml +++ b/kubeflow/helm/notebooks/templates/web-app/configmap.yaml @@ -429,6 +429,7 @@ data: UI: default USERID_HEADER: {{ .Values.global.userIDHeader }} USERID_PREFIX: {{ .Values.global.userIDPrefix | quote }} + APP_SECURE_COOKIES: "true" kind: ConfigMap metadata: labels: {{- include "notebooks.labels" . | nindent 4 }} diff --git a/kubeflow/helm/notebooks/templates/web-app/destination-rule.yaml b/kubeflow/helm/notebooks/templates/web-app/destination-rule.yaml new file mode 100644 index 000000000..107ce75ac --- /dev/null +++ b/kubeflow/helm/notebooks/templates/web-app/destination-rule.yaml 
@@ -0,0 +1,14 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ include "notebooks.fullname" . }}-web-app + labels: {{- include "notebooks.labels" . | nindent 4 }} + {{- with .Values.webApp.virtualService.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + host: {{ include "notebooks.fullname" . }}-web-app.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }} + trafficPolicy: + tls: + mode: ISTIO_MUTUAL diff --git a/kubeflow/helm/notebooks/templates/web-app/clusterrole.yaml b/kubeflow/helm/notebooks/templates/web-app/kubeflow-cluster-roles.yaml similarity index 56% rename from kubeflow/helm/notebooks/templates/web-app/clusterrole.yaml rename to kubeflow/helm/notebooks/templates/web-app/kubeflow-cluster-roles.yaml index 4d9dd0ef8..5512aaf0a 100644 --- a/kubeflow/helm/notebooks/templates/web-app/clusterrole.yaml +++ b/kubeflow/helm/notebooks/templates/web-app/kubeflow-cluster-roles.yaml 
@@ -1,64 +1,5 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole -metadata: - labels: {{- include "notebooks.labels" . | nindent 4 }} - name: {{ include "notebooks.fullname" . }}-web-app-cluster-role -rules: - - apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - create - - delete - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create - - apiGroups: - - kubeflow.org - resources: - - notebooks - - notebooks/finalizers - - poddefaults - verbs: - - get - - list - - create - - delete - - patch - - update - - apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - create - - delete - - get - - list - - apiGroups: - - "" - resources: - - events - - nodes - verbs: - - list - - apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole metadata: labels: {{- include "notebooks.labels" . | nindent 4 }} rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" diff --git a/kubeflow/helm/notebooks/templates/web-app/role.yaml b/kubeflow/helm/notebooks/templates/web-app/role.yaml index 831568819..c9256b914 100644 --- a/kubeflow/helm/notebooks/templates/web-app/role.yaml +++ b/kubeflow/helm/notebooks/templates/web-app/role.yaml 
@@ -6,32 +6,45 @@ metadata: name: {{ include "notebooks.fullname" . }}-web-app-notebook-role rules: - apiGroups: - - "" + - authorization.k8s.io resources: - - pods - - pods/log - - secrets - - services + - subjectaccessreviews verbs: - - '*' + - create + - apiGroups: + - kubeflow.org + resources: + - notebooks + - notebooks/finalizers + - poddefaults + verbs: + - get + - list + - create + - delete + - patch + - update - apiGroups: - "" - - apps - - extensions resources: - - deployments - - replicasets + - persistentvolumeclaims verbs: - - '*' + - create + - delete + - get + - list - apiGroups: - - kubeflow.org + - "" resources: - - '*' + - events + - nodes verbs: - - '*' + - list - apiGroups: - - batch + - storage.k8s.io resources: - - jobs + - storageclasses verbs: - - '*' + - get + - list + - watch diff --git a/kubeflow/helm/notebooks/templates/web-app/virtualservice.yaml b/kubeflow/helm/notebooks/templates/web-app/virtualservice.yaml index 152002799..8893e7e71 100644 --- a/kubeflow/helm/notebooks/templates/web-app/virtualservice.yaml +++ b/kubeflow/helm/notebooks/templates/web-app/virtualservice.yaml @@ -29,6 +29,6 @@ spec: uri: / route: - destination: - host: {{ include "notebooks.fullname" . }}-web-app.kubeflow.svc.{{ .Values.global.clusterDomain }} + host: {{ include "notebooks.fullname" . }}-web-app.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }} port: number: {{ .Values.webApp.service.port }} diff --git a/kubeflow/helm/notebooks/values.yaml b/kubeflow/helm/notebooks/values.yaml index 5a30ae34a..bc4fec410 100644 --- a/kubeflow/helm/notebooks/values.yaml +++ b/kubeflow/helm/notebooks/values.yaml 
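Review bot: Three of the rules added to `web-app/role.yaml` name cluster-scoped resources: `subjectaccessreviews`, `nodes` and `storageclasses`. If this object is a namespaced `Role` (its `kind` line is above the hunk, so that is inferred from the file name), those entries grant nothing and only make the policy harder to audit. The same rules already appear in the new `web-app/cluster-role.yaml`, so the Role could keep just the namespaced resources (`notebooks`, `notebooks/finalizers`, `poddefaults`, `persistentvolumeclaims`, `events`). A short comment above `rules:` such as `# namespaced permissions only; cluster-scoped access is granted by the web-app ClusterRole` would record the split.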
@@ -30,10 +30,10 @@ serviceAccount: webApp: replicaCount: 1 image: - repository: public.ecr.aws/j1r0q0g6/notebooks/jupyter-web-app + repository: docker.io/kubeflownotebookswg/jupyter-web-app pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: v1.4 + tag: v1.8.0-rc.0 podAnnotations: sidecar.istio.io/inject: "true" @@ -242,10 +242,10 @@ controller: # The idle time after which to cull the notebook (minutes) idleTime: 1440 # 1 day image: - repository: public.ecr.aws/j1r0q0g6/notebooks/notebook-controller + repository: docker.io/kubeflownotebookswg/notebook-controller pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: v1.5.0 + tag: v1.8.0-rc.0 service: metrics: @@ -295,10 +295,10 @@ controller: podDefaults: replicaCount: 1 image: - repository: public.ecr.aws/j1r0q0g6/notebooks/admission-webhook + repository: docker.io/kubeflownotebookswg/poddefaults-webhook pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: v1.5.0 + tag: v1.8.0-rc.0 service: port: 443 diff --git a/kubeflow/helm/pipelines/templates/api-server/destinationrule.yaml b/kubeflow/helm/pipelines/templates/api-server/destinationrule.yaml index f2c196287..ce94eb056 100644 --- a/kubeflow/helm/pipelines/templates/api-server/destinationrule.yaml +++ b/kubeflow/helm/pipelines/templates/api-server/destinationrule.yaml @@ -4,7 +4,7 @@ metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-api-server spec: - host: {{ include "pipelines.fullname" . }}-api-server.kubeflow.svc.{{ .Values.global.clusterDomain }} + host: {{ include "pipelines.fullname" . }}-api-server.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }} trafficPolicy: tls: mode: ISTIO_MUTUAL 
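Review bot: The three image blocks in `notebooks/values.yaml` (`webApp`, `controller`, `podDefaults`) switch to a different registry and reference it only by the tag `v1.8.0-rc.0`, with `pullPolicy: IfNotPresent`. A tag can be re-pointed upstream, so nodes that pull at different times may run different content under the same name, and a release-candidate tag is more likely to be superseded. If the chart's image helper allows it (the template is not visible here), pinning each image by digest, rendered as `repository@sha256:<digest>` with the digest taken from the verified upstream release, makes the deployed artifact reproducible. A comment next to each `tag:` noting that the value is a pre-release would also help whoever bumps it next.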
diff --git a/kubeflow/helm/pipelines/templates/metadata/grpc-server/destinationrule.yaml b/kubeflow/helm/pipelines/templates/metadata/grpc-server/destinationrule.yaml index 9e261332d..6da494872 100644 --- a/kubeflow/helm/pipelines/templates/metadata/grpc-server/destinationrule.yaml +++ b/kubeflow/helm/pipelines/templates/metadata/grpc-server/destinationrule.yaml @@ -4,7 +4,7 @@ metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-metadata-grpc-server spec: - host: {{ include "pipelines.fullname" . }}-metadata-grpc-server.kubeflow.svc.{{ .Values.global.clusterDomain }} + host: {{ include "pipelines.fullname" . }}-metadata-grpc-server.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }} trafficPolicy: tls: mode: ISTIO_MUTUAL diff --git a/kubeflow/helm/pipelines/templates/metadata/grpc-server/virtualservice.yaml b/kubeflow/helm/pipelines/templates/metadata/grpc-server/virtualservice.yaml index 9576aaa47..2a8dc4381 100644 --- a/kubeflow/helm/pipelines/templates/metadata/grpc-server/virtualservice.yaml +++ b/kubeflow/helm/pipelines/templates/metadata/grpc-server/virtualservice.yaml @@ -29,6 +29,6 @@ spec: uri: {{ .Values.metadata.grpc.virtualService.prefix }} route: - destination: - host: {{ include "pipelines.fullname" . }}-metadata-envoy.kubeflow.svc.{{ .Values.global.clusterDomain }} + host: {{ include "pipelines.fullname" . }}-metadata-envoy.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }} port: number: {{ .Values.metadata.envoy.service.port }} diff --git a/kubeflow/helm/pipelines/templates/visualization-server/destinationrule.yaml b/kubeflow/helm/pipelines/templates/visualization-server/destinationrule.yaml index 0aeb547b0..538893a1d 100644 --- a/kubeflow/helm/pipelines/templates/visualization-server/destinationrule.yaml +++ b/kubeflow/helm/pipelines/templates/visualization-server/destinationrule.yaml 
@@ -4,7 +4,7 @@ metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-visualization-server spec: - host: {{ include "pipelines.fullname" . }}-visualization-server.kubeflow.svc.{{ .Values.global.clusterDomain }} + host: {{ include "pipelines.fullname" . }}-visualization-server.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }} trafficPolicy: tls: mode: ISTIO_MUTUAL diff --git a/kubeflow/helm/pipelines/templates/web-app/configmap.yaml b/kubeflow/helm/pipelines/templates/web-app/configmap.yaml index 358e1803c..582997d22 100644 --- a/kubeflow/helm/pipelines/templates/web-app/configmap.yaml +++ b/kubeflow/helm/pipelines/templates/web-app/configmap.yaml @@ -7,7 +7,7 @@ data: AWS_REGION: {{ .Values.config.objectStore.bucketRegion }} VIEWER_TENSORBOARD_POD_TEMPLATE_SPEC_PATH: /etc/config/viewer-tensorboard-template.json VIEWER_TENSORBOARD_TF_IMAGE_NAME: tensorflow/tensorflow - METADATA_ENVOY_SERVICE_SERVICE_HOST: kubeflow-pipelines-metadata-envoy.kubeflow.svc.cluster.local + METADATA_ENVOY_SERVICE_SERVICE_HOST: kubeflow-pipelines-metadata-envoy.kubeflow.svc.cluster.local # TODO: don't hardcode these values METADATA_ENVOY_SERVICE_SERVICE_PORT: "9090" ML_PIPELINE_SERVICE_HOST: kubeflow-pipelines-api-server.kubeflow.svc.cluster.local ML_PIPELINE_SERVICE_PORT: "8888" diff --git a/kubeflow/helm/pipelines/templates/web-app/destinationrule.yaml b/kubeflow/helm/pipelines/templates/web-app/destinationrule.yaml index c8a914c98..8dff607d7 100644 --- a/kubeflow/helm/pipelines/templates/web-app/destinationrule.yaml +++ b/kubeflow/helm/pipelines/templates/web-app/destinationrule.yaml 
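Review bot: The TODO added in `pipelines/templates/web-app/configmap.yaml` leaves `METADATA_ENVOY_SERVICE_SERVICE_HOST` pinned to the `kubeflow` namespace and `cluster.local`, and `ML_PIPELINE_SERVICE_HOST` two lines below has the same literal form. The VirtualServices and DestinationRules in this commit now follow `.Release.Namespace`, so a release installed into another namespace would point the web app at host names that may not exist there. The expression already used in the grpc-server VirtualService would resolve the TODO: `METADATA_ENVOY_SERVICE_SERVICE_HOST: {{ include "pipelines.fullname" . }}-metadata-envoy.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}`. This assumes the chart's fullname renders to the `kubeflow-pipelines` prefix seen in the literal.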
@@ -4,7 +4,7 @@ metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-web-app spec: - host: {{ include "pipelines.fullname" . }}-web-app.kubeflow.svc.{{ .Values.global.clusterDomain }} + host: {{ include "pipelines.fullname" . }}-web-app.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }} trafficPolicy: tls: mode: ISTIO_MUTUAL diff --git a/kubeflow/helm/pipelines/templates/web-app/virtualservice.yaml b/kubeflow/helm/pipelines/templates/web-app/virtualservice.yaml index 7a39be60c..bdebd25f2 100644 --- a/kubeflow/helm/pipelines/templates/web-app/virtualservice.yaml +++ b/kubeflow/helm/pipelines/templates/web-app/virtualservice.yaml @@ -29,7 +29,7 @@ spec: uri: {{ .Values.virtualService.prefix }} route: - destination: - host: {{ include "pipelines.fullname" . }}-web-app.kubeflow.svc.{{ .Values.global.clusterDomain }} + host: {{ include "pipelines.fullname" . }}-web-app.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }} port: number: {{ .Values.service.port }} timeout: 300s diff --git a/kubeflow/helm/profile-controller/templates/virtualservice.yaml b/kubeflow/helm/profile-controller/templates/virtualservice.yaml index c3739786b..40e43087a 100644 --- a/kubeflow/helm/profile-controller/templates/virtualservice.yaml +++ b/kubeflow/helm/profile-controller/templates/virtualservice.yaml @@ -29,6 +29,6 @@ spec: uri: / route: - destination: - host: {{ include "profile-controller.fullname" . }}-kfam.kubeflow.svc.{{ .Values.global.clusterDomain }} + host: {{ include "profile-controller.fullname" . }}-kfam.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }} port: number: {{ .Values.service.kfam.port }} diff --git a/kubeflow/helm/serving/templates/web-app/virtualservice.yaml b/kubeflow/helm/serving/templates/web-app/virtualservice.yaml index f2e46e568..0f19ebdfa 100644 --- a/kubeflow/helm/serving/templates/web-app/virtualservice.yaml 
+++ b/kubeflow/helm/serving/templates/web-app/virtualservice.yaml @@ -29,6 +29,6 @@ spec: uri: / route: - destination: - host: {{ include "serving.fullname" . }}-web-app.kubeflow.svc.{{ .Values.global.clusterDomain }} + host: {{ include "serving.fullname" . }}-web-app.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }} port: number: {{ .Values.webApp.service.port }} diff --git a/kubeflow/helm/tensorboards/templates/web-app/virtualservice.yaml b/kubeflow/helm/tensorboards/templates/web-app/virtualservice.yaml index a3593463c..c22dfa8a0 100644 --- a/kubeflow/helm/tensorboards/templates/web-app/virtualservice.yaml +++ b/kubeflow/helm/tensorboards/templates/web-app/virtualservice.yaml @@ -29,6 +29,6 @@ spec: uri: / route: - destination: - host: {{ include "tensorboards.fullname" . }}-web-app.kubeflow.svc.{{ .Values.global.clusterDomain }} + host: {{ include "tensorboards.fullname" . }}-web-app.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }} port: number: {{ .Values.webApp.service.port }} diff --git a/kubeflow/helm/volumes/templates/web-app/virtualservice.yaml b/kubeflow/helm/volumes/templates/web-app/virtualservice.yaml index 55a23fd12..60cfd041f 100644 --- a/kubeflow/helm/volumes/templates/web-app/virtualservice.yaml +++ b/kubeflow/helm/volumes/templates/web-app/virtualservice.yaml @@ -29,6 +29,6 @@ spec: uri: / route: - destination: - host: {{ include "volumes.fullname" . }}-web-app.kubeflow.svc.{{ .Values.global.clusterDomain }} + host: {{ include "volumes.fullname" . }}-web-app.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }} port: number: {{ .Values.webApp.service.port }} From 90d86900337e53fe5c052fa77dd935817479f475 Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Fri, 15 Sep 2023 14:22:57 +0200 Subject: [PATCH 10/32] update tensorboards 
Signed-off-by: David van der Spek --- kubeflow/helm/notebooks/Chart.yaml | 2 +- .../templates/controller/deployment.yaml | 11 +-- kubeflow/helm/tensorboards/Chart.yaml | 2 +- .../{clusterrole.yaml => cluster-role.yaml} | 25 ++----- .../controller/clusterrolebinding.yaml | 14 ---- .../templates/controller/configmap.yaml | 4 +- .../templates/controller/deployment.yaml | 14 ++-- .../templates/controller/role.yaml | 9 ++- .../web-app/authorizationpolicy.yaml | 2 +- .../templates/web-app/cluster-role.yaml | 54 +++++++++++++++ .../templates/web-app/configmap.yaml | 1 + .../templates/web-app/destination-rule.yaml | 14 ++++ ...rrole.yaml => kubeflow-cluster-roles.yaml} | 69 +++++-------------- kubeflow/helm/tensorboards/values.yaml | 22 +++--- 14 files changed, 135 insertions(+), 108 deletions(-) rename kubeflow/helm/tensorboards/templates/controller/{clusterrole.yaml => cluster-role.yaml} (75%) create mode 100644 kubeflow/helm/tensorboards/templates/web-app/cluster-role.yaml create mode 100644 kubeflow/helm/tensorboards/templates/web-app/destination-rule.yaml rename kubeflow/helm/tensorboards/templates/web-app/{clusterrole.yaml => kubeflow-cluster-roles.yaml} (58%) diff --git a/kubeflow/helm/notebooks/Chart.yaml b/kubeflow/helm/notebooks/Chart.yaml index b0fdead30..5ebffc1e6 100644 --- a/kubeflow/helm/notebooks/Chart.yaml +++ b/kubeflow/helm/notebooks/Chart.yaml @@ -3,4 +3,4 @@ name: notebooks description: A Helm chart for Kubernetes type: application version: 0.1.27 -appVersion: "1.5.0" \ No newline at end of file +appVersion: "v1.8.0-rc.0" diff --git a/kubeflow/helm/notebooks/templates/controller/deployment.yaml b/kubeflow/helm/notebooks/templates/controller/deployment.yaml index 43b67b3e7..6faffbdfc 100644 --- a/kubeflow/helm/notebooks/templates/controller/deployment.yaml +++ b/kubeflow/helm/notebooks/templates/controller/deployment.yaml 
@@ -39,16 +39,19 @@ spec: - name: metrics containerPort: 8080 protocol: TCP + - name: probe + containerPort: 8081 + protocol: TCP livenessProbe: httpGet: - path: /metrics - port: metrics + path: /healthz + port: probe initialDelaySeconds: 30 periodSeconds: 30 readinessProbe: httpGet: - path: /metrics - port: metrics + path: /readyz + port: probe resources: {{- toYaml .Values.controller.resources | nindent 12 }} envFrom: diff --git a/kubeflow/helm/tensorboards/Chart.yaml b/kubeflow/helm/tensorboards/Chart.yaml index 724f95f8b..08103d5a9 100644 --- a/kubeflow/helm/tensorboards/Chart.yaml +++ b/kubeflow/helm/tensorboards/Chart.yaml @@ -3,4 +3,4 @@ name: tensorboards description: A Helm chart for Kubernetes type: application version: 0.1.11 -appVersion: "1.3.0" +appVersion: "v1.8.0-rc.0" diff --git a/kubeflow/helm/tensorboards/templates/controller/clusterrole.yaml b/kubeflow/helm/tensorboards/templates/controller/cluster-role.yaml similarity index 75% rename from kubeflow/helm/tensorboards/templates/controller/clusterrole.yaml rename to kubeflow/helm/tensorboards/templates/controller/cluster-role.yaml index 4151e0eb9..b4482314e 100644 --- a/kubeflow/helm/tensorboards/templates/controller/clusterrole.yaml +++ b/kubeflow/helm/tensorboards/templates/controller/cluster-role.yaml @@ -65,27 +65,14 @@ rules: - apiGroups: - tensorboard.kubeflow.org resources: - - tensorboards/status + - tensorboards/finalizers verbs: - - get - - patch - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: {{- include "tensorboards.labels" . | nindent 4 }} - name: {{ include "tensorboards.fullname" . }}-controller-proxy-cluster-role -rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - apiGroups: - - authorization.k8s.io + - tensorboard.kubeflow.org resources: - - subjectaccessreviews + - tensorboards/status verbs: - - create + - get + - patch + - update 
diff --git a/kubeflow/helm/tensorboards/templates/controller/clusterrolebinding.yaml b/kubeflow/helm/tensorboards/templates/controller/clusterrolebinding.yaml index bc4b4361a..416198fd4 100644 --- a/kubeflow/helm/tensorboards/templates/controller/clusterrolebinding.yaml +++ b/kubeflow/helm/tensorboards/templates/controller/clusterrolebinding.yaml @@ -11,17 +11,3 @@ subjects: - kind: ServiceAccount name: {{ include "tensorboards.serviceAccountName" . }}-controller namespace: {{ .Release.Namespace }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: {{- include "tensorboards.labels" . | nindent 4 }} - name: {{ include "tensorboards.fullname" . }}-controller-proxy-cluster-role-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "tensorboards.fullname" . }}-controller-proxy-cluster-role -subjects: - - kind: ServiceAccount - name: {{ include "tensorboards.serviceAccountName" . }}-controller - namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/tensorboards/templates/controller/configmap.yaml b/kubeflow/helm/tensorboards/templates/controller/configmap.yaml index faa412c96..0037a9361 100644 --- a/kubeflow/helm/tensorboards/templates/controller/configmap.yaml +++ b/kubeflow/helm/tensorboards/templates/controller/configmap.yaml @@ -1,10 +1,12 @@ apiVersion: v1 data: - {{ if eq .Values.controller.rwoScheduling.enabled false }} + {{ if eq .Values.controller.config.rwoScheduling.enabled false }} RWO_PVC_SCHEDULING: "False" {{ else }} RWO_PVC_SCHEDULING: "True" {{ end }} + ISTIO_GATEWAY: {{ .Values.controller.config.istioGateway }} + TENSORBOARD_IMAGE: {{ .Values.controller.config.tensorboardImage }} kind: ConfigMap metadata: name: {{ include "tensorboards.fullname" . }}-controller-config diff --git a/kubeflow/helm/tensorboards/templates/controller/deployment.yaml b/kubeflow/helm/tensorboards/templates/controller/deployment.yaml index 5cd2a8e68..96898e597 100644 
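Review bot: In `controller/configmap.yaml` the two added keys `ISTIO_GATEWAY` and `TENSORBOARD_IMAGE` render their values unquoted, so an override that YAML reads as a number, boolean or null (or an empty value) yields a non-string `data` entry and the ConfigMap fails validation. Pipe both through `quote`, as the web-app ConfigMap in this chart already does for `USERID_PREFIX`: `ISTIO_GATEWAY: {{ .Values.controller.config.istioGateway | quote }}` and `TENSORBOARD_IMAGE: {{ .Values.controller.config.tensorboardImage | quote }}`. The `rwoScheduling` lookup also moved under `controller.config`, so existing overrides at the old `controller.rwoScheduling.enabled` path are no longer read; that deserves a line in the upgrade notes.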
--- a/kubeflow/helm/tensorboards/templates/controller/deployment.yaml +++ b/kubeflow/helm/tensorboards/templates/controller/deployment.yaml @@ -34,23 +34,23 @@ spec: {{- toYaml .Values.controller.securityContext | nindent 12 }} image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.controller.image.pullPolicy }} - args: - - --metrics-addr=0.0.0.0:8080 - - --enable-leader-election command: - /manager ports: - name: metrics containerPort: 8080 protocol: TCP + - name: probe + containerPort: 8081 + protocol: TCP livenessProbe: httpGet: - path: /metrics - port: metrics + path: /healthz + port: probe readinessProbe: httpGet: - path: /metrics - port: metrics + path: /readyz + port: probe resources: {{- toYaml .Values.controller.resources | nindent 12 }} envFrom: diff --git a/kubeflow/helm/tensorboards/templates/controller/role.yaml b/kubeflow/helm/tensorboards/templates/controller/role.yaml index 4098425be..83bad6943 100644 --- a/kubeflow/helm/tensorboards/templates/controller/role.yaml +++ b/kubeflow/helm/tensorboards/templates/controller/role.yaml @@ -17,16 +17,21 @@ rules: - patch - delete - apiGroups: - - "" + - coordination.k8s.io resources: - - configmaps/status + - leases verbs: - get + - list + - watch + - create - update - patch + - delete - apiGroups: - "" resources: - events verbs: - create + - patch diff --git a/kubeflow/helm/tensorboards/templates/web-app/authorizationpolicy.yaml b/kubeflow/helm/tensorboards/templates/web-app/authorizationpolicy.yaml index 9a9b48b3a..4cb9fb07b 100644 --- a/kubeflow/helm/tensorboards/templates/web-app/authorizationpolicy.yaml +++ b/kubeflow/helm/tensorboards/templates/web-app/authorizationpolicy.yaml 
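Review bot: The controller `args` block is removed in `controller/deployment.yaml` without a replacement, so `--enable-leader-election` is gone while `controller/role.yaml` in the same commit adds full `leases` access in `coordination.k8s.io`. If the v1.8.0-rc.0 manager leaves leader election off by default (not visible here), the lease rule is unused privilege, and raising `replicaCount` would run two reconcilers at once. Either pass the manager's current leader-election flag in `args`, or drop the `leases` rule until it is needed. The container spec continues outside the hunk.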
@@ -1,8 +1,8 @@ apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: - labels: {{- include "tensorboards.labels" . | nindent 4 }} name: {{ include "tensorboards.fullname" . }}-web-app + labels: {{- include "tensorboards.labels" . | nindent 4 }} spec: action: ALLOW rules: diff --git a/kubeflow/helm/tensorboards/templates/web-app/cluster-role.yaml b/kubeflow/helm/tensorboards/templates/web-app/cluster-role.yaml new file mode 100644 index 000000000..d59dbe4d2 --- /dev/null +++ b/kubeflow/helm/tensorboards/templates/web-app/cluster-role.yaml @@ -0,0 +1,54 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: {{- include "tensorboards.labels" . | nindent 4 }} + name: {{ include "tensorboards.fullname" . }}-web-app-cluster-role +rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - apiGroups: + - tensorboard.kubeflow.org + resources: + - tensorboards + - tensorboards/finalizers + verbs: + - get + - list + - create + - delete + - apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - create + - delete + - get + - list + - apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch + - apiGroups: + - kubeflow.org + resources: + - poddefaults + verbs: + - get + - list + - watch diff --git a/kubeflow/helm/tensorboards/templates/web-app/configmap.yaml b/kubeflow/helm/tensorboards/templates/web-app/configmap.yaml index 8346f9f51..9b754aede 100644 --- a/kubeflow/helm/tensorboards/templates/web-app/configmap.yaml +++ b/kubeflow/helm/tensorboards/templates/web-app/configmap.yaml 
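Review bot: The new `web-app/cluster-role.yaml` gives the web-app service account `create` and `delete` on `persistentvolumeclaims` and `tensorboards` in every namespace, and nothing in the file says what bounds that. Presumably the app authorizes each request for the end user through the `subjectaccessreviews` rule before acting; please state that in a comment above `rules:`, for example `# Cluster-wide on purpose: the web app acts for the logged-in user and checks each call with a SubjectAccessReview`. The `tensorboards/finalizers` entry shares `get`/`list`/`create`/`delete` with `tensorboards`, whereas the controller role in this commit grants only `update` on that subresource. Consider removing it from the web-app role if the web app never touches finalizers.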
@@ -3,6 +3,7 @@ data: APP_PREFIX: {{ .Values.webApp.virtualService.prefix }} USERID_HEADER: {{ .Values.global.userIDHeader }} USERID_PREFIX: {{ .Values.global.userIDPrefix | quote }} + APP_SECURE_COOKIES: "true" # TODO: don't hardcode this kind: ConfigMap metadata: labels: {{- include "tensorboards.labels" . | nindent 4 }} diff --git a/kubeflow/helm/tensorboards/templates/web-app/destination-rule.yaml b/kubeflow/helm/tensorboards/templates/web-app/destination-rule.yaml new file mode 100644 index 000000000..63102d4e6 --- /dev/null +++ b/kubeflow/helm/tensorboards/templates/web-app/destination-rule.yaml @@ -0,0 +1,14 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ include "tensorboards.fullname" . }}-web-app + labels: {{- include "tensorboards.labels" . | nindent 4 }} + {{- with .Values.webApp.virtualService.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + host: {{ include "tensorboards.fullname" . }}-web-app.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }} + trafficPolicy: + tls: + mode: ISTIO_MUTUAL diff --git a/kubeflow/helm/tensorboards/templates/web-app/clusterrole.yaml b/kubeflow/helm/tensorboards/templates/web-app/kubeflow-cluster-roles.yaml similarity index 58% rename from kubeflow/helm/tensorboards/templates/web-app/clusterrole.yaml rename to kubeflow/helm/tensorboards/templates/web-app/kubeflow-cluster-roles.yaml index 62d880261..3fbe44a66 100644 --- a/kubeflow/helm/tensorboards/templates/web-app/clusterrole.yaml +++ b/kubeflow/helm/tensorboards/templates/web-app/kubeflow-cluster-roles.yaml 
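Review bot: `APP_SECURE_COOKIES: "true"` in `web-app/configmap.yaml` is the safe setting, and the TODO should be resolved without weakening it. When this becomes a value, keep `true` as the default in `values.yaml` and render it with `quote` (under a proposed key such as `webApp.secureCookies`) rather than with `default true`, because Helm's `default` treats an explicit `false` as empty and would silently ignore the override. A short comment beside the key saying that `false` is only for clusters served without TLS would help. `APP_PREFIX` and `USERID_HEADER` on the context lines above are also unquoted, unlike `USERID_PREFIX`.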
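Review bot: The new `web-app/destination-rule.yaml` sets `tls.mode: ISTIO_MUTUAL`, which only configures how mesh clients connect to this host; it does not make the web-app pods refuse plaintext. If the intent is to require mTLS, a `PeerAuthentication` with `mtls.mode: STRICT` for the namespace or workload is needed as well; none is visible in this commit, so it may exist elsewhere. The `annotations` block reuses `.Values.webApp.virtualService.annotations`, so annotations meant for the VirtualService will also land on the DestinationRule; a separate value would be clearer.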
@@ -1,56 +1,9 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole -metadata: - labels: {{- include "tensorboards.labels" . | nindent 4 }} - name: {{ include "tensorboards.fullname" . }}-web-app-cluster-role -rules: - - apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create - - apiGroups: - - tensorboard.kubeflow.org - resources: - - tensorboards - - tensorboards/finalizers - verbs: - - get - - list - - create - - delete - - apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - create - - delete - - get - - list - - apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole metadata: labels: {{- include "tensorboards.labels" . | nindent 4 }} rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" - name: tensorboards-web-app-kubeflow-tensorboard-ui-admin + name: {{ include "tensorboards.fullname" . }}-web-app-kubeflow-tensorboard-ui-admin rules: [] --- apiVersion: rbac.authorization.k8s.io/v1 @@ -58,7 +11,7 @@ kind: ClusterRole metadata: labels: {{- include "tensorboards.labels" . | nindent 4 }} rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" - name: tensorboards-web-app-kubeflow-tensorboard-ui-edit + name: {{ include "tensorboards.fullname" . }}-web-app-kubeflow-tensorboard-ui-edit rules: - apiGroups: - tensorboard.kubeflow.org 
@@ -70,13 +23,21 @@ rules: - list - create - delete + - apiGroups: + - kubeflow.org + resources: + - poddefaults + verbs: + - get + - list + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: {{- include "tensorboards.labels" . | nindent 4 }} rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" - name: tensorboards-web-app-kubeflow-tensorboard-ui-view + name: {{ include "tensorboards.fullname" . }}-web-app-kubeflow-tensorboard-ui-view rules: - apiGroups: - tensorboard.kubeflow.org @@ -94,3 +55,11 @@ rules: - get - list - watch + - apiGroups: + - kubeflow.org + resources: + - poddefaults + verbs: + - get + - list + - watch diff --git a/kubeflow/helm/tensorboards/values.yaml b/kubeflow/helm/tensorboards/values.yaml index a9491611b..a2102e5d0 100644 --- a/kubeflow/helm/tensorboards/values.yaml +++ b/kubeflow/helm/tensorboards/values.yaml @@ -30,10 +30,10 @@ serviceAccount: webApp: replicaCount: 1 image: - repository: public.ecr.aws/j1r0q0g6/notebooks/tensorboards-web-app + repository: docker.io/kubeflownotebookswg/tensorboards-web-app pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: v1.3.0 + tag: v1.8.0-rc.0 podAnnotations: sidecar.istio.io/inject: "true" @@ -84,16 +84,19 @@ webApp: controller: - rwoScheduling: - enabled: true + config: + rwoScheduling: + enabled: true + istioGateway: kubeflow/kubeflow-gateway + tensorboardImage: tensorflow/tensorflow:2.5.1 replicaCount: 1 image: - repository: public.ecr.aws/j1r0q0g6/notebooks/tensorboard-controller + repository: docker.io/kubeflownotebookswg/tensorboard-controller pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: master-18264c8f + tag: v1.8.0-rc.0 podAnnotations: sidecar.istio.io/inject: "true" 
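Review bot: The image references in `tensorboards/values.yaml` are pinned by tag only: `tag: v1.8.0-rc.0` for `webApp.image` and `controller.image` (hunks at -30 and -84), and the new `tensorboardImage: tensorflow/tensorflow:2.5.1`, which also names no registry host and so resolves through the node's default registry. Tags can be re-pointed upstream, and `v1.8.0-rc.0` is a release candidate. Consider pinning by digest (`repository@sha256:<digest>`, where the digest is a placeholder not shown on this page), or at least writing the full `docker.io/tensorflow/tensorflow:2.5.1`, and moving to the final release tag once it exists. `tensorboardImage` is presumably the image the controller launches for each user's Tensorboard, so it deserves the same care as the controller image.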
@@ -103,10 +106,13 @@ controller: prometheus.io/scrape: "true" prometheus.io/path: /metrics - podSecurityContext: {} + podSecurityContext: + runAsNonRoot: true + runAsUser: 999 # fsGroup: 2000 - securityContext: {} + securityContext: + allowPrivilegeEscalation: false # capabilities: # drop: # - ALL From 431628b47e2162c341633727372da167db8e1c25 Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Fri, 15 Sep 2023 15:43:42 +0200 Subject: [PATCH 11/32] update volumes + use upstream pvc viewer controller 
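Review bot: The controller hardening in `tensorboards/values.yaml` stops halfway: `allowPrivilegeEscalation: false` is set, but the `capabilities` / `drop` / `ALL` lines directly below stay commented out and no seccomp profile is set. Uncomment the capability drop and add `seccompProfile:` with `type: RuntimeDefault` under `securityContext`; `readOnlyRootFilesystem: true` is worth trying if the manager writes nothing locally. `runAsUser: 999` has to match a user the `tensorboard-controller` image can run as, so a one-line comment saying where 999 comes from would help at the next image bump. The `webApp` security contexts are outside this hunk.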
Signed-off-by: David van der Spek --- .../mutatingwebhookconfiguration.yaml | 6 +- kubeflow/helm/volumes/Chart.yaml | 2 +- kubeflow/helm/volumes/crds/volumes_crds.yaml | 3182 ++++++++++++++++- .../templates/controller/certificate.yaml | 15 + .../{clusterrole.yaml => cluster-role.yaml} | 39 +- .../controller/clusterrolebinding.yaml | 14 - .../templates/controller/configmap.yaml | 11 - .../templates/controller/deployment.yaml | 30 +- .../mutatingwebhookconfiguration.yaml | 28 + .../volumes/templates/controller/role.yaml | 9 +- .../volumes/templates/controller/service.yaml | 6 +- .../validatingwebhookconfiguration.yaml | 28 + .../templates/web-app/cluster-role.yaml | 81 + .../volumes/templates/web-app/configmap.yaml | 49 +- .../volumes/templates/web-app/deployment.yaml | 9 +- .../templates/web-app/destination-rule.yaml | 14 + ...rrole.yaml => kubeflow-cluster-roles.yaml} | 88 +- kubeflow/helm/volumes/values.yaml | 24 +- 18 files changed, 3420 insertions(+), 215 deletions(-) create mode 100644 kubeflow/helm/volumes/templates/controller/certificate.yaml rename kubeflow/helm/volumes/templates/controller/{clusterrole.yaml => cluster-role.yaml} (69%) delete mode 100644 kubeflow/helm/volumes/templates/controller/configmap.yaml create mode 100644 kubeflow/helm/volumes/templates/controller/mutatingwebhookconfiguration.yaml create mode 100644 kubeflow/helm/volumes/templates/controller/validatingwebhookconfiguration.yaml create mode 100644 kubeflow/helm/volumes/templates/web-app/cluster-role.yaml create mode 100644 kubeflow/helm/volumes/templates/web-app/destination-rule.yaml rename kubeflow/helm/volumes/templates/web-app/{clusterrole.yaml => kubeflow-cluster-roles.yaml} (52%) diff --git a/kubeflow/helm/notebooks/templates/pod-defaults/mutatingwebhookconfiguration.yaml b/kubeflow/helm/notebooks/templates/pod-defaults/mutatingwebhookconfiguration.yaml index 6e38679d9..27df36b7b 100644 --- a/kubeflow/helm/notebooks/templates/pod-defaults/mutatingwebhookconfiguration.yaml 
+++ b/kubeflow/helm/notebooks/templates/pod-defaults/mutatingwebhookconfiguration.yaml @@ -4,7 +4,7 @@ metadata: annotations: cert-manager.io/inject-ca-from: kubeflow/{{ include "notebooks.fullname" . }}-pod-defaults-certs labels: {{- include "notebooks.labels" . | nindent 4 }} - name: admission-webhook-mutating-webhook-configuration + name: poddefaults.kubeflow.org webhooks: - clientConfig: caBundle: "" @@ -12,8 +12,8 @@ webhooks: name: {{ include "notebooks.fullname" . }}-pod-defaults namespace: {{ .Release.Namespace }} path: /apply-poddefault - name: admission-webhook-deployment.kubeflow.org - admissionReviewVersions: ["v1beta1"] + name: {{ include "notebooks.fullname" . }}-pod-defaults.kubeflow.org + admissionReviewVersions: ["v1beta1", "v1"] sideEffects: None namespaceSelector: matchLabels: diff --git a/kubeflow/helm/volumes/Chart.yaml b/kubeflow/helm/volumes/Chart.yaml index 283027434..2ae85f54c 100644 --- a/kubeflow/helm/volumes/Chart.yaml +++ b/kubeflow/helm/volumes/Chart.yaml @@ -3,4 +3,4 @@ name: volumes description: A Helm chart for Kubernetes type: application version: 0.1.10 -appVersion: "1.3.0" +appVersion: "v1.8.0-rc.0" diff --git a/kubeflow/helm/volumes/crds/volumes_crds.yaml b/kubeflow/helm/volumes/crds/volumes_crds.yaml index 1ba226507..642540334 100644 --- a/kubeflow/helm/volumes/crds/volumes_crds.yaml +++ b/kubeflow/helm/volumes/crds/volumes_crds.yaml @@ -1,13 +1,11 @@ ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.8.0 - creationTimestamp: null - name: pvcviewers.pvcviewer.kubeflow.org + controller-gen.kubebuilder.io/version: v0.10.0 + name: pvcviewers.kubeflow.org spec: - group: pvcviewer.kubeflow.org + group: kubeflow.org names: kind: PVCViewer listKind: PVCViewerList 
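Review bot: In `pod-defaults/mutatingwebhookconfiguration.yaml` the context line `cert-manager.io/inject-ca-from: kubeflow/{{ include "notebooks.fullname" . }}-pod-defaults-certs` still hard-codes the `kubeflow` namespace, while the webhook's service `namespace` in the second hunk uses `{{ .Release.Namespace }}`. In a release installed elsewhere, cert-manager would look for the Certificate in the wrong namespace, `caBundle` would stay empty and the API server could not verify the webhook. Use `cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "notebooks.fullname" . }}-pod-defaults-certs`, matching the namespace change made to the VirtualServices earlier in this series. In the second hunk, `admissionReviewVersions: ["v1beta1", "v1"]` lists `v1beta1` first and the API server uses the first version it supports, so put `v1` first if the webhook handles it.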
@@ -18,74 +16,3172 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: PVCViewer is the Schema for the pvcviewers API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: - description: PVCViewerSpec defines the desired state of PVCViewer properties: - pvcname: - description: 'INSERT ADDITIONAL SPEC FIELDS - desired state of cluster - Important: Run "make" to regenerate code after modifying this file' - type: string - viewerimage: + networking: + properties: + basePrefix: + type: string + rewrite: + type: string + targetPort: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + timeout: + type: string + type: object + podSpec: + properties: + activeDeadlineSeconds: + format: int64 + type: integer + affinity: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: 
atomic + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + 
properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: 
+ items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + automountServiceAccountToken: + type: boolean + containers: + items: + properties: + args: + items: + type: string + type: array + command: + items: + type: string + type: array + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + 
required: + - name + type: object + type: array + envFrom: + items: + properties: + configMapRef: + properties: + name: + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + type: string + secretRef: + properties: + name: + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + grpc: + 
properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + default: TCP + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + 
initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + startupProbe: + properties: + exec: + properties: + command: + items: + type: string 
+ type: array + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + subPath: + type: string + subPathExpr: + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + type: string + required: + - name + type: object + type: array + dnsConfig: + properties: + nameservers: + items: + type: string + type: array + options: + items: + properties: + name: + type: string + value: + type: string + type: object + type: array + searches: + items: + type: string + type: array + type: object + dnsPolicy: + type: string + 
enableServiceLinks: + type: boolean + ephemeralContainers: + items: + properties: + args: + items: + type: string + type: array + command: + items: + type: string + type: array + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + items: + properties: + configMapRef: + properties: + name: + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + type: string + secretRef: + properties: + name: + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + 
- type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + 
terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + default: TCP + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + 
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + startupProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: 
string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + targetContainerName: + type: string + terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + subPath: + type: string + subPathExpr: + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + type: string + required: + - name + type: object + type: array + hostAliases: + items: + properties: + hostnames: + items: + type: string + type: array + ip: + type: string + type: object + type: array + hostIPC: + type: boolean + hostNetwork: + type: boolean + hostPID: + type: boolean + hostUsers: + type: boolean + hostname: + type: string + imagePullSecrets: + items: + properties: + name: + type: string + type: object + x-kubernetes-map-type: atomic + type: array + initContainers: + items: + properties: + args: + items: + type: string + type: array + command: + items: + type: string + type: array + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - 
type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + items: + properties: + configMapRef: + properties: + name: + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + type: string + secretRef: + properties: + name: + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + 
x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + default: TCP + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + 
port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + 
type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + startupProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + subPath: + type: string + 
subPathExpr: + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + type: string + required: + - name + type: object + type: array + nodeName: + type: string + nodeSelector: + additionalProperties: + type: string + type: object + x-kubernetes-map-type: atomic + os: + properties: + name: + type: string + required: + - name + type: object + overhead: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + preemptionPolicy: + type: string + priority: + format: int32 + type: integer + priorityClassName: + type: string + readinessGates: + items: + properties: + conditionType: + type: string + required: + - conditionType + type: object + type: array + restartPolicy: + type: string + runtimeClassName: + type: string + schedulerName: + type: string + securityContext: + properties: + fsGroup: + format: int64 + type: integer + fsGroupChangePolicy: + type: string + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + supplementalGroups: + items: + format: int64 + type: integer + type: array + sysctls: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + serviceAccount: + type: string + serviceAccountName: + type: string + setHostnameAsFQDN: + 
type: boolean + shareProcessNamespace: + type: boolean + subdomain: + type: string + terminationGracePeriodSeconds: + format: int64 + type: integer + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + topologySpreadConstraints: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + format: int32 + type: integer + minDomains: + format: int32 + type: integer + nodeAffinityPolicy: + type: string + nodeTaintsPolicy: + type: string + topologyKey: + type: string + whenUnsatisfiable: + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + x-kubernetes-list-map-keys: + - topologyKey + - whenUnsatisfiable + x-kubernetes-list-type: map + volumes: + items: + properties: + awsElasticBlockStore: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + azureDisk: + properties: + cachingMode: + type: string + diskName: + type: string + diskURI: + type: string + fsType: + type: string + kind: + type: string + readOnly: + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + properties: + readOnly: + type: boolean + secretName: + type: string + shareName: + type: string + required: + - secretName + - shareName + type: object + cephfs: + properties: + monitors: + items: + type: string + type: array + path: + 
type: string + readOnly: + type: boolean + secretFile: + type: string + secretRef: + properties: + name: + type: string + type: object + x-kubernetes-map-type: atomic + user: + type: string + required: + - monitors + type: object + cinder: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + type: string + required: + - volumeID + type: object + configMap: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + name: + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + properties: + driver: + type: string + fsType: + type: string + nodePublishSecretRef: + properties: + name: + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + type: boolean + volumeAttributes: + additionalProperties: + type: string + type: object + required: + - driver + type: object + downwardAPI: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + emptyDir: + properties: + medium: + type: string + sizeLimit: + anyOf: + - type: integer 
+ - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + properties: + volumeClaimTemplate: + properties: + metadata: + type: object + spec: + properties: + accessModes: + items: + type: string + type: array + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + resources: + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + required: + - spec + type: object + type: object + fc: + properties: + fsType: + type: string + lun: + format: int32 + type: integer + readOnly: + type: boolean + targetWWNs: + items: + type: string + type: array + wwids: + items: + type: string + type: array + type: object + 
flexVolume: + properties: + driver: + type: string + fsType: + type: string + options: + additionalProperties: + type: string + type: object + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + properties: + datasetName: + type: string + datasetUUID: + type: string + type: object + gcePersistentDisk: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + pdName: + type: string + readOnly: + type: boolean + required: + - pdName + type: object + gitRepo: + properties: + directory: + type: string + repository: + type: string + revision: + type: string + required: + - repository + type: object + glusterfs: + properties: + endpoints: + type: string + path: + type: string + readOnly: + type: boolean + required: + - endpoints + - path + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + iscsi: + properties: + chapAuthDiscovery: + type: boolean + chapAuthSession: + type: boolean + fsType: + type: string + initiatorName: + type: string + iqn: + type: string + iscsiInterface: + type: string + lun: + format: int32 + type: integer + portals: + items: + type: string + type: array + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + type: string + nfs: + properties: + path: + type: string + readOnly: + type: boolean + server: + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + properties: + claimName: + type: string + readOnly: + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + properties: + fsType: + type: string + pdID: + type: string + required: + - pdID + type: object + portworxVolume: + properties: + fsType: + 
type: string + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + projected: + properties: + defaultMode: + format: int32 + type: integer + sources: + items: + properties: + configMap: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + name: + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + properties: + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + secret: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + name: + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + properties: + audience: + type: string + expirationSeconds: + format: int64 + type: integer + path: + type: string + required: + - path + type: object + type: object + type: array + type: object + quobyte: + properties: + group: + type: string + readOnly: + type: boolean + registry: + type: string + tenant: + type: string + user: + type: string + volume: + type: string + required: + - registry + - volume + type: object + rbd: + 
properties: + fsType: + type: string + image: + type: string + keyring: + type: string + monitors: + items: + type: string + type: array + pool: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + x-kubernetes-map-type: atomic + user: + type: string + required: + - image + - monitors + type: object + scaleIO: + properties: + fsType: + type: string + gateway: + type: string + protectionDomain: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + type: boolean + storageMode: + type: string + storagePool: + type: string + system: + type: string + volumeName: + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + optional: + type: boolean + secretName: + type: string + type: object + storageos: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + type: string + volumeNamespace: + type: string + type: object + vsphereVolume: + properties: + fsType: + type: string + storagePolicyID: + type: string + storagePolicyName: + type: string + volumePath: + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + required: + - containers + type: object + pvc: type: string + rwoScheduling: + default: false + type: boolean required: - - pvcname - - viewerimage + - pvc + - rwoScheduling type: object status: - description: PVCViewerStatus defines the observed state of PVCViewer properties: conditions: - description: Conditions is an array of current conditions items: - description: 
PVCViewerCondition defines the observed state of PVCViewer properties: - deploymentState: - description: Deployment status, 'Available', 'Progressing', - 'ReplicaFailure' . + lastTransitionTime: + format: date-time type: string - lastProbeTime: - description: Last time we probed the condition. + lastUpdateTime: format: date-time type: string + message: + type: string + reason: + type: string + status: + type: string + type: + type: string required: - - deploymentState + - status + - type type: object type: array ready: + default: false type: boolean - readyReplicas: - description: ReadyReplicas defines the number of PVCViewer Servers - that are available to connect. The value of ReadyReplicas can be - either 0 or 1 - format: int32 - type: integer + url: + type: string required: - - conditions - ready - - readyReplicas type: object type: object served: true storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/kubeflow/helm/volumes/templates/controller/certificate.yaml b/kubeflow/helm/volumes/templates/controller/certificate.yaml new file mode 100644 index 000000000..47772d9a6 --- /dev/null +++ b/kubeflow/helm/volumes/templates/controller/certificate.yaml @@ -0,0 +1,15 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + labels: {{- include "volumes.labels" . | nindent 4 }} + name: {{ include "volumes.fullname" . }}-controller-certs +spec: + commonName: {{ include "volumes.fullname" . }}-controller.{{ .Release.Namespace }}.svc + dnsNames: + - {{ include "volumes.fullname" . }}-controller.{{ .Release.Namespace }}.svc + - {{ include "volumes.fullname" . }}-controller.{{ .Release.Namespace }}.svc.cluster.local + isCA: true + issuerRef: + kind: ClusterIssuer + name: kubeflow-self-signing-issuer + secretName: {{ include "volumes.fullname" . }}-controller-certs 
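Review bot: `isCA: true` in the new `certificate.yaml` marks the controller's webhook serving certificate as a CA, so the private key written to the `…-controller-certs` secret (which the deployment change in this patch mounts into the manager pod) is able to sign further certificates that chain to whatever CA bundle clients of the webhook are given. A serving certificate for the two `.svc` DNS names does not need that capability. Unless some other resource uses this certificate as an issuer (nothing visible here does), drop the line or set `isCA: false`, and consider restricting it with `usages: ["server auth"]`. The issuer `kubeflow-self-signing-issuer` is defined outside this diff, so it is worth confirming the resulting chain is still what the webhook configuration expects.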
diff --git a/kubeflow/helm/volumes/templates/controller/clusterrole.yaml b/kubeflow/helm/volumes/templates/controller/cluster-role.yaml similarity index 69% rename from kubeflow/helm/volumes/templates/controller/clusterrole.yaml rename to kubeflow/helm/volumes/templates/controller/cluster-role.yaml index 0aa6f0f13..e167c8724 100644 --- a/kubeflow/helm/volumes/templates/controller/clusterrole.yaml +++ b/kubeflow/helm/volumes/templates/controller/cluster-role.yaml @@ -41,51 +41,38 @@ rules: - update - watch - apiGroups: - - networking.istio.io + - kubeflow.org resources: - - virtualservices + - pvcviewers verbs: - create + - delete - get - list + - patch - update - watch - apiGroups: - - pvcviewer.kubeflow.org + - kubeflow.org resources: - - pvcviewers + - pvcviewers/finalizers verbs: - - create - - delete - - get - - list - - patch - update - - watch - apiGroups: - - pvcviewer.kubeflow.org + - kubeflow.org resources: - pvcviewers/status verbs: - get - patch - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: {{- include "volumes.labels" . | nindent 4 }} - name: {{ include "volumes.fullname" . }}-controller-proxy-cluster-role -rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - apiGroups: - - authorization.k8s.io + - networking.istio.io resources: - - subjectaccessreviews + - virtualservices verbs: - create + - get + - list + - update + - watch diff --git a/kubeflow/helm/volumes/templates/controller/clusterrolebinding.yaml b/kubeflow/helm/volumes/templates/controller/clusterrolebinding.yaml index 0a58ec19d..3a0c1a0f2 100644 --- a/kubeflow/helm/volumes/templates/controller/clusterrolebinding.yaml +++ b/kubeflow/helm/volumes/templates/controller/clusterrolebinding.yaml 
@@ -11,17 +11,3 @@ subjects: - kind: ServiceAccount name: {{ include "volumes.serviceAccountName" . }}-controller namespace: {{ .Release.Namespace }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: {{- include "volumes.labels" . | nindent 4 }} - name: {{ include "volumes.fullname" . }}-controller-proxy-cluster-role-role-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "volumes.fullname" . }}-controller-proxy-cluster-role -subjects: - - kind: ServiceAccount - name: {{ include "volumes.serviceAccountName" . }}-controller - namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/volumes/templates/controller/configmap.yaml b/kubeflow/helm/volumes/templates/controller/configmap.yaml deleted file mode 100644 index 90f1409fe..000000000 --- a/kubeflow/helm/volumes/templates/controller/configmap.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -data: - {{ if eq .Values.controller.rwoScheduling.enabled false }} - RWO_PVC_SCHEDULING: "False" - {{ else }} - RWO_PVC_SCHEDULING: "True" - {{ end }} -kind: ConfigMap -metadata: - name: {{ include "volumes.fullname" . }}-controller-config - labels: {{- include "volumes.labels" . | nindent 4 }} diff --git a/kubeflow/helm/volumes/templates/controller/deployment.yaml b/kubeflow/helm/volumes/templates/controller/deployment.yaml index f7de6721e..dc092b1e8 100644 --- a/kubeflow/helm/volumes/templates/controller/deployment.yaml +++ b/kubeflow/helm/volumes/templates/controller/deployment.yaml 
@@ -35,27 +35,39 @@ spec: image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.controller.image.pullPolicy }} args: - - --metrics-addr=0.0.0.0:8080 - - --enable-leader-election + - --metrics-bind-address=0.0.0.0:8080 + - --leader-elect command: - /manager ports: + - name: webhook + containerPort: 9443 + protocol: TCP - name: metrics containerPort: 8080 protocol: TCP + - name: probe + containerPort: 8081 + protocol: TCP livenessProbe: httpGet: - path: /metrics - port: metrics + path: /healthz + port: probe readinessProbe: httpGet: - path: /metrics - port: metrics + path: /readyz + port: probe resources: {{- toYaml .Values.controller.resources | nindent 12 }} - envFrom: - - configMapRef: - name: {{ include "volumes.fullname" . }}-controller-config + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: {{ include "volumes.fullname" . }}-controller-certs {{- with .Values.controller.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/kubeflow/helm/volumes/templates/controller/mutatingwebhookconfiguration.yaml b/kubeflow/helm/volumes/templates/controller/mutatingwebhookconfiguration.yaml new file mode 100644 index 000000000..b71978559 --- /dev/null +++ b/kubeflow/helm/volumes/templates/controller/mutatingwebhookconfiguration.yaml 
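Review bot: `--metrics-bind-address=0.0.0.0:8080` exposes the controller metrics on every interface, and the Service publishes that port as `http-metrics` with no authentication in front of it that this chart shows. The same commit deletes the `-controller-proxy-cluster-role` (`tokenreviews`, `subjectaccessreviews`), which looks like the RBAC an authenticating metrics proxy would use, so the endpoint is presumably meant to stay open inside the cluster. I would either restrict it with a NetworkPolicy or Istio AuthorizationPolicy that admits only the scraper, or add a comment above the arg such as `# metrics are unauthenticated; access is limited by <policy name>`. The container spec begins and ends outside this hunk.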
@@ -0,0 +1,28 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: kubeflow/{{ include "volumes.fullname" . }}-controller-certs + name: pvcviewers.kubeflow.org + labels: {{- include "volumes.labels" . | nindent 4 }} +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: {{ include "volumes.fullname" . }}-controller + namespace: {{ .Release.Namespace }} + path: /mutate-kubeflow-org-v1alpha1-pvcviewer + failurePolicy: Fail + name: mpvcviewer.kb.io + rules: + - apiGroups: + - kubeflow.org + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - pvcviewers + sideEffects: None diff --git a/kubeflow/helm/volumes/templates/controller/role.yaml b/kubeflow/helm/volumes/templates/controller/role.yaml index 9c65e465f..b51271389 100644 --- a/kubeflow/helm/volumes/templates/controller/role.yaml +++ b/kubeflow/helm/volumes/templates/controller/role.yaml @@ -17,16 +17,21 @@ rules: - patch - delete - apiGroups: - - "" + - coordination.k8s.io resources: - - configmaps/status + - leases verbs: - get + - list + - watch + - create - update - patch + - delete - apiGroups: - "" resources: - events verbs: - create + - patch diff --git a/kubeflow/helm/volumes/templates/controller/service.yaml b/kubeflow/helm/volumes/templates/controller/service.yaml index dc01341c4..1f9f5666a 100644 --- a/kubeflow/helm/volumes/templates/controller/service.yaml +++ b/kubeflow/helm/volumes/templates/controller/service.yaml @@ -7,7 +7,11 @@ metadata: spec: type: ClusterIP ports: - - port: {{ .Values.controller.service.port }} + - port: {{ .Values.controller.service.webhook.port }} + targetPort: webhook + protocol: TCP + name: https-webhook + - port: {{ .Values.controller.service.metrics.port }} targetPort: metrics protocol: TCP name: http-metrics 
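Review bot: The `cert-manager.io/inject-ca-from` annotation hard-codes the `kubeflow` namespace, while the Certificate it points at is rendered without a namespace and `clientConfig.service` uses `{{ .Release.Namespace }}`. Installed into any other namespace, the CA bundle would never be injected and, with `failurePolicy: Fail`, every PVCViewer CREATE/UPDATE would be rejected. Use `cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "volumes.fullname" . }}-controller-certs`; the same line appears in validatingwebhookconfiguration.yaml. Both objects are also cluster-scoped with the fixed name `pvcviewers.kubeflow.org`, so a second release of the chart would collide with the first.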
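Review bot: The new `coordination.k8s.io` `leases` rule carries no `resourceNames`, so the controller's service account can update, patch and delete every Lease in the release namespace, including leader-election leases of other controllers that share it. Leader election needs write access to a single Lease. Splitting the rule so that `get`/`update`/`patch`/`delete` carry `resourceNames: ["<leader-election-id>"]` (placeholder; the id the manager uses is not shown on this page) while `create` stays unrestricted would narrow this. The Role's earlier rules are outside the hunk.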
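Review bot: The new `https-webhook` port is configurable through `.Values.controller.service.webhook.port`, but neither webhook configuration sets `clientConfig.service.port`, which defaults to 443. Any override other than 443 leaves the API server calling a port the Service does not expose, and with `failurePolicy: Fail` that blocks PVCViewer writes. Add `port: {{ .Values.controller.service.webhook.port }}` under `clientConfig.service` in both webhook files, or drop the value and hard-code 443 here. The rename from `controller.service.port` to `controller.service.metrics.port` also silently ignores existing overrides and deserves a line in the upgrade notes.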
diff --git a/kubeflow/helm/volumes/templates/controller/validatingwebhookconfiguration.yaml b/kubeflow/helm/volumes/templates/controller/validatingwebhookconfiguration.yaml new file mode 100644 index 000000000..eed4c9be2 --- /dev/null +++ b/kubeflow/helm/volumes/templates/controller/validatingwebhookconfiguration.yaml @@ -0,0 +1,28 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: kubeflow/{{ include "volumes.fullname" . }}-controller-certs + name: pvcviewers.kubeflow.org + labels: {{- include "volumes.labels" . | nindent 4 }} +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: {{ include "volumes.fullname" . }}-controller + namespace: {{ .Release.Namespace }} + path: /validate-kubeflow-org-v1alpha1-pvcviewer + failurePolicy: Fail + name: vpvcviewer.kb.io + rules: + - apiGroups: + - kubeflow.org + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - pvcviewers + sideEffects: None diff --git a/kubeflow/helm/volumes/templates/web-app/cluster-role.yaml b/kubeflow/helm/volumes/templates/web-app/cluster-role.yaml new file mode 100644 index 000000000..78fed2908 --- /dev/null +++ b/kubeflow/helm/volumes/templates/web-app/cluster-role.yaml 
@@ -0,0 +1,81 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: {{- include "volumes.labels" . | nindent 4 }} + name: {{ include "volumes.fullname" . }}-web-app-cluster-role +rules: + - apiGroups: + - "" + resources: + - namespaces + - pods + verbs: + - get + - list + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - create + - delete + - get + - list + - watch + - update + - patch + - apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshots + verbs: + - create + - delete + - get + - list + - watch + - update + - patch + - apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch + - apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshotclasses + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - list + - apiGroups: + - kubeflow.org + resources: + - notebooks + verbs: + - list + - apiGroups: + - kubeflow.org + resources: + - pvcviewers + verbs: + - get + - list + - create + - delete diff --git a/kubeflow/helm/volumes/templates/web-app/configmap.yaml b/kubeflow/helm/volumes/templates/web-app/configmap.yaml index 3644db239..66e8c146c 100644 --- a/kubeflow/helm/volumes/templates/web-app/configmap.yaml +++ b/kubeflow/helm/volumes/templates/web-app/configmap.yaml 
@@ -1,14 +1,43 @@ apiVersion: v1 data: - pvcviewer.yaml: | - apiVersion: pvcviewer.kubeflow.org/v1alpha1 - kind: PVCViewer - metadata: - name: {name} - namespace: {namespace} - spec: - viewerimage: davidspek/kubeflow-filebrowser:0.31 - pvcname: {name} + viewer-spec.yaml: | + # Note: the volumes-web-app allows expanding strings using ${VAR_NAME} + # You may use any environment variable. This lets us e.g. specify images that can be modified using kustomize's image transformer. + # Additionally, 'PVC_NAME', 'NAME' and 'NAMESPACE' are defined + # Name of the pvc is set by the volumes web app + pvc: $NAME + podTemplate: + containers: + - name: main + image: $VOLUME_VIEWER_IMAGE + env: + - name: FB_ADDRESS + value: "0.0.0.0" + - name: FB_PORT + value: "8080" + - name: FB_DATABASE + value: /tmp/filebrowser.db + - name: FB_NOAUTH + value: "true" + - name: FB_BASEURL + value: /pvcviewers/$NAMESPACE/$NAME/ # TODO: should this be configurable? + readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 2 + periodSeconds: 10 + # viewer-volume is provided automatically by the volumes web app + volumeMounts: + - name: viewer-volume + mountPath: /data + workingDir: /data + serviceAccountName: default-editor + networking: + targetPort: 8080 + basePrefix: "/pvcviewers" # TODO: should this be configurable? + rewrite: "/" + timeout: 30s + rwoScheduling: {{ .Values.config.rwoScheduling.enabled }} kind: ConfigMap metadata: labels: {{- include "volumes.labels" . | nindent 4 }} @@ -19,6 +48,8 @@ data: APP_PREFIX: {{ .Values.webApp.virtualService.prefix }} USERID_HEADER: {{ .Values.global.userIDHeader }} USERID_PREFIX: {{ .Values.global.userIDPrefix | quote }} + VOLUME_VIEWER_IMAGE: {{ .Values.config.volumeViewerImage.repository }}:{{ .Values.config.volumeViewerImage.tag }} + APP_SECURE_COOKIES: "true" # TODO: don't hardcode this kind: ConfigMap metadata: labels: {{- include "volumes.labels" . | nindent 4 }} 
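Review bot: `FB_NOAUTH: "true"` together with `FB_ADDRESS: "0.0.0.0"` means every viewer pod serves the mounted PVC without authentication to anything that can reach port 8080, so all access control rests on the mesh and the `/pvcviewers/$NAMESPACE/$NAME/` route. Nothing in this hunk shows a policy that limits direct pod-to-pod access. I would add a comment above the `env` block naming the control that is relied on, e.g. `# filebrowser auth is disabled; access must be restricted by the namespace AuthorizationPolicy`. The pod also runs as `serviceAccountName: default-editor`; if the file browser never calls the Kubernetes API, a less privileged account would be the safer default.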
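Review bot: `VOLUME_VIEWER_IMAGE` is rendered unquoted, unlike `USERID_PREFIX` just above it, so an empty `tag` yields a value ending in `:` that YAML does not read as a plain string and the ConfigMap fails to render. Quote the composed value: `VOLUME_VIEWER_IMAGE: {{ printf "%s:%s" .Values.config.volumeViewerImage.repository .Values.config.volumeViewerImage.tag | quote }}`. The hard-coded `APP_SECURE_COOKIES: "true"` is the safe setting; when the TODO is resolved, the value that replaces it should keep `"true"` as its default.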
diff --git a/kubeflow/helm/volumes/templates/web-app/deployment.yaml b/kubeflow/helm/volumes/templates/web-app/deployment.yaml index 4e5d1b8b2..020a52297 100644 --- a/kubeflow/helm/volumes/templates/web-app/deployment.yaml +++ b/kubeflow/helm/volumes/templates/web-app/deployment.yaml @@ -51,12 +51,13 @@ spec: - configMapRef: name: {{ include "volumes.fullname" . }}-web-app-parameters volumeMounts: - - mountPath: /etc/config - name: config-volume + - name: viewer-spec + mountPath: /etc/config/viewer-spec.yaml + subPath: viewer-spec.yaml volumes: - - configMap: + - name: viewer-spec + configMap: name: {{ include "volumes.fullname" . }}-web-app-config - name: config-volume {{- with .Values.webApp.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/kubeflow/helm/volumes/templates/web-app/destination-rule.yaml b/kubeflow/helm/volumes/templates/web-app/destination-rule.yaml new file mode 100644 index 000000000..eb4889756 --- /dev/null +++ b/kubeflow/helm/volumes/templates/web-app/destination-rule.yaml @@ -0,0 +1,14 @@ +apiVersion: networking.istio.io/v1alpha3 +kind: DestinationRule +metadata: + name: {{ include "volumes.fullname" . }}-web-app + labels: {{- include "volumes.labels" . | nindent 4 }} + {{- with .Values.webApp.virtualService.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + host: {{ include "volumes.fullname" . }}-web-app.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }} + trafficPolicy: + tls: + mode: ISTIO_MUTUAL diff --git a/kubeflow/helm/volumes/templates/web-app/clusterrole.yaml b/kubeflow/helm/volumes/templates/web-app/kubeflow-cluster-roles.yaml similarity index 52% rename from kubeflow/helm/volumes/templates/web-app/clusterrole.yaml rename to kubeflow/helm/volumes/templates/web-app/kubeflow-cluster-roles.yaml index 0b80d208a..2f7cb2f13 100644 --- a/kubeflow/helm/volumes/templates/web-app/clusterrole.yaml +++ b/kubeflow/helm/volumes/templates/web-app/kubeflow-cluster-roles.yaml 
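Review bot: Mounting `viewer-spec.yaml` through `subPath` means the running pod never sees later ConfigMap edits, because the kubelet does not refresh subPath mounts. A change to the viewer spec or to `rwoScheduling` made by `helm upgrade` would therefore only take effect after a manual restart. Add a pod-template annotation such as `checksum/config: {{ include (print $.Template.BasePath "/web-app/configmap.yaml") . | sha256sum }}` so the Deployment rolls when the ConfigMap changes. The pod template metadata is outside this hunk.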
@@ -1,86 +1,9 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole -metadata: - labels: {{- include "volumes.labels" . | nindent 4 }} - name: {{ include "volumes.fullname" . }}-web-app-cluster-role -rules: - - apiGroups: - - "" - resources: - - namespaces - - pods - verbs: - - get - - list - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create - - apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - create - - delete - - get - - list - - watch - - update - - patch - - apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshots - verbs: - - create - - delete - - get - - list - - watch - - update - - patch - - apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - get - - list - - watch - - apiGroups: - - snapshot.storage.k8s.io - resources: - - volumesnapshotclasses - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - list - - apiGroups: - - pvcviewer.kubeflow.org - resources: - - pvcviewers - - pvcviewers/finalizers - verbs: - - get - - list - - create - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole metadata: labels: {{- include "volumes.labels" . | nindent 4 }} rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" - name: volumes-web-app-kubeflow-volume-ui-admin + name: {{ include "volumes.fullname" . }}-web-app-kubeflow-volume-ui-admin rules: [] --- apiVersion: rbac.authorization.k8s.io/v1 @@ -88,7 +11,7 @@ kind: ClusterRole metadata: labels: {{- include "volumes.labels" . | nindent 4 }} rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" - name: volumes-web-app-kubeflow-volume-ui-edit + name: {{ include "volumes.fullname" . }}-web-app-kubeflow-volume-ui-edit rules: - apiGroups: - "" @@ -115,10 +38,9 @@ rules: - update - patch - apiGroups: - - pvcviewer.kubeflow.org + - kubeflow.org resources: - pvcviewers - - pvcviewers/finalizers verbs: - get - list 
@@ -130,7 +52,7 @@ kind: ClusterRole metadata: labels: {{- include "volumes.labels" . | nindent 4 }} rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" - name: volumes-web-app-kubeflow-volume-ui-view + name: {{ include "volumes.fullname" . }}-web-app-kubeflow-volume-ui-view rules: - apiGroups: - "" @@ -165,7 +87,7 @@ rules: - list - watch - apiGroups: - - pvcviewer.kubeflow.org + - kubeflow.org resources: - pvcviewers - pvcviewers/finalizers diff --git a/kubeflow/helm/volumes/values.yaml b/kubeflow/helm/volumes/values.yaml index 9942cbf60..efa0feaab 100644 --- a/kubeflow/helm/volumes/values.yaml +++ b/kubeflow/helm/volumes/values.yaml @@ -27,14 +27,21 @@ serviceAccount: # If not set and create is true, a name is generated using the fullname template name: "" +config: + volumeViewerImage: + repository: filebrowser/filebrowser + tag: v2.25.0 # TODO: check if we want to use the s6 image variant + rwoScheduling: + enabled: true + webApp: replicaCount: 1 image: - repository: davidspek/volumes-web-app + repository: docker.io/kubeflownotebookswg/volumes-web-app pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: 0.5.2 # newer version with snapshot support causes error due to missing snapshot class + tag: v1.8.0-rc.0 # TODO: possibly contribute snapshot support upstream podAnnotations: sidecar.istio.io/inject: "true" @@ -84,20 +91,19 @@ webApp: affinity: {} controller: - - rwoScheduling: - enabled: true - replicaCount: 1 image: - repository: davidspek/kubeflow-pvcviewer-controller + repository: docker.io/kubeflownotebookswg/pvcviewer-controller pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: 0.7 + tag: v1.8.0-rc.0 service: - port: 8080 + metrics: + port: 8080 + webhook: + port: 443 podAnnotations: sidecar.istio.io/inject: "true" From c66821c09ed573ba51e2812ba829e19f8f84f18e Mon Sep 17 00:00:00 2001 
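Review bot: The view role still lists `pvcviewers/finalizers` after the API group switch to `kubeflow.org`, although this commit removes that resource from the edit role and from the web-app ClusterRole. A read-only aggregate should not need the finalizers subresource; delete the `- pvcviewers/finalizers` line so the three roles agree. The rule's `verbs` are outside the hunk, so which verbs it carries is not visible here.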
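Review bot: The viewer image `filebrowser/filebrowser` with `tag: v2.25.0` is referenced by a mutable tag and without a registry host, unlike the `docker.io/kubeflownotebookswg/...` images in the same file. It is also the image that the viewer spec runs with `FB_NOAUTH` against user volumes. Pin it by digest, e.g. `tag: v2.25.0@sha256:<digest>` (placeholder; take the value from the registry), and write the repository as `docker.io/filebrowser/filebrowser`. The two `v1.8.0-rc.0` tags are release candidates and would benefit from the same pinning until a final release is adopted.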
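Review bot: The controller keeps `sidecar.istio.io/inject: "true"` while this commit adds an admission webhook on container port 9443 that the API server, which is outside the mesh, has to reach. If the namespace enforces STRICT mutual TLS, the sidecar would presumably reject that connection and, with `failurePolicy: Fail`, PVCViewer writes would be blocked. Consider adding `traffic.sidecar.istio.io/excludeInboundPorts: "9443"` to `controller.podAnnotations`, or disabling injection for the controller. The `podAnnotations` mapping continues outside the hunk.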
From: David van der Spek Date: Fri, 15 Sep 2023 16:16:46 +0200 Subject: [PATCH 12/32] update training operator to latest version Signed-off-by: David van der Spek --- kubeflow/helm/training-operator/Chart.yaml | 2 +- .../crds/kubeflow.org_mpijobs.yaml | 3003 +++--- .../crds/kubeflow.org_mxjobs.yaml | 3010 +++--- .../crds/kubeflow.org_paddlejobs.yaml | 8372 +++++++++++++++++ .../crds/kubeflow.org_pytorchjobs.yaml | 3105 +++--- .../crds/kubeflow.org_tfjobs.yaml | 3007 +++--- .../crds/kubeflow.org_xgboostjobs.yaml | 3003 +++--- .../templates/cluster-role.yaml | 275 + .../templates/deployment.yaml | 12 +- ...roles.yaml => kubeflow-cluster-roles.yaml} | 96 +- .../training-operator/templates/service.yaml | 2 +- kubeflow/helm/training-operator/values.yaml | 4 +- kubeflow/helm/volumes/values.yaml | 2 +- 13 files changed, 18430 insertions(+), 5463 deletions(-) create mode 100644 kubeflow/helm/training-operator/crds/kubeflow.org_paddlejobs.yaml create mode 100644 kubeflow/helm/training-operator/templates/cluster-role.yaml rename kubeflow/helm/training-operator/templates/{clusterroles.yaml => kubeflow-cluster-roles.yaml} (53%) diff --git a/kubeflow/helm/training-operator/Chart.yaml b/kubeflow/helm/training-operator/Chart.yaml index 928ddea3d..d9992b60a 100644 --- a/kubeflow/helm/training-operator/Chart.yaml +++ b/kubeflow/helm/training-operator/Chart.yaml @@ -3,4 +3,4 @@ name: training-operator description: A Helm chart for Kubernetes type: application version: 0.1.3 -appVersion: "1.4.0" +appVersion: "v1.7.0-rc.0" diff --git a/kubeflow/helm/training-operator/crds/kubeflow.org_mpijobs.yaml b/kubeflow/helm/training-operator/crds/kubeflow.org_mpijobs.yaml index 3a3aefece..489c9a224 100644 --- a/kubeflow/helm/training-operator/crds/kubeflow.org_mpijobs.yaml +++ b/kubeflow/helm/training-operator/crds/kubeflow.org_mpijobs.yaml 
@@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.0 name: mpijobs.kubeflow.org spec: group: kubeflow.org @@ -115,12 +113,7 @@ spec: with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum - by iterating through the elements of this - field and adding "weight" to the sum if the - node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most - preferred. + affinity expressions, etc. items: description: An empty preferred scheduling term matches all objects with implicit weight @@ -215,6 +208,7 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic weight: description: Weight associated with matching the corresponding nodeSelectorTerm, @@ -328,10 +322,12 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic type: array required: - nodeSelectorTerms type: object + x-kubernetes-map-type: atomic type: object podAffinity: description: Describes pod affinity scheduling rules @@ -347,12 +343,7 @@ spec: with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum - by iterating through the elements of this - field and adding "weight" to the sum if the - node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest - sum are the most preferred. + affinity expressions, etc. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added 
@@ -424,12 +415,87 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the + set of namespaces that the term + applies to. The term is applied + to the union of the namespaces selected + by this field and the ones listed + in the namespaces field. null selector + and null or empty namespaces list + means "this pod's namespace". An + empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); null - or empty list means "this pod's - namespace" + a static list of namespace names + that the term applies to. The term + is applied to the union of the namespaces + listed in this field and the ones + selected by namespaceSelector. null + or empty namespaces list and null + namespaceSelector means "this pod's + namespace". items: type: string type: array @@ -467,10 +533,7 @@ spec: this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually - evict the pod from its node. When there are - multiple elements, the lists of nodes corresponding - to each podAffinityTerm are intersected, i.e. - all terms must be satisfied. + evict the pod from its node. items: description: Defines a set of pods (namely those matching the labelSelector relative 
@@ -539,11 +602,80 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this field + and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies which - namespaces the labelSelector applies - to (matches against); null or empty - list means "this pod's namespace" + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". items: type: string type: array @@ -575,15 +707,7 @@ spec: may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum - of weights, i.e. for each node that meets - all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity - expressions, etc.), compute a sum by iterating - through the elements of this field and adding - "weight" to the sum if the node has pods which - matches the corresponding podAffinityTerm; - the node(s) with the highest sum are the most - preferred. + of weights, i.e. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added 
@@ -655,12 +779,87 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the + set of namespaces that the term + applies to. The term is applied + to the union of the namespaces selected + by this field and the ones listed + in the namespaces field. null selector + and null or empty namespaces list + means "this pod's namespace". An + empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); null - or empty list means "this pod's - namespace" + a static list of namespace names + that the term applies to. The term + is applied to the union of the namespaces + listed in this field and the ones + selected by namespaceSelector. null + or empty namespaces list and null + namespaceSelector means "this pod's + namespace". items: type: string type: array @@ -698,10 +897,7 @@ spec: by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to - eventually evict the pod from its node. When - there are multiple elements, the lists of - nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + eventually evict the pod from its node. items: description: Defines a set of pods (namely those matching the labelSelector relative 
@@ -770,11 +966,80 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this field + and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies which - namespaces the labelSelector applies - to (matches against); null or empty - list means "this pod's namespace" + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". items: type: string type: array 
@@ -811,30 +1076,25 @@ spec: properties: args: description: 'Arguments to the entrypoint. The - docker image''s CMD is used if this is not provided. - Variable references $(VAR_NAME) are expanded - using the container''s environment. If a variable - cannot be resolved, the reference in the input - string will be unchanged. The $(VAR_NAME) syntax - can be escaped with a double $$, ie: $$(VAR_NAME). - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + container image''s CMD is used if this is not + provided. Variable references $(VAR_NAME) are + expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array command: description: 'Entrypoint array. Not executed within - a shell. The docker image''s ENTRYPOINT is used - if this is not provided. Variable references + a shell. The container image''s ENTRYPOINT is + used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. - The $(VAR_NAME) syntax can be escaped with a - double $$, ie: $$(VAR_NAME). Escaped references - will never be expanded, regardless of whether - the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array 
@@ -851,16 +1111,15 @@ spec: type: string value: description: 'Variable references $(VAR_NAME) - are expanded using the previous defined + are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be - unchanged. The $(VAR_NAME) syntax can - be escaped with a double $$, ie: $$(VAR_NAME). - Escaped references will never be expanded, - regardless of whether the variable exists - or not. Defaults to "".' + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' type: string valueFrom: description: Source for the environment @@ -886,6 +1145,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, @@ -905,6 +1165,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: 'Selects a resource of the container: only resources limits @@ -934,6 +1195,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -956,6 +1218,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name @@ -989,6 +1252,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be 
@@ -1008,10 +1272,12 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic type: object type: array image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images + description: 'Container image name. More info: + https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments @@ -1037,9 +1303,8 @@ spec: More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: One and only one of the following - should be specified. Exec specifies - the action to take. + description: Exec specifies the action + to take. properties: command: description: Command is the command @@ -1078,7 +1343,10 @@ spec: properties: name: description: The header field - name + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. type: string value: description: The header field @@ -1110,10 +1378,12 @@ spec: - port type: object tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not - yet supported TODO: implement a realistic - TCP lifecycle hook' + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. properties: host: description: 'Optional: Host name 
@@ -1134,27 +1404,18 @@ spec: type: object type: object preStop: - description: 'PreStop is called immediately + description: PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. - The reason for termination is passed to - the handler. The Pod''s termination grace - period countdown begins before the PreStop - hooked is executed. Regardless of the outcome - of the handler, the container will eventually - terminate within the Pod''s termination - grace period. Other management of the container - blocks until the hook completes or until - the termination grace period is reached. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + The Pod's termination grace period countdown + begins before the PreStop hook is executed. properties: exec: - description: One and only one of the following - should be specified. Exec specifies - the action to take. + description: Exec specifies the action + to take. properties: command: description: Command is the command @@ -1193,7 +1454,10 @@ spec: properties: name: description: The header field - name + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. type: string value: description: The header field @@ -1225,10 +1489,12 @@ spec: - port type: object tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not - yet supported TODO: implement a realistic - TCP lifecycle hook' + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. properties: host: description: 'Optional: Host name 
@@ -1255,9 +1521,8 @@ spec: Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -1282,6 +1547,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. @@ -1299,7 +1583,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -1350,10 +1638,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect 
@@ -1371,6 +1657,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. @@ -1385,14 +1683,13 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the system - additional information about the network connections - a container uses, but is primarily informational. - Not specifying a port here DOES NOT prevent - that port from being exposed. Any port which - is listening on the default "0.0.0.0" address - inside a container will be accessible from the - network. Cannot be updated. + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. items: description: ContainerPort represents a network port in a single container. @@ -1442,9 +1739,8 @@ spec: More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line 
@@ -1469,6 +1765,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. @@ -1486,7 +1801,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -1537,10 +1856,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect @@ -1558,6 +1875,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. 
@@ -1565,10 +1894,57 @@ spec: format: int32 type: integer type: object + resizePolicy: + description: Resources resize policy for the container. + items: + description: ContainerResizePolicy represents + resource resize policy for the container. + properties: + resourceName: + description: 'Name of the resource to which + this resource resize policy applies. Supported + values: cpu, memory.' + type: string + restartPolicy: + description: Restart policy to apply when + specified resource is resized. If not + specified, it defaults to NotRequired. + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: description: 'Compute Resources required by this - container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are + used by this container. \n This is an alpha + field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: ResourceClaim references one + entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available inside + a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -1578,7 +1954,7 @@ spec: x-kubernetes-int-or-string: true description: 'Limits describes the maximum amount of compute resources allowed. More - info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: @@ -1592,12 +1968,15 @@ spec: Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + value. Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object securityContext: - description: 'Security options the pod should - run with. More info: https://kubernetes.io/docs/concepts/policy/security-context/ + description: 'SecurityContext defines the security + options the container should be run with. If + set, the fields of SecurityContext override + the equivalent fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' properties: allowPrivilegeEscalation: @@ -1607,13 +1986,16 @@ spec: controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) - run as Privileged 2) has CAP_SYS_ADMIN' + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' type: boolean capabilities: description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the - container runtime. + container runtime. Note that this field + cannot be set when spec.os.name is windows. properties: add: description: Added capabilities 
@@ -1634,7 +2016,8 @@ spec: description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults - to false. + to false. Note that this field cannot be + set when spec.os.name is windows. type: boolean procMount: description: procMount denotes the type of @@ -1643,10 +2026,14 @@ spec: container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. type: string readOnlyRootFilesystem: description: Whether this container has a read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. type: boolean runAsGroup: description: The GID to run the entrypoint @@ -1654,7 +2041,8 @@ spec: if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer runAsNonRoot: @@ -1664,10 +2052,7 @@ spec: to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation - will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. + will be performed. May also be set in PodSecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint @@ -1676,7 +2061,8 @@ spec: May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer seLinuxOptions: 
@@ -1686,7 +2072,9 @@ spec: for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified - in SecurityContext takes precedence. + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. properties: level: description: Level is SELinux level label @@ -1709,7 +2097,9 @@ spec: description: The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container - options override the pod options. + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. properties: localhostProfile: description: localhostProfile indicates @@ -1740,7 +2130,9 @@ spec: the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified - in SecurityContext takes precedence. + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. properties: gmsaCredentialSpec: description: GMSACredentialSpec is where @@ -1754,6 +2146,16 @@ spec: the name of the GMSA credential spec to use. type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean runAsUserName: description: The UserName in Windows to run the entrypoint of the container 
@@ -1767,23 +2169,15 @@ spec: type: object type: object startupProbe: - description: 'StartupProbe indicates that the - Pod has successfully initialized. If specified, + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. - This can be used to provide different probe - parameters at the beginning of a Pod''s lifecycle, - when it might take a long time to load data - or warm a cache, than during steady-state operation. - This cannot be updated. This is a beta feature - enabled by the StartupProbe feature flag. More - info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -1808,6 +2202,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. 
@@ -1825,7 +2238,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -1876,10 +2293,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect @@ -1897,6 +2312,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. @@ -1916,15 +2343,7 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin - is opened on container start, is empty until - the first client attaches to stdin, and then - remains open and accepts data until the client - disconnects, at which time stdin is closed and - remains closed until the container is restarted. - If this flag is false, a container processes - that reads from stdin will never receive an - EOF. Default is false + sessions. type: boolean terminationMessagePath: description: 'Optional: Path at which the file 
@@ -1935,7 +2354,7 @@ spec: message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults - to /dev/termination-log. Cannot be updated.' + to /dev/termination-log.' type: string terminationMessagePolicy: description: Indicate how the termination message @@ -1945,9 +2364,7 @@ spec: FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with - an error. The log output is limited to 2048 - bytes or 80 lines, whichever is smaller. Defaults - to File. Cannot be updated. + an error. type: string tty: description: Whether this container should allocate 
@@ -2094,50 +2511,38 @@ spec: and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. - This field is alpha-level and is only honored by servers - that enable the EphemeralContainers feature. items: - description: An EphemeralContainer is a container - that may be added temporarily to an existing pod - for user-initiated activities such as debugging. - Ephemeral containers have no resource or scheduling - guarantees, and they will not be restarted when - they exit or when a pod is removed or restarted. - If an ephemeral container causes a pod to exceed - its resource allocation, the pod may be evicted. - Ephemeral containers may not be added by directly - updating the pod spec. They must be added via the - pod's ephemeralcontainers subresource, and they - will appear in the pod spec once added. This is - an alpha feature enabled by the EphemeralContainers - feature flag. + description: An EphemeralContainer is a temporary + container that you may add to an existing Pod for + user-initiated activities such as debugging. Ephemeral + containers have no resource or scheduling guarantees, + and they will not be restarted when they exit or + when a Pod is removed or restarted. The kubelet + may evict a Pod if an ephemeral container causes + the Pod to exceed its resource allocation. properties: args: description: 'Arguments to the entrypoint. The - docker image''s CMD is used if this is not provided. + image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input - string will be unchanged. The $(VAR_NAME) syntax - can be escaped with a double $$, ie: $$(VAR_NAME). - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. 
More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)".' items: type: string type: array command: description: 'Entrypoint array. Not executed within - a shell. The docker image''s ENTRYPOINT is used - if this is not provided. Variable references - $(VAR_NAME) are expanded using the container''s - environment. If a variable cannot be resolved, - the reference in the input string will be unchanged. - The $(VAR_NAME) syntax can be escaped with a - double $$, ie: $$(VAR_NAME). Escaped references - will never be expanded, regardless of whether - the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + a shell. The image''s ENTRYPOINT is used if + this is not provided. Variable references $(VAR_NAME) + are expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array 
@@ -2154,16 +2559,15 @@ spec: type: string value: description: 'Variable references $(VAR_NAME) - are expanded using the previous defined + are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be - unchanged. The $(VAR_NAME) syntax can - be escaped with a double $$, ie: $$(VAR_NAME). - Escaped references will never be expanded, - regardless of whether the variable exists - or not. Defaults to "".' + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' type: string valueFrom: description: Source for the environment @@ -2189,6 +2593,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, @@ -2208,6 +2613,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: 'Selects a resource of the container: only resources limits @@ -2237,6 +2643,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -2259,6 +2666,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name @@ -2292,6 +2700,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be 
@@ -2311,10 +2720,12 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic type: object type: array image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images' + description: 'Container image name. More info: + https://kubernetes.io/docs/concepts/containers/images' type: string imagePullPolicy: description: 'Image pull policy. One of Always, @@ -2335,9 +2746,8 @@ spec: More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: One and only one of the following - should be specified. Exec specifies - the action to take. + description: Exec specifies the action + to take. properties: command: description: Command is the command @@ -2376,7 +2786,10 @@ spec: properties: name: description: The header field - name + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. type: string value: description: The header field @@ -2408,10 +2821,12 @@ spec: - port type: object tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not - yet supported TODO: implement a realistic - TCP lifecycle hook' + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. properties: host: description: 'Optional: Host name 
@@ -2432,27 +2847,18 @@ spec: type: object type: object preStop: - description: 'PreStop is called immediately + description: PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. - The reason for termination is passed to - the handler. The Pod''s termination grace - period countdown begins before the PreStop - hooked is executed. Regardless of the outcome - of the handler, the container will eventually - terminate within the Pod''s termination - grace period. Other management of the container - blocks until the hook completes or until - the termination grace period is reached. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + The Pod's termination grace period countdown + begins before the PreStop hook is executed. properties: exec: - description: One and only one of the following - should be specified. Exec specifies - the action to take. + description: Exec specifies the action + to take. properties: command: description: Command is the command @@ -2491,7 +2897,10 @@ spec: properties: name: description: The header field - name + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. type: string value: description: The header field @@ -2523,10 +2932,12 @@ spec: - port type: object tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not - yet supported TODO: implement a realistic - TCP lifecycle hook' + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. properties: host: description: 'Optional: Host name 
@@ -2552,9 +2963,8 @@ spec: containers. properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -2579,6 +2989,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. @@ -2596,7 +3025,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -2647,10 +3080,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect 
@@ -2668,6 +3099,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. @@ -2722,14 +3165,17 @@ spec: - containerPort type: object type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map readinessProbe: description: Probes are not allowed for ephemeral containers. properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -2754,6 +3200,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. 
@@ -2771,7 +3236,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -2822,10 +3291,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect @@ -2843,6 +3310,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. 
@@ -2850,11 +3329,58 @@ spec: format: int32 type: integer type: object + resizePolicy: + description: Resources resize policy for the container. + items: + description: ContainerResizePolicy represents + resource resize policy for the container. + properties: + resourceName: + description: 'Name of the resource to which + this resource resize policy applies. Supported + values: cpu, memory.' + type: string + restartPolicy: + description: Restart policy to apply when + specified resource is resized. If not + specified, it defaults to NotRequired. + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: description: Resources are not allowed for ephemeral containers. Ephemeral containers use spare resources already allocated to the pod. properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are + used by this container. \n This is an alpha + field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: ResourceClaim references one + entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available inside + a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -2864,7 +3390,7 @@ spec: x-kubernetes-int-or-string: true description: 'Limits describes the maximum amount of compute resources allowed. More - info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: 
@@ -2878,12 +3404,15 @@ spec: Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + value. Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object securityContext: - description: SecurityContext is not allowed for - ephemeral containers. + description: 'Optional: SecurityContext defines + the security options the ephemeral container + should be run with. If set, the fields of SecurityContext + override the equivalent fields of PodSecurityContext.' properties: allowPrivilegeEscalation: description: 'AllowPrivilegeEscalation controls @@ -2892,13 +3421,16 @@ spec: controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) - run as Privileged 2) has CAP_SYS_ADMIN' + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' type: boolean capabilities: description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the - container runtime. + container runtime. Note that this field + cannot be set when spec.os.name is windows. properties: add: description: Added capabilities @@ -2919,7 +3451,8 @@ spec: description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults - to false. + to false. Note that this field cannot be + set when spec.os.name is windows. type: boolean procMount: description: procMount denotes the type of 
@@ -2928,10 +3461,14 @@ spec: container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. type: string readOnlyRootFilesystem: description: Whether this container has a read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. type: boolean runAsGroup: description: The GID to run the entrypoint @@ -2939,7 +3476,8 @@ spec: if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer runAsNonRoot: @@ -2949,10 +3487,7 @@ spec: to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation - will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. + will be performed. May also be set in PodSecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint @@ -2961,7 +3496,8 @@ spec: May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer seLinuxOptions: @@ -2971,7 +3507,9 @@ spec: for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified - in SecurityContext takes precedence. + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. properties: level: description: Level is SELinux level label 
@@ -2994,7 +3532,9 @@ spec: description: The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container - options override the pod options. + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. properties: localhostProfile: description: localhostProfile indicates @@ -3025,7 +3565,9 @@ spec: the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified - in SecurityContext takes precedence. + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. properties: gmsaCredentialSpec: description: GMSACredentialSpec is where @@ -3039,6 +3581,16 @@ spec: the name of the GMSA credential spec to use. type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean runAsUserName: description: The UserName in Windows to run the entrypoint of the container @@ -3056,9 +3608,8 @@ spec: containers. properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line 
@@ -3083,6 +3634,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. @@ -3100,7 +3670,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -3151,10 +3725,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect @@ -3172,6 +3744,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. 
@@ -3191,24 +3775,16 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin - is opened on container start, is empty until - the first client attaches to stdin, and then - remains open and accepts data until the client - disconnects, at which time stdin is closed and - remains closed until the container is restarted. - If this flag is false, a container processes - that reads from stdin will never receive an - EOF. Default is false + sessions. type: boolean targetContainerName: - description: If set, the name of the container + description: "If set, the name of the container from PodSpec that this ephemeral container targets. The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container. If not set - then the ephemeral container is run in whatever - namespaces are shared for the pod. Note that - the container runtime must support this feature. + then the ephemeral container uses the namespaces + configured in the Pod spec. \n The container + runtime must implement support for this feature." type: string terminationMessagePath: description: 'Optional: Path at which the file @@ -3219,7 +3795,7 @@ spec: message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults - to /dev/termination-log. Cannot be updated.' + to /dev/termination-log.' type: string terminationMessagePolicy: description: Indicate how the termination message @@ -3229,9 +3805,7 @@ spec: FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with - an error. The log output is limited to 2048 - bytes or 80 lines, whichever is smaller. Defaults - to File. Cannot be updated. + an error. type: string tty: description: Whether this container should allocate 
@@ -3261,7 +3835,8 @@ spec: type: array volumeMounts: description: Pod volumes to mount into the container's - filesystem. Cannot be updated. + filesystem. Subpath mounts are not allowed for + ephemeral containers. Cannot be updated. items: description: VolumeMount describes a mounting of a Volume within a container. @@ -3350,6 +3925,15 @@ spec: description: 'Use the host''s pid namespace. Optional: Default to false.' type: boolean + hostUsers: + description: 'Use the host''s user namespace. Optional: + Default to true. If set to true or not present, the + pod will be run in the host user namespace, useful + for when the pod needs a feature only available to + the host user namespace, such as loading a kernel + module with CAP_SYS_MODULE. When set to false, a new + userns is created for the pod.' + type: boolean hostname: description: Specifies the hostname of the Pod If not specified, the pod's hostname will be set to a system-defined @@ -3360,9 +3944,8 @@ spec: references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual - puller implementations for them to use. For example, - in the case of docker, only DockerConfig type secrets - are honored. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' + puller implementations for them to use. More info: + https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' items: description: LocalObjectReference contains enough information to let you locate the referenced object 
@@ -3375,54 +3958,41 @@ spec: uid?' type: string type: object + x-kubernetes-map-type: atomic type: array initContainers: - description: 'List of initialization containers belonging + description: List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique - among all containers. Init containers may not have - Lifecycle actions, Readiness probes, Liveness probes, - or Startup probes. The resourceRequirements of an - init container are taken into account during scheduling - by finding the highest request/limit for each resource - type, and then using the max of of that value or the - sum of the normal containers. Limits are applied to - init containers in a similar fashion. Init containers - cannot currently be added or removed. Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/' + among all containers. items: description: A single application container that you want to run within a pod. properties: args: description: 'Arguments to the entrypoint. The - docker image''s CMD is used if this is not provided. - Variable references $(VAR_NAME) are expanded - using the container''s environment. If a variable - cannot be resolved, the reference in the input - string will be unchanged. The $(VAR_NAME) syntax - can be escaped with a double $$, ie: $$(VAR_NAME). - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + container image''s CMD is used if this is not + provided. Variable references $(VAR_NAME) are + expanded using the container''s environment. 
+ If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array command: description: 'Entrypoint array. Not executed within - a shell. The docker image''s ENTRYPOINT is used - if this is not provided. Variable references + a shell. The container image''s ENTRYPOINT is + used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. - The $(VAR_NAME) syntax can be escaped with a - double $$, ie: $$(VAR_NAME). Escaped references - will never be expanded, regardless of whether - the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array @@ -3439,16 +4009,15 @@ spec: type: string value: description: 'Variable references $(VAR_NAME) - are expanded using the previous defined + are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be - unchanged. The $(VAR_NAME) syntax can - be escaped with a double $$, ie: $$(VAR_NAME). - Escaped references will never be expanded, - regardless of whether the variable exists - or not. Defaults to "".' + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' type: string valueFrom: description: Source for the environment 
@@ -3474,6 +4043,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, @@ -3493,6 +4063,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: 'Selects a resource of the container: only resources limits @@ -3522,6 +4093,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -3544,6 +4116,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name @@ -3577,6 +4150,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be @@ -3596,10 +4170,12 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic type: object type: array image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images + description: 'Container image name. More info: + https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments @@ -3625,9 +4201,8 @@ spec: More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: One and only one of the following - should be specified. Exec specifies - the action to take. + description: Exec specifies the action + to take. properties: command: description: Command is the command @@ -3666,7 +4241,10 @@ spec: properties: name: description: The header field - name + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. type: string value: description: The header field 
@@ -3698,10 +4276,12 @@ spec: - port type: object tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not - yet supported TODO: implement a realistic - TCP lifecycle hook' + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. properties: host: description: 'Optional: Host name @@ -3722,27 +4302,18 @@ spec: type: object type: object preStop: - description: 'PreStop is called immediately + description: PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. - The reason for termination is passed to - the handler. The Pod''s termination grace - period countdown begins before the PreStop - hooked is executed. Regardless of the outcome - of the handler, the container will eventually - terminate within the Pod''s termination - grace period. Other management of the container - blocks until the hook completes or until - the termination grace period is reached. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + The Pod's termination grace period countdown + begins before the PreStop hook is executed. properties: exec: - description: One and only one of the following - should be specified. Exec specifies - the action to take. + description: Exec specifies the action + to take. properties: command: description: Command is the command @@ -3781,7 +4352,10 @@ spec: properties: name: description: The header field - name + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. type: string value: description: The header field 
@@ -3813,10 +4387,12 @@ spec: - port type: object tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not - yet supported TODO: implement a realistic - TCP lifecycle hook' + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. properties: host: description: 'Optional: Host name @@ -3843,9 +4419,8 @@ spec: Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -3870,6 +4445,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. @@ -3887,7 +4481,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value 
@@ -3938,10 +4536,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect @@ -3959,6 +4555,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. @@ -3973,14 +4581,13 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the system - additional information about the network connections - a container uses, but is primarily informational. - Not specifying a port here DOES NOT prevent - that port from being exposed. Any port which - is listening on the default "0.0.0.0" address - inside a container will be accessible from the - network. Cannot be updated. + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. items: description: ContainerPort represents a network port in a single container. 
@@ -4030,9 +4637,8 @@ spec: More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -4057,6 +4663,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. @@ -4074,7 +4699,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -4125,10 +4754,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect 
@@ -4146,6 +4773,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. 
@@ -4153,10 +4792,57 @@ spec: format: int32 type: integer type: object + resizePolicy: + description: Resources resize policy for the container. + items: + description: ContainerResizePolicy represents + resource resize policy for the container. + properties: + resourceName: + description: 'Name of the resource to which + this resource resize policy applies. Supported + values: cpu, memory.' + type: string + restartPolicy: + description: Restart policy to apply when + specified resource is resized. If not + specified, it defaults to NotRequired. + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: description: 'Compute Resources required by this - container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are + used by this container. \n This is an alpha + field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: ResourceClaim references one + entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available inside + a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -4166,7 +4852,7 @@ spec: x-kubernetes-int-or-string: true description: 'Limits describes the maximum amount of compute resources allowed. More - info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: @@ -4180,12 +4866,15 @@ spec: Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + value. Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object securityContext: - description: 'Security options the pod should - run with. More info: https://kubernetes.io/docs/concepts/policy/security-context/ + description: 'SecurityContext defines the security + options the container should be run with. If + set, the fields of SecurityContext override + the equivalent fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' properties: allowPrivilegeEscalation: @@ -4195,13 +4884,16 @@ spec: controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) - run as Privileged 2) has CAP_SYS_ADMIN' + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' type: boolean capabilities: description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the - container runtime. + container runtime. Note that this field + cannot be set when spec.os.name is windows. properties: add: description: Added capabilities 
@@ -4222,7 +4914,8 @@ spec: description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults - to false. + to false. Note that this field cannot be + set when spec.os.name is windows. type: boolean procMount: description: procMount denotes the type of @@ -4231,10 +4924,14 @@ spec: container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. type: string readOnlyRootFilesystem: description: Whether this container has a read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. type: boolean runAsGroup: description: The GID to run the entrypoint @@ -4242,7 +4939,8 @@ spec: if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer runAsNonRoot: @@ -4252,10 +4950,7 @@ spec: to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation - will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. + will be performed. May also be set in PodSecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint @@ -4264,7 +4959,8 @@ spec: May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer seLinuxOptions: 
@@ -4274,7 +4970,9 @@ spec: for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified - in SecurityContext takes precedence. + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. properties: level: description: Level is SELinux level label @@ -4297,7 +4995,9 @@ spec: description: The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container - options override the pod options. + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. properties: localhostProfile: description: localhostProfile indicates @@ -4328,7 +5028,9 @@ spec: the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified - in SecurityContext takes precedence. + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. properties: gmsaCredentialSpec: description: GMSACredentialSpec is where @@ -4342,6 +5044,16 @@ spec: the name of the GMSA credential spec to use. type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean runAsUserName: description: The UserName in Windows to run the entrypoint of the container 
@@ -4355,23 +5067,15 @@ spec: type: object type: object startupProbe: - description: 'StartupProbe indicates that the - Pod has successfully initialized. If specified, + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. - This can be used to provide different probe - parameters at the beginning of a Pod''s lifecycle, - when it might take a long time to load data - or warm a cache, than during steady-state operation. - This cannot be updated. This is a beta feature - enabled by the StartupProbe feature flag. More - info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -4396,6 +5100,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. 
@@ -4413,7 +5136,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -4464,10 +5191,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect @@ -4485,6 +5210,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. @@ -4504,15 +5241,7 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin - is opened on container start, is empty until - the first client attaches to stdin, and then - remains open and accepts data until the client - disconnects, at which time stdin is closed and - remains closed until the container is restarted. - If this flag is false, a container processes - that reads from stdin will never receive an - EOF. Default is false + sessions. type: boolean terminationMessagePath: description: 'Optional: Path at which the file 
@@ -4523,7 +5252,7 @@ spec: message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults - to /dev/termination-log. Cannot be updated.' + to /dev/termination-log.' type: string terminationMessagePolicy: description: Indicate how the termination message @@ -4533,9 +5262,7 @@ spec: FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with - an error. The log output is limited to 2048 - bytes or 80 lines, whichever is smaller. Defaults - to File. Cannot be updated. + an error. type: string tty: description: Whether this container should allocate @@ -4634,6 +5361,28 @@ spec: must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' type: object + x-kubernetes-map-type: atomic + os: + description: "Specifies the OS of the containers in + the pod. Some pod and container fields are restricted + if this is set. \n If the OS field is set to linux, + the following fields must be unset: -securityContext.windowsOptions + \n If the OS field is set to windows, following fields + must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers + - spec.securityContext.seLinuxOptions - spec.securityContext." + properties: + name: + description: 'Name is the name of the operating + system. The currently supported values are linux + and windows. Additional value may be defined in + future and can be one of: https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration + Clients should expect to handle additional values + and treat unrecognized values in this field as + os: null' + type: string + required: + - name + type: object overhead: additionalProperties: anyOf: 
@@ -4641,28 +5390,19 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Overhead represents the resource overhead + description: Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. This field will be autopopulated at admission time by the RuntimeClass admission controller. If the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests. The RuntimeClass admission controller will reject Pod create requests which have - the overhead already set. If RuntimeClass is configured - and selected in the PodSpec, Overhead will be set - to the value defined in the corresponding RuntimeClass, - otherwise it will remain unset and treated as zero. - More info: https://git.k8s.io/enhancements/keps/sig-node/20190226-pod-overhead.md - This field is alpha-level as of Kubernetes v1.16, - and is only honored by servers that enable the PodOverhead - feature.' + the overhead already set. type: object preemptionPolicy: description: PreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. - Defaults to PreemptLowerPriority if unset. This field - is beta-level, gated by the NonPreemptingPriority - feature-gate. + Defaults to PreemptLowerPriority if unset. type: string priority: description: The priority value. Various system components @@ -4687,7 +5427,7 @@ spec: be evaluated for pod readiness. A pod is ready when all its containers are ready AND all conditions specified in the readiness gates have status equal to "True" - More info: https://git.k8s.io/enhancements/keps/sig-network/0007-pod-ready%2B%2B.md' + More info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates' items: description: PodReadinessGate contains the reference to a pod condition 
@@ -4700,10 +5440,57 @@ spec: - conditionType type: object type: array + resourceClaims: + description: "ResourceClaims defines which ResourceClaims + must be allocated and reserved before the Pod is allowed + to start. The resources will be made available to + those containers which consume them by name. \n This + is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable." + items: + description: PodResourceClaim references exactly one + ResourceClaim through a ClaimSource. It adds a name + to it that uniquely identifies the ResourceClaim + inside the Pod. Containers that need access to the + ResourceClaim reference it with this name. + properties: + name: + description: Name uniquely identifies this resource + claim inside the pod. This must be a DNS_LABEL. + type: string + source: + description: Source describes where to find the + ResourceClaim. + properties: + resourceClaimName: + description: ResourceClaimName is the name + of a ResourceClaim object in the same namespace + as this pod. + type: string + resourceClaimTemplateName: + description: "ResourceClaimTemplateName is + the name of a ResourceClaimTemplate object + in the same namespace as this pod. \n The + template will be used to create a new ResourceClaim, + which will be bound to this pod. When this + pod is deleted, the ResourceClaim will also + be deleted. The name of the ResourceClaim + will be -, where + is the PodResourceClaim.Name." + type: string + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map restartPolicy: description: 'Restart policy for all containers within - the pod. One of Always, OnFailure, Never. Default - to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy' + the pod. One of Always, OnFailure, Never. In some + contexts, only a subset of those values may be permitted. + Default to Always. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy' type: string runtimeClassName: description: 'RuntimeClassName refers to a RuntimeClass @@ -4713,14 +5500,37 @@ spec: or empty, the "legacy" RuntimeClass will be used, which is an implicit class with an empty definition that uses the default runtime handler. More info: - https://git.k8s.io/enhancements/keps/sig-node/runtime-class.md - This is a beta feature as of Kubernetes v1.14.' + https://git.k8s.' type: string schedulerName: description: If specified, the pod will be dispatched by specified scheduler. If not specified, the pod will be dispatched by default scheduler. type: string + schedulingGates: + description: "SchedulingGates is an opaque list of values + that if specified will block scheduling the pod. If + schedulingGates is not empty, the pod will stay in + the SchedulingGated state and the scheduler will not + attempt to schedule the pod. \n SchedulingGates can + only be set at pod creation time, and be removed only + afterwards. \n This is a beta feature enabled by the + PodSchedulingReadiness feature gate." + items: + description: PodSchedulingGate is associated to a + Pod to guard its scheduling. + properties: + name: + description: Name of the scheduling gate. Each + scheduling gate must have a unique name field. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map securityContext: description: 'SecurityContext holds pod-level security attributes and common container settings. Optional: 
@@ -4734,9 +5544,7 @@ spec: of that volume to be owned by the pod: \n 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be - owned by FSGroup) 3. The permission bits are OR'd - with rw-rw---- \n If unset, the Kubelet will not - modify the ownership and permissions of any volume." + owned by FSGroup) 3." format: int64 type: integer fsGroupChangePolicy: @@ -4747,7 +5555,7 @@ spec: based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" - and "Always". If not specified defaults to "Always".' + and "Always". If not specified, "Always" is used.' type: string runAsGroup: description: The GID to run the entrypoint of the @@ -4755,7 +5563,8 @@ spec: May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. + for that container. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer runAsNonRoot: @@ -4765,9 +5574,7 @@ spec: does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be - set in SecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in - SecurityContext takes precedence. + set in SecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint of the @@ -4776,6 +5583,8 @@ spec: set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. + Note that this field cannot be set when spec.os.name + is windows. format: int64 type: integer seLinuxOptions: 
@@ -4785,7 +5594,8 @@ spec: for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. + for that container. Note that this field cannot + be set when spec.os.name is windows. properties: level: description: Level is SELinux level label that @@ -4806,7 +5616,8 @@ spec: type: object seccompProfile: description: The seccomp options to use by the containers - in this pod. + in this pod. Note that this field cannot be set + when spec.os.name is windows. properties: localhostProfile: description: localhostProfile indicates a profile @@ -4831,8 +5642,11 @@ spec: supplementalGroups: description: A list of groups applied to the first process run in each container, in addition to - the container's primary GID. If unspecified, - no groups will be added to any container. + the container's primary GID, the fsGroup (if specified), + and group memberships defined in the container + image for the uid of the container process. If + unspecified, no additional groups are added to + any container. items: format: int64 type: integer @@ -4841,6 +5655,8 @@ spec: description: Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name + is windows. items: description: Sysctl defines a kernel parameter to be set @@ -4862,6 +5678,8 @@ spec: within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is linux. properties: gmsaCredentialSpec: description: GMSACredentialSpec is where the 
@@ -4873,6 +5691,15 @@ spec: description: GMSACredentialSpecName is the name of the GMSA credential spec to use. type: string + hostProcess: + description: HostProcess determines if a container + should be run as a 'Host Process' container. + This field is alpha-level and will only be + honored by components that enable the WindowsHostProcessContainers + feature flag. Setting this field without the + feature flag will result in errors when validating + the Pod. + type: boolean runAsUserName: description: The UserName in Windows to run the entrypoint of the container process. Defaults @@ -4899,11 +5726,7 @@ spec: as the pod's FQDN, rather than the leaf name (the default). In Linux containers, this means setting the FQDN in the hostname field of the kernel (the - nodename field of struct utsname). In Windows containers, - this means setting the registry value of hostname - for the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters - to FQDN. If a pod does not have FQDN, this has no - effect. Default to false. + nodename field of struct utsname). type: boolean shareProcessNamespace: description: 'Share a single process namespace between @@ -4924,14 +5747,9 @@ spec: description: Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request. Value must be non-negative integer. The value - zero indicates delete immediately. If this value is - nil, the default grace period will be used instead. - The grace period is the duration in seconds after - the processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer than - the expected cleanup time for your process. Defaults - to 30 seconds. + zero indicates stop immediately via the kill signal + (no opportunity to shut down). If this value is nil, + the default grace period will be used instead. format: int64 type: integer tolerations: 
@@ -5041,56 +5859,83 @@ spec: "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label + keys to select the pods over which spreading + will be calculated. The keys are used to lookup + values from the incoming pod labels, those key-value + labels are ANDed with labelSelector to select + the group of existing pods over which spreading + will be calculated for the incoming pod. The + same key is forbidden to exist in both MatchLabelKeys + and LabelSelector. + items: + type: string + type: array + x-kubernetes-list-type: atomic maxSkew: - description: 'MaxSkew describes the degree to - which pods may be unevenly distributed. When - `whenUnsatisfiable=DoNotSchedule`, it is the - maximum permitted difference between the number - of matching pods in the target topology and - the global minimum. For example, in a 3-zone - cluster, MaxSkew is set to 1, and pods with - the same labelSelector spread as 1/1/0: | zone1 - | zone2 | zone3 | | P | P | | - - if MaxSkew is 1, incoming pod can only be - scheduled to zone3 to become 1/1/1; scheduling - it onto zone1(zone2) would make the ActualSkew(2-0) - on zone1(zone2) violate MaxSkew(1). - if MaxSkew - is 2, incoming pod can be scheduled onto any - zone. When `whenUnsatisfiable=ScheduleAnyway`, - it is used to give higher precedence to topologies - that satisfy it. It''s a required field. Default - value is 1 and 0 is not allowed.' + description: MaxSkew describes the degree to which + pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between + the number of matching pods in the target topology + and the global minimum. The global minimum is + the minimum number of matching pods in an eligible + domain or zero if the number of eligible domains + is less than MinDomains. 
+ format: int32 + type: integer + minDomains: + description: MinDomains indicates a minimum number + of eligible domains. When the number of eligible + domains with matching topology keys is less + than minDomains, Pod Topology Spread treats + "global minimum" as 0, and then the calculation + of Skew is performed. And when the number of + eligible domains with matching topology keys + equals or greater than minDomains, this value + has no effect on scheduling. format: int32 type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how + we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options + are: - Honor: only nodes matching nodeAffinity/nodeSelector + are included in the calculations. - Ignore: + nodeAffinity/nodeSelector are ignored. All nodes + are included in the calculations. \n If this + value is nil, the behavior is equivalent to + the Honor policy." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we + will treat node taints when calculating pod + topology spread skew. Options are: - Honor: + nodes without taints, along with tainted nodes + for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. + All nodes are included. \n If this value is + nil, the behavior is equivalent to the Ignore + policy." + type: string topologyKey: description: TopologyKey is the key of node labels. Nodes that have a label with this key and identical values are considered to be in the same topology. We consider each as a "bucket", and try to put balanced number of pods into - each bucket. It's a required field. + each bucket. We define a domain as a particular + instance of a topology. type: string whenUnsatisfiable: - description: 'WhenUnsatisfiable indicates how - to deal with a pod if it doesn''t satisfy the - spread constraint. - DoNotSchedule (default) - tells the scheduler not to schedule it. 
- ScheduleAnyway + description: WhenUnsatisfiable indicates how to + deal with a pod if it doesn't satisfy the spread + constraint. - DoNotSchedule (default) tells + the scheduler not to schedule it. - ScheduleAnyway tells the scheduler to schedule the pod in any - location, but giving higher precedence to - topologies that would help reduce the skew. - A constraint is considered "Unsatisfiable" for - an incoming pod if and only if every possible - node assigment for that pod would violate "MaxSkew" - on some topology. For example, in a 3-zone cluster, - MaxSkew is set to 1, and pods with the same - labelSelector spread as 3/1/1: | zone1 | zone2 - | zone3 | | P P P | P | P | If WhenUnsatisfiable - is set to DoNotSchedule, incoming pod can only - be scheduled to zone2(zone3) to become 3/2/1(3/1/2) - as ActualSkew(2-1) on zone2(zone3) satisfies - MaxSkew(1). In other words, the cluster can - still be imbalanced, but scheduler won''t make - it *more* imbalanced. It''s a required field.' + location, but giving higher precedence to topologies + that would help reduce the skew. type: string required: - maxSkew 
@@ -5111,77 +5956,78 @@ spec: pod. properties: awsElasticBlockStore: - description: 'AWSElasticBlockStore represents + description: 'awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' properties: fsType: - description: 'Filesystem type of the volume - that you want to mount. Tip: Ensure that - the filesystem type is supported by the - host operating system. Examples: "ext4", - "xfs", "ntfs". Implicitly inferred to be - "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore TODO: how do we prevent errors in the filesystem from compromising the machine' type: string partition: - description: 'The partition in the volume - that you want to mount. If omitted, the - default is to mount by volume name. Examples: - For volume /dev/sda1, you specify the partition - as "1". Similarly, the volume partition - for /dev/sda is "0" (or you can leave the - property empty).' + description: 'partition is the partition in + the volume that you want to mount. If omitted, + the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify + the partition as "1". Similarly, the volume + partition for /dev/sda is "0" (or you can + leave the property empty).' format: int32 type: integer readOnly: - description: 'Specify "true" to force and - set the ReadOnly property in VolumeMounts - to "true". If omitted, the default is "false". 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + description: 'readOnly value true will force + the readOnly setting in VolumeMounts. More + info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' type: boolean volumeID: - description: 'Unique ID of the persistent - disk resource in AWS (Amazon EBS volume). - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + description: 'volumeID is unique ID of the + persistent disk resource in AWS (Amazon + EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' type: string required: - volumeID type: object azureDisk: - description: AzureDisk represents an Azure Data + description: azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. properties: cachingMode: - description: 'Host Caching mode: None, Read - Only, Read Write.' + description: 'cachingMode is the Host Caching + mode: None, Read Only, Read Write.' type: string diskName: - description: The Name of the data disk in - the blob storage + description: diskName is the Name of the data + disk in the blob storage type: string diskURI: - description: The URI the data disk in the - blob storage + description: diskURI is the URI of data disk + in the blob storage type: string fsType: - description: Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - Implicitly inferred to be "ext4" if unspecified. + description: fsType is Filesystem type to + mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. 
type: string kind: - description: 'Expected values Shared: multiple - blob disks per storage account Dedicated: + description: 'kind expected values are Shared: + multiple blob disks per storage account Dedicated: single blob disk per storage account Managed: azure managed data disk (only in managed availability set). defaults to shared' type: string readOnly: - description: Defaults to false (read/write). + description: readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. type: boolean 
@@ -5190,56 +6036,59 @@ spec: - diskURI type: object azureFile: - description: AzureFile represents an Azure File + description: azureFile represents an Azure File Service mount on the host and bind mount to the pod. properties: readOnly: - description: Defaults to false (read/write). + description: readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. type: boolean secretName: - description: the name of secret that contains - Azure Storage Account Name and Key + description: secretName is the name of secret + that contains Azure Storage Account Name + and Key type: string shareName: - description: Share Name + description: shareName is the azure share + Name type: string required: - secretName - shareName type: object cephfs: - description: CephFS represents a Ceph FS mount + description: cephFS represents a Ceph FS mount on the host that shares a pod's lifetime properties: monitors: - description: 'Required: Monitors is a collection - of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: 'monitors is Required: Monitors + is a collection of Ceph monitors More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' items: type: string type: array path: - description: 'Optional: Used as the mounted - root, rather than the full Ceph tree, default - is /' + description: 'path is Optional: Used as the + mounted root, rather than the full Ceph + tree, default is /' type: string readOnly: - description: 'Optional: Defaults to false - (read/write). ReadOnly here will force the - ReadOnly setting in VolumeMounts. More info: - https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: 'readOnly is Optional: Defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts. 
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: boolean secretFile: - description: 'Optional: SecretFile is the - path to key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: 'secretFile is Optional: SecretFile + is the path to key ring for User, default + is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: string secretRef: - description: 'Optional: SecretRef is reference - to the authentication secret for User, default - is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: 'secretRef is Optional: SecretRef + is reference to the authentication secret + for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' properties: name: description: 'Name of the referent. More 
@@ -5248,35 +6097,37 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic user: - description: 'Optional: User is the rados - user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: 'user is optional: User is the + rados user name, default is admin More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: string required: - monitors type: object cinder: - description: 'Cinder represents a cinder volume + description: 'cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' properties: fsType: - description: 'Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Examples: "ext4", "xfs", - "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + description: 'fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://examples.k8s.io/mysql-cinder-pd/README.md' type: string readOnly: - description: 'Optional: Defaults to false - (read/write). ReadOnly here will force the - ReadOnly setting in VolumeMounts. More info: - https://examples.k8s.io/mysql-cinder-pd/README.md' + description: 'readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' type: boolean secretRef: - description: 'Optional: points to a secret - object containing parameters used to connect - to OpenStack.' + description: 'secretRef is optional: points + to a secret object containing parameters + used to connect to OpenStack.' properties: name: description: 'Name of the referent. More 
@@ -5285,70 +6136,61 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic volumeID: - description: 'volume id used to identify the + description: 'volumeID used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' type: string required: - volumeID type: object configMap: - description: ConfigMap represents a configMap + description: configMap represents a configMap that should populate this volume properties: defaultMode: - description: 'Optional: mode bits used to - set permissions on created files by default. - Must be an octal value between 0000 and - 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, - JSON requires decimal values for mode bits. - Defaults to 0644. Directories within the - path are not affected by this setting. This - might be in conflict with other options - that affect the file mode, like fsGroup, - and the result can be other mode bits set.' + description: 'defaultMode is optional: mode + bits used to set permissions on created + files by default. Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. + Directories within the path are not affected + by this setting.' format: int32 type: integer items: - description: If unspecified, each key-value + description: items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the ConfigMap, the volume setup will - error unless it is marked optional. Paths - must be relative and may not contain the - '..' path or start with '..'. + and unlisted keys will not be present. 
items: description: Maps a string key to a path within a volume. properties: key: - description: The key to project. + description: key is the key to project. type: string mode: - description: 'Optional: mode bits used - to set permissions on this file. Must - be an octal value between 0000 and - 0777 or a decimal value between 0 - and 511. YAML accepts both octal and - decimal values, JSON requires decimal - values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can be - other mode bits set.' + description: 'mode is Optional: mode + bits used to set permissions on this + file. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal + and decimal values, JSON requires + decimal values for mode bits. If not + specified, the volume defaultMode + will be used.' format: int32 type: integer path: - description: The relative path of the - file to map the key to. May not be - an absolute path. May not contain + description: path is the relative path + of the file to map the key to. May + not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string 
@@ -5364,30 +6206,31 @@ spec: kind, uid?' type: string optional: - description: Specify whether the ConfigMap - or its keys must be defined + description: optional specify whether the + ConfigMap or its keys must be defined type: boolean type: object + x-kubernetes-map-type: atomic csi: - description: CSI (Container Storage Interface) + description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature). properties: driver: - description: Driver is the name of the CSI + description: driver is the name of the CSI driver that handles this volume. Consult with your admin for the correct name as registered in the cluster. type: string fsType: - description: Filesystem type to mount. Ex. - "ext4", "xfs", "ntfs". If not provided, - the empty value is passed to the associated - CSI driver which will determine the default - filesystem to apply. + description: fsType to mount. Ex. "ext4", + "xfs", "ntfs". If not provided, the empty + value is passed to the associated CSI driver + which will determine the default filesystem + to apply. type: string nodePublishSecretRef: - description: NodePublishSecretRef is a reference + description: nodePublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodePublishVolume and NodeUnpublishVolume @@ -5403,14 +6246,16 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic readOnly: - description: Specifies a read-only configuration - for the volume. Defaults to false (read/write). + description: readOnly specifies a read-only + configuration for the volume. Defaults to + false (read/write). type: boolean volumeAttributes: additionalProperties: type: string - description: VolumeAttributes stores driver-specific + description: volumeAttributes stores driver-specific properties that are passed to the CSI driver. Consult your driver's documentation for supported values. 
@@ -5419,7 +6264,7 @@ spec: - driver type: object downwardAPI: - description: DownwardAPI represents downward API + description: downwardAPI represents downward API about the pod that should populate this volume properties: defaultMode: @@ -5432,10 +6277,7 @@ spec: and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected - by this setting. This might be in conflict - with other options that affect the file - mode, like fsGroup, and the result can be - other mode bits set.' + by this setting.' format: int32 type: integer items: @@ -5463,6 +6305,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic mode: description: 'Optional: mode bits used to set permissions on this file, must @@ -5471,11 +6314,7 @@ spec: and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can be - other mode bits set.' + the volume defaultMode will be used.' format: int32 type: integer path: 
@@ -5514,70 +6353,50 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic required: - path type: object type: array type: object emptyDir: - description: 'EmptyDir represents a temporary + description: 'emptyDir represents a temporary directory that shares a pod''s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' properties: medium: - description: 'What type of storage medium - should back this directory. The default - is "" which means to use the node''s default - medium. Must be an empty string (default) - or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + description: 'medium represents what type + of storage medium should back this directory. + The default is "" which means to use the + node''s default medium. Must be an empty + string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' type: string sizeLimit: anyOf: - type: integer - type: string - description: 'Total amount of local storage - required for this EmptyDir volume. The size - limit is also applicable for memory medium. - The maximum usage on memory medium EmptyDir - would be the minimum value between the SizeLimit - specified here and the sum of memory limits - of all containers in a pod. The default - is nil which means that the limit is undefined. - More info: http://kubernetes.io/docs/user-guide/volumes#emptydir' + description: 'sizeLimit is the total amount + of local storage required for this EmptyDir + volume. The size limit is also applicable + for memory medium. The maximum usage on + memory medium EmptyDir would be the minimum + value between the SizeLimit specified here + and the sum of memory limits of all containers + in a pod. The default is nil which means + that the limit is undefined. More info: + https://kubernetes.' 
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object ephemeral: - description: "Ephemeral represents a volume that - is handled by a cluster storage driver (Alpha - feature). The volume's lifecycle is tied to - the pod that defines it - it will be created - before the pod starts, and deleted when the - pod is removed. \n Use this if: a) the volume - is only needed while the pod runs, b) features - of normal volumes like restoring from snapshot - or capacity tracking are needed, c) the storage - driver is specified through a storage class, - and d) the storage driver supports dynamic volume - provisioning through a PersistentVolumeClaim - (see EphemeralVolumeSource for more information - on the connection between this volume type and - PersistentVolumeClaim). \n Use PersistentVolumeClaim - or one of the vendor-specific APIs for volumes - that persist for longer than the lifecycle of - an individual pod. \n Use CSI for light-weight - local ephemeral volumes if the CSI driver is - meant to be used that way - see the documentation - of the driver for more information. \n A pod - can use both types of ephemeral volumes and - persistent volumes at the same time." + description: ephemeral represents a volume that + is handled by a cluster storage driver. The + volume's lifecycle is tied to the pod that defines + it - it will be created before the pod starts, + and deleted when the pod is removed. properties: - readOnly: - description: Specifies a read-only configuration - for the volume. Defaults to false (read/write). - type: boolean volumeClaimTemplate: - description: "Will be used to create a stand-alone + description: Will be used to create a stand-alone PVC to provision the volume. The pod in which this EphemeralVolumeSource is embedded will be the owner of the PVC, i.e. the PVC 
@@ -5585,23 +6404,6 @@ spec: name of the PVC will be `-` where `` is the name from the `PodSpec.Volumes` array entry. - Pod validation will reject the pod if the - concatenated name is not valid for a PVC - (for example, too long). \n An existing - PVC with that name that is not owned by - the pod will *not* be used for the pod to - avoid using an unrelated volume by mistake. - Starting the pod is then blocked until the - unrelated PVC is removed. If such a pre-created - PVC is meant to be used by the pod, the - PVC has to updated with an owner reference - to the pod once the pod exists. Normally - this should not be necessary, but it may - be useful when manually reconstructing a - broken cluster. \n This field is read-only - and no changes will be made by Kubernetes - to the PVC after it has been created. \n - Required, must not be nil." properties: metadata: description: May contain labels and annotations 
@@ -5635,34 +6437,57 @@ spec: are also valid here. properties: accessModes: - description: 'AccessModes contains + description: 'accessModes contains the desired access modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' items: type: string type: array dataSource: - description: 'This field can be used - to specify either: * An existing - VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot - - Beta) * An existing PVC (PersistentVolumeClaim) - * An existing custom resource/object - that implements data population - (Alpha) In order to use VolumeSnapshot - object types, the appropriate feature - gate must be enabled (VolumeSnapshotDataSource - or AnyVolumeDataSource) If the provisioner - or an external controller can support - the specified data source, it will - create a new volume based on the - contents of the specified data source. - If the specified data source is - not supported, the volume will not - be created and the failure will - be reported as an event. In the - future, we plan to support more - data source types and the behavior - of the provisioner may change.' + description: 'dataSource field can + be used to specify either: * An + existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external + controller can support the specified + data source, it will create a new + volume based on the contents of + the specified data source.' + properties: + apiGroup: + description: APIGroup is the group + for the resource being referenced. + If APIGroup is not specified, + the specified Kind must be in + the core API group. For any + other third-party types, APIGroup + is required. 
+ type: string + kind: + description: Kind is the type + of resource being referenced + type: string + name: + description: Name is the name + of resource being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: dataSourceRef specifies + the object from which to populate + the volume with data, if a non-empty + volume is desired. This may be any + object from a non-empty API group + (non core object) or a PersistentVolumeClaim + object. When this field is specified, + volume binding will only succeed + if the type of the specified object + matches some installed volume populator + or dynamic provisioner. properties: apiGroup: description: APIGroup is the group 
@@ -5681,15 +6506,64 @@ spec: description: Name is the name of resource being referenced type: string + namespace: + description: Namespace is the + namespace of resource being + referenced Note that when a + namespace is specified, a gateway.networking.k8s.io/ReferenceGrant + object is required in the referent + namespace to allow that namespace's + owner to accept the reference. + See the ReferenceGrant documentation + for details. (Alpha) This field + requires the CrossNamespaceVolumeDataSource + feature gate to be enabled. + type: string required: - kind - name type: object resources: - description: 'Resources represents + description: 'resources represents the minimum resources the volume - should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + should have. If RecoverVolumeExpansionFailure + feature is enabled users are allowed + to specify resource requirements + that are lower than previous value + but must still be higher than capacity + recorded in the status field of + the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' properties: + claims: + description: "Claims lists the + names of resources, defined + in spec.resourceClaims, that + are used by this container. + \n This is an alpha field and + requires enabling the DynamicResourceAllocation + feature gate. \n This field + is immutable. It can only be + set for containers." + items: + description: ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match + the name of one entry + in pod.spec.resourceClaims + of the Pod where this + field is used. It makes + that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -5700,7 +6574,7 @@ spec: description: 'Limits describes the maximum amount of compute resources allowed. More info: - https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: @@ -5716,12 +6590,13 @@ spec: it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + value. Requests cannot exceed + Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object selector: - description: A label query over volumes - to consider for binding. + description: selector is a label query + over volumes to consider for binding. properties: matchExpressions: description: matchExpressions @@ -5780,10 +6655,11 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic storageClassName: - description: 'Name of the StorageClass - required by the claim. More info: - https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + description: 'storageClassName is + the name of the StorageClass required + by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' type: string volumeMode: description: volumeMode defines what @@ -5792,7 +6668,7 @@ spec: when not included in claim spec. type: string volumeName: - description: VolumeName is the binding + description: volumeName is the binding reference to the PersistentVolume backing this claim. type: string 
@@ -5802,77 +6678,79 @@ spec: type: object type: object fc: - description: FC represents a Fibre Channel resource + description: fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod. properties: fsType: - description: 'Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - Implicitly inferred to be "ext4" if unspecified. - TODO: how do we prevent errors in the filesystem - from compromising the machine' + description: 'fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. TODO: how do we prevent + errors in the filesystem from compromising + the machine' type: string lun: - description: 'Optional: FC target lun number' + description: 'lun is Optional: FC target lun + number' format: int32 type: integer readOnly: - description: 'Optional: Defaults to false - (read/write). ReadOnly here will force the - ReadOnly setting in VolumeMounts.' + description: 'readOnly is Optional: Defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts.' type: boolean targetWWNs: - description: 'Optional: FC target worldwide - names (WWNs)' + description: 'targetWWNs is Optional: FC target + worldwide names (WWNs)' items: type: string type: array wwids: - description: 'Optional: FC volume world wide - identifiers (wwids) Either wwids or combination - of targetWWNs and lun must be set, but not - both simultaneously.' + description: 'wwids Optional: FC volume world + wide identifiers (wwids) Either wwids or + combination of targetWWNs and lun must be + set, but not both simultaneously.' 
items: type: string type: array type: object flexVolume: - description: FlexVolume represents a generic volume + description: flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. properties: driver: - description: Driver is the name of the driver + description: driver is the name of the driver to use for this volume. type: string fsType: - description: Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - The default filesystem depends on FlexVolume - script. + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". The default filesystem depends + on FlexVolume script. type: string options: additionalProperties: type: string - description: 'Optional: Extra command options - if any.' + description: 'options is Optional: this field + holds extra command options if any.' type: object readOnly: - description: 'Optional: Defaults to false - (read/write). ReadOnly here will force the - ReadOnly setting in VolumeMounts.' + description: 'readOnly is Optional: defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts.' type: boolean secretRef: - description: 'Optional: SecretRef is reference - to the secret object containing sensitive - information to pass to the plugin scripts. - This may be empty if no secret object is - specified. If the secret object contains - more than one secret, all secrets are passed - to the plugin scripts.' + description: 'secretRef is Optional: secretRef + is reference to the secret object containing + sensitive information to pass to the plugin + scripts. This may be empty if no secret + object is specified. If the secret object + contains more than one secret, all secrets + are passed to the plugin scripts.' properties: name: description: 'Name of the referent. More 
@@ -5881,57 +6759,60 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic required: - driver type: object flocker: - description: Flocker represents a Flocker volume + description: flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running properties: datasetName: - description: Name of the dataset stored as - metadata -> name on the dataset for Flocker - should be considered as deprecated + description: datasetName is Name of the dataset + stored as metadata -> name on the dataset + for Flocker should be considered as deprecated type: string datasetUUID: - description: UUID of the dataset. This is - unique identifier of a Flocker dataset + description: datasetUUID is the UUID of the + dataset. This is unique identifier of a + Flocker dataset type: string type: object gcePersistentDisk: - description: 'GCEPersistentDisk represents a GCE + description: 'gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' properties: fsType: - description: 'Filesystem type of the volume - that you want to mount. Tip: Ensure that - the filesystem type is supported by the - host operating system. Examples: "ext4", - "xfs", "ntfs". Implicitly inferred to be - "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + description: 'fsType is filesystem type of + the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. 
More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk TODO: how do we prevent errors in the filesystem from compromising the machine' type: string partition: - description: 'The partition in the volume - that you want to mount. If omitted, the - default is to mount by volume name. Examples: - For volume /dev/sda1, you specify the partition - as "1". Similarly, the volume partition - for /dev/sda is "0" (or you can leave the - property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: 'partition is the partition in + the volume that you want to mount. If omitted, + the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify + the partition as "1". Similarly, the volume + partition for /dev/sda is "0" (or you can + leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' format: int32 type: integer pdName: - description: 'Unique name of the PD resource - in GCE. Used to identify the disk in GCE. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: 'pdName is unique name of the + PD resource in GCE. Used to identify the + disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' type: string readOnly: - description: 'ReadOnly here will force the + description: 'readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' type: boolean @@ -5939,7 +6820,7 @@ spec: - pdName type: object gitRepo: - description: 'GitRepo represents a git repository + description: 'gitRepo represents a git repository at a particular revision. DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer 
@@ -5947,39 +6828,39 @@ spec: EmptyDir into the Pod''s container.' properties: directory: - description: Target directory name. Must not - contain or start with '..'. If '.' is supplied, - the volume directory will be the git repository. Otherwise, - if specified, the volume will contain the - git repository in the subdirectory with - the given name. + description: directory is the target directory + name. Must not contain or start with '..'. If + '.' is supplied, the volume directory will + be the git repository. Otherwise, if specified, + the volume will contain the git repository + in the subdirectory with the given name. type: string repository: - description: Repository URL + description: repository is the URL type: string revision: - description: Commit hash for the specified - revision. + description: revision is the commit hash for + the specified revision. type: string required: - repository type: object glusterfs: - description: 'Glusterfs represents a Glusterfs + description: 'glusterfs represents a Glusterfs mount on the host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md' properties: endpoints: - description: 'EndpointsName is the endpoint - name that details Glusterfs topology. More - info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + description: 'endpoints is the endpoint name + that details Glusterfs topology. More info: + https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' type: string path: - description: 'Path is the Glusterfs volume + description: 'path is the Glusterfs volume path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' type: string readOnly: - description: 'ReadOnly here will force the + description: 'readOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' 
@@ -5989,87 +6870,87 @@ spec: - path type: object hostPath: - description: 'HostPath represents a pre-existing + description: 'hostPath represents a pre-existing file or directory on the host machine that is directly exposed to the container. This is generally used for system agents or other privileged things that are allowed to see the host machine. Most - containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - --- TODO(jonesdl) We need to restrict who can - use host directory mounts and who can/can not - mount host directories as read/write.' + containers will NOT need this. More info: https://kubernetes.' properties: path: - description: 'Path of the directory on the + description: 'path of the directory on the host. If the path is a symlink, it will follow the link to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' type: string type: - description: 'Type for HostPath Volume Defaults + description: 'type for HostPath Volume Defaults to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' type: string required: - path type: object iscsi: - description: 'ISCSI represents an ISCSI Disk resource + description: 'iscsi represents an ISCSI Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' properties: chapAuthDiscovery: - description: whether support iSCSI Discovery - CHAP authentication + description: chapAuthDiscovery defines whether + support iSCSI Discovery CHAP authentication type: boolean chapAuthSession: - description: whether support iSCSI Session - CHAP authentication + description: chapAuthSession defines whether + support iSCSI Session CHAP authentication type: boolean fsType: - description: 'Filesystem type of the volume - that you want to mount. Tip: Ensure that - the filesystem type is supported by the - host operating system. 
Examples: "ext4", - "xfs", "ntfs". Implicitly inferred to be - "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#iscsi TODO: how do we prevent errors in the filesystem from compromising the machine' type: string initiatorName: - description: Custom iSCSI Initiator Name. - If initiatorName is specified with iscsiInterface - simultaneously, new iSCSI interface : will be created for - the connection. + description: initiatorName is the custom iSCSI + Initiator Name. If initiatorName is specified + with iscsiInterface simultaneously, new + iSCSI interface : will be created for the connection. type: string iqn: - description: Target iSCSI Qualified Name. + description: iqn is the target iSCSI Qualified + Name. type: string iscsiInterface: - description: iSCSI Interface Name that uses - an iSCSI transport. Defaults to 'default' - (tcp). + description: iscsiInterface is the interface + Name that uses an iSCSI transport. Defaults + to 'default' (tcp). type: string lun: - description: iSCSI Target Lun number. + description: lun represents iSCSI Target Lun + number. format: int32 type: integer portals: - description: iSCSI Target Portal List. The - portal is either an IP or ip_addr:port if - the port is other than default (typically + description: portals is the iSCSI Target Portal + List. The portal is either an IP or ip_addr:port + if the port is other than default (typically TCP ports 860 and 3260). items: type: string type: array readOnly: - description: ReadOnly here will force the + description: readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. 
type: boolean secretRef: - description: CHAP Secret for iSCSI target - and initiator authentication + description: secretRef is the CHAP Secret + for iSCSI target and initiator authentication properties: name: description: 'Name of the referent. More @@ -6078,11 +6959,12 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic targetPortal: - description: iSCSI Target Portal. The Portal - is either an IP or ip_addr:port if the port - is other than default (typically TCP ports - 860 and 3260). + description: targetPortal is iSCSI Target + Portal. The Portal is either an IP or ip_addr:port + if the port is other than default (typically + TCP ports 860 and 3260). type: string required: - iqn @@ -6090,26 +6972,26 @@ spec: - targetPortal type: object name: - description: 'Volume''s name. Must be a DNS_LABEL + description: 'name of the volume. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string nfs: - description: 'NFS represents an NFS mount on the + description: 'nfs represents an NFS mount on the host that shares a pod''s lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' properties: path: - description: 'Path that is exported by the + description: 'path that is exported by the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: string readOnly: - description: 'ReadOnly here will force the + description: 'readOnly here will force the NFS export to be mounted with read-only permissions. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: boolean server: - description: 'Server is the hostname or IP + description: 'server is the hostname or IP address of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: string required: 
@@ -6117,118 +6999,112 @@ spec: - server type: object persistentVolumeClaim: - description: 'PersistentVolumeClaimVolumeSource + description: 'persistentVolumeClaimVolumeSource represents a reference to a PersistentVolumeClaim in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' properties: claimName: - description: 'ClaimName is the name of a PersistentVolumeClaim + description: 'claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' type: string readOnly: - description: Will force the ReadOnly setting - in VolumeMounts. Default false. + description: readOnly Will force the ReadOnly + setting in VolumeMounts. Default false. type: boolean required: - claimName type: object photonPersistentDisk: - description: PhotonPersistentDisk represents a + description: photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine properties: fsType: - description: Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - Implicitly inferred to be "ext4" if unspecified. + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. 
type: string pdID: - description: ID that identifies Photon Controller - persistent disk + description: pdID is the ID that identifies + Photon Controller persistent disk type: string required: - pdID type: object portworxVolume: - description: PortworxVolume represents a portworx + description: portworxVolume represents a portworx volume attached and mounted on kubelets host machine properties: fsType: - description: FSType represents the filesystem + description: fSType represents the filesystem type to mount Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. type: string readOnly: - description: Defaults to false (read/write). + description: readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. type: boolean volumeID: - description: VolumeID uniquely identifies + description: volumeID uniquely identifies a Portworx volume type: string required: - volumeID type: object projected: - description: Items for all in one resources secrets, - configmaps, and downward API + description: projected items for all in one resources + secrets, configmaps, and downward API properties: defaultMode: - description: Mode bits used to set permissions - on created files by default. Must be an - octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both - octal and decimal values, JSON requires - decimal values for mode bits. Directories - within the path are not affected by this - setting. This might be in conflict with - other options that affect the file mode, - like fsGroup, and the result can be other - mode bits set. + description: defaultMode are the mode bits + used to set permissions on created files + by default. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. 
Directories within the path are + not affected by this setting. format: int32 type: integer sources: - description: list of volume projections + description: sources is the list of volume + projections items: description: Projection that may be projected along with other supported volume types properties: configMap: - description: information about the configMap - data to project + description: configMap information about + the configMap data to project properties: items: - description: If unspecified, each - key-value pair in the Data field - of the referenced ConfigMap will - be projected into the volume as - a file whose name is the key and - content is the value. If specified, + description: items if unspecified, + each key-value pair in the Data + field of the referenced ConfigMap + will be projected into the volume + as a file whose name is the key + and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. - If a key is specified which is - not present in the ConfigMap, - the volume setup will error unless - it is marked optional. Paths must - be relative and may not contain - the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. properties: key: - description: The key to project. + description: key is the key + to project. type: string mode: - description: 'Optional: mode - bits used to set permissions + description: 'mode is Optional: + mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value 
@@ -6237,16 +7113,11 @@ spec: values, JSON requires decimal values for mode bits. If not specified, the volume - defaultMode will be used. - This might be in conflict - with other options that - affect the file mode, like - fsGroup, and the result - can be other mode bits set.' + defaultMode will be used.' format: int32 type: integer path: - description: The relative + description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain @@ -6266,14 +7137,15 @@ spec: apiVersion, kind, uid?' type: string optional: - description: Specify whether the - ConfigMap or its keys must be - defined + description: optional specify whether + the ConfigMap or its keys must + be defined type: boolean type: object + x-kubernetes-map-type: atomic downwardAPI: - description: information about the downwardAPI - data to project + description: downwardAPI information + about the downwardAPI data to project properties: items: description: Items is a list of @@ -6304,6 +7176,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic mode: description: 'Optional: mode bits used to set permissions @@ -6315,12 +7188,7 @@ spec: values, JSON requires decimal values for mode bits. If not specified, the volume - defaultMode will be used. - This might be in conflict - with other options that - affect the file mode, like - fsGroup, and the result - can be other mode bits set.' + defaultMode will be used.' format: int32 type: integer path: 
@@ -6364,41 +7232,37 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic required: - path type: object type: array type: object secret: - description: information about the secret - data to project + description: secret information about + the secret data to project properties: items: - description: If unspecified, each - key-value pair in the Data field - of the referenced Secret will - be projected into the volume as - a file whose name is the key and - content is the value. If specified, + description: items if unspecified, + each key-value pair in the Data + field of the referenced Secret + will be projected into the volume + as a file whose name is the key + and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. - If a key is specified which is - not present in the Secret, the - volume setup will error unless - it is marked optional. Paths must - be relative and may not contain - the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. properties: key: - description: The key to project. + description: key is the key + to project. type: string mode: - description: 'Optional: mode - bits used to set permissions + description: 'mode is Optional: + mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value @@ -6407,16 +7271,11 @@ spec: values, JSON requires decimal values for mode bits. If not specified, the volume - defaultMode will be used. - This might be in conflict - with other options that - affect the file mode, like - fsGroup, and the result - can be other mode bits set.' + defaultMode will be used.' format: int32 type: integer path: - description: The relative + description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain 
@@ -6436,16 +7295,19 @@ spec: apiVersion, kind, uid?' type: string optional: - description: Specify whether the - Secret or its key must be defined + description: optional field specify + whether the Secret or its key + must be defined type: boolean type: object + x-kubernetes-map-type: atomic serviceAccountToken: - description: information about the serviceAccountToken + description: serviceAccountToken is + information about the serviceAccountToken data to project properties: audience: - description: Audience is the intended + description: audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in @@ -6455,7 +7317,7 @@ spec: of the apiserver. type: string expirationSeconds: - description: ExpirationSeconds is + description: expirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, @@ -6471,7 +7333,7 @@ spec: format: int64 type: integer path: - description: Path is the path relative + description: path is the path relative to the mount point of the file to project the token into. type: string 
@@ -6480,41 +7342,39 @@ spec: type: object type: object type: array - required: - - sources type: object quobyte: - description: Quobyte represents a Quobyte mount + description: quobyte represents a Quobyte mount on the host that shares a pod's lifetime properties: group: - description: Group to map volume access to + description: group to map volume access to Default is no group type: string readOnly: - description: ReadOnly here will force the + description: readOnly here will force the Quobyte volume to be mounted with read-only permissions. Defaults to false. type: boolean registry: - description: Registry represents a single + description: registry represents a single or multiple Quobyte Registry services specified as a string as host:port pair (multiple entries are separated with commas) which acts as the central registry for volumes type: string tenant: - description: Tenant owning the given Quobyte + description: tenant owning the given Quobyte volume in the Backend Used with dynamically provisioned Quobyte volumes, value is set by the plugin type: string user: - description: User to map volume access to + description: user to map volume access to Defaults to serivceaccount user type: string volume: - description: Volume is a string that references + description: volume is a string that references an already created Quobyte volume by name. type: string required: 
@@ -6522,46 +7382,47 @@ spec: - volume type: object rbd: - description: 'RBD represents a Rados Block Device + description: 'rbd represents a Rados Block Device mount on the host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md' properties: fsType: - description: 'Filesystem type of the volume - that you want to mount. Tip: Ensure that - the filesystem type is supported by the - host operating system. Examples: "ext4", - "xfs", "ntfs". Implicitly inferred to be - "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#rbd TODO: how do we prevent errors in the filesystem from compromising the machine' type: string image: - description: 'The rados image name. More info: - https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: 'image is the rados image name. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string keyring: - description: 'Keyring is the path to key ring + description: 'keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string monitors: - description: 'A collection of Ceph monitors. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: 'monitors is a collection of + Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' items: type: string type: array pool: - description: 'The rados pool name. Default - is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: 'pool is the rados pool name. + Default is rbd. 
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string readOnly: - description: 'ReadOnly here will force the + description: 'readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: boolean secretRef: - description: 'SecretRef is name of the authentication + description: 'secretRef is name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' properties: 
@@ -6572,39 +7433,41 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic user: - description: 'The rados user name. Default - is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: 'user is the rados user name. + Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string required: - image - monitors type: object scaleIO: - description: ScaleIO represents a ScaleIO persistent + description: scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. properties: fsType: - description: Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - Default is "xfs". + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Default is "xfs". type: string gateway: - description: The host address of the ScaleIO - API Gateway. + description: gateway is the host address of + the ScaleIO API Gateway. type: string protectionDomain: - description: The name of the ScaleIO Protection - Domain for the configured storage. + description: protectionDomain is the name + of the ScaleIO Protection Domain for the + configured storage. type: string readOnly: - description: Defaults to false (read/write). + description: readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: SecretRef references to the secret + description: secretRef references to the secret for ScaleIO user and other sensitive information. If this is not provided, Login operation will fail. 
@@ -6616,27 +7479,29 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic sslEnabled: - description: Flag to enable/disable SSL communication - with Gateway, default false + description: sslEnabled Flag enable/disable + SSL communication with Gateway, default + false type: boolean storageMode: - description: Indicates whether the storage - for a volume should be ThickProvisioned + description: storageMode indicates whether + the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. type: string storagePool: - description: The ScaleIO Storage Pool associated - with the protection domain. + description: storagePool is the ScaleIO Storage + Pool associated with the protection domain. type: string system: - description: The name of the storage system - as configured in ScaleIO. + description: system is the name of the storage + system as configured in ScaleIO. type: string volumeName: - description: The name of a volume already - created in the ScaleIO system that is associated - with this volume source. + description: volumeName is the name of a volume + already created in the ScaleIO system that + is associated with this volume source. type: string required: - gateway 
@@ -6644,62 +7509,52 @@ spec: - system type: object secret: - description: 'Secret represents a secret that + description: 'secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' properties: defaultMode: - description: 'Optional: mode bits used to - set permissions on created files by default. - Must be an octal value between 0000 and - 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, - JSON requires decimal values for mode bits. - Defaults to 0644. Directories within the - path are not affected by this setting. This - might be in conflict with other options - that affect the file mode, like fsGroup, - and the result can be other mode bits set.' + description: 'defaultMode is Optional: mode + bits used to set permissions on created + files by default. Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. + Directories within the path are not affected + by this setting.' format: int32 type: integer items: - description: If unspecified, each key-value + description: items If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the Secret, the volume setup will error - unless it is marked optional. Paths must - be relative and may not contain the '..' - path or start with '..'. + and unlisted keys will not be present. items: description: Maps a string key to a path within a volume. properties: key: - description: The key to project. + description: key is the key to project. 
type: string mode: - description: 'Optional: mode bits used - to set permissions on this file. Must - be an octal value between 0000 and - 0777 or a decimal value between 0 - and 511. YAML accepts both octal and - decimal values, JSON requires decimal - values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can be - other mode bits set.' + description: 'mode is Optional: mode + bits used to set permissions on this + file. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal + and decimal values, JSON requires + decimal values for mode bits. If not + specified, the volume defaultMode + will be used.' format: int32 type: integer path: - description: The relative path of the - file to map the key to. May not be - an absolute path. May not contain + description: path is the relative path + of the file to map the key to. May + not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string 
@@ -6709,31 +7564,33 @@ spec: type: object type: array optional: - description: Specify whether the Secret or - its keys must be defined + description: optional field specify whether + the Secret or its keys must be defined type: boolean secretName: - description: 'Name of the secret in the pod''s - namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + description: 'secretName is the name of the + secret in the pod''s namespace to use. More + info: https://kubernetes.io/docs/concepts/storage/volumes#secret' type: string type: object storageos: - description: StorageOS represents a StorageOS + description: storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. properties: fsType: - description: Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - Implicitly inferred to be "ext4" if unspecified. + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. type: string readOnly: - description: Defaults to false (read/write). + description: readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: SecretRef specifies the secret + description: secretRef specifies the secret to use for obtaining the StorageOS API credentials. If not specified, default values will be attempted. properties: 
@@ -6744,13 +7601,14 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic volumeName: - description: VolumeName is the human-readable + description: volumeName is the human-readable name of the StorageOS volume. Volume names are only unique within a namespace. type: string volumeNamespace: - description: VolumeNamespace specifies the + description: volumeNamespace specifies the scope of the volume within StorageOS. If no namespace is specified then the Pod's namespace will be used. This allows the 
@@ -6758,32 +7616,33 @@ spec: StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to "default" if you are not using namespaces - within StorageOS. Namespaces that do not - pre-exist within StorageOS will be created. + within StorageOS. type: string type: object vsphereVolume: - description: VsphereVolume represents a vSphere + description: vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine properties: fsType: - description: Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - Implicitly inferred to be "ext4" if unspecified. + description: fsType is filesystem type to + mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. type: string storagePolicyID: - description: Storage Policy Based Management - (SPBM) profile ID associated with the StoragePolicyName. + description: storagePolicyID is the storage + Policy Based Management (SPBM) profile ID + associated with the StoragePolicyName. type: string storagePolicyName: - description: Storage Policy Based Management - (SPBM) profile name. + description: storagePolicyName is the storage + Policy Based Management (SPBM) profile name. type: string volumePath: - description: Path that identifies vSphere - volume vmdk + description: volumePath is the path that identifies + vSphere volume vmdk type: string required: - volumePath @@ -6818,7 +7677,7 @@ spec: type: integer cleanPodPolicy: description: CleanPodPolicy defines the policy to kill pods after - the job completes. Default to Running. + the job completes. Default to None. type: string schedulingPolicy: description: SchedulingPolicy defines the policy related to scheduling, 
@@ -6834,14 +7693,25 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, quantity) - pairs. type: object priorityClass: type: string queue: type: string + scheduleTimeoutSeconds: + format: int32 + type: integer type: object + suspend: + default: false + description: suspend specifies whether the Job controller should + create Pods or not. If a Job is created with suspend set to + true, no Pods are created by the Job controller. If a Job is + suspended after creation (i.e. the flag goes from false to true), + the Job controller will delete all active Pods and PodGroups + associated with this Job. Users must design their workload to + gracefully handle this. + type: boolean ttlSecondsAfterFinished: description: TTLSecondsAfterFinished is the TTL to clean up jobs. It may take extra ReconcilePeriod seconds for the cleanup, since @@ -6920,10 +7790,7 @@ spec: format: int32 type: integer labelSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: 'Deprecated: Use Selector instead' properties: matchExpressions: description: matchExpressions is a list of label selector @@ -6966,6 +7833,13 @@ spec: only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic + selector: + description: A Selector is a label query over a set of resources. + The result of matchLabels and matchExpressions are ANDed. + An empty Selector matches all objects. A null Selector matches + no objects. + type: string succeeded: description: The number of pods which reached phase Succeeded. format: int32 
@@ -6981,18 +7855,9 @@ spec: and is in UTC. format: date-time type: string - required: - - conditions - - replicaStatuses type: object type: object served: true storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/kubeflow/helm/training-operator/crds/kubeflow.org_mxjobs.yaml b/kubeflow/helm/training-operator/crds/kubeflow.org_mxjobs.yaml index f526b6a2c..18a7bd4c9 100644 --- a/kubeflow/helm/training-operator/crds/kubeflow.org_mxjobs.yaml +++ b/kubeflow/helm/training-operator/crds/kubeflow.org_mxjobs.yaml @@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.0 name: mxjobs.kubeflow.org spec: group: kubeflow.org @@ -113,12 +111,7 @@ spec: with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum - by iterating through the elements of this - field and adding "weight" to the sum if the - node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most - preferred. + affinity expressions, etc. items: description: An empty preferred scheduling term matches all objects with implicit weight @@ -213,6 +206,7 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic weight: description: Weight associated with matching the corresponding nodeSelectorTerm, @@ -326,10 +320,12 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic type: array required: - nodeSelectorTerms type: object + x-kubernetes-map-type: atomic type: object podAffinity: description: Describes pod affinity scheduling rules 
@@ -345,12 +341,7 @@ spec: with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum - by iterating through the elements of this - field and adding "weight" to the sum if the - node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest - sum are the most preferred. + affinity expressions, etc. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added 
@@ -422,12 +413,87 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the + set of namespaces that the term + applies to. The term is applied + to the union of the namespaces selected + by this field and the ones listed + in the namespaces field. null selector + and null or empty namespaces list + means "this pod's namespace". An + empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); null - or empty list means "this pod's - namespace" + a static list of namespace names + that the term applies to. The term + is applied to the union of the namespaces + listed in this field and the ones + selected by namespaceSelector. null + or empty namespaces list and null + namespaceSelector means "this pod's + namespace". items: type: string type: array @@ -465,10 +531,7 @@ spec: this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually - evict the pod from its node. When there are - multiple elements, the lists of nodes corresponding - to each podAffinityTerm are intersected, i.e. - all terms must be satisfied. + evict the pod from its node. items: description: Defines a set of pods (namely those matching the labelSelector relative 
@@ -537,11 +600,80 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this field + and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies which - namespaces the labelSelector applies - to (matches against); null or empty - list means "this pod's namespace" + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". items: type: string type: array @@ -573,15 +705,7 @@ spec: may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum - of weights, i.e. for each node that meets - all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity - expressions, etc.), compute a sum by iterating - through the elements of this field and adding - "weight" to the sum if the node has pods which - matches the corresponding podAffinityTerm; - the node(s) with the highest sum are the most - preferred. + of weights, i.e. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added 
@@ -653,12 +777,87 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the + set of namespaces that the term + applies to. The term is applied + to the union of the namespaces selected + by this field and the ones listed + in the namespaces field. null selector + and null or empty namespaces list + means "this pod's namespace". An + empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); null - or empty list means "this pod's - namespace" + a static list of namespace names + that the term applies to. The term + is applied to the union of the namespaces + listed in this field and the ones + selected by namespaceSelector. null + or empty namespaces list and null + namespaceSelector means "this pod's + namespace". items: type: string type: array @@ -696,10 +895,7 @@ spec: by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to - eventually evict the pod from its node. When - there are multiple elements, the lists of - nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + eventually evict the pod from its node. items: description: Defines a set of pods (namely those matching the labelSelector relative 
@@ -768,11 +964,80 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this field + and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies which - namespaces the labelSelector applies - to (matches against); null or empty - list means "this pod's namespace" + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". items: type: string type: array 
@@ -809,30 +1074,25 @@ spec: properties: args: description: 'Arguments to the entrypoint. The - docker image''s CMD is used if this is not provided. - Variable references $(VAR_NAME) are expanded - using the container''s environment. If a variable - cannot be resolved, the reference in the input - string will be unchanged. The $(VAR_NAME) syntax - can be escaped with a double $$, ie: $$(VAR_NAME). - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + container image''s CMD is used if this is not + provided. Variable references $(VAR_NAME) are + expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array command: description: 'Entrypoint array. Not executed within - a shell. The docker image''s ENTRYPOINT is used - if this is not provided. Variable references + a shell. The container image''s ENTRYPOINT is + used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. - The $(VAR_NAME) syntax can be escaped with a - double $$, ie: $$(VAR_NAME). Escaped references - will never be expanded, regardless of whether - the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array 
@@ -849,16 +1109,15 @@ spec: type: string value: description: 'Variable references $(VAR_NAME) - are expanded using the previous defined + are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be - unchanged. The $(VAR_NAME) syntax can - be escaped with a double $$, ie: $$(VAR_NAME). - Escaped references will never be expanded, - regardless of whether the variable exists - or not. Defaults to "".' + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' type: string valueFrom: description: Source for the environment @@ -884,6 +1143,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, @@ -903,6 +1163,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: 'Selects a resource of the container: only resources limits @@ -932,6 +1193,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -954,6 +1216,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name @@ -987,6 +1250,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be 
@@ -1006,10 +1270,12 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic type: object type: array image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images + description: 'Container image name. More info: + https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments @@ -1035,9 +1301,8 @@ spec: More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: One and only one of the following - should be specified. Exec specifies - the action to take. + description: Exec specifies the action + to take. properties: command: description: Command is the command @@ -1076,7 +1341,10 @@ spec: properties: name: description: The header field - name + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. type: string value: description: The header field @@ -1108,10 +1376,12 @@ spec: - port type: object tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not - yet supported TODO: implement a realistic - TCP lifecycle hook' + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. properties: host: description: 'Optional: Host name 
@@ -1132,27 +1402,18 @@ spec: type: object type: object preStop: - description: 'PreStop is called immediately + description: PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. - The reason for termination is passed to - the handler. The Pod''s termination grace - period countdown begins before the PreStop - hooked is executed. Regardless of the outcome - of the handler, the container will eventually - terminate within the Pod''s termination - grace period. Other management of the container - blocks until the hook completes or until - the termination grace period is reached. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + The Pod's termination grace period countdown + begins before the PreStop hook is executed. properties: exec: - description: One and only one of the following - should be specified. Exec specifies - the action to take. + description: Exec specifies the action + to take. properties: command: description: Command is the command @@ -1191,7 +1452,10 @@ spec: properties: name: description: The header field - name + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. type: string value: description: The header field @@ -1223,10 +1487,12 @@ spec: - port type: object tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not - yet supported TODO: implement a realistic - TCP lifecycle hook' + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. properties: host: description: 'Optional: Host name 
@@ -1253,9 +1519,8 @@ spec: Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -1280,6 +1545,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. @@ -1297,7 +1581,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -1348,10 +1636,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect 
@@ -1369,6 +1655,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. @@ -1383,14 +1681,13 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the system - additional information about the network connections - a container uses, but is primarily informational. - Not specifying a port here DOES NOT prevent - that port from being exposed. Any port which - is listening on the default "0.0.0.0" address - inside a container will be accessible from the - network. Cannot be updated. + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. items: description: ContainerPort represents a network port in a single container. @@ -1440,9 +1737,8 @@ spec: More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line 
@@ -1467,6 +1763,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. @@ -1484,7 +1799,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -1535,10 +1854,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect @@ -1556,6 +1873,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. 
@@ -1563,10 +1892,57 @@ spec: format: int32 type: integer type: object + resizePolicy: + description: Resources resize policy for the container. + items: + description: ContainerResizePolicy represents + resource resize policy for the container. + properties: + resourceName: + description: 'Name of the resource to which + this resource resize policy applies. Supported + values: cpu, memory.' + type: string + restartPolicy: + description: Restart policy to apply when + specified resource is resized. If not + specified, it defaults to NotRequired. + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: description: 'Compute Resources required by this - container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are + used by this container. \n This is an alpha + field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: ResourceClaim references one + entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available inside + a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -1576,7 +1952,7 @@ spec: x-kubernetes-int-or-string: true description: 'Limits describes the maximum amount of compute resources allowed. More - info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: @@ -1590,12 +1966,15 @@ spec: Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + value. Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object securityContext: - description: 'Security options the pod should - run with. More info: https://kubernetes.io/docs/concepts/policy/security-context/ + description: 'SecurityContext defines the security + options the container should be run with. If + set, the fields of SecurityContext override + the equivalent fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' properties: allowPrivilegeEscalation: @@ -1605,13 +1984,16 @@ spec: controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) - run as Privileged 2) has CAP_SYS_ADMIN' + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' type: boolean capabilities: description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the - container runtime. + container runtime. Note that this field + cannot be set when spec.os.name is windows. properties: add: description: Added capabilities 
@@ -1632,7 +2014,8 @@ spec: description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults - to false. + to false. Note that this field cannot be + set when spec.os.name is windows. type: boolean procMount: description: procMount denotes the type of @@ -1641,10 +2024,14 @@ spec: container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. type: string readOnlyRootFilesystem: description: Whether this container has a read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. type: boolean runAsGroup: description: The GID to run the entrypoint @@ -1652,7 +2039,8 @@ spec: if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer runAsNonRoot: @@ -1662,10 +2050,7 @@ spec: to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation - will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. + will be performed. May also be set in PodSecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint @@ -1674,7 +2059,8 @@ spec: May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer seLinuxOptions: 
@@ -1684,7 +2070,9 @@ spec: for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified - in SecurityContext takes precedence. + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. properties: level: description: Level is SELinux level label @@ -1707,7 +2095,9 @@ spec: description: The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container - options override the pod options. + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. properties: localhostProfile: description: localhostProfile indicates @@ -1738,7 +2128,9 @@ spec: the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified - in SecurityContext takes precedence. + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. properties: gmsaCredentialSpec: description: GMSACredentialSpec is where @@ -1752,6 +2144,16 @@ spec: the name of the GMSA credential spec to use. type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean runAsUserName: description: The UserName in Windows to run the entrypoint of the container 
@@ -1765,23 +2167,15 @@ spec: type: object type: object startupProbe: - description: 'StartupProbe indicates that the - Pod has successfully initialized. If specified, + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. - This can be used to provide different probe - parameters at the beginning of a Pod''s lifecycle, - when it might take a long time to load data - or warm a cache, than during steady-state operation. - This cannot be updated. This is a beta feature - enabled by the StartupProbe feature flag. More - info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -1806,6 +2200,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. 
@@ -1823,7 +2236,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -1874,10 +2291,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect @@ -1895,6 +2310,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. @@ -1914,15 +2341,7 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin - is opened on container start, is empty until - the first client attaches to stdin, and then - remains open and accepts data until the client - disconnects, at which time stdin is closed and - remains closed until the container is restarted. - If this flag is false, a container processes - that reads from stdin will never receive an - EOF. Default is false + sessions. type: boolean terminationMessagePath: description: 'Optional: Path at which the file 
@@ -1933,7 +2352,7 @@ spec: message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults - to /dev/termination-log. Cannot be updated.' + to /dev/termination-log.' type: string terminationMessagePolicy: description: Indicate how the termination message @@ -1943,9 +2362,7 @@ spec: FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with - an error. The log output is limited to 2048 - bytes or 80 lines, whichever is smaller. Defaults - to File. Cannot be updated. + an error. type: string tty: description: Whether this container should allocate 
@@ -2092,50 +2509,38 @@ spec: and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. - This field is alpha-level and is only honored by servers - that enable the EphemeralContainers feature. items: - description: An EphemeralContainer is a container - that may be added temporarily to an existing pod - for user-initiated activities such as debugging. - Ephemeral containers have no resource or scheduling - guarantees, and they will not be restarted when - they exit or when a pod is removed or restarted. - If an ephemeral container causes a pod to exceed - its resource allocation, the pod may be evicted. - Ephemeral containers may not be added by directly - updating the pod spec. They must be added via the - pod's ephemeralcontainers subresource, and they - will appear in the pod spec once added. This is - an alpha feature enabled by the EphemeralContainers - feature flag. + description: An EphemeralContainer is a temporary + container that you may add to an existing Pod for + user-initiated activities such as debugging. Ephemeral + containers have no resource or scheduling guarantees, + and they will not be restarted when they exit or + when a Pod is removed or restarted. The kubelet + may evict a Pod if an ephemeral container causes + the Pod to exceed its resource allocation. properties: args: description: 'Arguments to the entrypoint. The - docker image''s CMD is used if this is not provided. + image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input - string will be unchanged. The $(VAR_NAME) syntax - can be escaped with a double $$, ie: $$(VAR_NAME). - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. 
More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)".' items: type: string type: array command: description: 'Entrypoint array. Not executed within - a shell. The docker image''s ENTRYPOINT is used - if this is not provided. Variable references - $(VAR_NAME) are expanded using the container''s - environment. If a variable cannot be resolved, - the reference in the input string will be unchanged. - The $(VAR_NAME) syntax can be escaped with a - double $$, ie: $$(VAR_NAME). Escaped references - will never be expanded, regardless of whether - the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + a shell. The image''s ENTRYPOINT is used if + this is not provided. Variable references $(VAR_NAME) + are expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array 
@@ -2152,16 +2557,15 @@ spec: type: string value: description: 'Variable references $(VAR_NAME) - are expanded using the previous defined + are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be - unchanged. The $(VAR_NAME) syntax can - be escaped with a double $$, ie: $$(VAR_NAME). - Escaped references will never be expanded, - regardless of whether the variable exists - or not. Defaults to "".' + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' type: string valueFrom: description: Source for the environment @@ -2187,6 +2591,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, @@ -2206,6 +2611,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: 'Selects a resource of the container: only resources limits @@ -2235,6 +2641,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -2257,6 +2664,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name @@ -2290,6 +2698,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be 
@@ -2309,10 +2718,12 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic type: object type: array image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images' + description: 'Container image name. More info: + https://kubernetes.io/docs/concepts/containers/images' type: string imagePullPolicy: description: 'Image pull policy. One of Always, @@ -2333,9 +2744,8 @@ spec: More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: One and only one of the following - should be specified. Exec specifies - the action to take. + description: Exec specifies the action + to take. properties: command: description: Command is the command @@ -2374,7 +2784,10 @@ spec: properties: name: description: The header field - name + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. type: string value: description: The header field @@ -2406,10 +2819,12 @@ spec: - port type: object tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not - yet supported TODO: implement a realistic - TCP lifecycle hook' + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. properties: host: description: 'Optional: Host name 
@@ -2430,27 +2845,18 @@ spec: type: object type: object preStop: - description: 'PreStop is called immediately + description: PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. - The reason for termination is passed to - the handler. The Pod''s termination grace - period countdown begins before the PreStop - hooked is executed. Regardless of the outcome - of the handler, the container will eventually - terminate within the Pod''s termination - grace period. Other management of the container - blocks until the hook completes or until - the termination grace period is reached. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + The Pod's termination grace period countdown + begins before the PreStop hook is executed. properties: exec: - description: One and only one of the following - should be specified. Exec specifies - the action to take. + description: Exec specifies the action + to take. properties: command: description: Command is the command @@ -2489,7 +2895,10 @@ spec: properties: name: description: The header field - name + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. type: string value: description: The header field @@ -2521,10 +2930,12 @@ spec: - port type: object tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not - yet supported TODO: implement a realistic - TCP lifecycle hook' + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. properties: host: description: 'Optional: Host name 
@@ -2550,9 +2961,8 @@ spec: containers. properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -2577,6 +2987,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. @@ -2594,7 +3023,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -2645,10 +3078,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect 
@@ -2666,6 +3097,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. @@ -2720,14 +3163,17 @@ spec: - containerPort type: object type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map readinessProbe: description: Probes are not allowed for ephemeral containers. properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -2752,6 +3198,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. 
@@ -2769,7 +3234,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -2820,10 +3289,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect @@ -2841,6 +3308,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. 
@@ -2848,11 +3327,58 @@ spec: format: int32 type: integer type: object + resizePolicy: + description: Resources resize policy for the container. + items: + description: ContainerResizePolicy represents + resource resize policy for the container. + properties: + resourceName: + description: 'Name of the resource to which + this resource resize policy applies. Supported + values: cpu, memory.' + type: string + restartPolicy: + description: Restart policy to apply when + specified resource is resized. If not + specified, it defaults to NotRequired. + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: description: Resources are not allowed for ephemeral containers. Ephemeral containers use spare resources already allocated to the pod. properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are + used by this container. \n This is an alpha + field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: ResourceClaim references one + entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available inside + a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -2862,7 +3388,7 @@ spec: x-kubernetes-int-or-string: true description: 'Limits describes the maximum amount of compute resources allowed. More - info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: 
@@ -2876,12 +3402,15 @@ spec: Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + value. Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object securityContext: - description: SecurityContext is not allowed for - ephemeral containers. + description: 'Optional: SecurityContext defines + the security options the ephemeral container + should be run with. If set, the fields of SecurityContext + override the equivalent fields of PodSecurityContext.' properties: allowPrivilegeEscalation: description: 'AllowPrivilegeEscalation controls @@ -2890,13 +3419,16 @@ spec: controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) - run as Privileged 2) has CAP_SYS_ADMIN' + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' type: boolean capabilities: description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the - container runtime. + container runtime. Note that this field + cannot be set when spec.os.name is windows. properties: add: description: Added capabilities @@ -2917,7 +3449,8 @@ spec: description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults - to false. + to false. Note that this field cannot be + set when spec.os.name is windows. type: boolean procMount: description: procMount denotes the type of 
@@ -2926,10 +3459,14 @@ spec: container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. type: string readOnlyRootFilesystem: description: Whether this container has a read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. type: boolean runAsGroup: description: The GID to run the entrypoint @@ -2937,7 +3474,8 @@ spec: if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer runAsNonRoot: @@ -2947,10 +3485,7 @@ spec: to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation - will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. + will be performed. May also be set in PodSecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint @@ -2959,7 +3494,8 @@ spec: May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer seLinuxOptions: @@ -2969,7 +3505,9 @@ spec: for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified - in SecurityContext takes precedence. + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. properties: level: description: Level is SELinux level label 
@@ -2992,7 +3530,9 @@ spec: description: The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container - options override the pod options. + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. properties: localhostProfile: description: localhostProfile indicates @@ -3023,7 +3563,9 @@ spec: the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified - in SecurityContext takes precedence. + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. properties: gmsaCredentialSpec: description: GMSACredentialSpec is where @@ -3037,6 +3579,16 @@ spec: the name of the GMSA credential spec to use. type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean runAsUserName: description: The UserName in Windows to run the entrypoint of the container @@ -3054,9 +3606,8 @@ spec: containers. properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line 
@@ -3081,6 +3632,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. @@ -3098,7 +3668,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -3149,10 +3723,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect @@ -3170,6 +3742,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. 
@@ -3189,24 +3773,16 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin - is opened on container start, is empty until - the first client attaches to stdin, and then - remains open and accepts data until the client - disconnects, at which time stdin is closed and - remains closed until the container is restarted. - If this flag is false, a container processes - that reads from stdin will never receive an - EOF. Default is false + sessions. type: boolean targetContainerName: - description: If set, the name of the container + description: "If set, the name of the container from PodSpec that this ephemeral container targets. The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container. If not set - then the ephemeral container is run in whatever - namespaces are shared for the pod. Note that - the container runtime must support this feature. + then the ephemeral container uses the namespaces + configured in the Pod spec. \n The container + runtime must implement support for this feature." type: string terminationMessagePath: description: 'Optional: Path at which the file @@ -3217,7 +3793,7 @@ spec: message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults - to /dev/termination-log. Cannot be updated.' + to /dev/termination-log.' type: string terminationMessagePolicy: description: Indicate how the termination message @@ -3227,9 +3803,7 @@ spec: FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with - an error. The log output is limited to 2048 - bytes or 80 lines, whichever is smaller. Defaults - to File. Cannot be updated. + an error. type: string tty: description: Whether this container should allocate 
@@ -3259,7 +3833,8 @@ spec: type: array volumeMounts: description: Pod volumes to mount into the container's - filesystem. Cannot be updated. + filesystem. Subpath mounts are not allowed for + ephemeral containers. Cannot be updated. items: description: VolumeMount describes a mounting of a Volume within a container. @@ -3348,6 +3923,15 @@ spec: description: 'Use the host''s pid namespace. Optional: Default to false.' type: boolean + hostUsers: + description: 'Use the host''s user namespace. Optional: + Default to true. If set to true or not present, the + pod will be run in the host user namespace, useful + for when the pod needs a feature only available to + the host user namespace, such as loading a kernel + module with CAP_SYS_MODULE. When set to false, a new + userns is created for the pod.' + type: boolean hostname: description: Specifies the hostname of the Pod If not specified, the pod's hostname will be set to a system-defined @@ -3358,9 +3942,8 @@ spec: references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual - puller implementations for them to use. For example, - in the case of docker, only DockerConfig type secrets - are honored. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' + puller implementations for them to use. More info: + https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' items: description: LocalObjectReference contains enough information to let you locate the referenced object 
@@ -3373,54 +3956,41 @@ spec: uid?' type: string type: object + x-kubernetes-map-type: atomic type: array initContainers: - description: 'List of initialization containers belonging + description: List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique - among all containers. Init containers may not have - Lifecycle actions, Readiness probes, Liveness probes, - or Startup probes. The resourceRequirements of an - init container are taken into account during scheduling - by finding the highest request/limit for each resource - type, and then using the max of of that value or the - sum of the normal containers. Limits are applied to - init containers in a similar fashion. Init containers - cannot currently be added or removed. Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/' + among all containers. items: description: A single application container that you want to run within a pod. properties: args: description: 'Arguments to the entrypoint. The - docker image''s CMD is used if this is not provided. - Variable references $(VAR_NAME) are expanded - using the container''s environment. If a variable - cannot be resolved, the reference in the input - string will be unchanged. The $(VAR_NAME) syntax - can be escaped with a double $$, ie: $$(VAR_NAME). - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + container image''s CMD is used if this is not + provided. Variable references $(VAR_NAME) are + expanded using the container''s environment. 
+ If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array command: description: 'Entrypoint array. Not executed within - a shell. The docker image''s ENTRYPOINT is used - if this is not provided. Variable references + a shell. The container image''s ENTRYPOINT is + used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. - The $(VAR_NAME) syntax can be escaped with a - double $$, ie: $$(VAR_NAME). Escaped references - will never be expanded, regardless of whether - the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array @@ -3437,16 +4007,15 @@ spec: type: string value: description: 'Variable references $(VAR_NAME) - are expanded using the previous defined + are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be - unchanged. The $(VAR_NAME) syntax can - be escaped with a double $$, ie: $$(VAR_NAME). - Escaped references will never be expanded, - regardless of whether the variable exists - or not. Defaults to "".' + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' type: string valueFrom: description: Source for the environment 
@@ -3472,6 +4041,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, @@ -3491,6 +4061,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: 'Selects a resource of the container: only resources limits @@ -3520,6 +4091,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -3542,6 +4114,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name @@ -3575,6 +4148,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be @@ -3594,10 +4168,12 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic type: object type: array image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images + description: 'Container image name. More info: + https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments @@ -3623,9 +4199,8 @@ spec: More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: One and only one of the following - should be specified. Exec specifies - the action to take. + description: Exec specifies the action + to take. properties: command: description: Command is the command @@ -3664,7 +4239,10 @@ spec: properties: name: description: The header field - name + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. type: string value: description: The header field 
@@ -3696,10 +4274,12 @@ spec: - port type: object tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not - yet supported TODO: implement a realistic - TCP lifecycle hook' + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. properties: host: description: 'Optional: Host name @@ -3720,27 +4300,18 @@ spec: type: object type: object preStop: - description: 'PreStop is called immediately + description: PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. - The reason for termination is passed to - the handler. The Pod''s termination grace - period countdown begins before the PreStop - hooked is executed. Regardless of the outcome - of the handler, the container will eventually - terminate within the Pod''s termination - grace period. Other management of the container - blocks until the hook completes or until - the termination grace period is reached. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + The Pod's termination grace period countdown + begins before the PreStop hook is executed. properties: exec: - description: One and only one of the following - should be specified. Exec specifies - the action to take. + description: Exec specifies the action + to take. properties: command: description: Command is the command @@ -3779,7 +4350,10 @@ spec: properties: name: description: The header field - name + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. type: string value: description: The header field 
@@ -3811,10 +4385,12 @@ spec: - port type: object tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not - yet supported TODO: implement a realistic - TCP lifecycle hook' + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. properties: host: description: 'Optional: Host name @@ -3841,9 +4417,8 @@ spec: Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -3868,6 +4443,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. @@ -3885,7 +4479,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value 
@@ -3936,10 +4534,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect @@ -3957,6 +4553,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. @@ -3971,14 +4579,13 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the system - additional information about the network connections - a container uses, but is primarily informational. - Not specifying a port here DOES NOT prevent - that port from being exposed. Any port which - is listening on the default "0.0.0.0" address - inside a container will be accessible from the - network. Cannot be updated. + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. items: description: ContainerPort represents a network port in a single container. 
@@ -4028,9 +4635,8 @@ spec: More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -4055,6 +4661,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. @@ -4072,7 +4697,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -4123,10 +4752,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect 
@@ -4144,6 +4771,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. 
@@ -4151,10 +4790,57 @@ spec: format: int32 type: integer type: object + resizePolicy: + description: Resources resize policy for the container. + items: + description: ContainerResizePolicy represents + resource resize policy for the container. + properties: + resourceName: + description: 'Name of the resource to which + this resource resize policy applies. Supported + values: cpu, memory.' + type: string + restartPolicy: + description: Restart policy to apply when + specified resource is resized. If not + specified, it defaults to NotRequired. + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: description: 'Compute Resources required by this - container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are + used by this container. \n This is an alpha + field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: ResourceClaim references one + entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available inside + a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -4164,7 +4850,7 @@ spec: x-kubernetes-int-or-string: true description: 'Limits describes the maximum amount of compute resources allowed. More - info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: @@ -4178,12 +4864,15 @@ spec: Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + value. Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object securityContext: - description: 'Security options the pod should - run with. More info: https://kubernetes.io/docs/concepts/policy/security-context/ + description: 'SecurityContext defines the security + options the container should be run with. If + set, the fields of SecurityContext override + the equivalent fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' properties: allowPrivilegeEscalation: @@ -4193,13 +4882,16 @@ spec: controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) - run as Privileged 2) has CAP_SYS_ADMIN' + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' type: boolean capabilities: description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the - container runtime. + container runtime. Note that this field + cannot be set when spec.os.name is windows. properties: add: description: Added capabilities 
@@ -4220,7 +4912,8 @@ spec: description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults - to false. + to false. Note that this field cannot be + set when spec.os.name is windows. type: boolean procMount: description: procMount denotes the type of @@ -4229,10 +4922,14 @@ spec: container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. type: string readOnlyRootFilesystem: description: Whether this container has a read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. type: boolean runAsGroup: description: The GID to run the entrypoint @@ -4240,7 +4937,8 @@ spec: if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer runAsNonRoot: @@ -4250,10 +4948,7 @@ spec: to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation - will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. + will be performed. May also be set in PodSecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint @@ -4262,7 +4957,8 @@ spec: May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer seLinuxOptions: 
@@ -4272,7 +4968,9 @@ spec: for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified - in SecurityContext takes precedence. + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. properties: level: description: Level is SELinux level label @@ -4295,7 +4993,9 @@ spec: description: The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container - options override the pod options. + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. properties: localhostProfile: description: localhostProfile indicates @@ -4326,7 +5026,9 @@ spec: the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified - in SecurityContext takes precedence. + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. properties: gmsaCredentialSpec: description: GMSACredentialSpec is where @@ -4340,6 +5042,16 @@ spec: the name of the GMSA credential spec to use. type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean runAsUserName: description: The UserName in Windows to run the entrypoint of the container 
@@ -4353,23 +5065,15 @@ spec: type: object type: object startupProbe: - description: 'StartupProbe indicates that the - Pod has successfully initialized. If specified, + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. - This can be used to provide different probe - parameters at the beginning of a Pod''s lifecycle, - when it might take a long time to load data - or warm a cache, than during steady-state operation. - This cannot be updated. This is a beta feature - enabled by the StartupProbe feature flag. More - info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -4394,6 +5098,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. 
@@ -4411,7 +5134,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -4462,10 +5189,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect @@ -4483,6 +5208,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. @@ -4502,15 +5239,7 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin - is opened on container start, is empty until - the first client attaches to stdin, and then - remains open and accepts data until the client - disconnects, at which time stdin is closed and - remains closed until the container is restarted. - If this flag is false, a container processes - that reads from stdin will never receive an - EOF. Default is false + sessions. type: boolean terminationMessagePath: description: 'Optional: Path at which the file 
@@ -4521,7 +5250,7 @@ spec: message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults - to /dev/termination-log. Cannot be updated.' + to /dev/termination-log.' type: string terminationMessagePolicy: description: Indicate how the termination message @@ -4531,9 +5260,7 @@ spec: FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with - an error. The log output is limited to 2048 - bytes or 80 lines, whichever is smaller. Defaults - to File. Cannot be updated. + an error. type: string tty: description: Whether this container should allocate @@ -4632,6 +5359,28 @@ spec: must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' type: object + x-kubernetes-map-type: atomic + os: + description: "Specifies the OS of the containers in + the pod. Some pod and container fields are restricted + if this is set. \n If the OS field is set to linux, + the following fields must be unset: -securityContext.windowsOptions + \n If the OS field is set to windows, following fields + must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers + - spec.securityContext.seLinuxOptions - spec.securityContext." + properties: + name: + description: 'Name is the name of the operating + system. The currently supported values are linux + and windows. Additional value may be defined in + future and can be one of: https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration + Clients should expect to handle additional values + and treat unrecognized values in this field as + os: null' + type: string + required: + - name + type: object overhead: additionalProperties: anyOf: 
@@ -4639,28 +5388,19 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Overhead represents the resource overhead + description: Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. This field will be autopopulated at admission time by the RuntimeClass admission controller. If the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests. The RuntimeClass admission controller will reject Pod create requests which have - the overhead already set. If RuntimeClass is configured - and selected in the PodSpec, Overhead will be set - to the value defined in the corresponding RuntimeClass, - otherwise it will remain unset and treated as zero. - More info: https://git.k8s.io/enhancements/keps/sig-node/20190226-pod-overhead.md - This field is alpha-level as of Kubernetes v1.16, - and is only honored by servers that enable the PodOverhead - feature.' + the overhead already set. type: object preemptionPolicy: description: PreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. - Defaults to PreemptLowerPriority if unset. This field - is beta-level, gated by the NonPreemptingPriority - feature-gate. + Defaults to PreemptLowerPriority if unset. type: string priority: description: The priority value. Various system components @@ -4685,7 +5425,7 @@ spec: be evaluated for pod readiness. A pod is ready when all its containers are ready AND all conditions specified in the readiness gates have status equal to "True" - More info: https://git.k8s.io/enhancements/keps/sig-network/0007-pod-ready%2B%2B.md' + More info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates' items: description: PodReadinessGate contains the reference to a pod condition 
@@ -4698,10 +5438,57 @@ spec: - conditionType type: object type: array + resourceClaims: + description: "ResourceClaims defines which ResourceClaims + must be allocated and reserved before the Pod is allowed + to start. The resources will be made available to + those containers which consume them by name. \n This + is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable." + items: + description: PodResourceClaim references exactly one + ResourceClaim through a ClaimSource. It adds a name + to it that uniquely identifies the ResourceClaim + inside the Pod. Containers that need access to the + ResourceClaim reference it with this name. + properties: + name: + description: Name uniquely identifies this resource + claim inside the pod. This must be a DNS_LABEL. + type: string + source: + description: Source describes where to find the + ResourceClaim. + properties: + resourceClaimName: + description: ResourceClaimName is the name + of a ResourceClaim object in the same namespace + as this pod. + type: string + resourceClaimTemplateName: + description: "ResourceClaimTemplateName is + the name of a ResourceClaimTemplate object + in the same namespace as this pod. \n The + template will be used to create a new ResourceClaim, + which will be bound to this pod. When this + pod is deleted, the ResourceClaim will also + be deleted. The name of the ResourceClaim + will be -, where + is the PodResourceClaim.Name." + type: string + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map restartPolicy: description: 'Restart policy for all containers within - the pod. One of Always, OnFailure, Never. Default - to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy' + the pod. One of Always, OnFailure, Never. In some + contexts, only a subset of those values may be permitted. + Default to Always. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy' type: string runtimeClassName: description: 'RuntimeClassName refers to a RuntimeClass @@ -4711,14 +5498,37 @@ spec: or empty, the "legacy" RuntimeClass will be used, which is an implicit class with an empty definition that uses the default runtime handler. More info: - https://git.k8s.io/enhancements/keps/sig-node/runtime-class.md - This is a beta feature as of Kubernetes v1.14.' + https://git.k8s.' type: string schedulerName: description: If specified, the pod will be dispatched by specified scheduler. If not specified, the pod will be dispatched by default scheduler. type: string + schedulingGates: + description: "SchedulingGates is an opaque list of values + that if specified will block scheduling the pod. If + schedulingGates is not empty, the pod will stay in + the SchedulingGated state and the scheduler will not + attempt to schedule the pod. \n SchedulingGates can + only be set at pod creation time, and be removed only + afterwards. \n This is a beta feature enabled by the + PodSchedulingReadiness feature gate." + items: + description: PodSchedulingGate is associated to a + Pod to guard its scheduling. + properties: + name: + description: Name of the scheduling gate. Each + scheduling gate must have a unique name field. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map securityContext: description: 'SecurityContext holds pod-level security attributes and common container settings. Optional: 
@@ -4732,9 +5542,7 @@ spec: of that volume to be owned by the pod: \n 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be - owned by FSGroup) 3. The permission bits are OR'd - with rw-rw---- \n If unset, the Kubelet will not - modify the ownership and permissions of any volume." + owned by FSGroup) 3." format: int64 type: integer fsGroupChangePolicy: @@ -4745,7 +5553,7 @@ spec: based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" - and "Always". If not specified defaults to "Always".' + and "Always". If not specified, "Always" is used.' type: string runAsGroup: description: The GID to run the entrypoint of the @@ -4753,7 +5561,8 @@ spec: May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. + for that container. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer runAsNonRoot: @@ -4763,9 +5572,7 @@ spec: does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be - set in SecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in - SecurityContext takes precedence. + set in SecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint of the @@ -4774,6 +5581,8 @@ spec: set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. + Note that this field cannot be set when spec.os.name + is windows. format: int64 type: integer seLinuxOptions: 
@@ -4783,7 +5592,8 @@ spec: for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. + for that container. Note that this field cannot + be set when spec.os.name is windows. properties: level: description: Level is SELinux level label that @@ -4804,7 +5614,8 @@ spec: type: object seccompProfile: description: The seccomp options to use by the containers - in this pod. + in this pod. Note that this field cannot be set + when spec.os.name is windows. properties: localhostProfile: description: localhostProfile indicates a profile @@ -4829,8 +5640,11 @@ spec: supplementalGroups: description: A list of groups applied to the first process run in each container, in addition to - the container's primary GID. If unspecified, - no groups will be added to any container. + the container's primary GID, the fsGroup (if specified), + and group memberships defined in the container + image for the uid of the container process. If + unspecified, no additional groups are added to + any container. items: format: int64 type: integer @@ -4839,6 +5653,8 @@ spec: description: Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name + is windows. items: description: Sysctl defines a kernel parameter to be set @@ -4860,6 +5676,8 @@ spec: within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is linux. properties: gmsaCredentialSpec: description: GMSACredentialSpec is where the 
@@ -4871,6 +5689,15 @@ spec: description: GMSACredentialSpecName is the name of the GMSA credential spec to use. type: string + hostProcess: + description: HostProcess determines if a container + should be run as a 'Host Process' container. + This field is alpha-level and will only be + honored by components that enable the WindowsHostProcessContainers + feature flag. Setting this field without the + feature flag will result in errors when validating + the Pod. + type: boolean runAsUserName: description: The UserName in Windows to run the entrypoint of the container process. Defaults @@ -4897,11 +5724,7 @@ spec: as the pod's FQDN, rather than the leaf name (the default). In Linux containers, this means setting the FQDN in the hostname field of the kernel (the - nodename field of struct utsname). In Windows containers, - this means setting the registry value of hostname - for the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters - to FQDN. If a pod does not have FQDN, this has no - effect. Default to false. + nodename field of struct utsname). type: boolean shareProcessNamespace: description: 'Share a single process namespace between @@ -4922,14 +5745,9 @@ spec: description: Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request. Value must be non-negative integer. The value - zero indicates delete immediately. If this value is - nil, the default grace period will be used instead. - The grace period is the duration in seconds after - the processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer than - the expected cleanup time for your process. Defaults - to 30 seconds. + zero indicates stop immediately via the kill signal + (no opportunity to shut down). If this value is nil, + the default grace period will be used instead. format: int64 type: integer tolerations: 
@@ -5039,56 +5857,83 @@ spec: "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label + keys to select the pods over which spreading + will be calculated. The keys are used to lookup + values from the incoming pod labels, those key-value + labels are ANDed with labelSelector to select + the group of existing pods over which spreading + will be calculated for the incoming pod. The + same key is forbidden to exist in both MatchLabelKeys + and LabelSelector. + items: + type: string + type: array + x-kubernetes-list-type: atomic maxSkew: - description: 'MaxSkew describes the degree to - which pods may be unevenly distributed. When - `whenUnsatisfiable=DoNotSchedule`, it is the - maximum permitted difference between the number - of matching pods in the target topology and - the global minimum. For example, in a 3-zone - cluster, MaxSkew is set to 1, and pods with - the same labelSelector spread as 1/1/0: | zone1 - | zone2 | zone3 | | P | P | | - - if MaxSkew is 1, incoming pod can only be - scheduled to zone3 to become 1/1/1; scheduling - it onto zone1(zone2) would make the ActualSkew(2-0) - on zone1(zone2) violate MaxSkew(1). - if MaxSkew - is 2, incoming pod can be scheduled onto any - zone. When `whenUnsatisfiable=ScheduleAnyway`, - it is used to give higher precedence to topologies - that satisfy it. It''s a required field. Default - value is 1 and 0 is not allowed.' + description: MaxSkew describes the degree to which + pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between + the number of matching pods in the target topology + and the global minimum. The global minimum is + the minimum number of matching pods in an eligible + domain or zero if the number of eligible domains + is less than MinDomains. 
+ format: int32 + type: integer + minDomains: + description: MinDomains indicates a minimum number + of eligible domains. When the number of eligible + domains with matching topology keys is less + than minDomains, Pod Topology Spread treats + "global minimum" as 0, and then the calculation + of Skew is performed. And when the number of + eligible domains with matching topology keys + equals or greater than minDomains, this value + has no effect on scheduling. format: int32 type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how + we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options + are: - Honor: only nodes matching nodeAffinity/nodeSelector + are included in the calculations. - Ignore: + nodeAffinity/nodeSelector are ignored. All nodes + are included in the calculations. \n If this + value is nil, the behavior is equivalent to + the Honor policy." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we + will treat node taints when calculating pod + topology spread skew. Options are: - Honor: + nodes without taints, along with tainted nodes + for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. + All nodes are included. \n If this value is + nil, the behavior is equivalent to the Ignore + policy." + type: string topologyKey: description: TopologyKey is the key of node labels. Nodes that have a label with this key and identical values are considered to be in the same topology. We consider each as a "bucket", and try to put balanced number of pods into - each bucket. It's a required field. + each bucket. We define a domain as a particular + instance of a topology. type: string whenUnsatisfiable: - description: 'WhenUnsatisfiable indicates how - to deal with a pod if it doesn''t satisfy the - spread constraint. - DoNotSchedule (default) - tells the scheduler not to schedule it. 
- ScheduleAnyway + description: WhenUnsatisfiable indicates how to + deal with a pod if it doesn't satisfy the spread + constraint. - DoNotSchedule (default) tells + the scheduler not to schedule it. - ScheduleAnyway tells the scheduler to schedule the pod in any - location, but giving higher precedence to - topologies that would help reduce the skew. - A constraint is considered "Unsatisfiable" for - an incoming pod if and only if every possible - node assigment for that pod would violate "MaxSkew" - on some topology. For example, in a 3-zone cluster, - MaxSkew is set to 1, and pods with the same - labelSelector spread as 3/1/1: | zone1 | zone2 - | zone3 | | P P P | P | P | If WhenUnsatisfiable - is set to DoNotSchedule, incoming pod can only - be scheduled to zone2(zone3) to become 3/2/1(3/1/2) - as ActualSkew(2-1) on zone2(zone3) satisfies - MaxSkew(1). In other words, the cluster can - still be imbalanced, but scheduler won''t make - it *more* imbalanced. It''s a required field.' + location, but giving higher precedence to topologies + that would help reduce the skew. type: string required: - maxSkew 
@@ -5109,77 +5954,78 @@ spec: pod. properties: awsElasticBlockStore: - description: 'AWSElasticBlockStore represents + description: 'awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' properties: fsType: - description: 'Filesystem type of the volume - that you want to mount. Tip: Ensure that - the filesystem type is supported by the - host operating system. Examples: "ext4", - "xfs", "ntfs". Implicitly inferred to be - "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore TODO: how do we prevent errors in the filesystem from compromising the machine' type: string partition: - description: 'The partition in the volume - that you want to mount. If omitted, the - default is to mount by volume name. Examples: - For volume /dev/sda1, you specify the partition - as "1". Similarly, the volume partition - for /dev/sda is "0" (or you can leave the - property empty).' + description: 'partition is the partition in + the volume that you want to mount. If omitted, + the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify + the partition as "1". Similarly, the volume + partition for /dev/sda is "0" (or you can + leave the property empty).' format: int32 type: integer readOnly: - description: 'Specify "true" to force and - set the ReadOnly property in VolumeMounts - to "true". If omitted, the default is "false". 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + description: 'readOnly value true will force + the readOnly setting in VolumeMounts. More + info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' type: boolean volumeID: - description: 'Unique ID of the persistent - disk resource in AWS (Amazon EBS volume). - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + description: 'volumeID is unique ID of the + persistent disk resource in AWS (Amazon + EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' type: string required: - volumeID type: object azureDisk: - description: AzureDisk represents an Azure Data + description: azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. properties: cachingMode: - description: 'Host Caching mode: None, Read - Only, Read Write.' + description: 'cachingMode is the Host Caching + mode: None, Read Only, Read Write.' type: string diskName: - description: The Name of the data disk in - the blob storage + description: diskName is the Name of the data + disk in the blob storage type: string diskURI: - description: The URI the data disk in the - blob storage + description: diskURI is the URI of data disk + in the blob storage type: string fsType: - description: Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - Implicitly inferred to be "ext4" if unspecified. + description: fsType is Filesystem type to + mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. 
type: string kind: - description: 'Expected values Shared: multiple - blob disks per storage account Dedicated: + description: 'kind expected values are Shared: + multiple blob disks per storage account Dedicated: single blob disk per storage account Managed: azure managed data disk (only in managed availability set). defaults to shared' type: string readOnly: - description: Defaults to false (read/write). + description: readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. type: boolean 
@@ -5188,56 +6034,59 @@ spec: - diskURI type: object azureFile: - description: AzureFile represents an Azure File + description: azureFile represents an Azure File Service mount on the host and bind mount to the pod. properties: readOnly: - description: Defaults to false (read/write). + description: readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. type: boolean secretName: - description: the name of secret that contains - Azure Storage Account Name and Key + description: secretName is the name of secret + that contains Azure Storage Account Name + and Key type: string shareName: - description: Share Name + description: shareName is the azure share + Name type: string required: - secretName - shareName type: object cephfs: - description: CephFS represents a Ceph FS mount + description: cephFS represents a Ceph FS mount on the host that shares a pod's lifetime properties: monitors: - description: 'Required: Monitors is a collection - of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: 'monitors is Required: Monitors + is a collection of Ceph monitors More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' items: type: string type: array path: - description: 'Optional: Used as the mounted - root, rather than the full Ceph tree, default - is /' + description: 'path is Optional: Used as the + mounted root, rather than the full Ceph + tree, default is /' type: string readOnly: - description: 'Optional: Defaults to false - (read/write). ReadOnly here will force the - ReadOnly setting in VolumeMounts. More info: - https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: 'readOnly is Optional: Defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts. 
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: boolean secretFile: - description: 'Optional: SecretFile is the - path to key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: 'secretFile is Optional: SecretFile + is the path to key ring for User, default + is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: string secretRef: - description: 'Optional: SecretRef is reference - to the authentication secret for User, default - is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: 'secretRef is Optional: SecretRef + is reference to the authentication secret + for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' properties: name: description: 'Name of the referent. More 
@@ -5246,35 +6095,37 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic user: - description: 'Optional: User is the rados - user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: 'user is optional: User is the + rados user name, default is admin More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: string required: - monitors type: object cinder: - description: 'Cinder represents a cinder volume + description: 'cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' properties: fsType: - description: 'Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Examples: "ext4", "xfs", - "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + description: 'fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://examples.k8s.io/mysql-cinder-pd/README.md' type: string readOnly: - description: 'Optional: Defaults to false - (read/write). ReadOnly here will force the - ReadOnly setting in VolumeMounts. More info: - https://examples.k8s.io/mysql-cinder-pd/README.md' + description: 'readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' type: boolean secretRef: - description: 'Optional: points to a secret - object containing parameters used to connect - to OpenStack.' + description: 'secretRef is optional: points + to a secret object containing parameters + used to connect to OpenStack.' properties: name: description: 'Name of the referent. More 
@@ -5283,70 +6134,61 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic volumeID: - description: 'volume id used to identify the + description: 'volumeID used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' type: string required: - volumeID type: object configMap: - description: ConfigMap represents a configMap + description: configMap represents a configMap that should populate this volume properties: defaultMode: - description: 'Optional: mode bits used to - set permissions on created files by default. - Must be an octal value between 0000 and - 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, - JSON requires decimal values for mode bits. - Defaults to 0644. Directories within the - path are not affected by this setting. This - might be in conflict with other options - that affect the file mode, like fsGroup, - and the result can be other mode bits set.' + description: 'defaultMode is optional: mode + bits used to set permissions on created + files by default. Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. + Directories within the path are not affected + by this setting.' format: int32 type: integer items: - description: If unspecified, each key-value + description: items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the ConfigMap, the volume setup will - error unless it is marked optional. Paths - must be relative and may not contain the - '..' path or start with '..'. + and unlisted keys will not be present. 
items: description: Maps a string key to a path within a volume. properties: key: - description: The key to project. + description: key is the key to project. type: string mode: - description: 'Optional: mode bits used - to set permissions on this file. Must - be an octal value between 0000 and - 0777 or a decimal value between 0 - and 511. YAML accepts both octal and - decimal values, JSON requires decimal - values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can be - other mode bits set.' + description: 'mode is Optional: mode + bits used to set permissions on this + file. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal + and decimal values, JSON requires + decimal values for mode bits. If not + specified, the volume defaultMode + will be used.' format: int32 type: integer path: - description: The relative path of the - file to map the key to. May not be - an absolute path. May not contain + description: path is the relative path + of the file to map the key to. May + not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string 
@@ -5362,30 +6204,31 @@ spec: kind, uid?' type: string optional: - description: Specify whether the ConfigMap - or its keys must be defined + description: optional specify whether the + ConfigMap or its keys must be defined type: boolean type: object + x-kubernetes-map-type: atomic csi: - description: CSI (Container Storage Interface) + description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature). properties: driver: - description: Driver is the name of the CSI + description: driver is the name of the CSI driver that handles this volume. Consult with your admin for the correct name as registered in the cluster. type: string fsType: - description: Filesystem type to mount. Ex. - "ext4", "xfs", "ntfs". If not provided, - the empty value is passed to the associated - CSI driver which will determine the default - filesystem to apply. + description: fsType to mount. Ex. "ext4", + "xfs", "ntfs". If not provided, the empty + value is passed to the associated CSI driver + which will determine the default filesystem + to apply. type: string nodePublishSecretRef: - description: NodePublishSecretRef is a reference + description: nodePublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodePublishVolume and NodeUnpublishVolume @@ -5401,14 +6244,16 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic readOnly: - description: Specifies a read-only configuration - for the volume. Defaults to false (read/write). + description: readOnly specifies a read-only + configuration for the volume. Defaults to + false (read/write). type: boolean volumeAttributes: additionalProperties: type: string - description: VolumeAttributes stores driver-specific + description: volumeAttributes stores driver-specific properties that are passed to the CSI driver. Consult your driver's documentation for supported values. 
@@ -5417,7 +6262,7 @@ spec: - driver type: object downwardAPI: - description: DownwardAPI represents downward API + description: downwardAPI represents downward API about the pod that should populate this volume properties: defaultMode: @@ -5430,10 +6275,7 @@ spec: and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected - by this setting. This might be in conflict - with other options that affect the file - mode, like fsGroup, and the result can be - other mode bits set.' + by this setting.' format: int32 type: integer items: @@ -5461,6 +6303,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic mode: description: 'Optional: mode bits used to set permissions on this file, must @@ -5469,11 +6312,7 @@ spec: and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can be - other mode bits set.' + the volume defaultMode will be used.' format: int32 type: integer path: 
@@ -5512,70 +6351,50 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic required: - path type: object type: array type: object emptyDir: - description: 'EmptyDir represents a temporary + description: 'emptyDir represents a temporary directory that shares a pod''s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' properties: medium: - description: 'What type of storage medium - should back this directory. The default - is "" which means to use the node''s default - medium. Must be an empty string (default) - or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + description: 'medium represents what type + of storage medium should back this directory. + The default is "" which means to use the + node''s default medium. Must be an empty + string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' type: string sizeLimit: anyOf: - type: integer - type: string - description: 'Total amount of local storage - required for this EmptyDir volume. The size - limit is also applicable for memory medium. - The maximum usage on memory medium EmptyDir - would be the minimum value between the SizeLimit - specified here and the sum of memory limits - of all containers in a pod. The default - is nil which means that the limit is undefined. - More info: http://kubernetes.io/docs/user-guide/volumes#emptydir' + description: 'sizeLimit is the total amount + of local storage required for this EmptyDir + volume. The size limit is also applicable + for memory medium. The maximum usage on + memory medium EmptyDir would be the minimum + value between the SizeLimit specified here + and the sum of memory limits of all containers + in a pod. The default is nil which means + that the limit is undefined. More info: + https://kubernetes.' 
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object ephemeral: - description: "Ephemeral represents a volume that - is handled by a cluster storage driver (Alpha - feature). The volume's lifecycle is tied to - the pod that defines it - it will be created - before the pod starts, and deleted when the - pod is removed. \n Use this if: a) the volume - is only needed while the pod runs, b) features - of normal volumes like restoring from snapshot - or capacity tracking are needed, c) the storage - driver is specified through a storage class, - and d) the storage driver supports dynamic volume - provisioning through a PersistentVolumeClaim - (see EphemeralVolumeSource for more information - on the connection between this volume type and - PersistentVolumeClaim). \n Use PersistentVolumeClaim - or one of the vendor-specific APIs for volumes - that persist for longer than the lifecycle of - an individual pod. \n Use CSI for light-weight - local ephemeral volumes if the CSI driver is - meant to be used that way - see the documentation - of the driver for more information. \n A pod - can use both types of ephemeral volumes and - persistent volumes at the same time." + description: ephemeral represents a volume that + is handled by a cluster storage driver. The + volume's lifecycle is tied to the pod that defines + it - it will be created before the pod starts, + and deleted when the pod is removed. properties: - readOnly: - description: Specifies a read-only configuration - for the volume. Defaults to false (read/write). - type: boolean volumeClaimTemplate: - description: "Will be used to create a stand-alone + description: Will be used to create a stand-alone PVC to provision the volume. The pod in which this EphemeralVolumeSource is embedded will be the owner of the PVC, i.e. the PVC 
@@ -5583,23 +6402,6 @@ spec: name of the PVC will be `-` where `` is the name from the `PodSpec.Volumes` array entry. - Pod validation will reject the pod if the - concatenated name is not valid for a PVC - (for example, too long). \n An existing - PVC with that name that is not owned by - the pod will *not* be used for the pod to - avoid using an unrelated volume by mistake. - Starting the pod is then blocked until the - unrelated PVC is removed. If such a pre-created - PVC is meant to be used by the pod, the - PVC has to updated with an owner reference - to the pod once the pod exists. Normally - this should not be necessary, but it may - be useful when manually reconstructing a - broken cluster. \n This field is read-only - and no changes will be made by Kubernetes - to the PVC after it has been created. \n - Required, must not be nil." properties: metadata: description: May contain labels and annotations 
@@ -5633,34 +6435,57 @@ spec: are also valid here. properties: accessModes: - description: 'AccessModes contains + description: 'accessModes contains the desired access modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' items: type: string type: array dataSource: - description: 'This field can be used - to specify either: * An existing - VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot - - Beta) * An existing PVC (PersistentVolumeClaim) - * An existing custom resource/object - that implements data population - (Alpha) In order to use VolumeSnapshot - object types, the appropriate feature - gate must be enabled (VolumeSnapshotDataSource - or AnyVolumeDataSource) If the provisioner - or an external controller can support - the specified data source, it will - create a new volume based on the - contents of the specified data source. - If the specified data source is - not supported, the volume will not - be created and the failure will - be reported as an event. In the - future, we plan to support more - data source types and the behavior - of the provisioner may change.' + description: 'dataSource field can + be used to specify either: * An + existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external + controller can support the specified + data source, it will create a new + volume based on the contents of + the specified data source.' + properties: + apiGroup: + description: APIGroup is the group + for the resource being referenced. + If APIGroup is not specified, + the specified Kind must be in + the core API group. For any + other third-party types, APIGroup + is required. 
+ type: string + kind: + description: Kind is the type + of resource being referenced + type: string + name: + description: Name is the name + of resource being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: dataSourceRef specifies + the object from which to populate + the volume with data, if a non-empty + volume is desired. This may be any + object from a non-empty API group + (non core object) or a PersistentVolumeClaim + object. When this field is specified, + volume binding will only succeed + if the type of the specified object + matches some installed volume populator + or dynamic provisioner. properties: apiGroup: description: APIGroup is the group 
@@ -5679,15 +6504,64 @@ spec: description: Name is the name of resource being referenced type: string + namespace: + description: Namespace is the + namespace of resource being + referenced Note that when a + namespace is specified, a gateway.networking.k8s.io/ReferenceGrant + object is required in the referent + namespace to allow that namespace's + owner to accept the reference. + See the ReferenceGrant documentation + for details. (Alpha) This field + requires the CrossNamespaceVolumeDataSource + feature gate to be enabled. + type: string required: - kind - name type: object resources: - description: 'Resources represents + description: 'resources represents the minimum resources the volume - should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + should have. If RecoverVolumeExpansionFailure + feature is enabled users are allowed + to specify resource requirements + that are lower than previous value + but must still be higher than capacity + recorded in the status field of + the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' properties: + claims: + description: "Claims lists the + names of resources, defined + in spec.resourceClaims, that + are used by this container. + \n This is an alpha field and + requires enabling the DynamicResourceAllocation + feature gate. \n This field + is immutable. It can only be + set for containers." + items: + description: ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match + the name of one entry + in pod.spec.resourceClaims + of the Pod where this + field is used. It makes + that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -5698,7 +6572,7 @@ spec: description: 'Limits describes the maximum amount of compute resources allowed. More info: - https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: @@ -5714,12 +6588,13 @@ spec: it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + value. Requests cannot exceed + Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object selector: - description: A label query over volumes - to consider for binding. + description: selector is a label query + over volumes to consider for binding. properties: matchExpressions: description: matchExpressions @@ -5778,10 +6653,11 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic storageClassName: - description: 'Name of the StorageClass - required by the claim. More info: - https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + description: 'storageClassName is + the name of the StorageClass required + by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' type: string volumeMode: description: volumeMode defines what @@ -5790,7 +6666,7 @@ spec: when not included in claim spec. type: string volumeName: - description: VolumeName is the binding + description: volumeName is the binding reference to the PersistentVolume backing this claim. type: string 
@@ -5800,77 +6676,79 @@ spec: type: object type: object fc: - description: FC represents a Fibre Channel resource + description: fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod. properties: fsType: - description: 'Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - Implicitly inferred to be "ext4" if unspecified. - TODO: how do we prevent errors in the filesystem - from compromising the machine' + description: 'fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. TODO: how do we prevent + errors in the filesystem from compromising + the machine' type: string lun: - description: 'Optional: FC target lun number' + description: 'lun is Optional: FC target lun + number' format: int32 type: integer readOnly: - description: 'Optional: Defaults to false - (read/write). ReadOnly here will force the - ReadOnly setting in VolumeMounts.' + description: 'readOnly is Optional: Defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts.' type: boolean targetWWNs: - description: 'Optional: FC target worldwide - names (WWNs)' + description: 'targetWWNs is Optional: FC target + worldwide names (WWNs)' items: type: string type: array wwids: - description: 'Optional: FC volume world wide - identifiers (wwids) Either wwids or combination - of targetWWNs and lun must be set, but not - both simultaneously.' + description: 'wwids Optional: FC volume world + wide identifiers (wwids) Either wwids or + combination of targetWWNs and lun must be + set, but not both simultaneously.' 
items: type: string type: array type: object flexVolume: - description: FlexVolume represents a generic volume + description: flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. properties: driver: - description: Driver is the name of the driver + description: driver is the name of the driver to use for this volume. type: string fsType: - description: Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - The default filesystem depends on FlexVolume - script. + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". The default filesystem depends + on FlexVolume script. type: string options: additionalProperties: type: string - description: 'Optional: Extra command options - if any.' + description: 'options is Optional: this field + holds extra command options if any.' type: object readOnly: - description: 'Optional: Defaults to false - (read/write). ReadOnly here will force the - ReadOnly setting in VolumeMounts.' + description: 'readOnly is Optional: defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts.' type: boolean secretRef: - description: 'Optional: SecretRef is reference - to the secret object containing sensitive - information to pass to the plugin scripts. - This may be empty if no secret object is - specified. If the secret object contains - more than one secret, all secrets are passed - to the plugin scripts.' + description: 'secretRef is Optional: secretRef + is reference to the secret object containing + sensitive information to pass to the plugin + scripts. This may be empty if no secret + object is specified. If the secret object + contains more than one secret, all secrets + are passed to the plugin scripts.' properties: name: description: 'Name of the referent. More 
@@ -5879,57 +6757,60 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic required: - driver type: object flocker: - description: Flocker represents a Flocker volume + description: flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running properties: datasetName: - description: Name of the dataset stored as - metadata -> name on the dataset for Flocker - should be considered as deprecated + description: datasetName is Name of the dataset + stored as metadata -> name on the dataset + for Flocker should be considered as deprecated type: string datasetUUID: - description: UUID of the dataset. This is - unique identifier of a Flocker dataset + description: datasetUUID is the UUID of the + dataset. This is unique identifier of a + Flocker dataset type: string type: object gcePersistentDisk: - description: 'GCEPersistentDisk represents a GCE + description: 'gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' properties: fsType: - description: 'Filesystem type of the volume - that you want to mount. Tip: Ensure that - the filesystem type is supported by the - host operating system. Examples: "ext4", - "xfs", "ntfs". Implicitly inferred to be - "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + description: 'fsType is filesystem type of + the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. 
More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk TODO: how do we prevent errors in the filesystem from compromising the machine' type: string partition: - description: 'The partition in the volume - that you want to mount. If omitted, the - default is to mount by volume name. Examples: - For volume /dev/sda1, you specify the partition - as "1". Similarly, the volume partition - for /dev/sda is "0" (or you can leave the - property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: 'partition is the partition in + the volume that you want to mount. If omitted, + the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify + the partition as "1". Similarly, the volume + partition for /dev/sda is "0" (or you can + leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' format: int32 type: integer pdName: - description: 'Unique name of the PD resource - in GCE. Used to identify the disk in GCE. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: 'pdName is unique name of the + PD resource in GCE. Used to identify the + disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' type: string readOnly: - description: 'ReadOnly here will force the + description: 'readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' type: boolean @@ -5937,7 +6818,7 @@ spec: - pdName type: object gitRepo: - description: 'GitRepo represents a git repository + description: 'gitRepo represents a git repository at a particular revision. DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer 
@@ -5945,39 +6826,39 @@ spec: EmptyDir into the Pod''s container.' properties: directory: - description: Target directory name. Must not - contain or start with '..'. If '.' is supplied, - the volume directory will be the git repository. Otherwise, - if specified, the volume will contain the - git repository in the subdirectory with - the given name. + description: directory is the target directory + name. Must not contain or start with '..'. If + '.' is supplied, the volume directory will + be the git repository. Otherwise, if specified, + the volume will contain the git repository + in the subdirectory with the given name. type: string repository: - description: Repository URL + description: repository is the URL type: string revision: - description: Commit hash for the specified - revision. + description: revision is the commit hash for + the specified revision. type: string required: - repository type: object glusterfs: - description: 'Glusterfs represents a Glusterfs + description: 'glusterfs represents a Glusterfs mount on the host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md' properties: endpoints: - description: 'EndpointsName is the endpoint - name that details Glusterfs topology. More - info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + description: 'endpoints is the endpoint name + that details Glusterfs topology. More info: + https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' type: string path: - description: 'Path is the Glusterfs volume + description: 'path is the Glusterfs volume path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' type: string readOnly: - description: 'ReadOnly here will force the + description: 'readOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' 
@@ -5987,87 +6868,87 @@ spec: - path type: object hostPath: - description: 'HostPath represents a pre-existing + description: 'hostPath represents a pre-existing file or directory on the host machine that is directly exposed to the container. This is generally used for system agents or other privileged things that are allowed to see the host machine. Most - containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - --- TODO(jonesdl) We need to restrict who can - use host directory mounts and who can/can not - mount host directories as read/write.' + containers will NOT need this. More info: https://kubernetes.' properties: path: - description: 'Path of the directory on the + description: 'path of the directory on the host. If the path is a symlink, it will follow the link to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' type: string type: - description: 'Type for HostPath Volume Defaults + description: 'type for HostPath Volume Defaults to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' type: string required: - path type: object iscsi: - description: 'ISCSI represents an ISCSI Disk resource + description: 'iscsi represents an ISCSI Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' properties: chapAuthDiscovery: - description: whether support iSCSI Discovery - CHAP authentication + description: chapAuthDiscovery defines whether + support iSCSI Discovery CHAP authentication type: boolean chapAuthSession: - description: whether support iSCSI Session - CHAP authentication + description: chapAuthSession defines whether + support iSCSI Session CHAP authentication type: boolean fsType: - description: 'Filesystem type of the volume - that you want to mount. Tip: Ensure that - the filesystem type is supported by the - host operating system. 
Examples: "ext4", - "xfs", "ntfs". Implicitly inferred to be - "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#iscsi TODO: how do we prevent errors in the filesystem from compromising the machine' type: string initiatorName: - description: Custom iSCSI Initiator Name. - If initiatorName is specified with iscsiInterface - simultaneously, new iSCSI interface : will be created for - the connection. + description: initiatorName is the custom iSCSI + Initiator Name. If initiatorName is specified + with iscsiInterface simultaneously, new + iSCSI interface : will be created for the connection. type: string iqn: - description: Target iSCSI Qualified Name. + description: iqn is the target iSCSI Qualified + Name. type: string iscsiInterface: - description: iSCSI Interface Name that uses - an iSCSI transport. Defaults to 'default' - (tcp). + description: iscsiInterface is the interface + Name that uses an iSCSI transport. Defaults + to 'default' (tcp). type: string lun: - description: iSCSI Target Lun number. + description: lun represents iSCSI Target Lun + number. format: int32 type: integer portals: - description: iSCSI Target Portal List. The - portal is either an IP or ip_addr:port if - the port is other than default (typically + description: portals is the iSCSI Target Portal + List. The portal is either an IP or ip_addr:port + if the port is other than default (typically TCP ports 860 and 3260). items: type: string type: array readOnly: - description: ReadOnly here will force the + description: readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. 
type: boolean secretRef: - description: CHAP Secret for iSCSI target - and initiator authentication + description: secretRef is the CHAP Secret + for iSCSI target and initiator authentication properties: name: description: 'Name of the referent. More @@ -6076,11 +6957,12 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic targetPortal: - description: iSCSI Target Portal. The Portal - is either an IP or ip_addr:port if the port - is other than default (typically TCP ports - 860 and 3260). + description: targetPortal is iSCSI Target + Portal. The Portal is either an IP or ip_addr:port + if the port is other than default (typically + TCP ports 860 and 3260). type: string required: - iqn @@ -6088,26 +6970,26 @@ spec: - targetPortal type: object name: - description: 'Volume''s name. Must be a DNS_LABEL + description: 'name of the volume. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string nfs: - description: 'NFS represents an NFS mount on the + description: 'nfs represents an NFS mount on the host that shares a pod''s lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' properties: path: - description: 'Path that is exported by the + description: 'path that is exported by the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: string readOnly: - description: 'ReadOnly here will force the + description: 'readOnly here will force the NFS export to be mounted with read-only permissions. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: boolean server: - description: 'Server is the hostname or IP + description: 'server is the hostname or IP address of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: string required: 
@@ -6115,118 +6997,112 @@ spec: - server type: object persistentVolumeClaim: - description: 'PersistentVolumeClaimVolumeSource + description: 'persistentVolumeClaimVolumeSource represents a reference to a PersistentVolumeClaim in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' properties: claimName: - description: 'ClaimName is the name of a PersistentVolumeClaim + description: 'claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' type: string readOnly: - description: Will force the ReadOnly setting - in VolumeMounts. Default false. + description: readOnly Will force the ReadOnly + setting in VolumeMounts. Default false. type: boolean required: - claimName type: object photonPersistentDisk: - description: PhotonPersistentDisk represents a + description: photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine properties: fsType: - description: Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - Implicitly inferred to be "ext4" if unspecified. + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. 
type: string pdID: - description: ID that identifies Photon Controller - persistent disk + description: pdID is the ID that identifies + Photon Controller persistent disk type: string required: - pdID type: object portworxVolume: - description: PortworxVolume represents a portworx + description: portworxVolume represents a portworx volume attached and mounted on kubelets host machine properties: fsType: - description: FSType represents the filesystem + description: fSType represents the filesystem type to mount Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. type: string readOnly: - description: Defaults to false (read/write). + description: readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. type: boolean volumeID: - description: VolumeID uniquely identifies + description: volumeID uniquely identifies a Portworx volume type: string required: - volumeID type: object projected: - description: Items for all in one resources secrets, - configmaps, and downward API + description: projected items for all in one resources + secrets, configmaps, and downward API properties: defaultMode: - description: Mode bits used to set permissions - on created files by default. Must be an - octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both - octal and decimal values, JSON requires - decimal values for mode bits. Directories - within the path are not affected by this - setting. This might be in conflict with - other options that affect the file mode, - like fsGroup, and the result can be other - mode bits set. + description: defaultMode are the mode bits + used to set permissions on created files + by default. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. 
Directories within the path are + not affected by this setting. format: int32 type: integer sources: - description: list of volume projections + description: sources is the list of volume + projections items: description: Projection that may be projected along with other supported volume types properties: configMap: - description: information about the configMap - data to project + description: configMap information about + the configMap data to project properties: items: - description: If unspecified, each - key-value pair in the Data field - of the referenced ConfigMap will - be projected into the volume as - a file whose name is the key and - content is the value. If specified, + description: items if unspecified, + each key-value pair in the Data + field of the referenced ConfigMap + will be projected into the volume + as a file whose name is the key + and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. - If a key is specified which is - not present in the ConfigMap, - the volume setup will error unless - it is marked optional. Paths must - be relative and may not contain - the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. properties: key: - description: The key to project. + description: key is the key + to project. type: string mode: - description: 'Optional: mode - bits used to set permissions + description: 'mode is Optional: + mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value 
@@ -6235,16 +7111,11 @@ spec: values, JSON requires decimal values for mode bits. If not specified, the volume - defaultMode will be used. - This might be in conflict - with other options that - affect the file mode, like - fsGroup, and the result - can be other mode bits set.' + defaultMode will be used.' format: int32 type: integer path: - description: The relative + description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain @@ -6264,14 +7135,15 @@ spec: apiVersion, kind, uid?' type: string optional: - description: Specify whether the - ConfigMap or its keys must be - defined + description: optional specify whether + the ConfigMap or its keys must + be defined type: boolean type: object + x-kubernetes-map-type: atomic downwardAPI: - description: information about the downwardAPI - data to project + description: downwardAPI information + about the downwardAPI data to project properties: items: description: Items is a list of @@ -6302,6 +7174,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic mode: description: 'Optional: mode bits used to set permissions @@ -6313,12 +7186,7 @@ spec: values, JSON requires decimal values for mode bits. If not specified, the volume - defaultMode will be used. - This might be in conflict - with other options that - affect the file mode, like - fsGroup, and the result - can be other mode bits set.' + defaultMode will be used.' format: int32 type: integer path: 
@@ -6362,41 +7230,37 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic required: - path type: object type: array type: object secret: - description: information about the secret - data to project + description: secret information about + the secret data to project properties: items: - description: If unspecified, each - key-value pair in the Data field - of the referenced Secret will - be projected into the volume as - a file whose name is the key and - content is the value. If specified, + description: items if unspecified, + each key-value pair in the Data + field of the referenced Secret + will be projected into the volume + as a file whose name is the key + and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. - If a key is specified which is - not present in the Secret, the - volume setup will error unless - it is marked optional. Paths must - be relative and may not contain - the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. properties: key: - description: The key to project. + description: key is the key + to project. type: string mode: - description: 'Optional: mode - bits used to set permissions + description: 'mode is Optional: + mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value @@ -6405,16 +7269,11 @@ spec: values, JSON requires decimal values for mode bits. If not specified, the volume - defaultMode will be used. - This might be in conflict - with other options that - affect the file mode, like - fsGroup, and the result - can be other mode bits set.' + defaultMode will be used.' format: int32 type: integer path: - description: The relative + description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain 
@@ -6434,16 +7293,19 @@ spec: apiVersion, kind, uid?' type: string optional: - description: Specify whether the - Secret or its key must be defined + description: optional field specify + whether the Secret or its key + must be defined type: boolean type: object + x-kubernetes-map-type: atomic serviceAccountToken: - description: information about the serviceAccountToken + description: serviceAccountToken is + information about the serviceAccountToken data to project properties: audience: - description: Audience is the intended + description: audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in @@ -6453,7 +7315,7 @@ spec: of the apiserver. type: string expirationSeconds: - description: ExpirationSeconds is + description: expirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, @@ -6469,7 +7331,7 @@ spec: format: int64 type: integer path: - description: Path is the path relative + description: path is the path relative to the mount point of the file to project the token into. type: string 
@@ -6478,41 +7340,39 @@ spec: type: object type: object type: array - required: - - sources type: object quobyte: - description: Quobyte represents a Quobyte mount + description: quobyte represents a Quobyte mount on the host that shares a pod's lifetime properties: group: - description: Group to map volume access to + description: group to map volume access to Default is no group type: string readOnly: - description: ReadOnly here will force the + description: readOnly here will force the Quobyte volume to be mounted with read-only permissions. Defaults to false. type: boolean registry: - description: Registry represents a single + description: registry represents a single or multiple Quobyte Registry services specified as a string as host:port pair (multiple entries are separated with commas) which acts as the central registry for volumes type: string tenant: - description: Tenant owning the given Quobyte + description: tenant owning the given Quobyte volume in the Backend Used with dynamically provisioned Quobyte volumes, value is set by the plugin type: string user: - description: User to map volume access to + description: user to map volume access to Defaults to serivceaccount user type: string volume: - description: Volume is a string that references + description: volume is a string that references an already created Quobyte volume by name. type: string required: 
@@ -6520,46 +7380,47 @@ spec: - volume type: object rbd: - description: 'RBD represents a Rados Block Device + description: 'rbd represents a Rados Block Device mount on the host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md' properties: fsType: - description: 'Filesystem type of the volume - that you want to mount. Tip: Ensure that - the filesystem type is supported by the - host operating system. Examples: "ext4", - "xfs", "ntfs". Implicitly inferred to be - "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#rbd TODO: how do we prevent errors in the filesystem from compromising the machine' type: string image: - description: 'The rados image name. More info: - https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: 'image is the rados image name. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string keyring: - description: 'Keyring is the path to key ring + description: 'keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string monitors: - description: 'A collection of Ceph monitors. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: 'monitors is a collection of + Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' items: type: string type: array pool: - description: 'The rados pool name. Default - is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: 'pool is the rados pool name. + Default is rbd. 
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string readOnly: - description: 'ReadOnly here will force the + description: 'readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: boolean secretRef: - description: 'SecretRef is name of the authentication + description: 'secretRef is name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' properties: 
@@ -6570,39 +7431,41 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic user: - description: 'The rados user name. Default - is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: 'user is the rados user name. + Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string required: - image - monitors type: object scaleIO: - description: ScaleIO represents a ScaleIO persistent + description: scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. properties: fsType: - description: Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - Default is "xfs". + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Default is "xfs". type: string gateway: - description: The host address of the ScaleIO - API Gateway. + description: gateway is the host address of + the ScaleIO API Gateway. type: string protectionDomain: - description: The name of the ScaleIO Protection - Domain for the configured storage. + description: protectionDomain is the name + of the ScaleIO Protection Domain for the + configured storage. type: string readOnly: - description: Defaults to false (read/write). + description: readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: SecretRef references to the secret + description: secretRef references to the secret for ScaleIO user and other sensitive information. If this is not provided, Login operation will fail. 
@@ -6614,27 +7477,29 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic sslEnabled: - description: Flag to enable/disable SSL communication - with Gateway, default false + description: sslEnabled Flag enable/disable + SSL communication with Gateway, default + false type: boolean storageMode: - description: Indicates whether the storage - for a volume should be ThickProvisioned + description: storageMode indicates whether + the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. type: string storagePool: - description: The ScaleIO Storage Pool associated - with the protection domain. + description: storagePool is the ScaleIO Storage + Pool associated with the protection domain. type: string system: - description: The name of the storage system - as configured in ScaleIO. + description: system is the name of the storage + system as configured in ScaleIO. type: string volumeName: - description: The name of a volume already - created in the ScaleIO system that is associated - with this volume source. + description: volumeName is the name of a volume + already created in the ScaleIO system that + is associated with this volume source. type: string required: - gateway 
@@ -6642,62 +7507,52 @@ spec: - system type: object secret: - description: 'Secret represents a secret that + description: 'secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' properties: defaultMode: - description: 'Optional: mode bits used to - set permissions on created files by default. - Must be an octal value between 0000 and - 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, - JSON requires decimal values for mode bits. - Defaults to 0644. Directories within the - path are not affected by this setting. This - might be in conflict with other options - that affect the file mode, like fsGroup, - and the result can be other mode bits set.' + description: 'defaultMode is Optional: mode + bits used to set permissions on created + files by default. Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. + Directories within the path are not affected + by this setting.' format: int32 type: integer items: - description: If unspecified, each key-value + description: items If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the Secret, the volume setup will error - unless it is marked optional. Paths must - be relative and may not contain the '..' - path or start with '..'. + and unlisted keys will not be present. items: description: Maps a string key to a path within a volume. properties: key: - description: The key to project. + description: key is the key to project. 
type: string mode: - description: 'Optional: mode bits used - to set permissions on this file. Must - be an octal value between 0000 and - 0777 or a decimal value between 0 - and 511. YAML accepts both octal and - decimal values, JSON requires decimal - values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can be - other mode bits set.' + description: 'mode is Optional: mode + bits used to set permissions on this + file. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal + and decimal values, JSON requires + decimal values for mode bits. If not + specified, the volume defaultMode + will be used.' format: int32 type: integer path: - description: The relative path of the - file to map the key to. May not be - an absolute path. May not contain + description: path is the relative path + of the file to map the key to. May + not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string 
@@ -6707,31 +7562,33 @@ spec: type: object type: array optional: - description: Specify whether the Secret or - its keys must be defined + description: optional field specify whether + the Secret or its keys must be defined type: boolean secretName: - description: 'Name of the secret in the pod''s - namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + description: 'secretName is the name of the + secret in the pod''s namespace to use. More + info: https://kubernetes.io/docs/concepts/storage/volumes#secret' type: string type: object storageos: - description: StorageOS represents a StorageOS + description: storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. properties: fsType: - description: Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - Implicitly inferred to be "ext4" if unspecified. + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. type: string readOnly: - description: Defaults to false (read/write). + description: readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: SecretRef specifies the secret + description: secretRef specifies the secret to use for obtaining the StorageOS API credentials. If not specified, default values will be attempted. properties: 
@@ -6742,13 +7599,14 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic volumeName: - description: VolumeName is the human-readable + description: volumeName is the human-readable name of the StorageOS volume. Volume names are only unique within a namespace. type: string volumeNamespace: - description: VolumeNamespace specifies the + description: volumeNamespace specifies the scope of the volume within StorageOS. If no namespace is specified then the Pod's namespace will be used. This allows the 
@@ -6756,32 +7614,33 @@ spec: StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to "default" if you are not using namespaces - within StorageOS. Namespaces that do not - pre-exist within StorageOS will be created. + within StorageOS. type: string type: object vsphereVolume: - description: VsphereVolume represents a vSphere + description: vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine properties: fsType: - description: Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - Implicitly inferred to be "ext4" if unspecified. + description: fsType is filesystem type to + mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. type: string storagePolicyID: - description: Storage Policy Based Management - (SPBM) profile ID associated with the StoragePolicyName. + description: storagePolicyID is the storage + Policy Based Management (SPBM) profile ID + associated with the StoragePolicyName. type: string storagePolicyName: - description: Storage Policy Based Management - (SPBM) profile name. + description: storagePolicyName is the storage + Policy Based Management (SPBM) profile name. type: string volumePath: - description: Path that identifies vSphere - volume vmdk + description: volumePath is the path that identifies + vSphere volume vmdk type: string required: - volumePath 
@@ -6795,10 +7654,9 @@ spec: type: object type: object type: object - description: 'MXReplicaSpecs is map of common.ReplicaType and common.ReplicaSpec - specifies the MX replicas to run. For example, { "Scheduler": - common.ReplicaSpec, "Server": common.ReplicaSpec, "Worker": - common.ReplicaSpec, }' + description: 'MXReplicaSpecs is map of ReplicaType and ReplicaSpec + specifies the MX replicas to run. For example, { "Scheduler": ReplicaSpec, + "Server": ReplicaSpec, "Worker": ReplicaSpec, }' type: object runPolicy: description: RunPolicy encapsulates various runtime policies of the @@ -6818,7 +7676,7 @@ spec: type: integer cleanPodPolicy: description: CleanPodPolicy defines the policy to kill pods after - the job completes. Default to Running. + the job completes. Default to None. type: string schedulingPolicy: description: SchedulingPolicy defines the policy related to scheduling, @@ -6834,14 +7692,25 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, quantity) - pairs. type: object priorityClass: type: string queue: type: string + scheduleTimeoutSeconds: + format: int32 + type: integer type: object + suspend: + default: false + description: suspend specifies whether the Job controller should + create Pods or not. If a Job is created with suspend set to + true, no Pods are created by the Job controller. If a Job is + suspended after creation (i.e. the flag goes from false to true), + the Job controller will delete all active Pods and PodGroups + associated with this Job. Users must design their workload to + gracefully handle this. + type: boolean ttlSecondsAfterFinished: description: TTLSecondsAfterFinished is the TTL to clean up jobs. It may take extra ReconcilePeriod seconds for the cleanup, since 
@@ -6916,10 +7785,7 @@ spec: format: int32 type: integer labelSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: 'Deprecated: Use Selector instead' properties: matchExpressions: description: matchExpressions is a list of label selector @@ -6962,6 +7828,13 @@ spec: only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic + selector: + description: A Selector is a label query over a set of resources. + The result of matchLabels and matchExpressions are ANDed. + An empty Selector matches all objects. A null Selector matches + no objects. + type: string succeeded: description: The number of pods which reached phase Succeeded. format: int32 @@ -6977,18 +7850,9 @@ spec: and is in UTC. format: date-time type: string - required: - - conditions - - replicaStatuses type: object type: object served: true storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/kubeflow/helm/training-operator/crds/kubeflow.org_paddlejobs.yaml b/kubeflow/helm/training-operator/crds/kubeflow.org_paddlejobs.yaml new file mode 100644 index 000000000..e3dd348ab --- /dev/null +++ b/kubeflow/helm/training-operator/crds/kubeflow.org_paddlejobs.yaml 
@@ -0,0 +1,8372 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.0 + name: paddlejobs.kubeflow.org +spec: + group: kubeflow.org + names: + kind: PaddleJob + listKind: PaddleJobList + plural: paddlejobs + singular: paddlejob + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[-1:].type + name: State + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: PaddleJob Represents a PaddleJob resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Specification of the desired state of the PaddleJob. + properties: + elasticPolicy: + description: ElasticPolicy holds the elastic policy for paddle job. + properties: + maxReplicas: + description: upper limit for the number of pods that can be set + by the autoscaler; cannot be smaller than MinReplicas, defaults + to null. + format: int32 + type: integer + maxRestarts: + description: MaxRestarts is the limit for restart times of pods + in elastic mode. 
+ format: int32 + type: integer + metrics: + description: Metrics contains the specifications which are used + to calculate the desired replica count (the maximum replica + count across all metrics will be used). The desired replica + count is calculated with multiplying the ratio between the target + value and the current value by the current number of pods. Ergo, + metrics used must decrease as the pod count is increased, and + vice-versa. + items: + description: MetricSpec specifies how to scale based on a single + metric (only `type` and one other matching field should be + set at once). + properties: + containerResource: + description: containerResource refers to a resource metric + (such as those specified in requests and limits) known + to Kubernetes describing a single container in each pod + of the current scale target (e.g. CPU or memory). Such + metrics are built in to Kubernetes, and have special scaling + options on top of those available to normal per-pod metrics + using the "pods" source. + properties: + container: + description: container is the name of the container + in the pods of the scaling target + type: string + name: + description: name is the name of the resource in question. + type: string + target: + description: target specifies the target value for the + given metric + properties: + averageUtilization: + description: averageUtilization is the target value + of the average of the resource metric across all + relevant pods, represented as a percentage of + the requested value of the resource for the pods. 
+ Currently only valid for Resource metric source + type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: averageValue is the target value of + the average of the metric across all relevant + pods (as a quantity) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: type represents whether the metric + type is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: value is the target value of the metric + (as a quantity). + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - container + - name + - target + type: object + external: + description: external refers to a global metric that is + not associated with any Kubernetes object. It allows autoscaling + based on information coming from components running outside + of cluster (for example length of queue in cloud messaging + service, or QPS from loadbalancer running outside of cluster). + properties: + metric: + description: metric identifies the target metric by + name and selector + properties: + name: + description: name is the name of the given metric + type: string + selector: + description: selector is the string-encoded form + of a standard kubernetes label selector for the + given metric When set, it is passed as an additional + parameter to the metrics server for more specific + metrics scoping. When unset, just the metricName + will be used to gather metrics. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. 
+ items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + description: target specifies the target value for the + given metric + properties: + averageUtilization: + description: averageUtilization is the target value + of the average of the resource metric across all + relevant pods, represented as a percentage of + the requested value of the resource for the pods. 
+ Currently only valid for Resource metric source + type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: averageValue is the target value of + the average of the metric across all relevant + pods (as a quantity) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: type represents whether the metric + type is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: value is the target value of the metric + (as a quantity). + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - metric + - target + type: object + object: + description: object refers to a metric describing a single + kubernetes object (for example, hits-per-second on an + Ingress object). 
+ properties: + describedObject: + description: describedObject specifies the descriptions + of a object,such as kind,name apiVersion + properties: + apiVersion: + description: apiVersion is the API version of the + referent + type: string + kind: + description: 'kind is the kind of the referent; + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'name is the name of the referent; + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + required: + - kind + - name + type: object + metric: + description: metric identifies the target metric by + name and selector + properties: + name: + description: name is the name of the given metric + type: string + selector: + description: selector is the string-encoded form + of a standard kubernetes label selector for the + given metric When set, it is passed as an additional + parameter to the metrics server for more specific + metrics scoping. When unset, just the metricName + will be used to gather metrics. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + description: target specifies the target value for the + given metric + properties: + averageUtilization: + description: averageUtilization is the target value + of the average of the resource metric across all + relevant pods, represented as a percentage of + the requested value of the resource for the pods. + Currently only valid for Resource metric source + type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: averageValue is the target value of + the average of the metric across all relevant + pods (as a quantity) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: type represents whether the metric + type is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: value is the target value of the metric + (as a quantity). + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - describedObject + - metric + - target + type: object + pods: + description: pods refers to a metric describing each pod + in the current scale target (for example, transactions-processed-per-second). 
The + values will be averaged together before being compared + to the target value. + properties: + metric: + description: metric identifies the target metric by + name and selector + properties: + name: + description: name is the name of the given metric + type: string + selector: + description: selector is the string-encoded form + of a standard kubernetes label selector for the + given metric When set, it is passed as an additional + parameter to the metrics server for more specific + metrics scoping. When unset, just the metricName + will be used to gather metrics. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + required: + - name + type: object + target: + description: target specifies the target value for the + given metric + properties: + averageUtilization: + description: averageUtilization is the target value + of the average of the resource metric across all + relevant pods, represented as a percentage of + the requested value of the resource for the pods. + Currently only valid for Resource metric source + type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: averageValue is the target value of + the average of the metric across all relevant + pods (as a quantity) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: type represents whether the metric + type is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: value is the target value of the metric + (as a quantity). + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - metric + - target + type: object + resource: + description: resource refers to a resource metric (such + as those specified in requests and limits) known to Kubernetes + describing each pod in the current scale target (e.g. + CPU or memory). Such metrics are built in to Kubernetes, + and have special scaling options on top of those available + to normal per-pod metrics using the "pods" source. + properties: + name: + description: name is the name of the resource in question. 
+ type: string + target: + description: target specifies the target value for the + given metric + properties: + averageUtilization: + description: averageUtilization is the target value + of the average of the resource metric across all + relevant pods, represented as a percentage of + the requested value of the resource for the pods. + Currently only valid for Resource metric source + type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: averageValue is the target value of + the average of the metric across all relevant + pods (as a quantity) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: type represents whether the metric + type is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: value is the target value of the metric + (as a quantity). + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - name + - target + type: object + type: + description: 'type is the type of metric source. It should + be one of "ContainerResource", "External", "Object", "Pods" + or "Resource", each mapping to a matching field in the + object. Note: "ContainerResource" type is available on + when the feature-gate HPAContainerMetrics is enabled' + type: string + required: + - type + type: object + type: array + minReplicas: + description: minReplicas is the lower limit for the number of + replicas to which the training job can scale down. It defaults + to null. 
+ format: int32 + type: integer + type: object + paddleReplicaSpecs: + additionalProperties: + description: ReplicaSpec is a description of the replica + properties: + replicas: + description: Replicas is the desired number of replicas of the + given template. If unspecified, defaults to 1. + format: int32 + type: integer + restartPolicy: + description: Restart policy for all replicas within the job. + One of Always, OnFailure, Never and ExitCode. Default to Never. + type: string + template: + description: Template is the object that describes the pod that + will be created for this replica. RestartPolicy in PodTemplateSpec + will be overide by RestartPolicy in ReplicaSpec + properties: + metadata: + description: 'Standard object''s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata' + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + description: 'Specification of the desired behavior of the + pod. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + properties: + activeDeadlineSeconds: + description: Optional duration in seconds the pod may + be active on the node relative to StartTime before + the system will actively try to mark it failed and + kill associated containers. Value must be a positive + integer. + format: int64 + type: integer + affinity: + description: If specified, the pod's scheduling constraints + properties: + nodeAffinity: + description: Describes node affinity scheduling + rules for the pod. 
+ properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the affinity expressions + specified by this field, but it may choose + a node that violates one or more of the expressions. + The node that is most preferred is the one + with the greatest sum of weights, i.e. for + each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc. + items: + description: An empty preferred scheduling + term matches all objects with implicit weight + 0 (i.e. it's a no-op). A null preferred + scheduling term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: A node selector term, associated + with the corresponding weight. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: Represents a key's + relationship to a set of values. + Valid operators are In, NotIn, + Exists, DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array of string + values. If the operator is + In or NotIn, the values array + must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, + the values array must have + a single element, which will + be interpreted as an integer. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector + requirements by node's fields. 
+ items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: Represents a key's + relationship to a set of values. + Valid operators are In, NotIn, + Exists, DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array of string + values. If the operator is + In or NotIn, the values array + must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, + the values array must have + a single element, which will + be interpreted as an integer. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching + the corresponding nodeSelectorTerm, + in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified + by this field are not met at scheduling time, + the pod will not be scheduled onto the node. + If the affinity requirements specified by + this field cease to be met at some point during + pod execution (e.g. due to an update), the + system may or may not try to eventually evict + the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector + terms. The terms are ORed. + items: + description: A null or empty node selector + term matches no objects. The requirements + of them are ANDed. The TopologySelectorTerm + type implements a subset of the NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector + requirements by node's labels. 
+ items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: Represents a key's + relationship to a set of values. + Valid operators are In, NotIn, + Exists, DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array of string + values. If the operator is + In or NotIn, the values array + must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, + the values array must have + a single element, which will + be interpreted as an integer. + This array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector + requirements by node's fields. + items: + description: A node selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: The label key that + the selector applies to. + type: string + operator: + description: Represents a key's + relationship to a set of values. + Valid operators are In, NotIn, + Exists, DoesNotExist. Gt, + and Lt. + type: string + values: + description: An array of string + values. If the operator is + In or NotIn, the values array + must be non-empty. If the + operator is Exists or DoesNotExist, + the values array must be empty. + If the operator is Gt or Lt, + the values array must have + a single element, which will + be interpreted as an integer. + This array is replaced during + a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules + (e.g. co-locate this pod in the same node, zone, + etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the affinity expressions + specified by this field, but it may choose + a node that violates one or more of the expressions. + The node that is most preferred is the one + with the greatest sum of weights, i.e. for + each node that meets all of the scheduling + requirements (resource request, requiredDuringScheduling + affinity expressions, etc. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: A label query over a + set of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. 
If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the + set of namespaces that the term + applies to. The term is applied + to the union of the namespaces selected + by this field and the ones listed + in the namespaces field. null selector + and null or empty namespaces list + means "this pod's namespace". An + empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies + a static list of namespace names + that the term applies to. The term + is applied to the union of the namespaces + listed in this field and the ones + selected by namespaceSelector. null + or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in + the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified + by this field are not met at scheduling time, + the pod will not be scheduled onto the node. + If the affinity requirements specified by + this field cease to be met at some point during + pod execution (e.g. due to a pod label update), + the system may or may not try to eventually + evict the pod from its node. 
+ items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this pod + should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is + defined as running on a node whose value + of the label with key matches + that of any node on which a pod of the set + of pods is running + properties: + labelSelector: + description: A label query over a set + of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies + to. 
The term is applied to the union + of the namespaces selected by this field + and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". 
+ items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling + rules (e.g. avoid putting this pod in the same + node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule + pods to nodes that satisfy the anti-affinity + expressions specified by this field, but it + may choose a node that violates one or more + of the expressions. The node that is most + preferred is the one with the greatest sum + of weights, i.e. + items: + description: The weights of all of the matched + WeightedPodAffinityTerm fields are added + per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity + term, associated with the corresponding + weight. + properties: + labelSelector: + description: A label query over a + set of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. 
+ type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the + set of namespaces that the term + applies to. The term is applied + to the union of the namespaces selected + by this field and the ones listed + in the namespaces field. null selector + and null or empty namespaces list + means "this pod's namespace". An + empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. 
This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies + a static list of namespace names + that the term applies to. The term + is applied to the union of the namespaces + listed in this field and the ones + selected by namespaceSelector. null + or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where + co-located is defined as running + on a node whose value of the label + with key topologyKey matches that + of any node on which any of the + selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching + the corresponding podAffinityTerm, in + the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements + specified by this field are not met at scheduling + time, the pod will not be scheduled onto the + node. If the anti-affinity requirements specified + by this field cease to be met at some point + during pod execution (e.g. 
due to a pod label + update), the system may or may not try to + eventually evict the pod from its node. + items: + description: Defines a set of pods (namely + those matching the labelSelector relative + to the given namespace(s)) that this pod + should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is + defined as running on a node whose value + of the label with key matches + that of any node on which a pod of the set + of pods is running + properties: + labelSelector: + description: A label query over a set + of resources, in this case pods. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this field + and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. 
+ null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located + (affinity) or not co-located (anti-affinity) + with the pods matching the labelSelector + in the specified namespaces, where co-located + is defined as running on a node whose + value of the label with key topologyKey + matches that of any node on which any + of the selected pods is running. Empty + topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + automountServiceAccountToken: + description: AutomountServiceAccountToken indicates + whether a service account token should be automatically + mounted. + type: boolean + containers: + description: List of containers belonging to the pod. + Containers cannot currently be added or removed. There + must be at least one container in a Pod. Cannot be + updated. + items: + description: A single application container that you + want to run within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The + container image''s CMD is used if this is not + provided. Variable references $(VAR_NAME) are + expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The container image''s ENTRYPOINT is + used if this is not provided. Variable references + $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, + the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e.' 
+ items: + type: string + type: array + env: + description: List of environment variables to + set in the container. Cannot be updated. + items: + description: EnvVar represents an environment + variable present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined + environment variables in the container + and any service environment variables. + If a variable cannot be resolved, the + reference in the input string will be + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' + type: string + valueFrom: + description: Source for the environment + variable's value. Cannot be used if value + is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + ConfigMap or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the + pod: supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. 
+ type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of + the container: only resources limits + and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret + in the pod's namespace + properties: + key: + description: The key of the secret + to select from. Must be a valid + secret key. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the + Secret or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined + within a source must be a C_IDENTIFIER. All + invalid keys will be reported as an event when + the container is starting. When a key exists + in multiple sources, the value associated with + the last source will take precedence. Values + defined by an Env with a duplicate key will + take precedence. 
Cannot be updated. + items: + description: EnvFromSource represents the source + of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be + a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. More info: + https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level + config management to default or override container + images in workload controllers like Deployments + and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always if :latest + tag is specified, or IfNotPresent otherwise. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system + should take in response to container lifecycle + events. Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately + after a container is created. 
If the handler + fails, the container is terminated and restarted + according to its restart policy. Other management + of the container blocks until the hook completes. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. 
+ type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: PreStop is called immediately + before a container is terminated due to + an API request or management event such + as liveness/startup probe failure, preemption, + resource contention, etc. The handler is + not called if the container crashes or exits. + The Pod's termination grace period countdown + begins before the PreStop hook is executed. + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. 
+ items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. + Container will be restarted if the probe fails. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to + take. 
+ properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. 
+ type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. 
The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as + a DNS_LABEL. Each container in a pod must have + a unique name (DNS_LABEL). Cannot be updated. + type: string + ports: + description: List of ports to expose from the + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. + items: + description: ContainerPort represents a network + port in a single container. + properties: + containerPort: + description: Number of port to expose on + the pod's IP address. This must be a valid + port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on + the host. If specified, this must be a + valid port number, 0 < x < 65536. If HostNetwork + is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be + an IANA_SVC_NAME and unique within the + pod. Each named port in a pod must have + a unique name. Name for the port that + can be referred to by services. 
+ type: string + protocol: + default: TCP + description: Protocol for port. Must be + UDP, TCP, or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service + readiness. Container will be removed from service + endpoints if the probe fails. Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. 
+ properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' 
+ type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resizePolicy: + description: Resources resize policy for the container. + items: + description: ContainerResizePolicy represents + resource resize policy for the container. + properties: + resourceName: + description: 'Name of the resource to which + this resource resize policy applies. Supported + values: cpu, memory.' + type: string + restartPolicy: + description: Restart policy to apply when + specified resource is resized. If not + specified, it defaults to NotRequired. + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic + resources: + description: 'Compute Resources required by this + container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are + used by this container. 
\n This is an alpha + field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: ResourceClaim references one + entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available inside + a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum + amount of compute resources allowed. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. If + Requests is omitted for a container, it + defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined + value. Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'SecurityContext defines the security + options the container should be run with. If + set, the fields of SecurityContext override + the equivalent fields of PodSecurityContext. 
+ More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges + than its parent process. This bool directly + controls if the no_new_privs flag will be + set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop + when running containers. Defaults to the + default set of capabilities granted by the + container runtime. Note that this field + cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. + Processes in privileged containers are essentially + equivalent to root on the host. Defaults + to false. Note that this field cannot be + set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of + proc mount to use for the containers. The + default is DefaultProcMount which uses the + container runtime defaults for readonly + paths and masked paths. This requires the + ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a + read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint + of the container process. 
Uses runtime default + if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container + must run as a non-root user. If true, the + Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 + (root) and fail to start the container if + it does. If unset or false, no such validation + will be performed. May also be set in PodSecurityContext. + type: boolean + runAsUser: + description: The UID to run the entrypoint + of the container process. Defaults to user + specified in image metadata if unspecified. + May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied + to the container. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in + PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. + properties: + level: + description: Level is SELinux level label + that applies to the container. + type: string + role: + description: Role is a SELinux role label + that applies to the container. + type: string + type: + description: Type is a SELinux type label + that applies to the container. + type: string + user: + description: User is a SELinux user label + that applies to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by + this container. 
If seccomp options are provided + at both the pod & container level, the container + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates + a profile defined in a file on the node + should be used. The profile must be + preconfigured on the node to work. Must + be a descending path, relative to the + kubelet's configured seccomp profile + location. Must only be set if type is + "Localhost". + type: string + type: + description: "type indicates which kind + of seccomp profile will be applied. + Valid options are: \n Localhost - a + profile defined in a file on the node + should be used. RuntimeDefault - the + container runtime default profile should + be used. Unconfined - no profile should + be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings + applied to all containers. If unspecified, + the options from the PodSecurityContext + will be used. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where + the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName + field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is + the name of the GMSA credential spec + to use. + type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. Setting this field without + the feature flag will result in errors + when validating the Pod. 
+ type: boolean + runAsUserName: + description: The UserName in Windows to + run the entrypoint of the container + process. Defaults to the user specified + in image metadata if unspecified. May + also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, + no other probes are executed until this completes + successfully. If this probe fails, the Pod will + be restarted, just as if the livenessProbe failed. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." 
+ type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. 
+ properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. + If this is not set, reads from stdin in the + container will always result in EOF. Default + is false. + type: boolean + stdinOnce: + description: Whether the container runtime should + close the stdin channel after it has been opened + by a single attach. When stdin is true the stdin + stream will remain open across multiple attach + sessions. + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file + to which the container''s termination message + will be written is mounted into the container''s + filesystem. Message written is intended to be + brief final status, such as an assertion failure + message. Will be truncated by the node if greater + than 4096 bytes. The total message length across + all containers will be limited to 12kb. 
Defaults + to /dev/termination-log.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message + should be populated. File will use the contents + of terminationMessagePath to populate the container + status message on both success and failure. + FallbackToLogsOnError will use the last chunk + of container log output if the termination message + file is empty and the container exited with + an error. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be + true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block + devices to be used by the container. + items: + description: volumeDevice describes a mapping + of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside + of the container that the device will + be mapped to. + type: string + name: + description: name must match the name of + a persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Cannot be updated. + items: + description: VolumeMount describes a mounting + of a Volume within a container. + properties: + mountPath: + description: Path within the container at + which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines + how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is + used. This field is beta in 1.10. + type: string + name: + description: This must match the Name of + a Volume. + type: string + readOnly: + description: Mounted read-only if true, + read-write otherwise (false or unspecified). + Defaults to false. 
+ type: boolean + subPath: + description: Path within the volume from + which the container's volume should be + mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume + from which the container's volume should + be mounted. Behaves similarly to SubPath + but environment variable references $(VAR_NAME) + are expanded using the container's environment. + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If + not specified, the container runtime's default + will be used, which might be configured in the + container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + dnsConfig: + description: Specifies the DNS parameters of a pod. + Parameters specified here will be merged to the generated + DNS configuration based on DNSPolicy. + properties: + nameservers: + description: A list of DNS name server IP addresses. + This will be appended to the base nameservers + generated from DNSPolicy. Duplicated nameservers + will be removed. + items: + type: string + type: array + options: + description: A list of DNS resolver options. This + will be merged with the base options generated + from DNSPolicy. Duplicated entries will be removed. + Resolution options given in Options will override + those that appear in the base DNSPolicy. + items: + description: PodDNSConfigOption defines DNS resolver + options of a pod. + properties: + name: + description: Required. + type: string + value: + type: string + type: object + type: array + searches: + description: A list of DNS search domains for host-name + lookup. This will be appended to the base search + paths generated from DNSPolicy. Duplicated search + paths will be removed. 
+ items: + type: string + type: array + type: object + dnsPolicy: + description: Set DNS policy for the pod. Defaults to + "ClusterFirst". Valid values are 'ClusterFirstWithHostNet', + 'ClusterFirst', 'Default' or 'None'. DNS parameters + given in DNSConfig will be merged with the policy + selected with DNSPolicy. To have DNS options set along + with hostNetwork, you have to specify DNS policy explicitly + to 'ClusterFirstWithHostNet'. + type: string + enableServiceLinks: + description: 'EnableServiceLinks indicates whether information + about services should be injected into pod''s environment + variables, matching the syntax of Docker links. Optional: + Defaults to true.' + type: boolean + ephemeralContainers: + description: List of ephemeral containers run in this + pod. Ephemeral containers may be run in an existing + pod to perform user-initiated actions such as debugging. + This list cannot be specified when creating a pod, + and it cannot be modified by updating the pod spec. + In order to add an ephemeral container to an existing + pod, use the pod's ephemeralcontainers subresource. + items: + description: An EphemeralContainer is a temporary + container that you may add to an existing Pod for + user-initiated activities such as debugging. Ephemeral + containers have no resource or scheduling guarantees, + and they will not be restarted when they exit or + when a Pod is removed or restarted. The kubelet + may evict a Pod if an ephemeral container causes + the Pod to exceed its resource allocation. + properties: + args: + description: 'Arguments to the entrypoint. The + image''s CMD is used if this is not provided. + Variable references $(VAR_NAME) are expanded + using the container''s environment. If a variable + cannot be resolved, the reference in the input + string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)".' 
+ items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The image''s ENTRYPOINT is used if + this is not provided. Variable references $(VAR_NAME) + are expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + env: + description: List of environment variables to + set in the container. Cannot be updated. + items: + description: EnvVar represents an environment + variable present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined + environment variables in the container + and any service environment variables. + If a variable cannot be resolved, the + reference in the input string will be + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' + type: string + valueFrom: + description: Source for the environment + variable's value. Cannot be used if value + is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' 
+ type: string + optional: + description: Specify whether the + ConfigMap or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the + pod: supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of + the container: only resources limits + and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret + in the pod's namespace + properties: + key: + description: The key of the secret + to select from. Must be a valid + secret key. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' 
+ type: string + optional: + description: Specify whether the + Secret or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined + within a source must be a C_IDENTIFIER. All + invalid keys will be reported as an event when + the container is starting. When a key exists + in multiple sources, the value associated with + the last source will take precedence. Values + defined by an Env with a duplicate key will + take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source + of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be + a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. More info: + https://kubernetes.io/docs/concepts/containers/images' + type: string + imagePullPolicy: + description: 'Image pull policy. 
One of Always, + Never, IfNotPresent. Defaults to Always if :latest + tag is specified, or IfNotPresent otherwise. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Lifecycle is not allowed for ephemeral + containers. + properties: + postStart: + description: 'PostStart is called immediately + after a container is created. If the handler + fails, the container is terminated and restarted + according to its restart policy. Other management + of the container blocks until the hook completes. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. 
+ type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: PreStop is called immediately + before a container is terminated due to + an API request or management event such + as liveness/startup probe failure, preemption, + resource contention, etc. The handler is + not called if the container crashes or exits. + The Pod's termination grace period countdown + begins before the PreStop hook is executed. + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. 
To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. 
+ x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: Probes are not allowed for ephemeral + containers. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name. 
+ This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. 
The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the ephemeral container specified + as a DNS_LABEL. This name must be unique among + all containers, init containers and ephemeral + containers. + type: string + ports: + description: Ports are not allowed for ephemeral + containers. + items: + description: ContainerPort represents a network + port in a single container. + properties: + containerPort: + description: Number of port to expose on + the pod's IP address. This must be a valid + port number, 0 < x < 65536. + format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on + the host. If specified, this must be a + valid port number, 0 < x < 65536. If HostNetwork + is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be + an IANA_SVC_NAME and unique within the + pod. Each named port in a pod must have + a unique name. Name for the port that + can be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be + UDP, TCP, or SCTP. Defaults to "TCP". 
+ type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: Probes are not allowed for ephemeral + containers. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. 
+ x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resizePolicy: + description: Resources resize policy for the container. + items: + description: ContainerResizePolicy represents + resource resize policy for the container. + properties: + resourceName: + description: 'Name of the resource to which + this resource resize policy applies. Supported + values: cpu, memory.' + type: string + restartPolicy: + description: Restart policy to apply when + specified resource is resized. If not + specified, it defaults to NotRequired. + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic + resources: + description: Resources are not allowed for ephemeral + containers. Ephemeral containers use spare resources + already allocated to the pod. + properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are + used by this container. \n This is an alpha + field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: ResourceClaim references one + entry in PodSpec.ResourceClaims. 
+ properties: + name: + description: Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available inside + a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum + amount of compute resources allowed. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. If + Requests is omitted for a container, it + defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined + value. Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'Optional: SecurityContext defines + the security options the ephemeral container + should be run with. If set, the fields of SecurityContext + override the equivalent fields of PodSecurityContext.' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges + than its parent process. This bool directly + controls if the no_new_privs flag will be + set on the container process. 
AllowPrivilegeEscalation + is true always when the container is: 1) + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop + when running containers. Defaults to the + default set of capabilities granted by the + container runtime. Note that this field + cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. + Processes in privileged containers are essentially + equivalent to root on the host. Defaults + to false. Note that this field cannot be + set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of + proc mount to use for the containers. The + default is DefaultProcMount which uses the + container runtime defaults for readonly + paths and masked paths. This requires the + ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a + read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint + of the container process. Uses runtime default + if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. 
+ format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container + must run as a non-root user. If true, the + Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 + (root) and fail to start the container if + it does. If unset or false, no such validation + will be performed. May also be set in PodSecurityContext. + type: boolean + runAsUser: + description: The UID to run the entrypoint + of the container process. Defaults to user + specified in image metadata if unspecified. + May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied + to the container. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in + PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. + properties: + level: + description: Level is SELinux level label + that applies to the container. + type: string + role: + description: Role is a SELinux role label + that applies to the container. + type: string + type: + description: Type is a SELinux type label + that applies to the container. + type: string + user: + description: User is a SELinux user label + that applies to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by + this container. If seccomp options are provided + at both the pod & container level, the container + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. 
+ properties: + localhostProfile: + description: localhostProfile indicates + a profile defined in a file on the node + should be used. The profile must be + preconfigured on the node to work. Must + be a descending path, relative to the + kubelet's configured seccomp profile + location. Must only be set if type is + "Localhost". + type: string + type: + description: "type indicates which kind + of seccomp profile will be applied. + Valid options are: \n Localhost - a + profile defined in a file on the node + should be used. RuntimeDefault - the + container runtime default profile should + be used. Unconfined - no profile should + be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings + applied to all containers. If unspecified, + the options from the PodSecurityContext + will be used. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where + the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName + field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is + the name of the GMSA credential spec + to use. + type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean + runAsUserName: + description: The UserName in Windows to + run the entrypoint of the container + process. Defaults to the user specified + in image metadata if unspecified. 
May + also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: Probes are not allowed for ephemeral + containers. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. 
+ items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. 
+ x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. + If this is not set, reads from stdin in the + container will always result in EOF. Default + is false. + type: boolean + stdinOnce: + description: Whether the container runtime should + close the stdin channel after it has been opened + by a single attach. When stdin is true the stdin + stream will remain open across multiple attach + sessions. + type: boolean + targetContainerName: + description: "If set, the name of the container + from PodSpec that this ephemeral container targets. + The ephemeral container will be run in the namespaces + (IPC, PID, etc) of this container. If not set + then the ephemeral container uses the namespaces + configured in the Pod spec. \n The container + runtime must implement support for this feature." + type: string + terminationMessagePath: + description: 'Optional: Path at which the file + to which the container''s termination message + will be written is mounted into the container''s + filesystem. Message written is intended to be + brief final status, such as an assertion failure + message. Will be truncated by the node if greater + than 4096 bytes. 
The total message length across + all containers will be limited to 12kb. Defaults + to /dev/termination-log.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message + should be populated. File will use the contents + of terminationMessagePath to populate the container + status message on both success and failure. + FallbackToLogsOnError will use the last chunk + of container log output if the termination message + file is empty and the container exited with + an error. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be + true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block + devices to be used by the container. + items: + description: volumeDevice describes a mapping + of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside + of the container that the device will + be mapped to. + type: string + name: + description: name must match the name of + a persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Subpath mounts are not allowed for + ephemeral containers. Cannot be updated. + items: + description: VolumeMount describes a mounting + of a Volume within a container. + properties: + mountPath: + description: Path within the container at + which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines + how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is + used. This field is beta in 1.10. + type: string + name: + description: This must match the Name of + a Volume. 
+ type: string + readOnly: + description: Mounted read-only if true, + read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: Path within the volume from + which the container's volume should be + mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume + from which the container's volume should + be mounted. Behaves similarly to SubPath + but environment variable references $(VAR_NAME) + are expanded using the container's environment. + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If + not specified, the container runtime's default + will be used, which might be configured in the + container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + hostAliases: + description: HostAliases is an optional list of hosts + and IPs that will be injected into the pod's hosts + file if specified. This is only valid for non-hostNetwork + pods. + items: + description: HostAlias holds the mapping between IP + and hostnames that will be injected as an entry + in the pod's hosts file. + properties: + hostnames: + description: Hostnames for the above IP address. + items: + type: string + type: array + ip: + description: IP address of the host file entry. + type: string + type: object + type: array + hostIPC: + description: 'Use the host''s ipc namespace. Optional: + Default to false.' + type: boolean + hostNetwork: + description: Host networking requested for this pod. + Use the host's network namespace. If this option is + set, the ports that will be used must be specified. + Default to false. + type: boolean + hostPID: + description: 'Use the host''s pid namespace. Optional: + Default to false.' 
+ type: boolean + hostUsers: + description: 'Use the host''s user namespace. Optional: + Default to true. If set to true or not present, the + pod will be run in the host user namespace, useful + for when the pod needs a feature only available to + the host user namespace, such as loading a kernel + module with CAP_SYS_MODULE. When set to false, a new + userns is created for the pod.' + type: boolean + hostname: + description: Specifies the hostname of the Pod If not + specified, the pod's hostname will be set to a system-defined + value. + type: string + imagePullSecrets: + description: 'ImagePullSecrets is an optional list of + references to secrets in the same namespace to use + for pulling any of the images used by this PodSpec. + If specified, these secrets will be passed to individual + puller implementations for them to use. More info: + https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' + items: + description: LocalObjectReference contains enough + information to let you locate the referenced object + inside the same namespace. + properties: + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, + uid?' + type: string + type: object + x-kubernetes-map-type: atomic + type: array + initContainers: + description: List of initialization containers belonging + to the pod. Init containers are executed in order + prior to containers being started. If any init container + fails, the pod is considered to have failed and is + handled according to its restartPolicy. The name for + an init container or normal container must be unique + among all containers. + items: + description: A single application container that you + want to run within a pod. + properties: + args: + description: 'Arguments to the entrypoint. The + container image''s CMD is used if this is not + provided. 
Variable references $(VAR_NAME) are + expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + command: + description: 'Entrypoint array. Not executed within + a shell. The container image''s ENTRYPOINT is + used if this is not provided. Variable references + $(VAR_NAME) are expanded using the container''s + environment. If a variable cannot be resolved, + the reference in the input string will be unchanged. + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e.' + items: + type: string + type: array + env: + description: List of environment variables to + set in the container. Cannot be updated. + items: + description: EnvVar represents an environment + variable present in a Container. + properties: + name: + description: Name of the environment variable. + Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) + are expanded using the previously defined + environment variables in the container + and any service environment variables. + If a variable cannot be resolved, the + reference in the input string will be + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' + type: string + valueFrom: + description: Source for the environment + variable's value. Cannot be used if value + is not empty. + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' 
+ type: string + optional: + description: Specify whether the + ConfigMap or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + description: 'Selects a field of the + pod: supports metadata.name, metadata.namespace, + `metadata.labels['''']`, `metadata.annotations['''']`, + spec.nodeName, spec.serviceAccountName, + status.hostIP, status.podIP, status.podIPs.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + description: 'Selects a resource of + the container: only resources limits + and requests (limits.cpu, limits.memory, + limits.ephemeral-storage, requests.cpu, + requests.memory and requests.ephemeral-storage) + are currently supported.' + properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret + in the pod's namespace + properties: + key: + description: The key of the secret + to select from. Must be a valid + secret key. + type: string + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' 
+ type: string + optional: + description: Specify whether the + Secret or its key must be defined + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + description: List of sources to populate environment + variables in the container. The keys defined + within a source must be a C_IDENTIFIER. All + invalid keys will be reported as an event when + the container is starting. When a key exists + in multiple sources, the value associated with + the last source will take precedence. Values + defined by an Env with a duplicate key will + take precedence. Cannot be updated. + items: + description: EnvFromSource represents the source + of a set of ConfigMaps + properties: + configMapRef: + description: The ConfigMap to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend + to each key in the ConfigMap. Must be + a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + properties: + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: Specify whether the Secret + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + description: 'Container image name. 
More info: + https://kubernetes.io/docs/concepts/containers/images + This field is optional to allow higher level + config management to default or override container + images in workload controllers like Deployments + and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, + Never, IfNotPresent. Defaults to Always if :latest + tag is specified, or IfNotPresent otherwise. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + lifecycle: + description: Actions that the management system + should take in response to container lifecycle + events. Cannot be updated. + properties: + postStart: + description: 'PostStart is called immediately + after a container is created. If the handler + fails, the container is terminated and restarted + according to its restart policy. Other management + of the container blocks until the hook completes. + More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + properties: + exec: + description: Exec specifies the action + to take. + properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. 
+ items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. + properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + description: PreStop is called immediately + before a container is terminated due to + an API request or management event such + as liveness/startup probe failure, preemption, + resource contention, etc. The handler is + not called if the container crashes or exits. + The Pod's termination grace period countdown + begins before the PreStop hook is executed. + properties: + exec: + description: Exec specifies the action + to take. 
+ properties: + command: + description: Command is the command + line to execute inside the container, + the working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it + is not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to + explicitly call out to that shell. + Exit status of 0 is treated as live/healthy + and non-zero is unhealthy. + items: + type: string + type: array + type: object + httpGet: + description: HTTPGet specifies the http + request to perform. + properties: + host: + description: Host name to connect + to, defaults to the pod IP. You + probably want to set "Host" in httpHeaders + instead. + type: string + httpHeaders: + description: Custom headers to set + in the request. HTTP allows repeated + headers. + items: + description: HTTPHeader describes + a custom header to be used in + HTTP probes + properties: + name: + description: The header field + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. + type: string + value: + description: The header field + value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the + HTTP server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + tcpSocket: + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. 
+ properties: + host: + description: 'Optional: Host name + to connect to, defaults to the pod + IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the + port to access on the container. + Number must be in the range 1 to + 65535. Name must be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + description: 'Periodic probe of container liveness. + Container will be restarted if the probe fails. + Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." 
+ type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. 
+ properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + name: + description: Name of the container specified as + a DNS_LABEL. Each container in a pod must have + a unique name (DNS_LABEL). Cannot be updated. + type: string + ports: + description: List of ports to expose from the + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. + items: + description: ContainerPort represents a network + port in a single container. + properties: + containerPort: + description: Number of port to expose on + the pod's IP address. This must be a valid + port number, 0 < x < 65536. 
+ format: int32 + type: integer + hostIP: + description: What host IP to bind the external + port to. + type: string + hostPort: + description: Number of port to expose on + the host. If specified, this must be a + valid port number, 0 < x < 65536. If HostNetwork + is specified, this must match ContainerPort. + Most containers do not need this. + format: int32 + type: integer + name: + description: If specified, this must be + an IANA_SVC_NAME and unique within the + pod. Each named port in a pod must have + a unique name. Name for the port that + can be referred to by services. + type: string + protocol: + default: TCP + description: Protocol for port. Must be + UDP, TCP, or SCTP. Defaults to "TCP". + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service + readiness. Container will be removed from service + endpoints if the probe fails. Cannot be updated. + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. + format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. 
+ properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. 
Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + resizePolicy: + description: Resources resize policy for the container. + items: + description: ContainerResizePolicy represents + resource resize policy for the container. + properties: + resourceName: + description: 'Name of the resource to which + this resource resize policy applies. Supported + values: cpu, memory.' + type: string + restartPolicy: + description: Restart policy to apply when + specified resource is resized. If not + specified, it defaults to NotRequired. 
+ type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic + resources: + description: 'Compute Resources required by this + container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are + used by this container. \n This is an alpha + field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: ResourceClaim references one + entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available inside + a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum + amount of compute resources allowed. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum + amount of compute resources required. If + Requests is omitted for a container, it + defaults to Limits if that is explicitly + specified, otherwise to an implementation-defined + value. Requests cannot exceed Limits. 
More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + securityContext: + description: 'SecurityContext defines the security + options the container should be run with. If + set, the fields of SecurityContext override + the equivalent fields of PodSecurityContext. + More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls + whether a process can gain more privileges + than its parent process. This bool directly + controls if the no_new_privs flag will be + set on the container process. AllowPrivilegeEscalation + is true always when the container is: 1) + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop + when running containers. Defaults to the + default set of capabilities granted by the + container runtime. Note that this field + cannot be set when spec.os.name is windows. + properties: + add: + description: Added capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + drop: + description: Removed capabilities + items: + description: Capability represent POSIX + capabilities type + type: string + type: array + type: object + privileged: + description: Run container in privileged mode. + Processes in privileged containers are essentially + equivalent to root on the host. Defaults + to false. Note that this field cannot be + set when spec.os.name is windows. + type: boolean + procMount: + description: procMount denotes the type of + proc mount to use for the containers. The + default is DefaultProcMount which uses the + container runtime defaults for readonly + paths and masked paths. This requires the + ProcMountType feature flag to be enabled. 
+ Note that this field cannot be set when + spec.os.name is windows. + type: string + readOnlyRootFilesystem: + description: Whether this container has a + read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint + of the container process. Uses runtime default + if unset. May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container + must run as a non-root user. If true, the + Kubelet will validate the image at runtime + to ensure that it does not run as UID 0 + (root) and fail to start the container if + it does. If unset or false, no such validation + will be performed. May also be set in PodSecurityContext. + type: boolean + runAsUser: + description: The UID to run the entrypoint + of the container process. Defaults to user + specified in image metadata if unspecified. + May also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied + to the container. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in + PodSecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. + properties: + level: + description: Level is SELinux level label + that applies to the container. 
+ type: string + role: + description: Role is a SELinux role label + that applies to the container. + type: string + type: + description: Type is a SELinux type label + that applies to the container. + type: string + user: + description: User is a SELinux user label + that applies to the container. + type: string + type: object + seccompProfile: + description: The seccomp options to use by + this container. If seccomp options are provided + at both the pod & container level, the container + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. + properties: + localhostProfile: + description: localhostProfile indicates + a profile defined in a file on the node + should be used. The profile must be + preconfigured on the node to work. Must + be a descending path, relative to the + kubelet's configured seccomp profile + location. Must only be set if type is + "Localhost". + type: string + type: + description: "type indicates which kind + of seccomp profile will be applied. + Valid options are: \n Localhost - a + profile defined in a file on the node + should be used. RuntimeDefault - the + container runtime default profile should + be used. Unconfined - no profile should + be applied." + type: string + required: + - type + type: object + windowsOptions: + description: The Windows specific settings + applied to all containers. If unspecified, + the options from the PodSecurityContext + will be used. If set in both SecurityContext + and PodSecurityContext, the value specified + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where + the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName + field. 
+ type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is + the name of the GMSA credential spec + to use. + type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean + runAsUserName: + description: The UserName in Windows to + run the entrypoint of the container + process. Defaults to the user specified + in image metadata if unspecified. May + also be set in PodSecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext + takes precedence. + type: string + type: object + type: object + startupProbe: + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, + no other probes are executed until this completes + successfully. If this probe fails, the Pod will + be restarted, just as if the livenessProbe failed. + properties: + exec: + description: Exec specifies the action to + take. + properties: + command: + description: Command is the command line + to execute inside the container, the + working directory for the command is + root ('/') in the container's filesystem. + The command is simply exec'd, it is + not run inside a shell, so traditional + shell instructions ('|', etc) won't + work. To use a shell, you need to explicitly + call out to that shell. Exit status + of 0 is treated as live/healthy and + non-zero is unhealthy. + items: + type: string + type: array + type: object + failureThreshold: + description: Minimum consecutive failures + for the probe to be considered failed after + having succeeded. Defaults to 3. Minimum + value is 1. 
+ format: int32 + type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object + httpGet: + description: HTTPGet specifies the http request + to perform. + properties: + host: + description: Host name to connect to, + defaults to the pod IP. You probably + want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in + the request. HTTP allows repeated headers. + items: + description: HTTPHeader describes a + custom header to be used in HTTP probes + properties: + name: + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. + type: string + value: + description: The header field value + type: string + required: + - name + - value + type: object + type: array + path: + description: Path to access on the HTTP + server. + type: string + port: + anyOf: + - type: integer + - type: string + description: Name or number of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting + to the host. Defaults to HTTP. + type: string + required: + - port + type: object + initialDelaySeconds: + description: 'Number of seconds after the + container has started before liveness probes + are initiated. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + periodSeconds: + description: How often (in seconds) to perform + the probe. Default to 10 seconds. Minimum + value is 1. + format: int32 + type: integer + successThreshold: + description: Minimum consecutive successes + for the probe to be considered successful + after having failed. Defaults to 1. Must + be 1 for liveness and startup. Minimum value + is 1. + format: int32 + type: integer + tcpSocket: + description: TCPSocket specifies an action + involving a TCP port. + properties: + host: + description: 'Optional: Host name to connect + to, defaults to the pod IP.' + type: string + port: + anyOf: + - type: integer + - type: string + description: Number or name of the port + to access on the container. Number must + be in the range 1 to 65535. Name must + be an IANA_SVC_NAME. + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer + timeoutSeconds: + description: 'Number of seconds after which + the probe times out. Defaults to 1 second. + Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + format: int32 + type: integer + type: object + stdin: + description: Whether this container should allocate + a buffer for stdin in the container runtime. + If this is not set, reads from stdin in the + container will always result in EOF. Default + is false. 
+ type: boolean + stdinOnce: + description: Whether the container runtime should + close the stdin channel after it has been opened + by a single attach. When stdin is true the stdin + stream will remain open across multiple attach + sessions. + type: boolean + terminationMessagePath: + description: 'Optional: Path at which the file + to which the container''s termination message + will be written is mounted into the container''s + filesystem. Message written is intended to be + brief final status, such as an assertion failure + message. Will be truncated by the node if greater + than 4096 bytes. The total message length across + all containers will be limited to 12kb. Defaults + to /dev/termination-log.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message + should be populated. File will use the contents + of terminationMessagePath to populate the container + status message on both success and failure. + FallbackToLogsOnError will use the last chunk + of container log output if the termination message + file is empty and the container exited with + an error. + type: string + tty: + description: Whether this container should allocate + a TTY for itself, also requires 'stdin' to be + true. Default is false. + type: boolean + volumeDevices: + description: volumeDevices is the list of block + devices to be used by the container. + items: + description: volumeDevice describes a mapping + of a raw block device within a container. + properties: + devicePath: + description: devicePath is the path inside + of the container that the device will + be mapped to. + type: string + name: + description: name must match the name of + a persistentVolumeClaim in the pod + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + description: Pod volumes to mount into the container's + filesystem. Cannot be updated. 
+ items: + description: VolumeMount describes a mounting + of a Volume within a container. + properties: + mountPath: + description: Path within the container at + which the volume should be mounted. Must + not contain ':'. + type: string + mountPropagation: + description: mountPropagation determines + how mounts are propagated from the host + to container and the other way around. + When not set, MountPropagationNone is + used. This field is beta in 1.10. + type: string + name: + description: This must match the Name of + a Volume. + type: string + readOnly: + description: Mounted read-only if true, + read-write otherwise (false or unspecified). + Defaults to false. + type: boolean + subPath: + description: Path within the volume from + which the container's volume should be + mounted. Defaults to "" (volume's root). + type: string + subPathExpr: + description: Expanded path within the volume + from which the container's volume should + be mounted. Behaves similarly to SubPath + but environment variable references $(VAR_NAME) + are expanded using the container's environment. + Defaults to "" (volume's root). SubPathExpr + and SubPath are mutually exclusive. + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + description: Container's working directory. If + not specified, the container runtime's default + will be used, which might be configured in the + container image. Cannot be updated. + type: string + required: + - name + type: object + type: array + nodeName: + description: NodeName is a request to schedule this + pod onto a specific node. If it is non-empty, the + scheduler simply schedules this pod onto that node, + assuming that it fits resource requirements. + type: string + nodeSelector: + additionalProperties: + type: string + description: 'NodeSelector is a selector which must + be true for the pod to fit on a node. Selector which + must match a node''s labels for the pod to be scheduled + on that node. 
More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' + type: object + x-kubernetes-map-type: atomic + os: + description: "Specifies the OS of the containers in + the pod. Some pod and container fields are restricted + if this is set. \n If the OS field is set to linux, + the following fields must be unset: -securityContext.windowsOptions + \n If the OS field is set to windows, following fields + must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers + - spec.securityContext.seLinuxOptions - spec.securityContext." + properties: + name: + description: 'Name is the name of the operating + system. The currently supported values are linux + and windows. Additional value may be defined in + future and can be one of: https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration + Clients should expect to handle additional values + and treat unrecognized values in this field as + os: null' + type: string + required: + - name + type: object + overhead: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: Overhead represents the resource overhead + associated with running a pod for a given RuntimeClass. + This field will be autopopulated at admission time + by the RuntimeClass admission controller. If the RuntimeClass + admission controller is enabled, overhead must not + be set in Pod create requests. The RuntimeClass admission + controller will reject Pod create requests which have + the overhead already set. + type: object + preemptionPolicy: + description: PreemptionPolicy is the Policy for preempting + pods with lower priority. One of Never, PreemptLowerPriority. + Defaults to PreemptLowerPriority if unset. + type: string + priority: + description: The priority value. 
Various system components + use this field to find the priority of the pod. When + Priority Admission Controller is enabled, it prevents + users from setting this field. The admission controller + populates this field from PriorityClassName. The higher + the value, the higher the priority. + format: int32 + type: integer + priorityClassName: + description: If specified, indicates the pod's priority. + "system-node-critical" and "system-cluster-critical" + are two special keywords which indicate the highest + priorities with the former being the highest priority. + Any other name must be defined by creating a PriorityClass + object with that name. If not specified, the pod priority + will be default or zero if there is no default. + type: string + readinessGates: + description: 'If specified, all readiness gates will + be evaluated for pod readiness. A pod is ready when + all its containers are ready AND all conditions specified + in the readiness gates have status equal to "True" + More info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates' + items: + description: PodReadinessGate contains the reference + to a pod condition + properties: + conditionType: + description: ConditionType refers to a condition + in the pod's condition list with matching type. + type: string + required: + - conditionType + type: object + type: array + resourceClaims: + description: "ResourceClaims defines which ResourceClaims + must be allocated and reserved before the Pod is allowed + to start. The resources will be made available to + those containers which consume them by name. \n This + is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable." + items: + description: PodResourceClaim references exactly one + ResourceClaim through a ClaimSource. It adds a name + to it that uniquely identifies the ResourceClaim + inside the Pod. 
Containers that need access to the + ResourceClaim reference it with this name. + properties: + name: + description: Name uniquely identifies this resource + claim inside the pod. This must be a DNS_LABEL. + type: string + source: + description: Source describes where to find the + ResourceClaim. + properties: + resourceClaimName: + description: ResourceClaimName is the name + of a ResourceClaim object in the same namespace + as this pod. + type: string + resourceClaimTemplateName: + description: "ResourceClaimTemplateName is + the name of a ResourceClaimTemplate object + in the same namespace as this pod. \n The + template will be used to create a new ResourceClaim, + which will be bound to this pod. When this + pod is deleted, the ResourceClaim will also + be deleted. The name of the ResourceClaim + will be -, where + is the PodResourceClaim.Name." + type: string + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + restartPolicy: + description: 'Restart policy for all containers within + the pod. One of Always, OnFailure, Never. In some + contexts, only a subset of those values may be permitted. + Default to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy' + type: string + runtimeClassName: + description: 'RuntimeClassName refers to a RuntimeClass + object in the node.k8s.io group, which should be used + to run this pod. If no RuntimeClass resource matches + the named class, the pod will not be run. If unset + or empty, the "legacy" RuntimeClass will be used, + which is an implicit class with an empty definition + that uses the default runtime handler. More info: + https://git.k8s.' + type: string + schedulerName: + description: If specified, the pod will be dispatched + by specified scheduler. If not specified, the pod + will be dispatched by default scheduler. 
+ type: string + schedulingGates: + description: "SchedulingGates is an opaque list of values + that if specified will block scheduling the pod. If + schedulingGates is not empty, the pod will stay in + the SchedulingGated state and the scheduler will not + attempt to schedule the pod. \n SchedulingGates can + only be set at pod creation time, and be removed only + afterwards. \n This is a beta feature enabled by the + PodSchedulingReadiness feature gate." + items: + description: PodSchedulingGate is associated to a + Pod to guard its scheduling. + properties: + name: + description: Name of the scheduling gate. Each + scheduling gate must have a unique name field. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + securityContext: + description: 'SecurityContext holds pod-level security + attributes and common container settings. Optional: + Defaults to empty. See type description for default + values of each field.' + properties: + fsGroup: + description: "A special supplemental group that + applies to all containers in a pod. Some volume + types allow the Kubelet to change the ownership + of that volume to be owned by the pod: \n 1. The + owning GID will be the FSGroup 2. The setgid bit + is set (new files created in the volume will be + owned by FSGroup) 3." + format: int64 + type: integer + fsGroupChangePolicy: + description: 'fsGroupChangePolicy defines behavior + of changing ownership and permission of the volume + before being exposed inside Pod. This field will + only apply to volume types which support fsGroup + based ownership(and permissions). It will have + no effect on ephemeral volume types such as: secret, + configmaps and emptydir. Valid values are "OnRootMismatch" + and "Always". If not specified, "Always" is used.' + type: string + runAsGroup: + description: The GID to run the entrypoint of the + container process. Uses runtime default if unset. 
+ May also be set in SecurityContext. If set in + both SecurityContext and PodSecurityContext, the + value specified in SecurityContext takes precedence + for that container. Note that this field cannot + be set when spec.os.name is windows. + format: int64 + type: integer + runAsNonRoot: + description: Indicates that the container must run + as a non-root user. If true, the Kubelet will + validate the image at runtime to ensure that it + does not run as UID 0 (root) and fail to start + the container if it does. If unset or false, no + such validation will be performed. May also be + set in SecurityContext. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the + container process. Defaults to user specified + in image metadata if unspecified. May also be + set in SecurityContext. If set in both SecurityContext + and PodSecurityContext, the value specified in + SecurityContext takes precedence for that container. + Note that this field cannot be set when spec.os.name + is windows. + format: int64 + type: integer + seLinuxOptions: + description: The SELinux context to be applied to + all containers. If unspecified, the container + runtime will allocate a random SELinux context + for each container. May also be set in SecurityContext. If + set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence + for that container. Note that this field cannot + be set when spec.os.name is windows. + properties: + level: + description: Level is SELinux level label that + applies to the container. + type: string + role: + description: Role is a SELinux role label that + applies to the container. + type: string + type: + description: Type is a SELinux type label that + applies to the container. + type: string + user: + description: User is a SELinux user label that + applies to the container. 
+ type: string + type: object + seccompProfile: + description: The seccomp options to use by the containers + in this pod. Note that this field cannot be set + when spec.os.name is windows. + properties: + localhostProfile: + description: localhostProfile indicates a profile + defined in a file on the node should be used. + The profile must be preconfigured on the node + to work. Must be a descending path, relative + to the kubelet's configured seccomp profile + location. Must only be set if type is "Localhost". + type: string + type: + description: "type indicates which kind of seccomp + profile will be applied. Valid options are: + \n Localhost - a profile defined in a file + on the node should be used. RuntimeDefault + - the container runtime default profile should + be used. Unconfined - no profile should be + applied." + type: string + required: + - type + type: object + supplementalGroups: + description: A list of groups applied to the first + process run in each container, in addition to + the container's primary GID, the fsGroup (if specified), + and group memberships defined in the container + image for the uid of the container process. If + unspecified, no additional groups are added to + any container. + items: + format: int64 + type: integer + type: array + sysctls: + description: Sysctls hold a list of namespaced sysctls + used for the pod. Pods with unsupported sysctls + (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name + is windows. + items: + description: Sysctl defines a kernel parameter + to be set + properties: + name: + description: Name of a property to set + type: string + value: + description: Value of a property to set + type: string + required: + - name + - value + type: object + type: array + windowsOptions: + description: The Windows specific settings applied + to all containers. If unspecified, the options + within a container's SecurityContext will be used. 
+ If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is linux. + properties: + gmsaCredentialSpec: + description: GMSACredentialSpec is where the + GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) + inlines the contents of the GMSA credential + spec named by the GMSACredentialSpecName field. + type: string + gmsaCredentialSpecName: + description: GMSACredentialSpecName is the name + of the GMSA credential spec to use. + type: string + hostProcess: + description: HostProcess determines if a container + should be run as a 'Host Process' container. + This field is alpha-level and will only be + honored by components that enable the WindowsHostProcessContainers + feature flag. Setting this field without the + feature flag will result in errors when validating + the Pod. + type: boolean + runAsUserName: + description: The UserName in Windows to run + the entrypoint of the container process. Defaults + to the user specified in image metadata if + unspecified. May also be set in PodSecurityContext. + If set in both SecurityContext and PodSecurityContext, + the value specified in SecurityContext takes + precedence. + type: string + type: object + type: object + serviceAccount: + description: 'DeprecatedServiceAccount is a depreciated + alias for ServiceAccountName. Deprecated: Use serviceAccountName + instead.' + type: string + serviceAccountName: + description: 'ServiceAccountName is the name of the + ServiceAccount to use to run this pod. More info: + https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' + type: string + setHostnameAsFQDN: + description: If true the pod's hostname will be configured + as the pod's FQDN, rather than the leaf name (the + default). In Linux containers, this means setting + the FQDN in the hostname field of the kernel (the + nodename field of struct utsname). 
+ type: boolean + shareProcessNamespace: + description: 'Share a single process namespace between + all of the containers in a pod. When this is set containers + will be able to view and signal processes from other + containers in the same pod, and the first process + in each container will not be assigned PID 1. HostPID + and ShareProcessNamespace cannot both be set. Optional: + Default to false.' + type: boolean + subdomain: + description: If specified, the fully qualified Pod hostname + will be "...svc.". If not specified, the pod will not have + a domainname at all. + type: string + terminationGracePeriodSeconds: + description: Optional duration in seconds the pod needs + to terminate gracefully. May be decreased in delete + request. Value must be non-negative integer. The value + zero indicates stop immediately via the kill signal + (no opportunity to shut down). If this value is nil, + the default grace period will be used instead. + format: int64 + type: integer + tolerations: + description: If specified, the pod's tolerations. + items: + description: The pod this Toleration is attached to + tolerates any taint that matches the triple + using the matching operator . + properties: + effect: + description: Effect indicates the taint effect + to match. Empty means match all taint effects. + When specified, allowed values are NoSchedule, + PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration + applies to. Empty means match all taint keys. + If the key is empty, operator must be Exists; + this combination means to match all values and + all keys. + type: string + operator: + description: Operator represents a key's relationship + to the value. Valid operators are Exists and + Equal. Defaults to Equal. Exists is equivalent + to wildcard for value, so that a pod can tolerate + all taints of a particular category. 
+ type: string + tolerationSeconds: + description: TolerationSeconds represents the + period of time the toleration (which must be + of effect NoExecute, otherwise this field is + ignored) tolerates the taint. By default, it + is not set, which means tolerate the taint forever + (do not evict). Zero and negative values will + be treated as 0 (evict immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration + matches to. If the operator is Exists, the value + should be empty, otherwise just a regular string. + type: string + type: object + type: array + topologySpreadConstraints: + description: TopologySpreadConstraints describes how + a group of pods ought to spread across topology domains. + Scheduler will schedule pods in a way which abides + by the constraints. All topologySpreadConstraints + are ANDed. + items: + description: TopologySpreadConstraint specifies how + to spread matching pods among the given topology. + properties: + labelSelector: + description: LabelSelector is used to find matching + pods. Pods that match this label selector are + counted to determine the number of pods in their + corresponding topology domain. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: A label selector requirement + is a selector that contains values, a + key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. 
This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only + "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label + keys to select the pods over which spreading + will be calculated. The keys are used to lookup + values from the incoming pod labels, those key-value + labels are ANDed with labelSelector to select + the group of existing pods over which spreading + will be calculated for the incoming pod. The + same key is forbidden to exist in both MatchLabelKeys + and LabelSelector. + items: + type: string + type: array + x-kubernetes-list-type: atomic + maxSkew: + description: MaxSkew describes the degree to which + pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between + the number of matching pods in the target topology + and the global minimum. The global minimum is + the minimum number of matching pods in an eligible + domain or zero if the number of eligible domains + is less than MinDomains. + format: int32 + type: integer + minDomains: + description: MinDomains indicates a minimum number + of eligible domains. When the number of eligible + domains with matching topology keys is less + than minDomains, Pod Topology Spread treats + "global minimum" as 0, and then the calculation + of Skew is performed. And when the number of + eligible domains with matching topology keys + equals or greater than minDomains, this value + has no effect on scheduling. 
+ format: int32 + type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how + we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options + are: - Honor: only nodes matching nodeAffinity/nodeSelector + are included in the calculations. - Ignore: + nodeAffinity/nodeSelector are ignored. All nodes + are included in the calculations. \n If this + value is nil, the behavior is equivalent to + the Honor policy." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we + will treat node taints when calculating pod + topology spread skew. Options are: - Honor: + nodes without taints, along with tainted nodes + for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. + All nodes are included. \n If this value is + nil, the behavior is equivalent to the Ignore + policy." + type: string + topologyKey: + description: TopologyKey is the key of node labels. + Nodes that have a label with this key and identical + values are considered to be in the same topology. + We consider each as a "bucket", + and try to put balanced number of pods into + each bucket. We define a domain as a particular + instance of a topology. + type: string + whenUnsatisfiable: + description: WhenUnsatisfiable indicates how to + deal with a pod if it doesn't satisfy the spread + constraint. - DoNotSchedule (default) tells + the scheduler not to schedule it. - ScheduleAnyway + tells the scheduler to schedule the pod in any + location, but giving higher precedence to topologies + that would help reduce the skew. + type: string + required: + - maxSkew + - topologyKey + - whenUnsatisfiable + type: object + type: array + x-kubernetes-list-map-keys: + - topologyKey + - whenUnsatisfiable + x-kubernetes-list-type: map + volumes: + description: 'List of volumes that can be mounted by + containers belonging to the pod. 
More info: https://kubernetes.io/docs/concepts/storage/volumes' + items: + description: Volume represents a named volume in a + pod that may be accessed by any container in the + pod. + properties: + awsElasticBlockStore: + description: 'awsElasticBlockStore represents + an AWS Disk resource that is attached to a kubelet''s + host machine and then exposed to the pod. More + info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + properties: + fsType: + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + partition: + description: 'partition is the partition in + the volume that you want to mount. If omitted, + the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify + the partition as "1". Similarly, the volume + partition for /dev/sda is "0" (or you can + leave the property empty).' + format: int32 + type: integer + readOnly: + description: 'readOnly value true will force + the readOnly setting in VolumeMounts. More + info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + type: boolean + volumeID: + description: 'volumeID is unique ID of the + persistent disk resource in AWS (Amazon + EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + type: string + required: + - volumeID + type: object + azureDisk: + description: azureDisk represents an Azure Data + Disk mount on the host and bind mount to the + pod. + properties: + cachingMode: + description: 'cachingMode is the Host Caching + mode: None, Read Only, Read Write.' 
+ type: string + diskName: + description: diskName is the Name of the data + disk in the blob storage + type: string + diskURI: + description: diskURI is the URI of data disk + in the blob storage + type: string + fsType: + description: fsType is Filesystem type to + mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. + type: string + kind: + description: 'kind expected values are Shared: + multiple blob disks per storage account Dedicated: + single blob disk per storage account Managed: + azure managed data disk (only in managed + availability set). defaults to shared' + type: string + readOnly: + description: readOnly Defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + description: azureFile represents an Azure File + Service mount on the host and bind mount to + the pod. + properties: + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretName: + description: secretName is the name of secret + that contains Azure Storage Account Name + and Key + type: string + shareName: + description: shareName is the azure share + Name + type: string + required: + - secretName + - shareName + type: object + cephfs: + description: cephFS represents a Ceph FS mount + on the host that shares a pod's lifetime + properties: + monitors: + description: 'monitors is Required: Monitors + is a collection of Ceph monitors More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + items: + type: string + type: array + path: + description: 'path is Optional: Used as the + mounted root, rather than the full Ceph + tree, default is /' + type: string + readOnly: + description: 'readOnly is Optional: Defaults + to false (read/write). 
ReadOnly here will + force the ReadOnly setting in VolumeMounts. + More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: boolean + secretFile: + description: 'secretFile is Optional: SecretFile + is the path to key ring for User, default + is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: string + secretRef: + description: 'secretRef is Optional: SecretRef + is reference to the authentication secret + for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: 'user is optional: User is the + rados user name, default is admin More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + type: string + required: + - monitors + type: object + cinder: + description: 'cinder represents a cinder volume + attached and mounted on kubelets host machine. + More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + properties: + fsType: + description: 'fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://examples.k8s.io/mysql-cinder-pd/README.md' + type: string + readOnly: + description: 'readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + type: boolean + secretRef: + description: 'secretRef is optional: points + to a secret object containing parameters + used to connect to OpenStack.' + properties: + name: + description: 'Name of the referent. 
More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + description: 'volumeID used to identify the + volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + type: string + required: + - volumeID + type: object + configMap: + description: configMap represents a configMap + that should populate this volume + properties: + defaultMode: + description: 'defaultMode is optional: mode + bits used to set permissions on created + files by default. Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. + Directories within the path are not affected + by this setting.' + format: int32 + type: integer + items: + description: items if unspecified, each key-value + pair in the Data field of the referenced + ConfigMap will be projected into the volume + as a file whose name is the key and content + is the value. If specified, the listed keys + will be projected into the specified paths, + and unlisted keys will not be present. + items: + description: Maps a string key to a path + within a volume. + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode + bits used to set permissions on this + file. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal + and decimal values, JSON requires + decimal values for mode bits. If not + specified, the volume defaultMode + will be used.' + format: int32 + type: integer + path: + description: path is the relative path + of the file to map the key to. May + not be an absolute path. May not contain + the path element '..'. May not start + with the string '..'. 
+ type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. More info: + https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + optional: + description: optional specify whether the + ConfigMap or its keys must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + description: csi (Container Storage Interface) + represents ephemeral storage that is handled + by certain external CSI drivers (Beta feature). + properties: + driver: + description: driver is the name of the CSI + driver that handles this volume. Consult + with your admin for the correct name as + registered in the cluster. + type: string + fsType: + description: fsType to mount. Ex. "ext4", + "xfs", "ntfs". If not provided, the empty + value is passed to the associated CSI driver + which will determine the default filesystem + to apply. + type: string + nodePublishSecretRef: + description: nodePublishSecretRef is a reference + to the secret object containing sensitive + information to pass to the CSI driver to + complete the CSI NodePublishVolume and NodeUnpublishVolume + calls. This field is optional, and may + be empty if no secret is required. If the + secret object contains more than one secret, + all secret references are passed. + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + description: readOnly specifies a read-only + configuration for the volume. Defaults to + false (read/write). + type: boolean + volumeAttributes: + additionalProperties: + type: string + description: volumeAttributes stores driver-specific + properties that are passed to the CSI driver. 
+ Consult your driver's documentation for + supported values. + type: object + required: + - driver + type: object + downwardAPI: + description: downwardAPI represents downward API + about the pod that should populate this volume + properties: + defaultMode: + description: 'Optional: mode bits to use on + created files by default. Must be a Optional: + mode bits used to set permissions on created + files by default. Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. + Directories within the path are not affected + by this setting.' + format: int32 + type: integer + items: + description: Items is a list of downward API + volume file + items: + description: DownwardAPIVolumeFile represents + information to create the file containing + the pod field + properties: + fieldRef: + description: 'Required: Selects a field + of the pod: only annotations, labels, + name and namespace are supported.' + properties: + apiVersion: + description: Version of the schema + the FieldPath is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to + select in the specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: 'Optional: mode bits used + to set permissions on this file, must + be an octal value between 0000 and + 0777 or a decimal value between 0 + and 511. YAML accepts both octal and + decimal values, JSON requires decimal + values for mode bits. If not specified, + the volume defaultMode will be used.' + format: int32 + type: integer + path: + description: 'Required: Path is the + relative path name of the file to + be created. Must not be absolute or + contain the ''..'' path. Must be utf-8 + encoded. 
The first item of the relative + path must not start with ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource of + the container: only resources limits + and requests (limits.cpu, limits.memory, + requests.cpu and requests.memory) + are currently supported.' + properties: + containerName: + description: 'Container name: required + for volumes, optional for env + vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies the output + format of the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource + to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + emptyDir: + description: 'emptyDir represents a temporary + directory that shares a pod''s lifetime. More + info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + properties: + medium: + description: 'medium represents what type + of storage medium should back this directory. + The default is "" which means to use the + node''s default medium. Must be an empty + string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + description: 'sizeLimit is the total amount + of local storage required for this EmptyDir + volume. The size limit is also applicable + for memory medium. The maximum usage on + memory medium EmptyDir would be the minimum + value between the SizeLimit specified here + and the sum of memory limits of all containers + in a pod. The default is nil which means + that the limit is undefined. More info: + https://kubernetes.' 
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + description: ephemeral represents a volume that + is handled by a cluster storage driver. The + volume's lifecycle is tied to the pod that defines + it - it will be created before the pod starts, + and deleted when the pod is removed. + properties: + volumeClaimTemplate: + description: Will be used to create a stand-alone + PVC to provision the volume. The pod in + which this EphemeralVolumeSource is embedded + will be the owner of the PVC, i.e. the PVC + will be deleted together with the pod. The + name of the PVC will be `-` where `` is the name + from the `PodSpec.Volumes` array entry. + properties: + metadata: + description: May contain labels and annotations + that will be copied into the PVC when + creating it. No other fields are allowed + and will be rejected during validation. + properties: + annotations: + additionalProperties: + type: string + type: object + finalizers: + items: + type: string + type: array + labels: + additionalProperties: + type: string + type: object + name: + type: string + namespace: + type: string + type: object + spec: + description: The specification for the + PersistentVolumeClaim. The entire content + is copied unchanged into the PVC that + gets created from this template. The + same fields as in a PersistentVolumeClaim + are also valid here. + properties: + accessModes: + description: 'accessModes contains + the desired access modes the volume + should have. 
More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' + items: + type: string + type: array + dataSource: + description: 'dataSource field can + be used to specify either: * An + existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external + controller can support the specified + data source, it will create a new + volume based on the contents of + the specified data source.' + properties: + apiGroup: + description: APIGroup is the group + for the resource being referenced. + If APIGroup is not specified, + the specified Kind must be in + the core API group. For any + other third-party types, APIGroup + is required. + type: string + kind: + description: Kind is the type + of resource being referenced + type: string + name: + description: Name is the name + of resource being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: dataSourceRef specifies + the object from which to populate + the volume with data, if a non-empty + volume is desired. This may be any + object from a non-empty API group + (non core object) or a PersistentVolumeClaim + object. When this field is specified, + volume binding will only succeed + if the type of the specified object + matches some installed volume populator + or dynamic provisioner. + properties: + apiGroup: + description: APIGroup is the group + for the resource being referenced. + If APIGroup is not specified, + the specified Kind must be in + the core API group. For any + other third-party types, APIGroup + is required. 
+ type: string + kind: + description: Kind is the type + of resource being referenced + type: string + name: + description: Name is the name + of resource being referenced + type: string + namespace: + description: Namespace is the + namespace of resource being + referenced Note that when a + namespace is specified, a gateway.networking.k8s.io/ReferenceGrant + object is required in the referent + namespace to allow that namespace's + owner to accept the reference. + See the ReferenceGrant documentation + for details. (Alpha) This field + requires the CrossNamespaceVolumeDataSource + feature gate to be enabled. + type: string + required: + - kind + - name + type: object + resources: + description: 'resources represents + the minimum resources the volume + should have. If RecoverVolumeExpansionFailure + feature is enabled users are allowed + to specify resource requirements + that are lower than previous value + but must still be higher than capacity + recorded in the status field of + the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + properties: + claims: + description: "Claims lists the + names of resources, defined + in spec.resourceClaims, that + are used by this container. + \n This is an alpha field and + requires enabling the DynamicResourceAllocation + feature gate. \n This field + is immutable. It can only be + set for containers." + items: + description: ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match + the name of one entry + in pod.spec.resourceClaims + of the Pod where this + field is used. It makes + that resource available + inside a container. 
+ type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes + the maximum amount of compute + resources allowed. More info: + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes + the minimum amount of compute + resources required. If Requests + is omitted for a container, + it defaults to Limits if that + is explicitly specified, otherwise + to an implementation-defined + value. Requests cannot exceed + Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + selector: + description: selector is a label query + over volumes to consider for binding. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. 
If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + description: 'storageClassName is + the name of the StorageClass required + by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + type: string + volumeMode: + description: volumeMode defines what + type of volume is required by the + claim. Value of Filesystem is implied + when not included in claim spec. + type: string + volumeName: + description: volumeName is the binding + reference to the PersistentVolume + backing this claim. + type: string + type: object + required: + - spec + type: object + type: object + fc: + description: fc represents a Fibre Channel resource + that is attached to a kubelet's host machine + and then exposed to the pod. + properties: + fsType: + description: 'fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. TODO: how do we prevent + errors in the filesystem from compromising + the machine' + type: string + lun: + description: 'lun is Optional: FC target lun + number' + format: int32 + type: integer + readOnly: + description: 'readOnly is Optional: Defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts.' 
+ type: boolean + targetWWNs: + description: 'targetWWNs is Optional: FC target + worldwide names (WWNs)' + items: + type: string + type: array + wwids: + description: 'wwids Optional: FC volume world + wide identifiers (wwids) Either wwids or + combination of targetWWNs and lun must be + set, but not both simultaneously.' + items: + type: string + type: array + type: object + flexVolume: + description: flexVolume represents a generic volume + resource that is provisioned/attached using + an exec based plugin. + properties: + driver: + description: driver is the name of the driver + to use for this volume. + type: string + fsType: + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". The default filesystem depends + on FlexVolume script. + type: string + options: + additionalProperties: + type: string + description: 'options is Optional: this field + holds extra command options if any.' + type: object + readOnly: + description: 'readOnly is Optional: defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts.' + type: boolean + secretRef: + description: 'secretRef is Optional: secretRef + is reference to the secret object containing + sensitive information to pass to the plugin + scripts. This may be empty if no secret + object is specified. If the secret object + contains more than one secret, all secrets + are passed to the plugin scripts.' + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + description: flocker represents a Flocker volume + attached to a kubelet's host machine. 
This depends + on the Flocker control service being running + properties: + datasetName: + description: datasetName is Name of the dataset + stored as metadata -> name on the dataset + for Flocker should be considered as deprecated + type: string + datasetUUID: + description: datasetUUID is the UUID of the + dataset. This is unique identifier of a + Flocker dataset + type: string + type: object + gcePersistentDisk: + description: 'gcePersistentDisk represents a GCE + Disk resource that is attached to a kubelet''s + host machine and then exposed to the pod. More + info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + properties: + fsType: + description: 'fsType is filesystem type of + the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + partition: + description: 'partition is the partition in + the volume that you want to mount. If omitted, + the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify + the partition as "1". Similarly, the volume + partition for /dev/sda is "0" (or you can + leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + format: int32 + type: integer + pdName: + description: 'pdName is unique name of the + PD resource in GCE. Used to identify the + disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + type: string + readOnly: + description: 'readOnly here will force the + ReadOnly setting in VolumeMounts. Defaults + to false. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + type: boolean + required: + - pdName + type: object + gitRepo: + description: 'gitRepo represents a git repository + at a particular revision. DEPRECATED: GitRepo + is deprecated. To provision a container with + a git repo, mount an EmptyDir into an InitContainer + that clones the repo using git, then mount the + EmptyDir into the Pod''s container.' + properties: + directory: + description: directory is the target directory + name. Must not contain or start with '..'. If + '.' is supplied, the volume directory will + be the git repository. Otherwise, if specified, + the volume will contain the git repository + in the subdirectory with the given name. + type: string + repository: + description: repository is the URL + type: string + revision: + description: revision is the commit hash for + the specified revision. + type: string + required: + - repository + type: object + glusterfs: + description: 'glusterfs represents a Glusterfs + mount on the host that shares a pod''s lifetime. + More info: https://examples.k8s.io/volumes/glusterfs/README.md' + properties: + endpoints: + description: 'endpoints is the endpoint name + that details Glusterfs topology. More info: + https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: string + path: + description: 'path is the Glusterfs volume + path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: string + readOnly: + description: 'readOnly here will force the + Glusterfs volume to be mounted with read-only + permissions. Defaults to false. More info: + https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + type: boolean + required: + - endpoints + - path + type: object + hostPath: + description: 'hostPath represents a pre-existing + file or directory on the host machine that is + directly exposed to the container. 
This is generally + used for system agents or other privileged things + that are allowed to see the host machine. Most + containers will NOT need this. More info: https://kubernetes.' + properties: + path: + description: 'path of the directory on the + host. If the path is a symlink, it will + follow the link to the real path. More info: + https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + type: string + type: + description: 'type for HostPath Volume Defaults + to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' + type: string + required: + - path + type: object + iscsi: + description: 'iscsi represents an ISCSI Disk resource + that is attached to a kubelet''s host machine + and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' + properties: + chapAuthDiscovery: + description: chapAuthDiscovery defines whether + support iSCSI Discovery CHAP authentication + type: boolean + chapAuthSession: + description: chapAuthSession defines whether + support iSCSI Session CHAP authentication + type: boolean + fsType: + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#iscsi + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + initiatorName: + description: initiatorName is the custom iSCSI + Initiator Name. If initiatorName is specified + with iscsiInterface simultaneously, new + iSCSI interface : will be created for the connection. + type: string + iqn: + description: iqn is the target iSCSI Qualified + Name. + type: string + iscsiInterface: + description: iscsiInterface is the interface + Name that uses an iSCSI transport. Defaults + to 'default' (tcp). 
+ type: string + lun: + description: lun represents iSCSI Target Lun + number. + format: int32 + type: integer + portals: + description: portals is the iSCSI Target Portal + List. The portal is either an IP or ip_addr:port + if the port is other than default (typically + TCP ports 860 and 3260). + items: + type: string + type: array + readOnly: + description: readOnly here will force the + ReadOnly setting in VolumeMounts. Defaults + to false. + type: boolean + secretRef: + description: secretRef is the CHAP Secret + for iSCSI target and initiator authentication + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + targetPortal: + description: targetPortal is iSCSI Target + Portal. The Portal is either an IP or ip_addr:port + if the port is other than default (typically + TCP ports 860 and 3260). + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + description: 'name of the volume. Must be a DNS_LABEL + and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + nfs: + description: 'nfs represents an NFS mount on the + host that shares a pod''s lifetime More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs' + properties: + path: + description: 'path that is exported by the + NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: string + readOnly: + description: 'readOnly here will force the + NFS export to be mounted with read-only + permissions. Defaults to false. More info: + https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: boolean + server: + description: 'server is the hostname or IP + address of the NFS server. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + description: 'persistentVolumeClaimVolumeSource + represents a reference to a PersistentVolumeClaim + in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + properties: + claimName: + description: 'claimName is the name of a PersistentVolumeClaim + in the same namespace as the pod using this + volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' + type: string + readOnly: + description: readOnly Will force the ReadOnly + setting in VolumeMounts. Default false. + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + description: photonPersistentDisk represents a + PhotonController persistent disk attached and + mounted on kubelets host machine + properties: + fsType: + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. + type: string + pdID: + description: pdID is the ID that identifies + Photon Controller persistent disk + type: string + required: + - pdID + type: object + portworxVolume: + description: portworxVolume represents a portworx + volume attached and mounted on kubelets host + machine + properties: + fsType: + description: fSType represents the filesystem + type to mount Must be a filesystem type + supported by the host operating system. + Ex. "ext4", "xfs". Implicitly inferred to + be "ext4" if unspecified. + type: string + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. 
+ type: boolean + volumeID: + description: volumeID uniquely identifies + a Portworx volume + type: string + required: + - volumeID + type: object + projected: + description: projected items for all in one resources + secrets, configmaps, and downward API + properties: + defaultMode: + description: defaultMode are the mode bits + used to set permissions on created files + by default. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. Directories within the path are + not affected by this setting. + format: int32 + type: integer + sources: + description: sources is the list of volume + projections + items: + description: Projection that may be projected + along with other supported volume types + properties: + configMap: + description: configMap information about + the configMap data to project + properties: + items: + description: items if unspecified, + each key-value pair in the Data + field of the referenced ConfigMap + will be projected into the volume + as a file whose name is the key + and content is the value. If specified, + the listed keys will be projected + into the specified paths, and + unlisted keys will not be present. + items: + description: Maps a string key + to a path within a volume. + properties: + key: + description: key is the key + to project. + type: string + mode: + description: 'mode is Optional: + mode bits used to set permissions + on this file. Must be an + octal value between 0000 + and 0777 or a decimal value + between 0 and 511. YAML + accepts both octal and decimal + values, JSON requires decimal + values for mode bits. If + not specified, the volume + defaultMode will be used.' + format: int32 + type: integer + path: + description: path is the relative + path of the file to map + the key to. May not be an + absolute path. May not contain + the path element '..'. May + not start with the string + '..'. 
+ type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: optional specify whether + the ConfigMap or its keys must + be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information + about the downwardAPI data to project + properties: + items: + description: Items is a list of + DownwardAPIVolume file + items: + description: DownwardAPIVolumeFile + represents information to create + the file containing the pod + field + properties: + fieldRef: + description: 'Required: Selects + a field of the pod: only + annotations, labels, name + and namespace are supported.' + properties: + apiVersion: + description: Version of + the schema the FieldPath + is written in terms + of, defaults to "v1". + type: string + fieldPath: + description: Path of the + field to select in the + specified API version. + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + description: 'Optional: mode + bits used to set permissions + on this file, must be an + octal value between 0000 + and 0777 or a decimal value + between 0 and 511. YAML + accepts both octal and decimal + values, JSON requires decimal + values for mode bits. If + not specified, the volume + defaultMode will be used.' + format: int32 + type: integer + path: + description: 'Required: Path + is the relative path name + of the file to be created. + Must not be absolute or + contain the ''..'' path. + Must be utf-8 encoded. 
The + first item of the relative + path must not start with + ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource + of the container: only resources + limits and requests (limits.cpu, + limits.memory, requests.cpu + and requests.memory) are + currently supported.' + properties: + containerName: + description: 'Container + name: required for volumes, + optional for env vars' + type: string + divisor: + anyOf: + - type: integer + - type: string + description: Specifies + the output format of + the exposed resources, + defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + description: 'Required: + resource to select' + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + secret: + description: secret information about + the secret data to project + properties: + items: + description: items if unspecified, + each key-value pair in the Data + field of the referenced Secret + will be projected into the volume + as a file whose name is the key + and content is the value. If specified, + the listed keys will be projected + into the specified paths, and + unlisted keys will not be present. + items: + description: Maps a string key + to a path within a volume. + properties: + key: + description: key is the key + to project. + type: string + mode: + description: 'mode is Optional: + mode bits used to set permissions + on this file. Must be an + octal value between 0000 + and 0777 or a decimal value + between 0 and 511. YAML + accepts both octal and decimal + values, JSON requires decimal + values for mode bits. If + not specified, the volume + defaultMode will be used.' + format: int32 + type: integer + path: + description: path is the relative + path of the file to map + the key to. May not be an + absolute path. 
May not contain + the path element '..'. May + not start with the string + '..'. + type: string + required: + - key + - path + type: object + type: array + name: + description: 'Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. + apiVersion, kind, uid?' + type: string + optional: + description: optional field specify + whether the Secret or its key + must be defined + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is + information about the serviceAccountToken + data to project + properties: + audience: + description: audience is the intended + audience of the token. A recipient + of a token must identify itself + with an identifier specified in + the audience of the token, and + otherwise should reject the token. + The audience defaults to the identifier + of the apiserver. + type: string + expirationSeconds: + description: expirationSeconds is + the requested duration of validity + of the service account token. + As the token approaches expiration, + the kubelet volume plugin will + proactively rotate the service + account token. The kubelet will + start trying to rotate the token + if the token is older than 80 + percent of its time to live or + if the token is older than 24 + hours.Defaults to 1 hour and must + be at least 10 minutes. + format: int64 + type: integer + path: + description: path is the path relative + to the mount point of the file + to project the token into. + type: string + required: + - path + type: object + type: object + type: array + type: object + quobyte: + description: quobyte represents a Quobyte mount + on the host that shares a pod's lifetime + properties: + group: + description: group to map volume access to + Default is no group + type: string + readOnly: + description: readOnly here will force the + Quobyte volume to be mounted with read-only + permissions. 
Defaults to false. + type: boolean + registry: + description: registry represents a single + or multiple Quobyte Registry services specified + as a string as host:port pair (multiple + entries are separated with commas) which + acts as the central registry for volumes + type: string + tenant: + description: tenant owning the given Quobyte + volume in the Backend Used with dynamically + provisioned Quobyte volumes, value is set + by the plugin + type: string + user: + description: user to map volume access to + Defaults to serivceaccount user + type: string + volume: + description: volume is a string that references + an already created Quobyte volume by name. + type: string + required: + - registry + - volume + type: object + rbd: + description: 'rbd represents a Rados Block Device + mount on the host that shares a pod''s lifetime. + More info: https://examples.k8s.io/volumes/rbd/README.md' + properties: + fsType: + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#rbd + TODO: how do we prevent errors in the filesystem + from compromising the machine' + type: string + image: + description: 'image is the rados image name. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + keyring: + description: 'keyring is the path to key ring + for RBDUser. Default is /etc/ceph/keyring. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + monitors: + description: 'monitors is a collection of + Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + items: + type: string + type: array + pool: + description: 'pool is the rados pool name. + Default is rbd. 
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + readOnly: + description: 'readOnly here will force the + ReadOnly setting in VolumeMounts. Defaults + to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: boolean + secretRef: + description: 'secretRef is name of the authentication + secret for RBDUser. If provided overrides + keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + user: + description: 'user is the rados user name. + Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + type: string + required: + - image + - monitors + type: object + scaleIO: + description: scaleIO represents a ScaleIO persistent + volume attached and mounted on Kubernetes nodes. + properties: + fsType: + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Default is "xfs". + type: string + gateway: + description: gateway is the host address of + the ScaleIO API Gateway. + type: string + protectionDomain: + description: protectionDomain is the name + of the ScaleIO Protection Domain for the + configured storage. + type: string + readOnly: + description: readOnly Defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretRef: + description: secretRef references to the secret + for ScaleIO user and other sensitive information. + If this is not provided, Login operation + will fail. + properties: + name: + description: 'Name of the referent. 
More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + description: sslEnabled Flag enable/disable + SSL communication with Gateway, default + false + type: boolean + storageMode: + description: storageMode indicates whether + the storage for a volume should be ThickProvisioned + or ThinProvisioned. Default is ThinProvisioned. + type: string + storagePool: + description: storagePool is the ScaleIO Storage + Pool associated with the protection domain. + type: string + system: + description: system is the name of the storage + system as configured in ScaleIO. + type: string + volumeName: + description: volumeName is the name of a volume + already created in the ScaleIO system that + is associated with this volume source. + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + description: 'secret represents a secret that + should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + properties: + defaultMode: + description: 'defaultMode is Optional: mode + bits used to set permissions on created + files by default. Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. + Directories within the path are not affected + by this setting.' + format: int32 + type: integer + items: + description: items If unspecified, each key-value + pair in the Data field of the referenced + Secret will be projected into the volume + as a file whose name is the key and content + is the value. If specified, the listed keys + will be projected into the specified paths, + and unlisted keys will not be present. + items: + description: Maps a string key to a path + within a volume. 
+ properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode + bits used to set permissions on this + file. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal + and decimal values, JSON requires + decimal values for mode bits. If not + specified, the volume defaultMode + will be used.' + format: int32 + type: integer + path: + description: path is the relative path + of the file to map the key to. May + not be an absolute path. May not contain + the path element '..'. May not start + with the string '..'. + type: string + required: + - key + - path + type: object + type: array + optional: + description: optional field specify whether + the Secret or its keys must be defined + type: boolean + secretName: + description: 'secretName is the name of the + secret in the pod''s namespace to use. More + info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + type: string + type: object + storageos: + description: storageOS represents a StorageOS + volume attached and mounted on Kubernetes nodes. + properties: + fsType: + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. + type: string + readOnly: + description: readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. + type: boolean + secretRef: + description: secretRef specifies the secret + to use for obtaining the StorageOS API credentials. If + not specified, default values will be attempted. + properties: + name: + description: 'Name of the referent. More + info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, + kind, uid?' 
+ type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + description: volumeName is the human-readable + name of the StorageOS volume. Volume names + are only unique within a namespace. + type: string + volumeNamespace: + description: volumeNamespace specifies the + scope of the volume within StorageOS. If + no namespace is specified then the Pod's + namespace will be used. This allows the + Kubernetes name scoping to be mirrored within + StorageOS for tighter integration. Set VolumeName + to any name to override the default behaviour. + Set to "default" if you are not using namespaces + within StorageOS. + type: string + type: object + vsphereVolume: + description: vsphereVolume represents a vSphere + volume attached and mounted on kubelets host + machine + properties: + fsType: + description: fsType is filesystem type to + mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. + type: string + storagePolicyID: + description: storagePolicyID is the storage + Policy Based Management (SPBM) profile ID + associated with the StoragePolicyName. + type: string + storagePolicyName: + description: storagePolicyName is the storage + Policy Based Management (SPBM) profile name. + type: string + volumePath: + description: volumePath is the path that identifies + vSphere volume vmdk + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + required: + - containers + type: object + type: object + type: object + description: 'A map of PaddleReplicaType (type) to ReplicaSpec (value). + Specifies the Paddle cluster configuration. For example, { "Master": + PaddleReplicaSpec, "Worker": PaddleReplicaSpec, }' + type: object + runPolicy: + description: RunPolicy encapsulates various runtime policies of the + distributed training job, for example how to clean up resources + and how long the job can stay active. 
+ properties: + activeDeadlineSeconds: + description: Specifies the duration in seconds relative to the + startTime that the job may be active before the system tries + to terminate it; value must be positive integer. + format: int64 + type: integer + backoffLimit: + description: Optional number of retries before marking this job + failed. + format: int32 + type: integer + cleanPodPolicy: + description: CleanPodPolicy defines the policy to kill pods after + the job completes. Default to None. + type: string + schedulingPolicy: + description: SchedulingPolicy defines the policy related to scheduling, + e.g. gang-scheduling + properties: + minAvailable: + format: int32 + type: integer + minResources: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + priorityClass: + type: string + queue: + type: string + scheduleTimeoutSeconds: + format: int32 + type: integer + type: object + suspend: + default: false + description: suspend specifies whether the Job controller should + create Pods or not. If a Job is created with suspend set to + true, no Pods are created by the Job controller. If a Job is + suspended after creation (i.e. the flag goes from false to true), + the Job controller will delete all active Pods and PodGroups + associated with this Job. Users must design their workload to + gracefully handle this. + type: boolean + ttlSecondsAfterFinished: + description: TTLSecondsAfterFinished is the TTL to clean up jobs. + It may take extra ReconcilePeriod seconds for the cleanup, since + reconcile gets called periodically. Default to infinite. + format: int32 + type: integer + type: object + required: + - paddleReplicaSpecs + type: object + status: + description: Most recently observed status of the PaddleJob. Read-only + (modified by the system). 
+ properties: + completionTime: + description: Represents time when the job was completed. It is not + guaranteed to be set in happens-before order across separate operations. + It is represented in RFC3339 form and is in UTC. + format: date-time + type: string + conditions: + description: Conditions is an array of current observed job conditions. + items: + description: JobCondition describes the state of the job at a certain + point. + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + lastUpdateTime: + description: The last time this condition was updated. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of job condition. + type: string + required: + - status + - type + type: object + type: array + lastReconcileTime: + description: Represents last time when the job was reconciled. It + is not guaranteed to be set in happens-before order across separate + operations. It is represented in RFC3339 form and is in UTC. + format: date-time + type: string + replicaStatuses: + additionalProperties: + description: ReplicaStatus represents the current observed state + of the replica. + properties: + active: + description: The number of actively running pods. + format: int32 + type: integer + failed: + description: The number of pods which reached phase Failed. + format: int32 + type: integer + labelSelector: + description: 'Deprecated: Use Selector instead' + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. 
+ items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. This + array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + selector: + description: A Selector is a label query over a set of resources. + The result of matchLabels and matchExpressions are ANDed. + An empty Selector matches all objects. A null Selector matches + no objects. + type: string + succeeded: + description: The number of pods which reached phase Succeeded. + format: int32 + type: integer + type: object + description: ReplicaStatuses is map of ReplicaType and ReplicaStatus, + specifies the status of each replica. + type: object + startTime: + description: Represents time when the job was acknowledged by the + job controller. It is not guaranteed to be set in happens-before + order across separate operations. It is represented in RFC3339 form + and is in UTC. 
+ format: date-time + type: string + type: object + type: object + served: true + storage: true + subresources: + scale: + labelSelectorPath: .status.replicaStatuses.Worker.selector + specReplicasPath: .spec.paddleReplicaSpecs.Worker.replicas + statusReplicasPath: .status.replicaStatuses.Worker.active + status: {} diff --git a/kubeflow/helm/training-operator/crds/kubeflow.org_pytorchjobs.yaml b/kubeflow/helm/training-operator/crds/kubeflow.org_pytorchjobs.yaml index daedf9b93..455d59af9 100644 --- a/kubeflow/helm/training-operator/crds/kubeflow.org_pytorchjobs.yaml +++ b/kubeflow/helm/training-operator/crds/kubeflow.org_pytorchjobs.yaml @@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.0 name: pytorchjobs.kubeflow.org spec: group: kubeflow.org 
@@ -61,14 +59,70 @@ spec: count is calculated with multiplying the ratio between the target value and the current value by the current number of pods. Ergo, metrics used must decrease as the pod count is increased, and - vice-versa. See the individual metric source types for more - information about how each type of metric must respond. If not - set, the HPA will not be created. + vice-versa. items: description: MetricSpec specifies how to scale based on a single metric (only `type` and one other matching field should be set at once). properties: + containerResource: + description: containerResource refers to a resource metric + (such as those specified in requests and limits) known + to Kubernetes describing a single container in each pod + of the current scale target (e.g. CPU or memory). Such + metrics are built in to Kubernetes, and have special scaling + options on top of those available to normal per-pod metrics + using the "pods" source. + properties: + container: + description: container is the name of the container + in the pods of the scaling target + type: string + name: + description: name is the name of the resource in question. + type: string + target: + description: target specifies the target value for the + given metric + properties: + averageUtilization: + description: averageUtilization is the target value + of the average of the resource metric across all + relevant pods, represented as a percentage of + the requested value of the resource for the pods. 
+ Currently only valid for Resource metric source + type + format: int32 + type: integer + averageValue: + anyOf: + - type: integer + - type: string + description: averageValue is the target value of + the average of the metric across all relevant + pods (as a quantity) + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: + description: type represents whether the metric + type is Utilization, Value, or AverageValue + type: string + value: + anyOf: + - type: integer + - type: string + description: value is the target value of the metric + (as a quantity). + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + required: + - type + type: object + required: + - container + - name + - target + type: object external: description: external refers to a global metric that is not associated with any Kubernetes object. It allows autoscaling @@ -138,6 +192,7 @@ spec: The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic required: - name type: object 
@@ -188,17 +243,20 @@ spec: Ingress object). properties: describedObject: - description: CrossVersionObjectReference contains enough - information to let you identify the referred resource. + description: describedObject specifies the descriptions + of a object,such as kind,name apiVersion properties: apiVersion: - description: API version of the referent + description: apiVersion is the API version of the + referent type: string kind: - description: 'Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"' + description: 'kind is the kind of the referent; + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: - description: 'Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names' + description: 'name is the name of the referent; + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string required: - kind @@ -266,6 +324,7 @@ spec: The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic required: - name type: object @@ -379,6 +438,7 @@ spec: The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic required: - name type: object @@ -476,9 +536,11 @@ spec: - target type: object type: - description: type is the type of metric source. It should - be one of "Object", "Pods" or "Resource", each mapping - to a matching field in the object. + description: 'type is the type of metric source. It should + be one of "ContainerResource", "External", "Object", "Pods" + or "Resource", each mapping to a matching field in the + object. Note: "ContainerResource" type is available on + when the feature-gate HPAContainerMetrics is enabled' type: string required: - type 
@@ -492,7 +554,8 @@ spec: type: integer nProcPerNode: description: 'Number of workers per node; supported values: [auto, - cpu, gpu, int].' + cpu, gpu, int]. Deprecated: This API is deprecated in v1.7+ + Use .spec.nprocPerNode instead.' format: int32 type: integer rdzvBackend: @@ -523,6 +586,11 @@ spec: set values are ignored. type: boolean type: object + nprocPerNode: + description: 'Number of workers per node; supported values: [auto, + cpu, gpu, int]. For more, https://github.com/pytorch/pytorch/blob/26f7f470df64d90e092081e39507e4ac751f55d6/torch/distributed/run.py#L629-L658. + Defaults to auto.' + type: string pytorchReplicaSpecs: additionalProperties: description: ReplicaSpec is a description of the replica @@ -589,12 +657,7 @@ spec: with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum - by iterating through the elements of this - field and adding "weight" to the sum if the - node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most - preferred. + affinity expressions, etc. items: description: An empty preferred scheduling term matches all objects with implicit weight @@ -689,6 +752,7 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic weight: description: Weight associated with matching the corresponding nodeSelectorTerm, @@ -802,10 +866,12 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic type: array required: - nodeSelectorTerms type: object + x-kubernetes-map-type: atomic type: object podAffinity: description: Describes pod affinity scheduling rules 
@@ -821,12 +887,7 @@ spec: with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum - by iterating through the elements of this - field and adding "weight" to the sum if the - node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest - sum are the most preferred. + affinity expressions, etc. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added 
@@ -898,12 +959,87 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the + set of namespaces that the term + applies to. The term is applied + to the union of the namespaces selected + by this field and the ones listed + in the namespaces field. null selector + and null or empty namespaces list + means "this pod's namespace". An + empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); null - or empty list means "this pod's - namespace" + a static list of namespace names + that the term applies to. The term + is applied to the union of the namespaces + listed in this field and the ones + selected by namespaceSelector. null + or empty namespaces list and null + namespaceSelector means "this pod's + namespace". items: type: string type: array @@ -941,10 +1077,7 @@ spec: this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually - evict the pod from its node. When there are - multiple elements, the lists of nodes corresponding - to each podAffinityTerm are intersected, i.e. - all terms must be satisfied. + evict the pod from its node. items: description: Defines a set of pods (namely those matching the labelSelector relative 
@@ -1013,11 +1146,80 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this field + and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies which - namespaces the labelSelector applies - to (matches against); null or empty - list means "this pod's namespace" + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". items: type: string type: array @@ -1049,15 +1251,7 @@ spec: may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum - of weights, i.e. for each node that meets - all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity - expressions, etc.), compute a sum by iterating - through the elements of this field and adding - "weight" to the sum if the node has pods which - matches the corresponding podAffinityTerm; - the node(s) with the highest sum are the most - preferred. + of weights, i.e. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added 
@@ -1129,12 +1323,87 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the + set of namespaces that the term + applies to. The term is applied + to the union of the namespaces selected + by this field and the ones listed + in the namespaces field. null selector + and null or empty namespaces list + means "this pod's namespace". An + empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); null - or empty list means "this pod's - namespace" + a static list of namespace names + that the term applies to. The term + is applied to the union of the namespaces + listed in this field and the ones + selected by namespaceSelector. null + or empty namespaces list and null + namespaceSelector means "this pod's + namespace". items: type: string type: array @@ -1172,10 +1441,7 @@ spec: by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to - eventually evict the pod from its node. When - there are multiple elements, the lists of - nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + eventually evict the pod from its node. items: description: Defines a set of pods (namely those matching the labelSelector relative 
@@ -1244,11 +1510,80 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this field + and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies which - namespaces the labelSelector applies - to (matches against); null or empty - list means "this pod's namespace" + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". items: type: string type: array 
@@ -1285,30 +1620,25 @@ spec: properties: args: description: 'Arguments to the entrypoint. The - docker image''s CMD is used if this is not provided. - Variable references $(VAR_NAME) are expanded - using the container''s environment. If a variable - cannot be resolved, the reference in the input - string will be unchanged. The $(VAR_NAME) syntax - can be escaped with a double $$, ie: $$(VAR_NAME). - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + container image''s CMD is used if this is not + provided. Variable references $(VAR_NAME) are + expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array command: description: 'Entrypoint array. Not executed within - a shell. The docker image''s ENTRYPOINT is used - if this is not provided. Variable references + a shell. The container image''s ENTRYPOINT is + used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. - The $(VAR_NAME) syntax can be escaped with a - double $$, ie: $$(VAR_NAME). Escaped references - will never be expanded, regardless of whether - the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array 
@@ -1325,16 +1655,15 @@ spec: type: string value: description: 'Variable references $(VAR_NAME) - are expanded using the previous defined + are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be - unchanged. The $(VAR_NAME) syntax can - be escaped with a double $$, ie: $$(VAR_NAME). - Escaped references will never be expanded, - regardless of whether the variable exists - or not. Defaults to "".' + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' type: string valueFrom: description: Source for the environment @@ -1360,6 +1689,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, @@ -1379,6 +1709,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: 'Selects a resource of the container: only resources limits @@ -1408,6 +1739,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -1430,6 +1762,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name @@ -1463,6 +1796,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be 
@@ -1482,10 +1816,12 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic type: object type: array image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images + description: 'Container image name. More info: + https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments @@ -1511,9 +1847,8 @@ spec: More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: One and only one of the following - should be specified. Exec specifies - the action to take. + description: Exec specifies the action + to take. properties: command: description: Command is the command @@ -1552,7 +1887,10 @@ spec: properties: name: description: The header field - name + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. type: string value: description: The header field @@ -1584,10 +1922,12 @@ spec: - port type: object tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not - yet supported TODO: implement a realistic - TCP lifecycle hook' + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. properties: host: description: 'Optional: Host name 
@@ -1608,27 +1948,18 @@ spec: type: object type: object preStop: - description: 'PreStop is called immediately + description: PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. - The reason for termination is passed to - the handler. The Pod''s termination grace - period countdown begins before the PreStop - hooked is executed. Regardless of the outcome - of the handler, the container will eventually - terminate within the Pod''s termination - grace period. Other management of the container - blocks until the hook completes or until - the termination grace period is reached. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + The Pod's termination grace period countdown + begins before the PreStop hook is executed. properties: exec: - description: One and only one of the following - should be specified. Exec specifies - the action to take. + description: Exec specifies the action + to take. properties: command: description: Command is the command @@ -1667,7 +1998,10 @@ spec: properties: name: description: The header field - name + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. type: string value: description: The header field @@ -1699,10 +2033,12 @@ spec: - port type: object tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not - yet supported TODO: implement a realistic - TCP lifecycle hook' + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. properties: host: description: 'Optional: Host name 
@@ -1729,9 +2065,8 @@ spec: Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -1756,6 +2091,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. @@ -1773,7 +2127,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -1824,10 +2182,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect 
@@ -1845,6 +2201,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. @@ -1859,14 +2227,13 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the system - additional information about the network connections - a container uses, but is primarily informational. - Not specifying a port here DOES NOT prevent - that port from being exposed. Any port which - is listening on the default "0.0.0.0" address - inside a container will be accessible from the - network. Cannot be updated. + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. items: description: ContainerPort represents a network port in a single container. @@ -1916,9 +2283,8 @@ spec: More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line 
@@ -1943,6 +2309,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. @@ -1960,7 +2345,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -2011,10 +2400,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect @@ -2032,6 +2419,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. 
@@ -2039,10 +2438,57 @@ spec: format: int32 type: integer type: object + resizePolicy: + description: Resources resize policy for the container. + items: + description: ContainerResizePolicy represents + resource resize policy for the container. + properties: + resourceName: + description: 'Name of the resource to which + this resource resize policy applies. Supported + values: cpu, memory.' + type: string + restartPolicy: + description: Restart policy to apply when + specified resource is resized. If not + specified, it defaults to NotRequired. + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: description: 'Compute Resources required by this - container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are + used by this container. \n This is an alpha + field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: ResourceClaim references one + entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available inside + a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -2052,7 +2498,7 @@ spec: x-kubernetes-int-or-string: true description: 'Limits describes the maximum amount of compute resources allowed. More - info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: @@ -2066,12 +2512,15 @@ spec: Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + value. Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object securityContext: - description: 'Security options the pod should - run with. More info: https://kubernetes.io/docs/concepts/policy/security-context/ + description: 'SecurityContext defines the security + options the container should be run with. If + set, the fields of SecurityContext override + the equivalent fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' properties: allowPrivilegeEscalation: @@ -2081,13 +2530,16 @@ spec: controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) - run as Privileged 2) has CAP_SYS_ADMIN' + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' type: boolean capabilities: description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the - container runtime. + container runtime. Note that this field + cannot be set when spec.os.name is windows. properties: add: description: Added capabilities 
@@ -2108,7 +2560,8 @@ spec: description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults - to false. + to false. Note that this field cannot be + set when spec.os.name is windows. type: boolean procMount: description: procMount denotes the type of @@ -2117,10 +2570,14 @@ spec: container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. type: string readOnlyRootFilesystem: description: Whether this container has a read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. type: boolean runAsGroup: description: The GID to run the entrypoint @@ -2128,7 +2585,8 @@ spec: if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer runAsNonRoot: @@ -2138,10 +2596,7 @@ spec: to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation - will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. + will be performed. May also be set in PodSecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint @@ -2150,7 +2605,8 @@ spec: May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer seLinuxOptions: 
@@ -2160,7 +2616,9 @@ spec: for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified - in SecurityContext takes precedence. + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. properties: level: description: Level is SELinux level label @@ -2183,7 +2641,9 @@ spec: description: The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container - options override the pod options. + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. properties: localhostProfile: description: localhostProfile indicates @@ -2214,7 +2674,9 @@ spec: the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified - in SecurityContext takes precedence. + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. properties: gmsaCredentialSpec: description: GMSACredentialSpec is where @@ -2228,6 +2690,16 @@ spec: the name of the GMSA credential spec to use. type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean runAsUserName: description: The UserName in Windows to run the entrypoint of the container 
@@ -2241,23 +2713,15 @@ spec: type: object type: object startupProbe: - description: 'StartupProbe indicates that the - Pod has successfully initialized. If specified, + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. - This can be used to provide different probe - parameters at the beginning of a Pod''s lifecycle, - when it might take a long time to load data - or warm a cache, than during steady-state operation. - This cannot be updated. This is a beta feature - enabled by the StartupProbe feature flag. More - info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -2282,6 +2746,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. 
@@ -2299,7 +2782,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -2350,10 +2837,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect @@ -2371,6 +2856,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. @@ -2390,15 +2887,7 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin - is opened on container start, is empty until - the first client attaches to stdin, and then - remains open and accepts data until the client - disconnects, at which time stdin is closed and - remains closed until the container is restarted. - If this flag is false, a container processes - that reads from stdin will never receive an - EOF. Default is false + sessions. type: boolean terminationMessagePath: description: 'Optional: Path at which the file 
@@ -2409,7 +2898,7 @@ spec: message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults - to /dev/termination-log. Cannot be updated.' + to /dev/termination-log.' type: string terminationMessagePolicy: description: Indicate how the termination message @@ -2419,9 +2908,7 @@ spec: FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with - an error. The log output is limited to 2048 - bytes or 80 lines, whichever is smaller. Defaults - to File. Cannot be updated. + an error. type: string tty: description: Whether this container should allocate 
@@ -2568,50 +3055,38 @@ spec: and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. - This field is alpha-level and is only honored by servers - that enable the EphemeralContainers feature. items: - description: An EphemeralContainer is a container - that may be added temporarily to an existing pod - for user-initiated activities such as debugging. - Ephemeral containers have no resource or scheduling - guarantees, and they will not be restarted when - they exit or when a pod is removed or restarted. - If an ephemeral container causes a pod to exceed - its resource allocation, the pod may be evicted. - Ephemeral containers may not be added by directly - updating the pod spec. They must be added via the - pod's ephemeralcontainers subresource, and they - will appear in the pod spec once added. This is - an alpha feature enabled by the EphemeralContainers - feature flag. + description: An EphemeralContainer is a temporary + container that you may add to an existing Pod for + user-initiated activities such as debugging. Ephemeral + containers have no resource or scheduling guarantees, + and they will not be restarted when they exit or + when a Pod is removed or restarted. The kubelet + may evict a Pod if an ephemeral container causes + the Pod to exceed its resource allocation. properties: args: description: 'Arguments to the entrypoint. The - docker image''s CMD is used if this is not provided. + image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input - string will be unchanged. The $(VAR_NAME) syntax - can be escaped with a double $$, ie: $$(VAR_NAME). - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. 
More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)".' items: type: string type: array command: description: 'Entrypoint array. Not executed within - a shell. The docker image''s ENTRYPOINT is used - if this is not provided. Variable references - $(VAR_NAME) are expanded using the container''s - environment. If a variable cannot be resolved, - the reference in the input string will be unchanged. - The $(VAR_NAME) syntax can be escaped with a - double $$, ie: $$(VAR_NAME). Escaped references - will never be expanded, regardless of whether - the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + a shell. The image''s ENTRYPOINT is used if + this is not provided. Variable references $(VAR_NAME) + are expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array 
@@ -2628,16 +3103,15 @@ spec: type: string value: description: 'Variable references $(VAR_NAME) - are expanded using the previous defined + are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be - unchanged. The $(VAR_NAME) syntax can - be escaped with a double $$, ie: $$(VAR_NAME). - Escaped references will never be expanded, - regardless of whether the variable exists - or not. Defaults to "".' + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' type: string valueFrom: description: Source for the environment @@ -2663,6 +3137,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, @@ -2682,6 +3157,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: 'Selects a resource of the container: only resources limits @@ -2711,6 +3187,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -2733,6 +3210,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name @@ -2766,6 +3244,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be 
@@ -2785,10 +3264,12 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic type: object type: array image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images' + description: 'Container image name. More info: + https://kubernetes.io/docs/concepts/containers/images' type: string imagePullPolicy: description: 'Image pull policy. One of Always, @@ -2809,9 +3290,8 @@ spec: More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: One and only one of the following - should be specified. Exec specifies - the action to take. + description: Exec specifies the action + to take. properties: command: description: Command is the command @@ -2850,7 +3330,10 @@ spec: properties: name: description: The header field - name + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. type: string value: description: The header field @@ -2882,10 +3365,12 @@ spec: - port type: object tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not - yet supported TODO: implement a realistic - TCP lifecycle hook' + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. properties: host: description: 'Optional: Host name 
@@ -2906,27 +3391,18 @@ spec: type: object type: object preStop: - description: 'PreStop is called immediately + description: PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. - The reason for termination is passed to - the handler. The Pod''s termination grace - period countdown begins before the PreStop - hooked is executed. Regardless of the outcome - of the handler, the container will eventually - terminate within the Pod''s termination - grace period. Other management of the container - blocks until the hook completes or until - the termination grace period is reached. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + The Pod's termination grace period countdown + begins before the PreStop hook is executed. properties: exec: - description: One and only one of the following - should be specified. Exec specifies - the action to take. + description: Exec specifies the action + to take. properties: command: description: Command is the command @@ -2965,7 +3441,10 @@ spec: properties: name: description: The header field - name + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. type: string value: description: The header field @@ -2997,10 +3476,12 @@ spec: - port type: object tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not - yet supported TODO: implement a realistic - TCP lifecycle hook' + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. properties: host: description: 'Optional: Host name 
@@ -3026,9 +3507,8 @@ spec: containers. properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -3053,6 +3533,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. @@ -3070,7 +3569,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -3121,10 +3624,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect 
@@ -3142,6 +3643,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. @@ -3196,14 +3709,17 @@ spec: - containerPort type: object type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map readinessProbe: description: Probes are not allowed for ephemeral containers. properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -3228,6 +3744,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. 
@@ -3245,7 +3780,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -3296,10 +3835,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect @@ -3317,6 +3854,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. 
@@ -3324,11 +3873,58 @@ spec: format: int32 type: integer type: object + resizePolicy: + description: Resources resize policy for the container. + items: + description: ContainerResizePolicy represents + resource resize policy for the container. + properties: + resourceName: + description: 'Name of the resource to which + this resource resize policy applies. Supported + values: cpu, memory.' + type: string + restartPolicy: + description: Restart policy to apply when + specified resource is resized. If not + specified, it defaults to NotRequired. + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: description: Resources are not allowed for ephemeral containers. Ephemeral containers use spare resources already allocated to the pod. properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are + used by this container. \n This is an alpha + field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: ResourceClaim references one + entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available inside + a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -3338,7 +3934,7 @@ spec: x-kubernetes-int-or-string: true description: 'Limits describes the maximum amount of compute resources allowed. More - info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: 
@@ -3352,12 +3948,15 @@ spec: Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + value. Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object securityContext: - description: SecurityContext is not allowed for - ephemeral containers. + description: 'Optional: SecurityContext defines + the security options the ephemeral container + should be run with. If set, the fields of SecurityContext + override the equivalent fields of PodSecurityContext.' properties: allowPrivilegeEscalation: description: 'AllowPrivilegeEscalation controls @@ -3366,13 +3965,16 @@ spec: controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) - run as Privileged 2) has CAP_SYS_ADMIN' + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' type: boolean capabilities: description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the - container runtime. + container runtime. Note that this field + cannot be set when spec.os.name is windows. properties: add: description: Added capabilities @@ -3393,7 +3995,8 @@ spec: description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults - to false. + to false. Note that this field cannot be + set when spec.os.name is windows. type: boolean procMount: description: procMount denotes the type of 
@@ -3402,10 +4005,14 @@ spec: container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. type: string readOnlyRootFilesystem: description: Whether this container has a read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. type: boolean runAsGroup: description: The GID to run the entrypoint @@ -3413,7 +4020,8 @@ spec: if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer runAsNonRoot: @@ -3423,10 +4031,7 @@ spec: to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation - will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. + will be performed. May also be set in PodSecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint @@ -3435,7 +4040,8 @@ spec: May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer seLinuxOptions: @@ -3445,7 +4051,9 @@ spec: for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified - in SecurityContext takes precedence. + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. properties: level: description: Level is SELinux level label 
@@ -3468,7 +4076,9 @@ spec: description: The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container - options override the pod options. + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. properties: localhostProfile: description: localhostProfile indicates @@ -3499,7 +4109,9 @@ spec: the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified - in SecurityContext takes precedence. + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. properties: gmsaCredentialSpec: description: GMSACredentialSpec is where @@ -3513,6 +4125,16 @@ spec: the name of the GMSA credential spec to use. type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean runAsUserName: description: The UserName in Windows to run the entrypoint of the container @@ -3530,9 +4152,8 @@ spec: containers. properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line 
@@ -3557,6 +4178,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. @@ -3574,7 +4214,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -3625,10 +4269,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect @@ -3646,6 +4288,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. 
@@ -3665,24 +4319,16 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin - is opened on container start, is empty until - the first client attaches to stdin, and then - remains open and accepts data until the client - disconnects, at which time stdin is closed and - remains closed until the container is restarted. - If this flag is false, a container processes - that reads from stdin will never receive an - EOF. Default is false + sessions. type: boolean targetContainerName: - description: If set, the name of the container + description: "If set, the name of the container from PodSpec that this ephemeral container targets. The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container. If not set - then the ephemeral container is run in whatever - namespaces are shared for the pod. Note that - the container runtime must support this feature. + then the ephemeral container uses the namespaces + configured in the Pod spec. \n The container + runtime must implement support for this feature." type: string terminationMessagePath: description: 'Optional: Path at which the file @@ -3693,7 +4339,7 @@ spec: message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults - to /dev/termination-log. Cannot be updated.' + to /dev/termination-log.' type: string terminationMessagePolicy: description: Indicate how the termination message @@ -3703,9 +4349,7 @@ spec: FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with - an error. The log output is limited to 2048 - bytes or 80 lines, whichever is smaller. Defaults - to File. Cannot be updated. + an error. type: string tty: description: Whether this container should allocate 
@@ -3735,7 +4379,8 @@ spec: type: array volumeMounts: description: Pod volumes to mount into the container's - filesystem. Cannot be updated. + filesystem. Subpath mounts are not allowed for + ephemeral containers. Cannot be updated. items: description: VolumeMount describes a mounting of a Volume within a container. @@ -3824,6 +4469,15 @@ spec: description: 'Use the host''s pid namespace. Optional: Default to false.' type: boolean + hostUsers: + description: 'Use the host''s user namespace. Optional: + Default to true. If set to true or not present, the + pod will be run in the host user namespace, useful + for when the pod needs a feature only available to + the host user namespace, such as loading a kernel + module with CAP_SYS_MODULE. When set to false, a new + userns is created for the pod.' + type: boolean hostname: description: Specifies the hostname of the Pod If not specified, the pod's hostname will be set to a system-defined @@ -3834,9 +4488,8 @@ spec: references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual - puller implementations for them to use. For example, - in the case of docker, only DockerConfig type secrets - are honored. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' + puller implementations for them to use. More info: + https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' items: description: LocalObjectReference contains enough information to let you locate the referenced object 
@@ -3849,54 +4502,41 @@ spec: uid?' type: string type: object + x-kubernetes-map-type: atomic type: array initContainers: - description: 'List of initialization containers belonging + description: List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique - among all containers. Init containers may not have - Lifecycle actions, Readiness probes, Liveness probes, - or Startup probes. The resourceRequirements of an - init container are taken into account during scheduling - by finding the highest request/limit for each resource - type, and then using the max of of that value or the - sum of the normal containers. Limits are applied to - init containers in a similar fashion. Init containers - cannot currently be added or removed. Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/' + among all containers. items: description: A single application container that you want to run within a pod. properties: args: description: 'Arguments to the entrypoint. The - docker image''s CMD is used if this is not provided. - Variable references $(VAR_NAME) are expanded - using the container''s environment. If a variable - cannot be resolved, the reference in the input - string will be unchanged. The $(VAR_NAME) syntax - can be escaped with a double $$, ie: $$(VAR_NAME). - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + container image''s CMD is used if this is not + provided. Variable references $(VAR_NAME) are + expanded using the container''s environment. 
+ If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array command: description: 'Entrypoint array. Not executed within - a shell. The docker image''s ENTRYPOINT is used - if this is not provided. Variable references + a shell. The container image''s ENTRYPOINT is + used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. - The $(VAR_NAME) syntax can be escaped with a - double $$, ie: $$(VAR_NAME). Escaped references - will never be expanded, regardless of whether - the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array @@ -3913,16 +4553,15 @@ spec: type: string value: description: 'Variable references $(VAR_NAME) - are expanded using the previous defined + are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be - unchanged. The $(VAR_NAME) syntax can - be escaped with a double $$, ie: $$(VAR_NAME). - Escaped references will never be expanded, - regardless of whether the variable exists - or not. Defaults to "".' + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' type: string valueFrom: description: Source for the environment 
@@ -3948,6 +4587,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, @@ -3967,6 +4607,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: 'Selects a resource of the container: only resources limits @@ -3996,6 +4637,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -4018,6 +4660,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name @@ -4051,6 +4694,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be @@ -4070,10 +4714,12 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic type: object type: array image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images + description: 'Container image name. More info: + https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments @@ -4099,9 +4745,8 @@ spec: More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: One and only one of the following - should be specified. Exec specifies - the action to take. + description: Exec specifies the action + to take. properties: command: description: Command is the command @@ -4140,7 +4785,10 @@ spec: properties: name: description: The header field - name + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. type: string value: description: The header field 
@@ -4172,10 +4820,12 @@ spec: - port type: object tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not - yet supported TODO: implement a realistic - TCP lifecycle hook' + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. properties: host: description: 'Optional: Host name @@ -4196,27 +4846,18 @@ spec: type: object type: object preStop: - description: 'PreStop is called immediately + description: PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. - The reason for termination is passed to - the handler. The Pod''s termination grace - period countdown begins before the PreStop - hooked is executed. Regardless of the outcome - of the handler, the container will eventually - terminate within the Pod''s termination - grace period. Other management of the container - blocks until the hook completes or until - the termination grace period is reached. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + The Pod's termination grace period countdown + begins before the PreStop hook is executed. properties: exec: - description: One and only one of the following - should be specified. Exec specifies - the action to take. + description: Exec specifies the action + to take. properties: command: description: Command is the command @@ -4255,7 +4896,10 @@ spec: properties: name: description: The header field - name + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. type: string value: description: The header field 
@@ -4287,10 +4931,12 @@ spec: - port type: object tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not - yet supported TODO: implement a realistic - TCP lifecycle hook' + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. properties: host: description: 'Optional: Host name @@ -4317,9 +4963,8 @@ spec: Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -4344,6 +4989,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. @@ -4361,7 +5025,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value 
@@ -4412,10 +5080,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect @@ -4433,6 +5099,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. @@ -4447,14 +5125,13 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the system - additional information about the network connections - a container uses, but is primarily informational. - Not specifying a port here DOES NOT prevent - that port from being exposed. Any port which - is listening on the default "0.0.0.0" address - inside a container will be accessible from the - network. Cannot be updated. + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. items: description: ContainerPort represents a network port in a single container. 
@@ -4504,9 +5181,8 @@ spec: More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -4531,6 +5207,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. @@ -4548,7 +5243,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -4599,10 +5298,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect 
@@ -4620,6 +5317,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. 
@@ -4627,10 +5336,57 @@ spec: format: int32 type: integer type: object + resizePolicy: + description: Resources resize policy for the container. + items: + description: ContainerResizePolicy represents + resource resize policy for the container. + properties: + resourceName: + description: 'Name of the resource to which + this resource resize policy applies. Supported + values: cpu, memory.' + type: string + restartPolicy: + description: Restart policy to apply when + specified resource is resized. If not + specified, it defaults to NotRequired. + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: description: 'Compute Resources required by this - container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are + used by this container. \n This is an alpha + field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: ResourceClaim references one + entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available inside + a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -4640,7 +5396,7 @@ spec: x-kubernetes-int-or-string: true description: 'Limits describes the maximum amount of compute resources allowed. More - info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: @@ -4654,12 +5410,15 @@ spec: Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + value. Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object securityContext: - description: 'Security options the pod should - run with. More info: https://kubernetes.io/docs/concepts/policy/security-context/ + description: 'SecurityContext defines the security + options the container should be run with. If + set, the fields of SecurityContext override + the equivalent fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' properties: allowPrivilegeEscalation: @@ -4669,13 +5428,16 @@ spec: controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) - run as Privileged 2) has CAP_SYS_ADMIN' + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' type: boolean capabilities: description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the - container runtime. + container runtime. Note that this field + cannot be set when spec.os.name is windows. properties: add: description: Added capabilities 
@@ -4696,7 +5458,8 @@ spec: description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults - to false. + to false. Note that this field cannot be + set when spec.os.name is windows. type: boolean procMount: description: procMount denotes the type of @@ -4705,10 +5468,14 @@ spec: container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. type: string readOnlyRootFilesystem: description: Whether this container has a read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. type: boolean runAsGroup: description: The GID to run the entrypoint @@ -4716,7 +5483,8 @@ spec: if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer runAsNonRoot: @@ -4726,10 +5494,7 @@ spec: to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation - will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. + will be performed. May also be set in PodSecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint @@ -4738,7 +5503,8 @@ spec: May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer seLinuxOptions: 
@@ -4748,7 +5514,9 @@ spec: for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified - in SecurityContext takes precedence. + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. properties: level: description: Level is SELinux level label @@ -4771,7 +5539,9 @@ spec: description: The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container - options override the pod options. + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. properties: localhostProfile: description: localhostProfile indicates @@ -4802,7 +5572,9 @@ spec: the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified - in SecurityContext takes precedence. + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. properties: gmsaCredentialSpec: description: GMSACredentialSpec is where @@ -4816,6 +5588,16 @@ spec: the name of the GMSA credential spec to use. type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean runAsUserName: description: The UserName in Windows to run the entrypoint of the container 
@@ -4829,23 +5611,15 @@ spec: type: object type: object startupProbe: - description: 'StartupProbe indicates that the - Pod has successfully initialized. If specified, + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. - This can be used to provide different probe - parameters at the beginning of a Pod''s lifecycle, - when it might take a long time to load data - or warm a cache, than during steady-state operation. - This cannot be updated. This is a beta feature - enabled by the StartupProbe feature flag. More - info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -4870,6 +5644,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. 
@@ -4887,7 +5680,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -4938,10 +5735,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect @@ -4959,6 +5754,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. @@ -4978,15 +5785,7 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin - is opened on container start, is empty until - the first client attaches to stdin, and then - remains open and accepts data until the client - disconnects, at which time stdin is closed and - remains closed until the container is restarted. - If this flag is false, a container processes - that reads from stdin will never receive an - EOF. Default is false + sessions. type: boolean terminationMessagePath: description: 'Optional: Path at which the file 
@@ -4997,7 +5796,7 @@ spec: message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults - to /dev/termination-log. Cannot be updated.' + to /dev/termination-log.' type: string terminationMessagePolicy: description: Indicate how the termination message @@ -5007,9 +5806,7 @@ spec: FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with - an error. The log output is limited to 2048 - bytes or 80 lines, whichever is smaller. Defaults - to File. Cannot be updated. + an error. type: string tty: description: Whether this container should allocate @@ -5108,6 +5905,28 @@ spec: must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' type: object + x-kubernetes-map-type: atomic + os: + description: "Specifies the OS of the containers in + the pod. Some pod and container fields are restricted + if this is set. \n If the OS field is set to linux, + the following fields must be unset: -securityContext.windowsOptions + \n If the OS field is set to windows, following fields + must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers + - spec.securityContext.seLinuxOptions - spec.securityContext." + properties: + name: + description: 'Name is the name of the operating + system. The currently supported values are linux + and windows. Additional value may be defined in + future and can be one of: https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration + Clients should expect to handle additional values + and treat unrecognized values in this field as + os: null' + type: string + required: + - name + type: object overhead: additionalProperties: anyOf: 
@@ -5115,28 +5934,19 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Overhead represents the resource overhead + description: Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. This field will be autopopulated at admission time by the RuntimeClass admission controller. If the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests. The RuntimeClass admission controller will reject Pod create requests which have - the overhead already set. If RuntimeClass is configured - and selected in the PodSpec, Overhead will be set - to the value defined in the corresponding RuntimeClass, - otherwise it will remain unset and treated as zero. - More info: https://git.k8s.io/enhancements/keps/sig-node/20190226-pod-overhead.md - This field is alpha-level as of Kubernetes v1.16, - and is only honored by servers that enable the PodOverhead - feature.' + the overhead already set. type: object preemptionPolicy: description: PreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. - Defaults to PreemptLowerPriority if unset. This field - is beta-level, gated by the NonPreemptingPriority - feature-gate. + Defaults to PreemptLowerPriority if unset. type: string priority: description: The priority value. Various system components @@ -5161,7 +5971,7 @@ spec: be evaluated for pod readiness. A pod is ready when all its containers are ready AND all conditions specified in the readiness gates have status equal to "True" - More info: https://git.k8s.io/enhancements/keps/sig-network/0007-pod-ready%2B%2B.md' + More info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates' items: description: PodReadinessGate contains the reference to a pod condition 
@@ -5174,10 +5984,57 @@ spec: - conditionType type: object type: array + resourceClaims: + description: "ResourceClaims defines which ResourceClaims + must be allocated and reserved before the Pod is allowed + to start. The resources will be made available to + those containers which consume them by name. \n This + is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable." + items: + description: PodResourceClaim references exactly one + ResourceClaim through a ClaimSource. It adds a name + to it that uniquely identifies the ResourceClaim + inside the Pod. Containers that need access to the + ResourceClaim reference it with this name. + properties: + name: + description: Name uniquely identifies this resource + claim inside the pod. This must be a DNS_LABEL. + type: string + source: + description: Source describes where to find the + ResourceClaim. + properties: + resourceClaimName: + description: ResourceClaimName is the name + of a ResourceClaim object in the same namespace + as this pod. + type: string + resourceClaimTemplateName: + description: "ResourceClaimTemplateName is + the name of a ResourceClaimTemplate object + in the same namespace as this pod. \n The + template will be used to create a new ResourceClaim, + which will be bound to this pod. When this + pod is deleted, the ResourceClaim will also + be deleted. The name of the ResourceClaim + will be -, where + is the PodResourceClaim.Name." + type: string + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map restartPolicy: description: 'Restart policy for all containers within - the pod. One of Always, OnFailure, Never. Default - to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy' + the pod. One of Always, OnFailure, Never. In some + contexts, only a subset of those values may be permitted. + Default to Always. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy' type: string runtimeClassName: description: 'RuntimeClassName refers to a RuntimeClass @@ -5187,14 +6044,37 @@ spec: or empty, the "legacy" RuntimeClass will be used, which is an implicit class with an empty definition that uses the default runtime handler. More info: - https://git.k8s.io/enhancements/keps/sig-node/runtime-class.md - This is a beta feature as of Kubernetes v1.14.' + https://git.k8s.' type: string schedulerName: description: If specified, the pod will be dispatched by specified scheduler. If not specified, the pod will be dispatched by default scheduler. type: string + schedulingGates: + description: "SchedulingGates is an opaque list of values + that if specified will block scheduling the pod. If + schedulingGates is not empty, the pod will stay in + the SchedulingGated state and the scheduler will not + attempt to schedule the pod. \n SchedulingGates can + only be set at pod creation time, and be removed only + afterwards. \n This is a beta feature enabled by the + PodSchedulingReadiness feature gate." + items: + description: PodSchedulingGate is associated to a + Pod to guard its scheduling. + properties: + name: + description: Name of the scheduling gate. Each + scheduling gate must have a unique name field. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map securityContext: description: 'SecurityContext holds pod-level security attributes and common container settings. Optional: 
@@ -5208,9 +6088,7 @@ spec: of that volume to be owned by the pod: \n 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be - owned by FSGroup) 3. The permission bits are OR'd - with rw-rw---- \n If unset, the Kubelet will not - modify the ownership and permissions of any volume." + owned by FSGroup) 3." format: int64 type: integer fsGroupChangePolicy: @@ -5221,7 +6099,7 @@ spec: based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" - and "Always". If not specified defaults to "Always".' + and "Always". If not specified, "Always" is used.' type: string runAsGroup: description: The GID to run the entrypoint of the @@ -5229,7 +6107,8 @@ spec: May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. + for that container. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer runAsNonRoot: @@ -5239,9 +6118,7 @@ spec: does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be - set in SecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in - SecurityContext takes precedence. + set in SecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint of the @@ -5250,6 +6127,8 @@ spec: set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. + Note that this field cannot be set when spec.os.name + is windows. format: int64 type: integer seLinuxOptions: 
@@ -5259,7 +6138,8 @@ spec: for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. + for that container. Note that this field cannot + be set when spec.os.name is windows. properties: level: description: Level is SELinux level label that @@ -5280,7 +6160,8 @@ spec: type: object seccompProfile: description: The seccomp options to use by the containers - in this pod. + in this pod. Note that this field cannot be set + when spec.os.name is windows. properties: localhostProfile: description: localhostProfile indicates a profile @@ -5305,8 +6186,11 @@ spec: supplementalGroups: description: A list of groups applied to the first process run in each container, in addition to - the container's primary GID. If unspecified, - no groups will be added to any container. + the container's primary GID, the fsGroup (if specified), + and group memberships defined in the container + image for the uid of the container process. If + unspecified, no additional groups are added to + any container. items: format: int64 type: integer @@ -5315,6 +6199,8 @@ spec: description: Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name + is windows. items: description: Sysctl defines a kernel parameter to be set @@ -5336,6 +6222,8 @@ spec: within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is linux. properties: gmsaCredentialSpec: description: GMSACredentialSpec is where the 
@@ -5347,6 +6235,15 @@ spec: description: GMSACredentialSpecName is the name of the GMSA credential spec to use. type: string + hostProcess: + description: HostProcess determines if a container + should be run as a 'Host Process' container. + This field is alpha-level and will only be + honored by components that enable the WindowsHostProcessContainers + feature flag. Setting this field without the + feature flag will result in errors when validating + the Pod. + type: boolean runAsUserName: description: The UserName in Windows to run the entrypoint of the container process. Defaults @@ -5373,11 +6270,7 @@ spec: as the pod's FQDN, rather than the leaf name (the default). In Linux containers, this means setting the FQDN in the hostname field of the kernel (the - nodename field of struct utsname). In Windows containers, - this means setting the registry value of hostname - for the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters - to FQDN. If a pod does not have FQDN, this has no - effect. Default to false. + nodename field of struct utsname). type: boolean shareProcessNamespace: description: 'Share a single process namespace between @@ -5398,14 +6291,9 @@ spec: description: Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request. Value must be non-negative integer. The value - zero indicates delete immediately. If this value is - nil, the default grace period will be used instead. - The grace period is the duration in seconds after - the processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer than - the expected cleanup time for your process. Defaults - to 30 seconds. + zero indicates stop immediately via the kill signal + (no opportunity to shut down). If this value is nil, + the default grace period will be used instead. format: int64 type: integer tolerations: 
@@ -5515,56 +6403,83 @@ spec: "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label + keys to select the pods over which spreading + will be calculated. The keys are used to lookup + values from the incoming pod labels, those key-value + labels are ANDed with labelSelector to select + the group of existing pods over which spreading + will be calculated for the incoming pod. The + same key is forbidden to exist in both MatchLabelKeys + and LabelSelector. + items: + type: string + type: array + x-kubernetes-list-type: atomic maxSkew: - description: 'MaxSkew describes the degree to - which pods may be unevenly distributed. When - `whenUnsatisfiable=DoNotSchedule`, it is the - maximum permitted difference between the number - of matching pods in the target topology and - the global minimum. For example, in a 3-zone - cluster, MaxSkew is set to 1, and pods with - the same labelSelector spread as 1/1/0: | zone1 - | zone2 | zone3 | | P | P | | - - if MaxSkew is 1, incoming pod can only be - scheduled to zone3 to become 1/1/1; scheduling - it onto zone1(zone2) would make the ActualSkew(2-0) - on zone1(zone2) violate MaxSkew(1). - if MaxSkew - is 2, incoming pod can be scheduled onto any - zone. When `whenUnsatisfiable=ScheduleAnyway`, - it is used to give higher precedence to topologies - that satisfy it. It''s a required field. Default - value is 1 and 0 is not allowed.' + description: MaxSkew describes the degree to which + pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between + the number of matching pods in the target topology + and the global minimum. The global minimum is + the minimum number of matching pods in an eligible + domain or zero if the number of eligible domains + is less than MinDomains. 
+ format: int32 + type: integer + minDomains: + description: MinDomains indicates a minimum number + of eligible domains. When the number of eligible + domains with matching topology keys is less + than minDomains, Pod Topology Spread treats + "global minimum" as 0, and then the calculation + of Skew is performed. And when the number of + eligible domains with matching topology keys + equals or greater than minDomains, this value + has no effect on scheduling. format: int32 type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how + we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options + are: - Honor: only nodes matching nodeAffinity/nodeSelector + are included in the calculations. - Ignore: + nodeAffinity/nodeSelector are ignored. All nodes + are included in the calculations. \n If this + value is nil, the behavior is equivalent to + the Honor policy." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we + will treat node taints when calculating pod + topology spread skew. Options are: - Honor: + nodes without taints, along with tainted nodes + for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. + All nodes are included. \n If this value is + nil, the behavior is equivalent to the Ignore + policy." + type: string topologyKey: description: TopologyKey is the key of node labels. Nodes that have a label with this key and identical values are considered to be in the same topology. We consider each as a "bucket", and try to put balanced number of pods into - each bucket. It's a required field. + each bucket. We define a domain as a particular + instance of a topology. type: string whenUnsatisfiable: - description: 'WhenUnsatisfiable indicates how - to deal with a pod if it doesn''t satisfy the - spread constraint. - DoNotSchedule (default) - tells the scheduler not to schedule it. 
- ScheduleAnyway + description: WhenUnsatisfiable indicates how to + deal with a pod if it doesn't satisfy the spread + constraint. - DoNotSchedule (default) tells + the scheduler not to schedule it. - ScheduleAnyway tells the scheduler to schedule the pod in any - location, but giving higher precedence to - topologies that would help reduce the skew. - A constraint is considered "Unsatisfiable" for - an incoming pod if and only if every possible - node assigment for that pod would violate "MaxSkew" - on some topology. For example, in a 3-zone cluster, - MaxSkew is set to 1, and pods with the same - labelSelector spread as 3/1/1: | zone1 | zone2 - | zone3 | | P P P | P | P | If WhenUnsatisfiable - is set to DoNotSchedule, incoming pod can only - be scheduled to zone2(zone3) to become 3/2/1(3/1/2) - as ActualSkew(2-1) on zone2(zone3) satisfies - MaxSkew(1). In other words, the cluster can - still be imbalanced, but scheduler won''t make - it *more* imbalanced. It''s a required field.' + location, but giving higher precedence to topologies + that would help reduce the skew. type: string required: - maxSkew 
@@ -5585,77 +6500,78 @@ spec: pod. properties: awsElasticBlockStore: - description: 'AWSElasticBlockStore represents + description: 'awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' properties: fsType: - description: 'Filesystem type of the volume - that you want to mount. Tip: Ensure that - the filesystem type is supported by the - host operating system. Examples: "ext4", - "xfs", "ntfs". Implicitly inferred to be - "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore TODO: how do we prevent errors in the filesystem from compromising the machine' type: string partition: - description: 'The partition in the volume - that you want to mount. If omitted, the - default is to mount by volume name. Examples: - For volume /dev/sda1, you specify the partition - as "1". Similarly, the volume partition - for /dev/sda is "0" (or you can leave the - property empty).' + description: 'partition is the partition in + the volume that you want to mount. If omitted, + the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify + the partition as "1". Similarly, the volume + partition for /dev/sda is "0" (or you can + leave the property empty).' format: int32 type: integer readOnly: - description: 'Specify "true" to force and - set the ReadOnly property in VolumeMounts - to "true". If omitted, the default is "false". 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + description: 'readOnly value true will force + the readOnly setting in VolumeMounts. More + info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' type: boolean volumeID: - description: 'Unique ID of the persistent - disk resource in AWS (Amazon EBS volume). - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + description: 'volumeID is unique ID of the + persistent disk resource in AWS (Amazon + EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' type: string required: - volumeID type: object azureDisk: - description: AzureDisk represents an Azure Data + description: azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. properties: cachingMode: - description: 'Host Caching mode: None, Read - Only, Read Write.' + description: 'cachingMode is the Host Caching + mode: None, Read Only, Read Write.' type: string diskName: - description: The Name of the data disk in - the blob storage + description: diskName is the Name of the data + disk in the blob storage type: string diskURI: - description: The URI the data disk in the - blob storage + description: diskURI is the URI of data disk + in the blob storage type: string fsType: - description: Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - Implicitly inferred to be "ext4" if unspecified. + description: fsType is Filesystem type to + mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. 
type: string kind: - description: 'Expected values Shared: multiple - blob disks per storage account Dedicated: + description: 'kind expected values are Shared: + multiple blob disks per storage account Dedicated: single blob disk per storage account Managed: azure managed data disk (only in managed availability set). defaults to shared' type: string readOnly: - description: Defaults to false (read/write). + description: readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. type: boolean 
@@ -5664,56 +6580,59 @@ spec: - diskURI type: object azureFile: - description: AzureFile represents an Azure File + description: azureFile represents an Azure File Service mount on the host and bind mount to the pod. properties: readOnly: - description: Defaults to false (read/write). + description: readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. type: boolean secretName: - description: the name of secret that contains - Azure Storage Account Name and Key + description: secretName is the name of secret + that contains Azure Storage Account Name + and Key type: string shareName: - description: Share Name + description: shareName is the azure share + Name type: string required: - secretName - shareName type: object cephfs: - description: CephFS represents a Ceph FS mount + description: cephFS represents a Ceph FS mount on the host that shares a pod's lifetime properties: monitors: - description: 'Required: Monitors is a collection - of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: 'monitors is Required: Monitors + is a collection of Ceph monitors More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' items: type: string type: array path: - description: 'Optional: Used as the mounted - root, rather than the full Ceph tree, default - is /' + description: 'path is Optional: Used as the + mounted root, rather than the full Ceph + tree, default is /' type: string readOnly: - description: 'Optional: Defaults to false - (read/write). ReadOnly here will force the - ReadOnly setting in VolumeMounts. More info: - https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: 'readOnly is Optional: Defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts. 
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: boolean secretFile: - description: 'Optional: SecretFile is the - path to key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: 'secretFile is Optional: SecretFile + is the path to key ring for User, default + is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: string secretRef: - description: 'Optional: SecretRef is reference - to the authentication secret for User, default - is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: 'secretRef is Optional: SecretRef + is reference to the authentication secret + for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' properties: name: description: 'Name of the referent. More 
@@ -5722,35 +6641,37 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic user: - description: 'Optional: User is the rados - user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: 'user is optional: User is the + rados user name, default is admin More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: string required: - monitors type: object cinder: - description: 'Cinder represents a cinder volume + description: 'cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' properties: fsType: - description: 'Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Examples: "ext4", "xfs", - "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + description: 'fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://examples.k8s.io/mysql-cinder-pd/README.md' type: string readOnly: - description: 'Optional: Defaults to false - (read/write). ReadOnly here will force the - ReadOnly setting in VolumeMounts. More info: - https://examples.k8s.io/mysql-cinder-pd/README.md' + description: 'readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' type: boolean secretRef: - description: 'Optional: points to a secret - object containing parameters used to connect - to OpenStack.' + description: 'secretRef is optional: points + to a secret object containing parameters + used to connect to OpenStack.' properties: name: description: 'Name of the referent. More 
@@ -5759,70 +6680,61 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic volumeID: - description: 'volume id used to identify the + description: 'volumeID used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' type: string required: - volumeID type: object configMap: - description: ConfigMap represents a configMap + description: configMap represents a configMap that should populate this volume properties: defaultMode: - description: 'Optional: mode bits used to - set permissions on created files by default. - Must be an octal value between 0000 and - 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, - JSON requires decimal values for mode bits. - Defaults to 0644. Directories within the - path are not affected by this setting. This - might be in conflict with other options - that affect the file mode, like fsGroup, - and the result can be other mode bits set.' + description: 'defaultMode is optional: mode + bits used to set permissions on created + files by default. Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. + Directories within the path are not affected + by this setting.' format: int32 type: integer items: - description: If unspecified, each key-value + description: items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the ConfigMap, the volume setup will - error unless it is marked optional. Paths - must be relative and may not contain the - '..' path or start with '..'. + and unlisted keys will not be present. 
items: description: Maps a string key to a path within a volume. properties: key: - description: The key to project. + description: key is the key to project. type: string mode: - description: 'Optional: mode bits used - to set permissions on this file. Must - be an octal value between 0000 and - 0777 or a decimal value between 0 - and 511. YAML accepts both octal and - decimal values, JSON requires decimal - values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can be - other mode bits set.' + description: 'mode is Optional: mode + bits used to set permissions on this + file. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal + and decimal values, JSON requires + decimal values for mode bits. If not + specified, the volume defaultMode + will be used.' format: int32 type: integer path: - description: The relative path of the - file to map the key to. May not be - an absolute path. May not contain + description: path is the relative path + of the file to map the key to. May + not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string 
@@ -5838,30 +6750,31 @@ spec: kind, uid?' type: string optional: - description: Specify whether the ConfigMap - or its keys must be defined + description: optional specify whether the + ConfigMap or its keys must be defined type: boolean type: object + x-kubernetes-map-type: atomic csi: - description: CSI (Container Storage Interface) + description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature). properties: driver: - description: Driver is the name of the CSI + description: driver is the name of the CSI driver that handles this volume. Consult with your admin for the correct name as registered in the cluster. type: string fsType: - description: Filesystem type to mount. Ex. - "ext4", "xfs", "ntfs". If not provided, - the empty value is passed to the associated - CSI driver which will determine the default - filesystem to apply. + description: fsType to mount. Ex. "ext4", + "xfs", "ntfs". If not provided, the empty + value is passed to the associated CSI driver + which will determine the default filesystem + to apply. type: string nodePublishSecretRef: - description: NodePublishSecretRef is a reference + description: nodePublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodePublishVolume and NodeUnpublishVolume @@ -5877,14 +6790,16 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic readOnly: - description: Specifies a read-only configuration - for the volume. Defaults to false (read/write). + description: readOnly specifies a read-only + configuration for the volume. Defaults to + false (read/write). type: boolean volumeAttributes: additionalProperties: type: string - description: VolumeAttributes stores driver-specific + description: volumeAttributes stores driver-specific properties that are passed to the CSI driver. Consult your driver's documentation for supported values. 
@@ -5893,7 +6808,7 @@ spec: - driver type: object downwardAPI: - description: DownwardAPI represents downward API + description: downwardAPI represents downward API about the pod that should populate this volume properties: defaultMode: @@ -5906,10 +6821,7 @@ spec: and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected - by this setting. This might be in conflict - with other options that affect the file - mode, like fsGroup, and the result can be - other mode bits set.' + by this setting.' format: int32 type: integer items: @@ -5937,6 +6849,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic mode: description: 'Optional: mode bits used to set permissions on this file, must @@ -5945,11 +6858,7 @@ spec: and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can be - other mode bits set.' + the volume defaultMode will be used.' format: int32 type: integer path: 
@@ -5988,70 +6897,50 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic required: - path type: object type: array type: object emptyDir: - description: 'EmptyDir represents a temporary + description: 'emptyDir represents a temporary directory that shares a pod''s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' properties: medium: - description: 'What type of storage medium - should back this directory. The default - is "" which means to use the node''s default - medium. Must be an empty string (default) - or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + description: 'medium represents what type + of storage medium should back this directory. + The default is "" which means to use the + node''s default medium. Must be an empty + string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' type: string sizeLimit: anyOf: - type: integer - type: string - description: 'Total amount of local storage - required for this EmptyDir volume. The size - limit is also applicable for memory medium. - The maximum usage on memory medium EmptyDir - would be the minimum value between the SizeLimit - specified here and the sum of memory limits - of all containers in a pod. The default - is nil which means that the limit is undefined. - More info: http://kubernetes.io/docs/user-guide/volumes#emptydir' + description: 'sizeLimit is the total amount + of local storage required for this EmptyDir + volume. The size limit is also applicable + for memory medium. The maximum usage on + memory medium EmptyDir would be the minimum + value between the SizeLimit specified here + and the sum of memory limits of all containers + in a pod. The default is nil which means + that the limit is undefined. More info: + https://kubernetes.' 
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object ephemeral: - description: "Ephemeral represents a volume that - is handled by a cluster storage driver (Alpha - feature). The volume's lifecycle is tied to - the pod that defines it - it will be created - before the pod starts, and deleted when the - pod is removed. \n Use this if: a) the volume - is only needed while the pod runs, b) features - of normal volumes like restoring from snapshot - or capacity tracking are needed, c) the storage - driver is specified through a storage class, - and d) the storage driver supports dynamic volume - provisioning through a PersistentVolumeClaim - (see EphemeralVolumeSource for more information - on the connection between this volume type and - PersistentVolumeClaim). \n Use PersistentVolumeClaim - or one of the vendor-specific APIs for volumes - that persist for longer than the lifecycle of - an individual pod. \n Use CSI for light-weight - local ephemeral volumes if the CSI driver is - meant to be used that way - see the documentation - of the driver for more information. \n A pod - can use both types of ephemeral volumes and - persistent volumes at the same time." + description: ephemeral represents a volume that + is handled by a cluster storage driver. The + volume's lifecycle is tied to the pod that defines + it - it will be created before the pod starts, + and deleted when the pod is removed. properties: - readOnly: - description: Specifies a read-only configuration - for the volume. Defaults to false (read/write). - type: boolean volumeClaimTemplate: - description: "Will be used to create a stand-alone + description: Will be used to create a stand-alone PVC to provision the volume. The pod in which this EphemeralVolumeSource is embedded will be the owner of the PVC, i.e. the PVC 
@@ -6059,23 +6948,6 @@ spec: name of the PVC will be `-` where `` is the name from the `PodSpec.Volumes` array entry. - Pod validation will reject the pod if the - concatenated name is not valid for a PVC - (for example, too long). \n An existing - PVC with that name that is not owned by - the pod will *not* be used for the pod to - avoid using an unrelated volume by mistake. - Starting the pod is then blocked until the - unrelated PVC is removed. If such a pre-created - PVC is meant to be used by the pod, the - PVC has to updated with an owner reference - to the pod once the pod exists. Normally - this should not be necessary, but it may - be useful when manually reconstructing a - broken cluster. \n This field is read-only - and no changes will be made by Kubernetes - to the PVC after it has been created. \n - Required, must not be nil." properties: metadata: description: May contain labels and annotations 
@@ -6109,34 +6981,57 @@ spec: are also valid here. properties: accessModes: - description: 'AccessModes contains + description: 'accessModes contains the desired access modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' items: type: string type: array dataSource: - description: 'This field can be used - to specify either: * An existing - VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot - - Beta) * An existing PVC (PersistentVolumeClaim) - * An existing custom resource/object - that implements data population - (Alpha) In order to use VolumeSnapshot - object types, the appropriate feature - gate must be enabled (VolumeSnapshotDataSource - or AnyVolumeDataSource) If the provisioner - or an external controller can support - the specified data source, it will - create a new volume based on the - contents of the specified data source. - If the specified data source is - not supported, the volume will not - be created and the failure will - be reported as an event. In the - future, we plan to support more - data source types and the behavior - of the provisioner may change.' + description: 'dataSource field can + be used to specify either: * An + existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external + controller can support the specified + data source, it will create a new + volume based on the contents of + the specified data source.' + properties: + apiGroup: + description: APIGroup is the group + for the resource being referenced. + If APIGroup is not specified, + the specified Kind must be in + the core API group. For any + other third-party types, APIGroup + is required. 
+ type: string + kind: + description: Kind is the type + of resource being referenced + type: string + name: + description: Name is the name + of resource being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: dataSourceRef specifies + the object from which to populate + the volume with data, if a non-empty + volume is desired. This may be any + object from a non-empty API group + (non core object) or a PersistentVolumeClaim + object. When this field is specified, + volume binding will only succeed + if the type of the specified object + matches some installed volume populator + or dynamic provisioner. properties: apiGroup: description: APIGroup is the group 
@@ -6155,15 +7050,64 @@ spec: description: Name is the name of resource being referenced type: string + namespace: + description: Namespace is the + namespace of resource being + referenced Note that when a + namespace is specified, a gateway.networking.k8s.io/ReferenceGrant + object is required in the referent + namespace to allow that namespace's + owner to accept the reference. + See the ReferenceGrant documentation + for details. (Alpha) This field + requires the CrossNamespaceVolumeDataSource + feature gate to be enabled. + type: string required: - kind - name type: object resources: - description: 'Resources represents + description: 'resources represents the minimum resources the volume - should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + should have. If RecoverVolumeExpansionFailure + feature is enabled users are allowed + to specify resource requirements + that are lower than previous value + but must still be higher than capacity + recorded in the status field of + the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' properties: + claims: + description: "Claims lists the + names of resources, defined + in spec.resourceClaims, that + are used by this container. + \n This is an alpha field and + requires enabling the DynamicResourceAllocation + feature gate. \n This field + is immutable. It can only be + set for containers." + items: + description: ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match + the name of one entry + in pod.spec.resourceClaims + of the Pod where this + field is used. It makes + that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -6174,7 +7118,7 @@ spec: description: 'Limits describes the maximum amount of compute resources allowed. More info: - https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: @@ -6190,12 +7134,13 @@ spec: it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + value. Requests cannot exceed + Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object selector: - description: A label query over volumes - to consider for binding. + description: selector is a label query + over volumes to consider for binding. properties: matchExpressions: description: matchExpressions @@ -6254,10 +7199,11 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic storageClassName: - description: 'Name of the StorageClass - required by the claim. More info: - https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + description: 'storageClassName is + the name of the StorageClass required + by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' type: string volumeMode: description: volumeMode defines what @@ -6266,7 +7212,7 @@ spec: when not included in claim spec. type: string volumeName: - description: VolumeName is the binding + description: volumeName is the binding reference to the PersistentVolume backing this claim. type: string 
@@ -6276,77 +7222,79 @@ spec: type: object type: object fc: - description: FC represents a Fibre Channel resource + description: fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod. properties: fsType: - description: 'Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - Implicitly inferred to be "ext4" if unspecified. - TODO: how do we prevent errors in the filesystem - from compromising the machine' + description: 'fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. TODO: how do we prevent + errors in the filesystem from compromising + the machine' type: string lun: - description: 'Optional: FC target lun number' + description: 'lun is Optional: FC target lun + number' format: int32 type: integer readOnly: - description: 'Optional: Defaults to false - (read/write). ReadOnly here will force the - ReadOnly setting in VolumeMounts.' + description: 'readOnly is Optional: Defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts.' type: boolean targetWWNs: - description: 'Optional: FC target worldwide - names (WWNs)' + description: 'targetWWNs is Optional: FC target + worldwide names (WWNs)' items: type: string type: array wwids: - description: 'Optional: FC volume world wide - identifiers (wwids) Either wwids or combination - of targetWWNs and lun must be set, but not - both simultaneously.' + description: 'wwids Optional: FC volume world + wide identifiers (wwids) Either wwids or + combination of targetWWNs and lun must be + set, but not both simultaneously.' 
items: type: string type: array type: object flexVolume: - description: FlexVolume represents a generic volume + description: flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. properties: driver: - description: Driver is the name of the driver + description: driver is the name of the driver to use for this volume. type: string fsType: - description: Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - The default filesystem depends on FlexVolume - script. + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". The default filesystem depends + on FlexVolume script. type: string options: additionalProperties: type: string - description: 'Optional: Extra command options - if any.' + description: 'options is Optional: this field + holds extra command options if any.' type: object readOnly: - description: 'Optional: Defaults to false - (read/write). ReadOnly here will force the - ReadOnly setting in VolumeMounts.' + description: 'readOnly is Optional: defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts.' type: boolean secretRef: - description: 'Optional: SecretRef is reference - to the secret object containing sensitive - information to pass to the plugin scripts. - This may be empty if no secret object is - specified. If the secret object contains - more than one secret, all secrets are passed - to the plugin scripts.' + description: 'secretRef is Optional: secretRef + is reference to the secret object containing + sensitive information to pass to the plugin + scripts. This may be empty if no secret + object is specified. If the secret object + contains more than one secret, all secrets + are passed to the plugin scripts.' properties: name: description: 'Name of the referent. More 
@@ -6355,57 +7303,60 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic required: - driver type: object flocker: - description: Flocker represents a Flocker volume + description: flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running properties: datasetName: - description: Name of the dataset stored as - metadata -> name on the dataset for Flocker - should be considered as deprecated + description: datasetName is Name of the dataset + stored as metadata -> name on the dataset + for Flocker should be considered as deprecated type: string datasetUUID: - description: UUID of the dataset. This is - unique identifier of a Flocker dataset + description: datasetUUID is the UUID of the + dataset. This is unique identifier of a + Flocker dataset type: string type: object gcePersistentDisk: - description: 'GCEPersistentDisk represents a GCE + description: 'gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' properties: fsType: - description: 'Filesystem type of the volume - that you want to mount. Tip: Ensure that - the filesystem type is supported by the - host operating system. Examples: "ext4", - "xfs", "ntfs". Implicitly inferred to be - "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + description: 'fsType is filesystem type of + the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. 
More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk TODO: how do we prevent errors in the filesystem from compromising the machine' type: string partition: - description: 'The partition in the volume - that you want to mount. If omitted, the - default is to mount by volume name. Examples: - For volume /dev/sda1, you specify the partition - as "1". Similarly, the volume partition - for /dev/sda is "0" (or you can leave the - property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: 'partition is the partition in + the volume that you want to mount. If omitted, + the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify + the partition as "1". Similarly, the volume + partition for /dev/sda is "0" (or you can + leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' format: int32 type: integer pdName: - description: 'Unique name of the PD resource - in GCE. Used to identify the disk in GCE. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: 'pdName is unique name of the + PD resource in GCE. Used to identify the + disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' type: string readOnly: - description: 'ReadOnly here will force the + description: 'readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' type: boolean @@ -6413,7 +7364,7 @@ spec: - pdName type: object gitRepo: - description: 'GitRepo represents a git repository + description: 'gitRepo represents a git repository at a particular revision. DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer 
@@ -6421,39 +7372,39 @@ spec: EmptyDir into the Pod''s container.' properties: directory: - description: Target directory name. Must not - contain or start with '..'. If '.' is supplied, - the volume directory will be the git repository. Otherwise, - if specified, the volume will contain the - git repository in the subdirectory with - the given name. + description: directory is the target directory + name. Must not contain or start with '..'. If + '.' is supplied, the volume directory will + be the git repository. Otherwise, if specified, + the volume will contain the git repository + in the subdirectory with the given name. type: string repository: - description: Repository URL + description: repository is the URL type: string revision: - description: Commit hash for the specified - revision. + description: revision is the commit hash for + the specified revision. type: string required: - repository type: object glusterfs: - description: 'Glusterfs represents a Glusterfs + description: 'glusterfs represents a Glusterfs mount on the host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md' properties: endpoints: - description: 'EndpointsName is the endpoint - name that details Glusterfs topology. More - info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + description: 'endpoints is the endpoint name + that details Glusterfs topology. More info: + https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' type: string path: - description: 'Path is the Glusterfs volume + description: 'path is the Glusterfs volume path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' type: string readOnly: - description: 'ReadOnly here will force the + description: 'readOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' 
@@ -6463,87 +7414,87 @@ spec: - path type: object hostPath: - description: 'HostPath represents a pre-existing + description: 'hostPath represents a pre-existing file or directory on the host machine that is directly exposed to the container. This is generally used for system agents or other privileged things that are allowed to see the host machine. Most - containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - --- TODO(jonesdl) We need to restrict who can - use host directory mounts and who can/can not - mount host directories as read/write.' + containers will NOT need this. More info: https://kubernetes.' properties: path: - description: 'Path of the directory on the + description: 'path of the directory on the host. If the path is a symlink, it will follow the link to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' type: string type: - description: 'Type for HostPath Volume Defaults + description: 'type for HostPath Volume Defaults to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' type: string required: - path type: object iscsi: - description: 'ISCSI represents an ISCSI Disk resource + description: 'iscsi represents an ISCSI Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' properties: chapAuthDiscovery: - description: whether support iSCSI Discovery - CHAP authentication + description: chapAuthDiscovery defines whether + support iSCSI Discovery CHAP authentication type: boolean chapAuthSession: - description: whether support iSCSI Session - CHAP authentication + description: chapAuthSession defines whether + support iSCSI Session CHAP authentication type: boolean fsType: - description: 'Filesystem type of the volume - that you want to mount. Tip: Ensure that - the filesystem type is supported by the - host operating system. 
Examples: "ext4", - "xfs", "ntfs". Implicitly inferred to be - "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#iscsi TODO: how do we prevent errors in the filesystem from compromising the machine' type: string initiatorName: - description: Custom iSCSI Initiator Name. - If initiatorName is specified with iscsiInterface - simultaneously, new iSCSI interface : will be created for - the connection. + description: initiatorName is the custom iSCSI + Initiator Name. If initiatorName is specified + with iscsiInterface simultaneously, new + iSCSI interface : will be created for the connection. type: string iqn: - description: Target iSCSI Qualified Name. + description: iqn is the target iSCSI Qualified + Name. type: string iscsiInterface: - description: iSCSI Interface Name that uses - an iSCSI transport. Defaults to 'default' - (tcp). + description: iscsiInterface is the interface + Name that uses an iSCSI transport. Defaults + to 'default' (tcp). type: string lun: - description: iSCSI Target Lun number. + description: lun represents iSCSI Target Lun + number. format: int32 type: integer portals: - description: iSCSI Target Portal List. The - portal is either an IP or ip_addr:port if - the port is other than default (typically + description: portals is the iSCSI Target Portal + List. The portal is either an IP or ip_addr:port + if the port is other than default (typically TCP ports 860 and 3260). items: type: string type: array readOnly: - description: ReadOnly here will force the + description: readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. 
type: boolean secretRef: - description: CHAP Secret for iSCSI target - and initiator authentication + description: secretRef is the CHAP Secret + for iSCSI target and initiator authentication properties: name: description: 'Name of the referent. More @@ -6552,11 +7503,12 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic targetPortal: - description: iSCSI Target Portal. The Portal - is either an IP or ip_addr:port if the port - is other than default (typically TCP ports - 860 and 3260). + description: targetPortal is iSCSI Target + Portal. The Portal is either an IP or ip_addr:port + if the port is other than default (typically + TCP ports 860 and 3260). type: string required: - iqn @@ -6564,26 +7516,26 @@ spec: - targetPortal type: object name: - description: 'Volume''s name. Must be a DNS_LABEL + description: 'name of the volume. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string nfs: - description: 'NFS represents an NFS mount on the + description: 'nfs represents an NFS mount on the host that shares a pod''s lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' properties: path: - description: 'Path that is exported by the + description: 'path that is exported by the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: string readOnly: - description: 'ReadOnly here will force the + description: 'readOnly here will force the NFS export to be mounted with read-only permissions. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: boolean server: - description: 'Server is the hostname or IP + description: 'server is the hostname or IP address of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: string required: 
@@ -6591,118 +7543,112 @@ spec: - server type: object persistentVolumeClaim: - description: 'PersistentVolumeClaimVolumeSource + description: 'persistentVolumeClaimVolumeSource represents a reference to a PersistentVolumeClaim in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' properties: claimName: - description: 'ClaimName is the name of a PersistentVolumeClaim + description: 'claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' type: string readOnly: - description: Will force the ReadOnly setting - in VolumeMounts. Default false. + description: readOnly Will force the ReadOnly + setting in VolumeMounts. Default false. type: boolean required: - claimName type: object photonPersistentDisk: - description: PhotonPersistentDisk represents a + description: photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine properties: fsType: - description: Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - Implicitly inferred to be "ext4" if unspecified. + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. 
type: string pdID: - description: ID that identifies Photon Controller - persistent disk + description: pdID is the ID that identifies + Photon Controller persistent disk type: string required: - pdID type: object portworxVolume: - description: PortworxVolume represents a portworx + description: portworxVolume represents a portworx volume attached and mounted on kubelets host machine properties: fsType: - description: FSType represents the filesystem + description: fSType represents the filesystem type to mount Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. type: string readOnly: - description: Defaults to false (read/write). + description: readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. type: boolean volumeID: - description: VolumeID uniquely identifies + description: volumeID uniquely identifies a Portworx volume type: string required: - volumeID type: object projected: - description: Items for all in one resources secrets, - configmaps, and downward API + description: projected items for all in one resources + secrets, configmaps, and downward API properties: defaultMode: - description: Mode bits used to set permissions - on created files by default. Must be an - octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both - octal and decimal values, JSON requires - decimal values for mode bits. Directories - within the path are not affected by this - setting. This might be in conflict with - other options that affect the file mode, - like fsGroup, and the result can be other - mode bits set. + description: defaultMode are the mode bits + used to set permissions on created files + by default. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. 
Directories within the path are + not affected by this setting. format: int32 type: integer sources: - description: list of volume projections + description: sources is the list of volume + projections items: description: Projection that may be projected along with other supported volume types properties: configMap: - description: information about the configMap - data to project + description: configMap information about + the configMap data to project properties: items: - description: If unspecified, each - key-value pair in the Data field - of the referenced ConfigMap will - be projected into the volume as - a file whose name is the key and - content is the value. If specified, + description: items if unspecified, + each key-value pair in the Data + field of the referenced ConfigMap + will be projected into the volume + as a file whose name is the key + and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. - If a key is specified which is - not present in the ConfigMap, - the volume setup will error unless - it is marked optional. Paths must - be relative and may not contain - the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. properties: key: - description: The key to project. + description: key is the key + to project. type: string mode: - description: 'Optional: mode - bits used to set permissions + description: 'mode is Optional: + mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value 
@@ -6711,16 +7657,11 @@ spec: values, JSON requires decimal values for mode bits. If not specified, the volume - defaultMode will be used. - This might be in conflict - with other options that - affect the file mode, like - fsGroup, and the result - can be other mode bits set.' + defaultMode will be used.' format: int32 type: integer path: - description: The relative + description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain @@ -6740,14 +7681,15 @@ spec: apiVersion, kind, uid?' type: string optional: - description: Specify whether the - ConfigMap or its keys must be - defined + description: optional specify whether + the ConfigMap or its keys must + be defined type: boolean type: object + x-kubernetes-map-type: atomic downwardAPI: - description: information about the downwardAPI - data to project + description: downwardAPI information + about the downwardAPI data to project properties: items: description: Items is a list of @@ -6778,6 +7720,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic mode: description: 'Optional: mode bits used to set permissions @@ -6789,12 +7732,7 @@ spec: values, JSON requires decimal values for mode bits. If not specified, the volume - defaultMode will be used. - This might be in conflict - with other options that - affect the file mode, like - fsGroup, and the result - can be other mode bits set.' + defaultMode will be used.' format: int32 type: integer path: 
@@ -6838,41 +7776,37 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic required: - path type: object type: array type: object secret: - description: information about the secret - data to project + description: secret information about + the secret data to project properties: items: - description: If unspecified, each - key-value pair in the Data field - of the referenced Secret will - be projected into the volume as - a file whose name is the key and - content is the value. If specified, + description: items if unspecified, + each key-value pair in the Data + field of the referenced Secret + will be projected into the volume + as a file whose name is the key + and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. - If a key is specified which is - not present in the Secret, the - volume setup will error unless - it is marked optional. Paths must - be relative and may not contain - the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. properties: key: - description: The key to project. + description: key is the key + to project. type: string mode: - description: 'Optional: mode - bits used to set permissions + description: 'mode is Optional: + mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value @@ -6881,16 +7815,11 @@ spec: values, JSON requires decimal values for mode bits. If not specified, the volume - defaultMode will be used. - This might be in conflict - with other options that - affect the file mode, like - fsGroup, and the result - can be other mode bits set.' + defaultMode will be used.' format: int32 type: integer path: - description: The relative + description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain 
@@ -6910,16 +7839,19 @@ spec: apiVersion, kind, uid?' type: string optional: - description: Specify whether the - Secret or its key must be defined + description: optional field specify + whether the Secret or its key + must be defined type: boolean type: object + x-kubernetes-map-type: atomic serviceAccountToken: - description: information about the serviceAccountToken + description: serviceAccountToken is + information about the serviceAccountToken data to project properties: audience: - description: Audience is the intended + description: audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in @@ -6929,7 +7861,7 @@ spec: of the apiserver. type: string expirationSeconds: - description: ExpirationSeconds is + description: expirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, @@ -6945,7 +7877,7 @@ spec: format: int64 type: integer path: - description: Path is the path relative + description: path is the path relative to the mount point of the file to project the token into. type: string 
@@ -6954,41 +7886,39 @@ spec: type: object type: object type: array - required: - - sources type: object quobyte: - description: Quobyte represents a Quobyte mount + description: quobyte represents a Quobyte mount on the host that shares a pod's lifetime properties: group: - description: Group to map volume access to + description: group to map volume access to Default is no group type: string readOnly: - description: ReadOnly here will force the + description: readOnly here will force the Quobyte volume to be mounted with read-only permissions. Defaults to false. type: boolean registry: - description: Registry represents a single + description: registry represents a single or multiple Quobyte Registry services specified as a string as host:port pair (multiple entries are separated with commas) which acts as the central registry for volumes type: string tenant: - description: Tenant owning the given Quobyte + description: tenant owning the given Quobyte volume in the Backend Used with dynamically provisioned Quobyte volumes, value is set by the plugin type: string user: - description: User to map volume access to + description: user to map volume access to Defaults to serivceaccount user type: string volume: - description: Volume is a string that references + description: volume is a string that references an already created Quobyte volume by name. type: string required: 
@@ -6996,46 +7926,47 @@ spec: - volume type: object rbd: - description: 'RBD represents a Rados Block Device + description: 'rbd represents a Rados Block Device mount on the host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md' properties: fsType: - description: 'Filesystem type of the volume - that you want to mount. Tip: Ensure that - the filesystem type is supported by the - host operating system. Examples: "ext4", - "xfs", "ntfs". Implicitly inferred to be - "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#rbd TODO: how do we prevent errors in the filesystem from compromising the machine' type: string image: - description: 'The rados image name. More info: - https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: 'image is the rados image name. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string keyring: - description: 'Keyring is the path to key ring + description: 'keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string monitors: - description: 'A collection of Ceph monitors. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: 'monitors is a collection of + Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' items: type: string type: array pool: - description: 'The rados pool name. Default - is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: 'pool is the rados pool name. + Default is rbd. 
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string readOnly: - description: 'ReadOnly here will force the + description: 'readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: boolean secretRef: - description: 'SecretRef is name of the authentication + description: 'secretRef is name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' properties: 
@@ -7046,39 +7977,41 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic user: - description: 'The rados user name. Default - is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: 'user is the rados user name. + Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string required: - image - monitors type: object scaleIO: - description: ScaleIO represents a ScaleIO persistent + description: scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. properties: fsType: - description: Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - Default is "xfs". + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Default is "xfs". type: string gateway: - description: The host address of the ScaleIO - API Gateway. + description: gateway is the host address of + the ScaleIO API Gateway. type: string protectionDomain: - description: The name of the ScaleIO Protection - Domain for the configured storage. + description: protectionDomain is the name + of the ScaleIO Protection Domain for the + configured storage. type: string readOnly: - description: Defaults to false (read/write). + description: readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: SecretRef references to the secret + description: secretRef references to the secret for ScaleIO user and other sensitive information. If this is not provided, Login operation will fail. 
@@ -7090,27 +8023,29 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic sslEnabled: - description: Flag to enable/disable SSL communication - with Gateway, default false + description: sslEnabled Flag enable/disable + SSL communication with Gateway, default + false type: boolean storageMode: - description: Indicates whether the storage - for a volume should be ThickProvisioned + description: storageMode indicates whether + the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. type: string storagePool: - description: The ScaleIO Storage Pool associated - with the protection domain. + description: storagePool is the ScaleIO Storage + Pool associated with the protection domain. type: string system: - description: The name of the storage system - as configured in ScaleIO. + description: system is the name of the storage + system as configured in ScaleIO. type: string volumeName: - description: The name of a volume already - created in the ScaleIO system that is associated - with this volume source. + description: volumeName is the name of a volume + already created in the ScaleIO system that + is associated with this volume source. type: string required: - gateway 
@@ -7118,62 +8053,52 @@ spec: - system type: object secret: - description: 'Secret represents a secret that + description: 'secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' properties: defaultMode: - description: 'Optional: mode bits used to - set permissions on created files by default. - Must be an octal value between 0000 and - 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, - JSON requires decimal values for mode bits. - Defaults to 0644. Directories within the - path are not affected by this setting. This - might be in conflict with other options - that affect the file mode, like fsGroup, - and the result can be other mode bits set.' + description: 'defaultMode is Optional: mode + bits used to set permissions on created + files by default. Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. + Directories within the path are not affected + by this setting.' format: int32 type: integer items: - description: If unspecified, each key-value + description: items If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the Secret, the volume setup will error - unless it is marked optional. Paths must - be relative and may not contain the '..' - path or start with '..'. + and unlisted keys will not be present. items: description: Maps a string key to a path within a volume. properties: key: - description: The key to project. + description: key is the key to project. 
type: string mode: - description: 'Optional: mode bits used - to set permissions on this file. Must - be an octal value between 0000 and - 0777 or a decimal value between 0 - and 511. YAML accepts both octal and - decimal values, JSON requires decimal - values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can be - other mode bits set.' + description: 'mode is Optional: mode + bits used to set permissions on this + file. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal + and decimal values, JSON requires + decimal values for mode bits. If not + specified, the volume defaultMode + will be used.' format: int32 type: integer path: - description: The relative path of the - file to map the key to. May not be - an absolute path. May not contain + description: path is the relative path + of the file to map the key to. May + not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string 
@@ -7183,31 +8108,33 @@ spec: type: object type: array optional: - description: Specify whether the Secret or - its keys must be defined + description: optional field specify whether + the Secret or its keys must be defined type: boolean secretName: - description: 'Name of the secret in the pod''s - namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + description: 'secretName is the name of the + secret in the pod''s namespace to use. More + info: https://kubernetes.io/docs/concepts/storage/volumes#secret' type: string type: object storageos: - description: StorageOS represents a StorageOS + description: storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. properties: fsType: - description: Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - Implicitly inferred to be "ext4" if unspecified. + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. type: string readOnly: - description: Defaults to false (read/write). + description: readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: SecretRef specifies the secret + description: secretRef specifies the secret to use for obtaining the StorageOS API credentials. If not specified, default values will be attempted. properties: 
@@ -7218,13 +8145,14 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic volumeName: - description: VolumeName is the human-readable + description: volumeName is the human-readable name of the StorageOS volume. Volume names are only unique within a namespace. type: string volumeNamespace: - description: VolumeNamespace specifies the + description: volumeNamespace specifies the scope of the volume within StorageOS. If no namespace is specified then the Pod's namespace will be used. This allows the 
@@ -7232,32 +8160,33 @@ spec: StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to "default" if you are not using namespaces - within StorageOS. Namespaces that do not - pre-exist within StorageOS will be created. + within StorageOS. type: string type: object vsphereVolume: - description: VsphereVolume represents a vSphere + description: vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine properties: fsType: - description: Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - Implicitly inferred to be "ext4" if unspecified. + description: fsType is filesystem type to + mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. type: string storagePolicyID: - description: Storage Policy Based Management - (SPBM) profile ID associated with the StoragePolicyName. + description: storagePolicyID is the storage + Policy Based Management (SPBM) profile ID + associated with the StoragePolicyName. type: string storagePolicyName: - description: Storage Policy Based Management - (SPBM) profile name. + description: storagePolicyName is the storage + Policy Based Management (SPBM) profile name. type: string volumePath: - description: Path that identifies vSphere - volume vmdk + description: volumePath is the path that identifies + vSphere volume vmdk type: string required: - volumePath 
@@ -7272,8 +8201,8 @@ spec: type: object type: object description: 'A map of PyTorchReplicaType (type) to ReplicaSpec (value). - Specifies the PyTorch cluster configuration. For example, { "Master": - PyTorchReplicaSpec, "Worker": PyTorchReplicaSpec, }' + Specifies the PyTorch cluster configuration. For example, { "Master": + PyTorchReplicaSpec, "Worker": PyTorchReplicaSpec, }' type: object runPolicy: description: RunPolicy encapsulates various runtime policies of the @@ -7293,7 +8222,7 @@ spec: type: integer cleanPodPolicy: description: CleanPodPolicy defines the policy to kill pods after - the job completes. Default to Running. + the job completes. Default to None. type: string schedulingPolicy: description: SchedulingPolicy defines the policy related to scheduling, @@ -7309,14 +8238,25 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, quantity) - pairs. type: object priorityClass: type: string queue: type: string + scheduleTimeoutSeconds: + format: int32 + type: integer type: object + suspend: + default: false + description: suspend specifies whether the Job controller should + create Pods or not. If a Job is created with suspend set to + true, no Pods are created by the Job controller. If a Job is + suspended after creation (i.e. the flag goes from false to true), + the Job controller will delete all active Pods and PodGroups + associated with this Job. Users must design their workload to + gracefully handle this. + type: boolean ttlSecondsAfterFinished: description: TTLSecondsAfterFinished is the TTL to clean up jobs. It may take extra ReconcilePeriod seconds for the cleanup, since 
@@ -7390,10 +8330,7 @@ spec: format: int32 type: integer labelSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: 'Deprecated: Use Selector instead' properties: matchExpressions: description: matchExpressions is a list of label selector @@ -7436,6 +8373,13 @@ spec: only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic + selector: + description: A Selector is a label query over a set of resources. + The result of matchLabels and matchExpressions are ANDed. + An empty Selector matches all objects. A null Selector matches + no objects. + type: string succeeded: description: The number of pods which reached phase Succeeded. format: int32 @@ -7451,22 +8395,13 @@ spec: and is in UTC. format: date-time type: string - required: - - conditions - - replicaStatuses type: object type: object served: true storage: true subresources: scale: - labelSelectorPath: .status.labelSelector + labelSelectorPath: .status.replicaStatuses.Worker.selector specReplicasPath: .spec.pytorchReplicaSpecs.Worker.replicas - statusReplicasPath: .status.replicaStatuses.Active + statusReplicasPath: .status.replicaStatuses.Worker.active status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/kubeflow/helm/training-operator/crds/kubeflow.org_tfjobs.yaml b/kubeflow/helm/training-operator/crds/kubeflow.org_tfjobs.yaml index d1419d6ee..320313056 100644 --- a/kubeflow/helm/training-operator/crds/kubeflow.org_tfjobs.yaml +++ b/kubeflow/helm/training-operator/crds/kubeflow.org_tfjobs.yaml 
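Review bot: The scale subresource in the last pytorchjobs hunk now points `labelSelectorPath` at `.status.replicaStatuses.Worker.selector` and `statusReplicasPath` at `.status.replicaStatuses.Worker.active`, so scaling only resolves pods when the running operator fills in the new `selector` string added in `@@ -7436,6 +8373,13 @@`. The tfjobs CRD named at the end of this line lives under `crds/`, and this file presumably does too; Helm installs that directory once and does not update it on `helm upgrade`. Unless the deployment tooling applies CRDs separately, an existing cluster could therefore keep the old schema while the operator moves on, or the reverse. I would state this in the chart's upgrade notes, for example `CRDs under crds/ must be re-applied out of band before the operator is upgraded`.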
@@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.0 name: tfjobs.kubeflow.org spec: group: kubeflow.org @@ -64,7 +62,7 @@ spec: type: integer cleanPodPolicy: description: CleanPodPolicy defines the policy to kill pods after - the job completes. Default to Running. + the job completes. Default to None. type: string schedulingPolicy: description: SchedulingPolicy defines the policy related to scheduling, @@ -80,14 +78,25 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, quantity) - pairs. type: object priorityClass: type: string queue: type: string + scheduleTimeoutSeconds: + format: int32 + type: integer type: object + suspend: + default: false + description: suspend specifies whether the Job controller should + create Pods or not. If a Job is created with suspend set to + true, no Pods are created by the Job controller. If a Job is + suspended after creation (i.e. the flag goes from false to true), + the Job controller will delete all active Pods and PodGroups + associated with this Job. Users must design their workload to + gracefully handle this. + type: boolean ttlSecondsAfterFinished: description: TTLSecondsAfterFinished is the TTL to clean up jobs. It may take extra ReconcilePeriod seconds for the cleanup, since 
@@ -165,12 +174,7 @@ spec: with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum - by iterating through the elements of this - field and adding "weight" to the sum if the - node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most - preferred. + affinity expressions, etc. items: description: An empty preferred scheduling term matches all objects with implicit weight @@ -265,6 +269,7 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic weight: description: Weight associated with matching the corresponding nodeSelectorTerm, @@ -378,10 +383,12 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic type: array required: - nodeSelectorTerms type: object + x-kubernetes-map-type: atomic type: object podAffinity: description: Describes pod affinity scheduling rules @@ -397,12 +404,7 @@ spec: with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum - by iterating through the elements of this - field and adding "weight" to the sum if the - node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest - sum are the most preferred. + affinity expressions, etc. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added 
@@ -474,12 +476,87 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the + set of namespaces that the term + applies to. The term is applied + to the union of the namespaces selected + by this field and the ones listed + in the namespaces field. null selector + and null or empty namespaces list + means "this pod's namespace". An + empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); null - or empty list means "this pod's - namespace" + a static list of namespace names + that the term applies to. The term + is applied to the union of the namespaces + listed in this field and the ones + selected by namespaceSelector. null + or empty namespaces list and null + namespaceSelector means "this pod's + namespace". items: type: string type: array @@ -517,10 +594,7 @@ spec: this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually - evict the pod from its node. When there are - multiple elements, the lists of nodes corresponding - to each podAffinityTerm are intersected, i.e. - all terms must be satisfied. + evict the pod from its node. items: description: Defines a set of pods (namely those matching the labelSelector relative 
@@ -589,11 +663,80 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this field + and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies which - namespaces the labelSelector applies - to (matches against); null or empty - list means "this pod's namespace" + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". items: type: string type: array @@ -625,15 +768,7 @@ spec: may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum - of weights, i.e. for each node that meets - all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity - expressions, etc.), compute a sum by iterating - through the elements of this field and adding - "weight" to the sum if the node has pods which - matches the corresponding podAffinityTerm; - the node(s) with the highest sum are the most - preferred. + of weights, i.e. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added 
@@ -705,12 +840,87 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the + set of namespaces that the term + applies to. The term is applied + to the union of the namespaces selected + by this field and the ones listed + in the namespaces field. null selector + and null or empty namespaces list + means "this pod's namespace". An + empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); null - or empty list means "this pod's - namespace" + a static list of namespace names + that the term applies to. The term + is applied to the union of the namespaces + listed in this field and the ones + selected by namespaceSelector. null + or empty namespaces list and null + namespaceSelector means "this pod's + namespace". items: type: string type: array @@ -748,10 +958,7 @@ spec: by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to - eventually evict the pod from its node. When - there are multiple elements, the lists of - nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + eventually evict the pod from its node. items: description: Defines a set of pods (namely those matching the labelSelector relative 
@@ -820,11 +1027,80 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this field + and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies which - namespaces the labelSelector applies - to (matches against); null or empty - list means "this pod's namespace" + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". items: type: string type: array 
@@ -861,30 +1137,25 @@ spec: properties: args: description: 'Arguments to the entrypoint. The - docker image''s CMD is used if this is not provided. - Variable references $(VAR_NAME) are expanded - using the container''s environment. If a variable - cannot be resolved, the reference in the input - string will be unchanged. The $(VAR_NAME) syntax - can be escaped with a double $$, ie: $$(VAR_NAME). - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + container image''s CMD is used if this is not + provided. Variable references $(VAR_NAME) are + expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array command: description: 'Entrypoint array. Not executed within - a shell. The docker image''s ENTRYPOINT is used - if this is not provided. Variable references + a shell. The container image''s ENTRYPOINT is + used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. - The $(VAR_NAME) syntax can be escaped with a - double $$, ie: $$(VAR_NAME). Escaped references - will never be expanded, regardless of whether - the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array 
@@ -901,16 +1172,15 @@ spec: type: string value: description: 'Variable references $(VAR_NAME) - are expanded using the previous defined + are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be - unchanged. The $(VAR_NAME) syntax can - be escaped with a double $$, ie: $$(VAR_NAME). - Escaped references will never be expanded, - regardless of whether the variable exists - or not. Defaults to "".' + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' type: string valueFrom: description: Source for the environment @@ -936,6 +1206,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, @@ -955,6 +1226,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: 'Selects a resource of the container: only resources limits @@ -984,6 +1256,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -1006,6 +1279,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name @@ -1039,6 +1313,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be 
@@ -1058,10 +1333,12 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic type: object type: array image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images + description: 'Container image name. More info: + https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments @@ -1087,9 +1364,8 @@ spec: More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: One and only one of the following - should be specified. Exec specifies - the action to take. + description: Exec specifies the action + to take. properties: command: description: Command is the command @@ -1128,7 +1404,10 @@ spec: properties: name: description: The header field - name + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. type: string value: description: The header field @@ -1160,10 +1439,12 @@ spec: - port type: object tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not - yet supported TODO: implement a realistic - TCP lifecycle hook' + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. properties: host: description: 'Optional: Host name 
@@ -1184,27 +1465,18 @@ spec: type: object type: object preStop: - description: 'PreStop is called immediately + description: PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. - The reason for termination is passed to - the handler. The Pod''s termination grace - period countdown begins before the PreStop - hooked is executed. Regardless of the outcome - of the handler, the container will eventually - terminate within the Pod''s termination - grace period. Other management of the container - blocks until the hook completes or until - the termination grace period is reached. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + The Pod's termination grace period countdown + begins before the PreStop hook is executed. properties: exec: - description: One and only one of the following - should be specified. Exec specifies - the action to take. + description: Exec specifies the action + to take. properties: command: description: Command is the command @@ -1243,7 +1515,10 @@ spec: properties: name: description: The header field - name + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. type: string value: description: The header field @@ -1275,10 +1550,12 @@ spec: - port type: object tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not - yet supported TODO: implement a realistic - TCP lifecycle hook' + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. properties: host: description: 'Optional: Host name 
@@ -1305,9 +1582,8 @@ spec: Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -1332,6 +1608,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. @@ -1349,7 +1644,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -1400,10 +1699,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect 
@@ -1421,6 +1718,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. @@ -1435,14 +1744,13 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the system - additional information about the network connections - a container uses, but is primarily informational. - Not specifying a port here DOES NOT prevent - that port from being exposed. Any port which - is listening on the default "0.0.0.0" address - inside a container will be accessible from the - network. Cannot be updated. + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. items: description: ContainerPort represents a network port in a single container. @@ -1492,9 +1800,8 @@ spec: More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line 
@@ -1519,6 +1826,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. @@ -1536,7 +1862,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -1587,10 +1917,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect @@ -1608,6 +1936,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. 
@@ -1615,10 +1955,57 @@ spec: format: int32 type: integer type: object + resizePolicy: + description: Resources resize policy for the container. + items: + description: ContainerResizePolicy represents + resource resize policy for the container. + properties: + resourceName: + description: 'Name of the resource to which + this resource resize policy applies. Supported + values: cpu, memory.' + type: string + restartPolicy: + description: Restart policy to apply when + specified resource is resized. If not + specified, it defaults to NotRequired. + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: description: 'Compute Resources required by this - container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are + used by this container. \n This is an alpha + field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: ResourceClaim references one + entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available inside + a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -1628,7 +2015,7 @@ spec: x-kubernetes-int-or-string: true description: 'Limits describes the maximum amount of compute resources allowed. More - info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: @@ -1642,12 +2029,15 @@ spec: Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + value. Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object securityContext: - description: 'Security options the pod should - run with. More info: https://kubernetes.io/docs/concepts/policy/security-context/ + description: 'SecurityContext defines the security + options the container should be run with. If + set, the fields of SecurityContext override + the equivalent fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' properties: allowPrivilegeEscalation: @@ -1657,13 +2047,16 @@ spec: controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) - run as Privileged 2) has CAP_SYS_ADMIN' + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' type: boolean capabilities: description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the - container runtime. + container runtime. Note that this field + cannot be set when spec.os.name is windows. properties: add: description: Added capabilities 
@@ -1684,7 +2077,8 @@ spec: description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults - to false. + to false. Note that this field cannot be + set when spec.os.name is windows. type: boolean procMount: description: procMount denotes the type of @@ -1693,10 +2087,14 @@ spec: container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. type: string readOnlyRootFilesystem: description: Whether this container has a read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. type: boolean runAsGroup: description: The GID to run the entrypoint @@ -1704,7 +2102,8 @@ spec: if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer runAsNonRoot: @@ -1714,10 +2113,7 @@ spec: to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation - will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. + will be performed. May also be set in PodSecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint @@ -1726,7 +2122,8 @@ spec: May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer seLinuxOptions: 
@@ -1736,7 +2133,9 @@ spec: for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified - in SecurityContext takes precedence. + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. properties: level: description: Level is SELinux level label @@ -1759,7 +2158,9 @@ spec: description: The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container - options override the pod options. + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. properties: localhostProfile: description: localhostProfile indicates @@ -1790,7 +2191,9 @@ spec: the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified - in SecurityContext takes precedence. + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. properties: gmsaCredentialSpec: description: GMSACredentialSpec is where @@ -1804,6 +2207,16 @@ spec: the name of the GMSA credential spec to use. type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean runAsUserName: description: The UserName in Windows to run the entrypoint of the container 
@@ -1817,23 +2230,15 @@ spec: type: object type: object startupProbe: - description: 'StartupProbe indicates that the - Pod has successfully initialized. If specified, + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. - This can be used to provide different probe - parameters at the beginning of a Pod''s lifecycle, - when it might take a long time to load data - or warm a cache, than during steady-state operation. - This cannot be updated. This is a beta feature - enabled by the StartupProbe feature flag. More - info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -1858,6 +2263,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. 
@@ -1875,7 +2299,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -1926,10 +2354,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect @@ -1947,6 +2373,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. @@ -1966,15 +2404,7 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin - is opened on container start, is empty until - the first client attaches to stdin, and then - remains open and accepts data until the client - disconnects, at which time stdin is closed and - remains closed until the container is restarted. - If this flag is false, a container processes - that reads from stdin will never receive an - EOF. Default is false + sessions. type: boolean terminationMessagePath: description: 'Optional: Path at which the file 
@@ -1985,7 +2415,7 @@ spec: message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults - to /dev/termination-log. Cannot be updated.' + to /dev/termination-log.' type: string terminationMessagePolicy: description: Indicate how the termination message @@ -1995,9 +2425,7 @@ spec: FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with - an error. The log output is limited to 2048 - bytes or 80 lines, whichever is smaller. Defaults - to File. Cannot be updated. + an error. type: string tty: description: Whether this container should allocate 
@@ -2144,50 +2572,38 @@ spec: and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. - This field is alpha-level and is only honored by servers - that enable the EphemeralContainers feature. items: - description: An EphemeralContainer is a container - that may be added temporarily to an existing pod - for user-initiated activities such as debugging. - Ephemeral containers have no resource or scheduling - guarantees, and they will not be restarted when - they exit or when a pod is removed or restarted. - If an ephemeral container causes a pod to exceed - its resource allocation, the pod may be evicted. - Ephemeral containers may not be added by directly - updating the pod spec. They must be added via the - pod's ephemeralcontainers subresource, and they - will appear in the pod spec once added. This is - an alpha feature enabled by the EphemeralContainers - feature flag. + description: An EphemeralContainer is a temporary + container that you may add to an existing Pod for + user-initiated activities such as debugging. Ephemeral + containers have no resource or scheduling guarantees, + and they will not be restarted when they exit or + when a Pod is removed or restarted. The kubelet + may evict a Pod if an ephemeral container causes + the Pod to exceed its resource allocation. properties: args: description: 'Arguments to the entrypoint. The - docker image''s CMD is used if this is not provided. + image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input - string will be unchanged. The $(VAR_NAME) syntax - can be escaped with a double $$, ie: $$(VAR_NAME). - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. 
More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)".' items: type: string type: array command: description: 'Entrypoint array. Not executed within - a shell. The docker image''s ENTRYPOINT is used - if this is not provided. Variable references - $(VAR_NAME) are expanded using the container''s - environment. If a variable cannot be resolved, - the reference in the input string will be unchanged. - The $(VAR_NAME) syntax can be escaped with a - double $$, ie: $$(VAR_NAME). Escaped references - will never be expanded, regardless of whether - the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + a shell. The image''s ENTRYPOINT is used if + this is not provided. Variable references $(VAR_NAME) + are expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array 
@@ -2204,16 +2620,15 @@ spec: type: string value: description: 'Variable references $(VAR_NAME) - are expanded using the previous defined + are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be - unchanged. The $(VAR_NAME) syntax can - be escaped with a double $$, ie: $$(VAR_NAME). - Escaped references will never be expanded, - regardless of whether the variable exists - or not. Defaults to "".' + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' type: string valueFrom: description: Source for the environment @@ -2239,6 +2654,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, @@ -2258,6 +2674,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: 'Selects a resource of the container: only resources limits @@ -2287,6 +2704,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -2309,6 +2727,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name @@ -2342,6 +2761,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be 
@@ -2361,10 +2781,12 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic type: object type: array image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images' + description: 'Container image name. More info: + https://kubernetes.io/docs/concepts/containers/images' type: string imagePullPolicy: description: 'Image pull policy. One of Always, @@ -2385,9 +2807,8 @@ spec: More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: One and only one of the following - should be specified. Exec specifies - the action to take. + description: Exec specifies the action + to take. properties: command: description: Command is the command @@ -2426,7 +2847,10 @@ spec: properties: name: description: The header field - name + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. type: string value: description: The header field @@ -2458,10 +2882,12 @@ spec: - port type: object tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not - yet supported TODO: implement a realistic - TCP lifecycle hook' + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. properties: host: description: 'Optional: Host name 
@@ -2482,27 +2908,18 @@ spec: type: object type: object preStop: - description: 'PreStop is called immediately + description: PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. - The reason for termination is passed to - the handler. The Pod''s termination grace - period countdown begins before the PreStop - hooked is executed. Regardless of the outcome - of the handler, the container will eventually - terminate within the Pod''s termination - grace period. Other management of the container - blocks until the hook completes or until - the termination grace period is reached. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + The Pod's termination grace period countdown + begins before the PreStop hook is executed. properties: exec: - description: One and only one of the following - should be specified. Exec specifies - the action to take. + description: Exec specifies the action + to take. properties: command: description: Command is the command @@ -2541,7 +2958,10 @@ spec: properties: name: description: The header field - name + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. type: string value: description: The header field @@ -2573,10 +2993,12 @@ spec: - port type: object tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not - yet supported TODO: implement a realistic - TCP lifecycle hook' + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. properties: host: description: 'Optional: Host name 
@@ -2602,9 +3024,8 @@ spec: containers. properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -2629,6 +3050,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. @@ -2646,7 +3086,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -2697,10 +3141,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect 
@@ -2718,6 +3160,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. @@ -2772,14 +3226,17 @@ spec: - containerPort type: object type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map readinessProbe: description: Probes are not allowed for ephemeral containers. properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -2804,6 +3261,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. 
@@ -2821,7 +3297,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -2872,10 +3352,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect @@ -2893,6 +3371,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. 
@@ -2900,11 +3390,58 @@ spec: format: int32 type: integer type: object + resizePolicy: + description: Resources resize policy for the container. + items: + description: ContainerResizePolicy represents + resource resize policy for the container. + properties: + resourceName: + description: 'Name of the resource to which + this resource resize policy applies. Supported + values: cpu, memory.' + type: string + restartPolicy: + description: Restart policy to apply when + specified resource is resized. If not + specified, it defaults to NotRequired. + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: description: Resources are not allowed for ephemeral containers. Ephemeral containers use spare resources already allocated to the pod. properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are + used by this container. \n This is an alpha + field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: ResourceClaim references one + entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available inside + a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -2914,7 +3451,7 @@ spec: x-kubernetes-int-or-string: true description: 'Limits describes the maximum amount of compute resources allowed. More - info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: 
@@ -2928,12 +3465,15 @@ spec: Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + value. Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object securityContext: - description: SecurityContext is not allowed for - ephemeral containers. + description: 'Optional: SecurityContext defines + the security options the ephemeral container + should be run with. If set, the fields of SecurityContext + override the equivalent fields of PodSecurityContext.' properties: allowPrivilegeEscalation: description: 'AllowPrivilegeEscalation controls @@ -2942,13 +3482,16 @@ spec: controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) - run as Privileged 2) has CAP_SYS_ADMIN' + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' type: boolean capabilities: description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the - container runtime. + container runtime. Note that this field + cannot be set when spec.os.name is windows. properties: add: description: Added capabilities @@ -2969,7 +3512,8 @@ spec: description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults - to false. + to false. Note that this field cannot be + set when spec.os.name is windows. type: boolean procMount: description: procMount denotes the type of 
@@ -2978,10 +3522,14 @@ spec: container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. type: string readOnlyRootFilesystem: description: Whether this container has a read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. type: boolean runAsGroup: description: The GID to run the entrypoint @@ -2989,7 +3537,8 @@ spec: if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer runAsNonRoot: @@ -2999,10 +3548,7 @@ spec: to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation - will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. + will be performed. May also be set in PodSecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint @@ -3011,7 +3557,8 @@ spec: May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer seLinuxOptions: @@ -3021,7 +3568,9 @@ spec: for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified - in SecurityContext takes precedence. + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. properties: level: description: Level is SELinux level label 
@@ -3044,7 +3593,9 @@ spec: description: The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container - options override the pod options. + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. properties: localhostProfile: description: localhostProfile indicates @@ -3075,7 +3626,9 @@ spec: the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified - in SecurityContext takes precedence. + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. properties: gmsaCredentialSpec: description: GMSACredentialSpec is where @@ -3089,6 +3642,16 @@ spec: the name of the GMSA credential spec to use. type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean runAsUserName: description: The UserName in Windows to run the entrypoint of the container @@ -3106,9 +3669,8 @@ spec: containers. properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line 
@@ -3133,6 +3695,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. @@ -3150,7 +3731,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -3201,10 +3786,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect @@ -3222,6 +3805,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. 
@@ -3241,24 +3836,16 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin - is opened on container start, is empty until - the first client attaches to stdin, and then - remains open and accepts data until the client - disconnects, at which time stdin is closed and - remains closed until the container is restarted. - If this flag is false, a container processes - that reads from stdin will never receive an - EOF. Default is false + sessions. type: boolean targetContainerName: - description: If set, the name of the container + description: "If set, the name of the container from PodSpec that this ephemeral container targets. The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container. If not set - then the ephemeral container is run in whatever - namespaces are shared for the pod. Note that - the container runtime must support this feature. + then the ephemeral container uses the namespaces + configured in the Pod spec. \n The container + runtime must implement support for this feature." type: string terminationMessagePath: description: 'Optional: Path at which the file @@ -3269,7 +3856,7 @@ spec: message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults - to /dev/termination-log. Cannot be updated.' + to /dev/termination-log.' type: string terminationMessagePolicy: description: Indicate how the termination message @@ -3279,9 +3866,7 @@ spec: FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with - an error. The log output is limited to 2048 - bytes or 80 lines, whichever is smaller. Defaults - to File. Cannot be updated. + an error. type: string tty: description: Whether this container should allocate 
@@ -3311,7 +3896,8 @@ spec: type: array volumeMounts: description: Pod volumes to mount into the container's - filesystem. Cannot be updated. + filesystem. Subpath mounts are not allowed for + ephemeral containers. Cannot be updated. items: description: VolumeMount describes a mounting of a Volume within a container. @@ -3400,6 +3986,15 @@ spec: description: 'Use the host''s pid namespace. Optional: Default to false.' type: boolean + hostUsers: + description: 'Use the host''s user namespace. Optional: + Default to true. If set to true or not present, the + pod will be run in the host user namespace, useful + for when the pod needs a feature only available to + the host user namespace, such as loading a kernel + module with CAP_SYS_MODULE. When set to false, a new + userns is created for the pod.' + type: boolean hostname: description: Specifies the hostname of the Pod If not specified, the pod's hostname will be set to a system-defined @@ -3410,9 +4005,8 @@ spec: references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual - puller implementations for them to use. For example, - in the case of docker, only DockerConfig type secrets - are honored. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' + puller implementations for them to use. More info: + https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' items: description: LocalObjectReference contains enough information to let you locate the referenced object 
@@ -3425,54 +4019,41 @@ spec: uid?' type: string type: object + x-kubernetes-map-type: atomic type: array initContainers: - description: 'List of initialization containers belonging + description: List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique - among all containers. Init containers may not have - Lifecycle actions, Readiness probes, Liveness probes, - or Startup probes. The resourceRequirements of an - init container are taken into account during scheduling - by finding the highest request/limit for each resource - type, and then using the max of of that value or the - sum of the normal containers. Limits are applied to - init containers in a similar fashion. Init containers - cannot currently be added or removed. Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/' + among all containers. items: description: A single application container that you want to run within a pod. properties: args: description: 'Arguments to the entrypoint. The - docker image''s CMD is used if this is not provided. - Variable references $(VAR_NAME) are expanded - using the container''s environment. If a variable - cannot be resolved, the reference in the input - string will be unchanged. The $(VAR_NAME) syntax - can be escaped with a double $$, ie: $$(VAR_NAME). - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + container image''s CMD is used if this is not + provided. Variable references $(VAR_NAME) are + expanded using the container''s environment. 
+ If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array command: description: 'Entrypoint array. Not executed within - a shell. The docker image''s ENTRYPOINT is used - if this is not provided. Variable references + a shell. The container image''s ENTRYPOINT is + used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. - The $(VAR_NAME) syntax can be escaped with a - double $$, ie: $$(VAR_NAME). Escaped references - will never be expanded, regardless of whether - the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array @@ -3489,16 +4070,15 @@ spec: type: string value: description: 'Variable references $(VAR_NAME) - are expanded using the previous defined + are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be - unchanged. The $(VAR_NAME) syntax can - be escaped with a double $$, ie: $$(VAR_NAME). - Escaped references will never be expanded, - regardless of whether the variable exists - or not. Defaults to "".' + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' type: string valueFrom: description: Source for the environment 
@@ -3524,6 +4104,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, @@ -3543,6 +4124,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: 'Selects a resource of the container: only resources limits @@ -3572,6 +4154,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -3594,6 +4177,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name @@ -3627,6 +4211,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be @@ -3646,10 +4231,12 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic type: object type: array image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images + description: 'Container image name. More info: + https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments @@ -3675,9 +4262,8 @@ spec: More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: One and only one of the following - should be specified. Exec specifies - the action to take. + description: Exec specifies the action + to take. properties: command: description: Command is the command @@ -3716,7 +4302,10 @@ spec: properties: name: description: The header field - name + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. type: string value: description: The header field 
@@ -3748,10 +4337,12 @@ spec: - port type: object tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not - yet supported TODO: implement a realistic - TCP lifecycle hook' + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. properties: host: description: 'Optional: Host name @@ -3772,27 +4363,18 @@ spec: type: object type: object preStop: - description: 'PreStop is called immediately + description: PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. - The reason for termination is passed to - the handler. The Pod''s termination grace - period countdown begins before the PreStop - hooked is executed. Regardless of the outcome - of the handler, the container will eventually - terminate within the Pod''s termination - grace period. Other management of the container - blocks until the hook completes or until - the termination grace period is reached. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + The Pod's termination grace period countdown + begins before the PreStop hook is executed. properties: exec: - description: One and only one of the following - should be specified. Exec specifies - the action to take. + description: Exec specifies the action + to take. properties: command: description: Command is the command @@ -3831,7 +4413,10 @@ spec: properties: name: description: The header field - name + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. type: string value: description: The header field 
@@ -3863,10 +4448,12 @@ spec: - port type: object tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not - yet supported TODO: implement a realistic - TCP lifecycle hook' + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. properties: host: description: 'Optional: Host name @@ -3893,9 +4480,8 @@ spec: Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -3920,6 +4506,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. @@ -3937,7 +4542,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value 
@@ -3988,10 +4597,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect @@ -4009,6 +4616,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. @@ -4023,14 +4642,13 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the system - additional information about the network connections - a container uses, but is primarily informational. - Not specifying a port here DOES NOT prevent - that port from being exposed. Any port which - is listening on the default "0.0.0.0" address - inside a container will be accessible from the - network. Cannot be updated. + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. items: description: ContainerPort represents a network port in a single container. 
@@ -4080,9 +4698,8 @@ spec: More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -4107,6 +4724,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. @@ -4124,7 +4760,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -4175,10 +4815,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect 
@@ -4196,6 +4834,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. 
@@ -4203,10 +4853,57 @@ spec: format: int32 type: integer type: object + resizePolicy: + description: Resources resize policy for the container. + items: + description: ContainerResizePolicy represents + resource resize policy for the container. + properties: + resourceName: + description: 'Name of the resource to which + this resource resize policy applies. Supported + values: cpu, memory.' + type: string + restartPolicy: + description: Restart policy to apply when + specified resource is resized. If not + specified, it defaults to NotRequired. + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: description: 'Compute Resources required by this - container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are + used by this container. \n This is an alpha + field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: ResourceClaim references one + entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available inside + a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -4216,7 +4913,7 @@ spec: x-kubernetes-int-or-string: true description: 'Limits describes the maximum amount of compute resources allowed. More - info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: @@ -4230,12 +4927,15 @@ spec: Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + value. Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object securityContext: - description: 'Security options the pod should - run with. More info: https://kubernetes.io/docs/concepts/policy/security-context/ + description: 'SecurityContext defines the security + options the container should be run with. If + set, the fields of SecurityContext override + the equivalent fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' properties: allowPrivilegeEscalation: @@ -4245,13 +4945,16 @@ spec: controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) - run as Privileged 2) has CAP_SYS_ADMIN' + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' type: boolean capabilities: description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the - container runtime. + container runtime. Note that this field + cannot be set when spec.os.name is windows. properties: add: description: Added capabilities 
@@ -4272,7 +4975,8 @@ spec: description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults - to false. + to false. Note that this field cannot be + set when spec.os.name is windows. type: boolean procMount: description: procMount denotes the type of @@ -4281,10 +4985,14 @@ spec: container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. type: string readOnlyRootFilesystem: description: Whether this container has a read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. type: boolean runAsGroup: description: The GID to run the entrypoint @@ -4292,7 +5000,8 @@ spec: if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer runAsNonRoot: @@ -4302,10 +5011,7 @@ spec: to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation - will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. + will be performed. May also be set in PodSecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint @@ -4314,7 +5020,8 @@ spec: May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer seLinuxOptions: 
@@ -4324,7 +5031,9 @@ spec: for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified - in SecurityContext takes precedence. + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. properties: level: description: Level is SELinux level label @@ -4347,7 +5056,9 @@ spec: description: The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container - options override the pod options. + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. properties: localhostProfile: description: localhostProfile indicates @@ -4378,7 +5089,9 @@ spec: the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified - in SecurityContext takes precedence. + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. properties: gmsaCredentialSpec: description: GMSACredentialSpec is where @@ -4392,6 +5105,16 @@ spec: the name of the GMSA credential spec to use. type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean runAsUserName: description: The UserName in Windows to run the entrypoint of the container 
@@ -4405,23 +5128,15 @@ spec: type: object type: object startupProbe: - description: 'StartupProbe indicates that the - Pod has successfully initialized. If specified, + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. - This can be used to provide different probe - parameters at the beginning of a Pod''s lifecycle, - when it might take a long time to load data - or warm a cache, than during steady-state operation. - This cannot be updated. This is a beta feature - enabled by the StartupProbe feature flag. More - info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -4446,6 +5161,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. 
@@ -4463,7 +5197,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -4514,10 +5252,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect @@ -4535,6 +5271,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. @@ -4554,15 +5302,7 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin - is opened on container start, is empty until - the first client attaches to stdin, and then - remains open and accepts data until the client - disconnects, at which time stdin is closed and - remains closed until the container is restarted. - If this flag is false, a container processes - that reads from stdin will never receive an - EOF. Default is false + sessions. type: boolean terminationMessagePath: description: 'Optional: Path at which the file 
@@ -4573,7 +5313,7 @@ spec: message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults - to /dev/termination-log. Cannot be updated.' + to /dev/termination-log.' type: string terminationMessagePolicy: description: Indicate how the termination message @@ -4583,9 +5323,7 @@ spec: FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with - an error. The log output is limited to 2048 - bytes or 80 lines, whichever is smaller. Defaults - to File. Cannot be updated. + an error. type: string tty: description: Whether this container should allocate @@ -4684,6 +5422,28 @@ spec: must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' type: object + x-kubernetes-map-type: atomic + os: + description: "Specifies the OS of the containers in + the pod. Some pod and container fields are restricted + if this is set. \n If the OS field is set to linux, + the following fields must be unset: -securityContext.windowsOptions + \n If the OS field is set to windows, following fields + must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers + - spec.securityContext.seLinuxOptions - spec.securityContext." + properties: + name: + description: 'Name is the name of the operating + system. The currently supported values are linux + and windows. Additional value may be defined in + future and can be one of: https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration + Clients should expect to handle additional values + and treat unrecognized values in this field as + os: null' + type: string + required: + - name + type: object overhead: additionalProperties: anyOf: 
@@ -4691,28 +5451,19 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Overhead represents the resource overhead + description: Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. This field will be autopopulated at admission time by the RuntimeClass admission controller. If the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests. The RuntimeClass admission controller will reject Pod create requests which have - the overhead already set. If RuntimeClass is configured - and selected in the PodSpec, Overhead will be set - to the value defined in the corresponding RuntimeClass, - otherwise it will remain unset and treated as zero. - More info: https://git.k8s.io/enhancements/keps/sig-node/20190226-pod-overhead.md - This field is alpha-level as of Kubernetes v1.16, - and is only honored by servers that enable the PodOverhead - feature.' + the overhead already set. type: object preemptionPolicy: description: PreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. - Defaults to PreemptLowerPriority if unset. This field - is beta-level, gated by the NonPreemptingPriority - feature-gate. + Defaults to PreemptLowerPriority if unset. type: string priority: description: The priority value. Various system components @@ -4737,7 +5488,7 @@ spec: be evaluated for pod readiness. A pod is ready when all its containers are ready AND all conditions specified in the readiness gates have status equal to "True" - More info: https://git.k8s.io/enhancements/keps/sig-network/0007-pod-ready%2B%2B.md' + More info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates' items: description: PodReadinessGate contains the reference to a pod condition 
@@ -4750,10 +5501,57 @@ spec: - conditionType type: object type: array + resourceClaims: + description: "ResourceClaims defines which ResourceClaims + must be allocated and reserved before the Pod is allowed + to start. The resources will be made available to + those containers which consume them by name. \n This + is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable." + items: + description: PodResourceClaim references exactly one + ResourceClaim through a ClaimSource. It adds a name + to it that uniquely identifies the ResourceClaim + inside the Pod. Containers that need access to the + ResourceClaim reference it with this name. + properties: + name: + description: Name uniquely identifies this resource + claim inside the pod. This must be a DNS_LABEL. + type: string + source: + description: Source describes where to find the + ResourceClaim. + properties: + resourceClaimName: + description: ResourceClaimName is the name + of a ResourceClaim object in the same namespace + as this pod. + type: string + resourceClaimTemplateName: + description: "ResourceClaimTemplateName is + the name of a ResourceClaimTemplate object + in the same namespace as this pod. \n The + template will be used to create a new ResourceClaim, + which will be bound to this pod. When this + pod is deleted, the ResourceClaim will also + be deleted. The name of the ResourceClaim + will be -, where + is the PodResourceClaim.Name." + type: string + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map restartPolicy: description: 'Restart policy for all containers within - the pod. One of Always, OnFailure, Never. Default - to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy' + the pod. One of Always, OnFailure, Never. In some + contexts, only a subset of those values may be permitted. + Default to Always. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy' type: string runtimeClassName: description: 'RuntimeClassName refers to a RuntimeClass @@ -4763,14 +5561,37 @@ spec: or empty, the "legacy" RuntimeClass will be used, which is an implicit class with an empty definition that uses the default runtime handler. More info: - https://git.k8s.io/enhancements/keps/sig-node/runtime-class.md - This is a beta feature as of Kubernetes v1.14.' + https://git.k8s.' type: string schedulerName: description: If specified, the pod will be dispatched by specified scheduler. If not specified, the pod will be dispatched by default scheduler. type: string + schedulingGates: + description: "SchedulingGates is an opaque list of values + that if specified will block scheduling the pod. If + schedulingGates is not empty, the pod will stay in + the SchedulingGated state and the scheduler will not + attempt to schedule the pod. \n SchedulingGates can + only be set at pod creation time, and be removed only + afterwards. \n This is a beta feature enabled by the + PodSchedulingReadiness feature gate." + items: + description: PodSchedulingGate is associated to a + Pod to guard its scheduling. + properties: + name: + description: Name of the scheduling gate. Each + scheduling gate must have a unique name field. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map securityContext: description: 'SecurityContext holds pod-level security attributes and common container settings. Optional: 
@@ -4784,9 +5605,7 @@ spec: of that volume to be owned by the pod: \n 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be - owned by FSGroup) 3. The permission bits are OR'd - with rw-rw---- \n If unset, the Kubelet will not - modify the ownership and permissions of any volume." + owned by FSGroup) 3." format: int64 type: integer fsGroupChangePolicy: @@ -4797,7 +5616,7 @@ spec: based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" - and "Always". If not specified defaults to "Always".' + and "Always". If not specified, "Always" is used.' type: string runAsGroup: description: The GID to run the entrypoint of the @@ -4805,7 +5624,8 @@ spec: May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. + for that container. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer runAsNonRoot: @@ -4815,9 +5635,7 @@ spec: does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be - set in SecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in - SecurityContext takes precedence. + set in SecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint of the @@ -4826,6 +5644,8 @@ spec: set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. + Note that this field cannot be set when spec.os.name + is windows. format: int64 type: integer seLinuxOptions: 
@@ -4835,7 +5655,8 @@ spec: for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. + for that container. Note that this field cannot + be set when spec.os.name is windows. properties: level: description: Level is SELinux level label that @@ -4856,7 +5677,8 @@ spec: type: object seccompProfile: description: The seccomp options to use by the containers - in this pod. + in this pod. Note that this field cannot be set + when spec.os.name is windows. properties: localhostProfile: description: localhostProfile indicates a profile @@ -4881,8 +5703,11 @@ spec: supplementalGroups: description: A list of groups applied to the first process run in each container, in addition to - the container's primary GID. If unspecified, - no groups will be added to any container. + the container's primary GID, the fsGroup (if specified), + and group memberships defined in the container + image for the uid of the container process. If + unspecified, no additional groups are added to + any container. items: format: int64 type: integer @@ -4891,6 +5716,8 @@ spec: description: Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name + is windows. items: description: Sysctl defines a kernel parameter to be set @@ -4912,6 +5739,8 @@ spec: within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is linux. properties: gmsaCredentialSpec: description: GMSACredentialSpec is where the 
@@ -4923,6 +5752,15 @@ spec: description: GMSACredentialSpecName is the name of the GMSA credential spec to use. type: string + hostProcess: + description: HostProcess determines if a container + should be run as a 'Host Process' container. + This field is alpha-level and will only be + honored by components that enable the WindowsHostProcessContainers + feature flag. Setting this field without the + feature flag will result in errors when validating + the Pod. + type: boolean runAsUserName: description: The UserName in Windows to run the entrypoint of the container process. Defaults @@ -4949,11 +5787,7 @@ spec: as the pod's FQDN, rather than the leaf name (the default). In Linux containers, this means setting the FQDN in the hostname field of the kernel (the - nodename field of struct utsname). In Windows containers, - this means setting the registry value of hostname - for the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters - to FQDN. If a pod does not have FQDN, this has no - effect. Default to false. + nodename field of struct utsname). type: boolean shareProcessNamespace: description: 'Share a single process namespace between @@ -4974,14 +5808,9 @@ spec: description: Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request. Value must be non-negative integer. The value - zero indicates delete immediately. If this value is - nil, the default grace period will be used instead. - The grace period is the duration in seconds after - the processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer than - the expected cleanup time for your process. Defaults - to 30 seconds. + zero indicates stop immediately via the kill signal + (no opportunity to shut down). If this value is nil, + the default grace period will be used instead. format: int64 type: integer tolerations: 
@@ -5091,56 +5920,83 @@ spec: "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label + keys to select the pods over which spreading + will be calculated. The keys are used to lookup + values from the incoming pod labels, those key-value + labels are ANDed with labelSelector to select + the group of existing pods over which spreading + will be calculated for the incoming pod. The + same key is forbidden to exist in both MatchLabelKeys + and LabelSelector. + items: + type: string + type: array + x-kubernetes-list-type: atomic maxSkew: - description: 'MaxSkew describes the degree to - which pods may be unevenly distributed. When - `whenUnsatisfiable=DoNotSchedule`, it is the - maximum permitted difference between the number - of matching pods in the target topology and - the global minimum. For example, in a 3-zone - cluster, MaxSkew is set to 1, and pods with - the same labelSelector spread as 1/1/0: | zone1 - | zone2 | zone3 | | P | P | | - - if MaxSkew is 1, incoming pod can only be - scheduled to zone3 to become 1/1/1; scheduling - it onto zone1(zone2) would make the ActualSkew(2-0) - on zone1(zone2) violate MaxSkew(1). - if MaxSkew - is 2, incoming pod can be scheduled onto any - zone. When `whenUnsatisfiable=ScheduleAnyway`, - it is used to give higher precedence to topologies - that satisfy it. It''s a required field. Default - value is 1 and 0 is not allowed.' + description: MaxSkew describes the degree to which + pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between + the number of matching pods in the target topology + and the global minimum. The global minimum is + the minimum number of matching pods in an eligible + domain or zero if the number of eligible domains + is less than MinDomains. 
format: int32 type: integer + minDomains: + description: MinDomains indicates a minimum number + of eligible domains. When the number of eligible + domains with matching topology keys is less + than minDomains, Pod Topology Spread treats + "global minimum" as 0, and then the calculation + of Skew is performed. And when the number of + eligible domains with matching topology keys + equals or greater than minDomains, this value + has no effect on scheduling. + format: int32 + type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how + we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options + are: - Honor: only nodes matching nodeAffinity/nodeSelector + are included in the calculations. - Ignore: + nodeAffinity/nodeSelector are ignored. All nodes + are included in the calculations. \n If this + value is nil, the behavior is equivalent to + the Honor policy." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we + will treat node taints when calculating pod + topology spread skew. Options are: - Honor: + nodes without taints, along with tainted nodes + for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. + All nodes are included. \n If this value is + nil, the behavior is equivalent to the Ignore + policy." + type: string topologyKey: description: TopologyKey is the key of node labels. Nodes that have a label with this key and identical values are considered to be in the same topology. We consider each as a "bucket", and try to put balanced number of pods into - each bucket. It's a required field. + each bucket. We define a domain as a particular + instance of a topology. type: string whenUnsatisfiable: - description: 'WhenUnsatisfiable indicates how - to deal with a pod if it doesn''t satisfy the - spread constraint. - DoNotSchedule (default) - tells the scheduler not to schedule it. 
- ScheduleAnyway + description: WhenUnsatisfiable indicates how to + deal with a pod if it doesn't satisfy the spread + constraint. - DoNotSchedule (default) tells + the scheduler not to schedule it. - ScheduleAnyway tells the scheduler to schedule the pod in any - location, but giving higher precedence to - topologies that would help reduce the skew. - A constraint is considered "Unsatisfiable" for - an incoming pod if and only if every possible - node assigment for that pod would violate "MaxSkew" - on some topology. For example, in a 3-zone cluster, - MaxSkew is set to 1, and pods with the same - labelSelector spread as 3/1/1: | zone1 | zone2 - | zone3 | | P P P | P | P | If WhenUnsatisfiable - is set to DoNotSchedule, incoming pod can only - be scheduled to zone2(zone3) to become 3/2/1(3/1/2) - as ActualSkew(2-1) on zone2(zone3) satisfies - MaxSkew(1). In other words, the cluster can - still be imbalanced, but scheduler won''t make - it *more* imbalanced. It''s a required field.' + location, but giving higher precedence to topologies + that would help reduce the skew. type: string required: - maxSkew 
@@ -5161,77 +6017,78 @@ spec: pod. properties: awsElasticBlockStore: - description: 'AWSElasticBlockStore represents + description: 'awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' properties: fsType: - description: 'Filesystem type of the volume - that you want to mount. Tip: Ensure that - the filesystem type is supported by the - host operating system. Examples: "ext4", - "xfs", "ntfs". Implicitly inferred to be - "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore TODO: how do we prevent errors in the filesystem from compromising the machine' type: string partition: - description: 'The partition in the volume - that you want to mount. If omitted, the - default is to mount by volume name. Examples: - For volume /dev/sda1, you specify the partition - as "1". Similarly, the volume partition - for /dev/sda is "0" (or you can leave the - property empty).' + description: 'partition is the partition in + the volume that you want to mount. If omitted, + the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify + the partition as "1". Similarly, the volume + partition for /dev/sda is "0" (or you can + leave the property empty).' format: int32 type: integer readOnly: - description: 'Specify "true" to force and - set the ReadOnly property in VolumeMounts - to "true". If omitted, the default is "false". 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + description: 'readOnly value true will force + the readOnly setting in VolumeMounts. More + info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' type: boolean volumeID: - description: 'Unique ID of the persistent - disk resource in AWS (Amazon EBS volume). - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + description: 'volumeID is unique ID of the + persistent disk resource in AWS (Amazon + EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' type: string required: - volumeID type: object azureDisk: - description: AzureDisk represents an Azure Data + description: azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. properties: cachingMode: - description: 'Host Caching mode: None, Read - Only, Read Write.' + description: 'cachingMode is the Host Caching + mode: None, Read Only, Read Write.' type: string diskName: - description: The Name of the data disk in - the blob storage + description: diskName is the Name of the data + disk in the blob storage type: string diskURI: - description: The URI the data disk in the - blob storage + description: diskURI is the URI of data disk + in the blob storage type: string fsType: - description: Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - Implicitly inferred to be "ext4" if unspecified. + description: fsType is Filesystem type to + mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. 
type: string kind: - description: 'Expected values Shared: multiple - blob disks per storage account Dedicated: + description: 'kind expected values are Shared: + multiple blob disks per storage account Dedicated: single blob disk per storage account Managed: azure managed data disk (only in managed availability set). defaults to shared' type: string readOnly: - description: Defaults to false (read/write). + description: readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. type: boolean 
@@ -5240,56 +6097,59 @@ spec: - diskURI type: object azureFile: - description: AzureFile represents an Azure File + description: azureFile represents an Azure File Service mount on the host and bind mount to the pod. properties: readOnly: - description: Defaults to false (read/write). + description: readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. type: boolean secretName: - description: the name of secret that contains - Azure Storage Account Name and Key + description: secretName is the name of secret + that contains Azure Storage Account Name + and Key type: string shareName: - description: Share Name + description: shareName is the azure share + Name type: string required: - secretName - shareName type: object cephfs: - description: CephFS represents a Ceph FS mount + description: cephFS represents a Ceph FS mount on the host that shares a pod's lifetime properties: monitors: - description: 'Required: Monitors is a collection - of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: 'monitors is Required: Monitors + is a collection of Ceph monitors More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' items: type: string type: array path: - description: 'Optional: Used as the mounted - root, rather than the full Ceph tree, default - is /' + description: 'path is Optional: Used as the + mounted root, rather than the full Ceph + tree, default is /' type: string readOnly: - description: 'Optional: Defaults to false - (read/write). ReadOnly here will force the - ReadOnly setting in VolumeMounts. More info: - https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: 'readOnly is Optional: Defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts. 
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: boolean secretFile: - description: 'Optional: SecretFile is the - path to key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: 'secretFile is Optional: SecretFile + is the path to key ring for User, default + is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: string secretRef: - description: 'Optional: SecretRef is reference - to the authentication secret for User, default - is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: 'secretRef is Optional: SecretRef + is reference to the authentication secret + for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' properties: name: description: 'Name of the referent. More 
@@ -5298,35 +6158,37 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic user: - description: 'Optional: User is the rados - user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: 'user is optional: User is the + rados user name, default is admin More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: string required: - monitors type: object cinder: - description: 'Cinder represents a cinder volume + description: 'cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' properties: fsType: - description: 'Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Examples: "ext4", "xfs", - "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + description: 'fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://examples.k8s.io/mysql-cinder-pd/README.md' type: string readOnly: - description: 'Optional: Defaults to false - (read/write). ReadOnly here will force the - ReadOnly setting in VolumeMounts. More info: - https://examples.k8s.io/mysql-cinder-pd/README.md' + description: 'readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' type: boolean secretRef: - description: 'Optional: points to a secret - object containing parameters used to connect - to OpenStack.' + description: 'secretRef is optional: points + to a secret object containing parameters + used to connect to OpenStack.' properties: name: description: 'Name of the referent. More 
@@ -5335,70 +6197,61 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic volumeID: - description: 'volume id used to identify the + description: 'volumeID used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' type: string required: - volumeID type: object configMap: - description: ConfigMap represents a configMap + description: configMap represents a configMap that should populate this volume properties: defaultMode: - description: 'Optional: mode bits used to - set permissions on created files by default. - Must be an octal value between 0000 and - 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, - JSON requires decimal values for mode bits. - Defaults to 0644. Directories within the - path are not affected by this setting. This - might be in conflict with other options - that affect the file mode, like fsGroup, - and the result can be other mode bits set.' + description: 'defaultMode is optional: mode + bits used to set permissions on created + files by default. Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. + Directories within the path are not affected + by this setting.' format: int32 type: integer items: - description: If unspecified, each key-value + description: items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the ConfigMap, the volume setup will - error unless it is marked optional. Paths - must be relative and may not contain the - '..' path or start with '..'. + and unlisted keys will not be present. 
items: description: Maps a string key to a path within a volume. properties: key: - description: The key to project. + description: key is the key to project. type: string mode: - description: 'Optional: mode bits used - to set permissions on this file. Must - be an octal value between 0000 and - 0777 or a decimal value between 0 - and 511. YAML accepts both octal and - decimal values, JSON requires decimal - values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can be - other mode bits set.' + description: 'mode is Optional: mode + bits used to set permissions on this + file. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal + and decimal values, JSON requires + decimal values for mode bits. If not + specified, the volume defaultMode + will be used.' format: int32 type: integer path: - description: The relative path of the - file to map the key to. May not be - an absolute path. May not contain + description: path is the relative path + of the file to map the key to. May + not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string 
@@ -5414,30 +6267,31 @@ spec: kind, uid?' type: string optional: - description: Specify whether the ConfigMap - or its keys must be defined + description: optional specify whether the + ConfigMap or its keys must be defined type: boolean type: object + x-kubernetes-map-type: atomic csi: - description: CSI (Container Storage Interface) + description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature). properties: driver: - description: Driver is the name of the CSI + description: driver is the name of the CSI driver that handles this volume. Consult with your admin for the correct name as registered in the cluster. type: string fsType: - description: Filesystem type to mount. Ex. - "ext4", "xfs", "ntfs". If not provided, - the empty value is passed to the associated - CSI driver which will determine the default - filesystem to apply. + description: fsType to mount. Ex. "ext4", + "xfs", "ntfs". If not provided, the empty + value is passed to the associated CSI driver + which will determine the default filesystem + to apply. type: string nodePublishSecretRef: - description: NodePublishSecretRef is a reference + description: nodePublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodePublishVolume and NodeUnpublishVolume @@ -5453,14 +6307,16 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic readOnly: - description: Specifies a read-only configuration - for the volume. Defaults to false (read/write). + description: readOnly specifies a read-only + configuration for the volume. Defaults to + false (read/write). type: boolean volumeAttributes: additionalProperties: type: string - description: VolumeAttributes stores driver-specific + description: volumeAttributes stores driver-specific properties that are passed to the CSI driver. Consult your driver's documentation for supported values. 
@@ -5469,7 +6325,7 @@ spec: - driver type: object downwardAPI: - description: DownwardAPI represents downward API + description: downwardAPI represents downward API about the pod that should populate this volume properties: defaultMode: @@ -5482,10 +6338,7 @@ spec: and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected - by this setting. This might be in conflict - with other options that affect the file - mode, like fsGroup, and the result can be - other mode bits set.' + by this setting.' format: int32 type: integer items: @@ -5513,6 +6366,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic mode: description: 'Optional: mode bits used to set permissions on this file, must @@ -5521,11 +6375,7 @@ spec: and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can be - other mode bits set.' + the volume defaultMode will be used.' format: int32 type: integer path: 
@@ -5564,70 +6414,50 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic required: - path type: object type: array type: object emptyDir: - description: 'EmptyDir represents a temporary + description: 'emptyDir represents a temporary directory that shares a pod''s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' properties: medium: - description: 'What type of storage medium - should back this directory. The default - is "" which means to use the node''s default - medium. Must be an empty string (default) - or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + description: 'medium represents what type + of storage medium should back this directory. + The default is "" which means to use the + node''s default medium. Must be an empty + string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' type: string sizeLimit: anyOf: - type: integer - type: string - description: 'Total amount of local storage - required for this EmptyDir volume. The size - limit is also applicable for memory medium. - The maximum usage on memory medium EmptyDir - would be the minimum value between the SizeLimit - specified here and the sum of memory limits - of all containers in a pod. The default - is nil which means that the limit is undefined. - More info: http://kubernetes.io/docs/user-guide/volumes#emptydir' + description: 'sizeLimit is the total amount + of local storage required for this EmptyDir + volume. The size limit is also applicable + for memory medium. The maximum usage on + memory medium EmptyDir would be the minimum + value between the SizeLimit specified here + and the sum of memory limits of all containers + in a pod. The default is nil which means + that the limit is undefined. More info: + https://kubernetes.' 
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object ephemeral: - description: "Ephemeral represents a volume that - is handled by a cluster storage driver (Alpha - feature). The volume's lifecycle is tied to - the pod that defines it - it will be created - before the pod starts, and deleted when the - pod is removed. \n Use this if: a) the volume - is only needed while the pod runs, b) features - of normal volumes like restoring from snapshot - or capacity tracking are needed, c) the storage - driver is specified through a storage class, - and d) the storage driver supports dynamic volume - provisioning through a PersistentVolumeClaim - (see EphemeralVolumeSource for more information - on the connection between this volume type and - PersistentVolumeClaim). \n Use PersistentVolumeClaim - or one of the vendor-specific APIs for volumes - that persist for longer than the lifecycle of - an individual pod. \n Use CSI for light-weight - local ephemeral volumes if the CSI driver is - meant to be used that way - see the documentation - of the driver for more information. \n A pod - can use both types of ephemeral volumes and - persistent volumes at the same time." + description: ephemeral represents a volume that + is handled by a cluster storage driver. The + volume's lifecycle is tied to the pod that defines + it - it will be created before the pod starts, + and deleted when the pod is removed. properties: - readOnly: - description: Specifies a read-only configuration - for the volume. Defaults to false (read/write). - type: boolean volumeClaimTemplate: - description: "Will be used to create a stand-alone + description: Will be used to create a stand-alone PVC to provision the volume. The pod in which this EphemeralVolumeSource is embedded will be the owner of the PVC, i.e. the PVC 
@@ -5635,23 +6465,6 @@ spec: name of the PVC will be `-` where `` is the name from the `PodSpec.Volumes` array entry. - Pod validation will reject the pod if the - concatenated name is not valid for a PVC - (for example, too long). \n An existing - PVC with that name that is not owned by - the pod will *not* be used for the pod to - avoid using an unrelated volume by mistake. - Starting the pod is then blocked until the - unrelated PVC is removed. If such a pre-created - PVC is meant to be used by the pod, the - PVC has to updated with an owner reference - to the pod once the pod exists. Normally - this should not be necessary, but it may - be useful when manually reconstructing a - broken cluster. \n This field is read-only - and no changes will be made by Kubernetes - to the PVC after it has been created. \n - Required, must not be nil." properties: metadata: description: May contain labels and annotations 
@@ -5685,34 +6498,57 @@ spec: are also valid here. properties: accessModes: - description: 'AccessModes contains + description: 'accessModes contains the desired access modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' items: type: string type: array dataSource: - description: 'This field can be used - to specify either: * An existing - VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot - - Beta) * An existing PVC (PersistentVolumeClaim) - * An existing custom resource/object - that implements data population - (Alpha) In order to use VolumeSnapshot - object types, the appropriate feature - gate must be enabled (VolumeSnapshotDataSource - or AnyVolumeDataSource) If the provisioner - or an external controller can support - the specified data source, it will - create a new volume based on the - contents of the specified data source. - If the specified data source is - not supported, the volume will not - be created and the failure will - be reported as an event. In the - future, we plan to support more - data source types and the behavior - of the provisioner may change.' + description: 'dataSource field can + be used to specify either: * An + existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external + controller can support the specified + data source, it will create a new + volume based on the contents of + the specified data source.' + properties: + apiGroup: + description: APIGroup is the group + for the resource being referenced. + If APIGroup is not specified, + the specified Kind must be in + the core API group. For any + other third-party types, APIGroup + is required. 
+ type: string + kind: + description: Kind is the type + of resource being referenced + type: string + name: + description: Name is the name + of resource being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: dataSourceRef specifies + the object from which to populate + the volume with data, if a non-empty + volume is desired. This may be any + object from a non-empty API group + (non core object) or a PersistentVolumeClaim + object. When this field is specified, + volume binding will only succeed + if the type of the specified object + matches some installed volume populator + or dynamic provisioner. properties: apiGroup: description: APIGroup is the group 
@@ -5731,15 +6567,64 @@ spec: description: Name is the name of resource being referenced type: string + namespace: + description: Namespace is the + namespace of resource being + referenced Note that when a + namespace is specified, a gateway.networking.k8s.io/ReferenceGrant + object is required in the referent + namespace to allow that namespace's + owner to accept the reference. + See the ReferenceGrant documentation + for details. (Alpha) This field + requires the CrossNamespaceVolumeDataSource + feature gate to be enabled. + type: string required: - kind - name type: object resources: - description: 'Resources represents + description: 'resources represents the minimum resources the volume - should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + should have. If RecoverVolumeExpansionFailure + feature is enabled users are allowed + to specify resource requirements + that are lower than previous value + but must still be higher than capacity + recorded in the status field of + the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' properties: + claims: + description: "Claims lists the + names of resources, defined + in spec.resourceClaims, that + are used by this container. + \n This is an alpha field and + requires enabling the DynamicResourceAllocation + feature gate. \n This field + is immutable. It can only be + set for containers." + items: + description: ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match + the name of one entry + in pod.spec.resourceClaims + of the Pod where this + field is used. It makes + that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -5750,7 +6635,7 @@ spec: description: 'Limits describes the maximum amount of compute resources allowed. More info: - https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: @@ -5766,12 +6651,13 @@ spec: it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + value. Requests cannot exceed + Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object selector: - description: A label query over volumes - to consider for binding. + description: selector is a label query + over volumes to consider for binding. properties: matchExpressions: description: matchExpressions @@ -5830,10 +6716,11 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic storageClassName: - description: 'Name of the StorageClass - required by the claim. More info: - https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + description: 'storageClassName is + the name of the StorageClass required + by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' type: string volumeMode: description: volumeMode defines what @@ -5842,7 +6729,7 @@ spec: when not included in claim spec. type: string volumeName: - description: VolumeName is the binding + description: volumeName is the binding reference to the PersistentVolume backing this claim. type: string 
@@ -5852,77 +6739,79 @@ spec: type: object type: object fc: - description: FC represents a Fibre Channel resource + description: fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod. properties: fsType: - description: 'Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - Implicitly inferred to be "ext4" if unspecified. - TODO: how do we prevent errors in the filesystem - from compromising the machine' + description: 'fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. TODO: how do we prevent + errors in the filesystem from compromising + the machine' type: string lun: - description: 'Optional: FC target lun number' + description: 'lun is Optional: FC target lun + number' format: int32 type: integer readOnly: - description: 'Optional: Defaults to false - (read/write). ReadOnly here will force the - ReadOnly setting in VolumeMounts.' + description: 'readOnly is Optional: Defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts.' type: boolean targetWWNs: - description: 'Optional: FC target worldwide - names (WWNs)' + description: 'targetWWNs is Optional: FC target + worldwide names (WWNs)' items: type: string type: array wwids: - description: 'Optional: FC volume world wide - identifiers (wwids) Either wwids or combination - of targetWWNs and lun must be set, but not - both simultaneously.' + description: 'wwids Optional: FC volume world + wide identifiers (wwids) Either wwids or + combination of targetWWNs and lun must be + set, but not both simultaneously.' 
items: type: string type: array type: object flexVolume: - description: FlexVolume represents a generic volume + description: flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. properties: driver: - description: Driver is the name of the driver + description: driver is the name of the driver to use for this volume. type: string fsType: - description: Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - The default filesystem depends on FlexVolume - script. + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". The default filesystem depends + on FlexVolume script. type: string options: additionalProperties: type: string - description: 'Optional: Extra command options - if any.' + description: 'options is Optional: this field + holds extra command options if any.' type: object readOnly: - description: 'Optional: Defaults to false - (read/write). ReadOnly here will force the - ReadOnly setting in VolumeMounts.' + description: 'readOnly is Optional: defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts.' type: boolean secretRef: - description: 'Optional: SecretRef is reference - to the secret object containing sensitive - information to pass to the plugin scripts. - This may be empty if no secret object is - specified. If the secret object contains - more than one secret, all secrets are passed - to the plugin scripts.' + description: 'secretRef is Optional: secretRef + is reference to the secret object containing + sensitive information to pass to the plugin + scripts. This may be empty if no secret + object is specified. If the secret object + contains more than one secret, all secrets + are passed to the plugin scripts.' properties: name: description: 'Name of the referent. More 
@@ -5931,57 +6820,60 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic required: - driver type: object flocker: - description: Flocker represents a Flocker volume + description: flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running properties: datasetName: - description: Name of the dataset stored as - metadata -> name on the dataset for Flocker - should be considered as deprecated + description: datasetName is Name of the dataset + stored as metadata -> name on the dataset + for Flocker should be considered as deprecated type: string datasetUUID: - description: UUID of the dataset. This is - unique identifier of a Flocker dataset + description: datasetUUID is the UUID of the + dataset. This is unique identifier of a + Flocker dataset type: string type: object gcePersistentDisk: - description: 'GCEPersistentDisk represents a GCE + description: 'gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' properties: fsType: - description: 'Filesystem type of the volume - that you want to mount. Tip: Ensure that - the filesystem type is supported by the - host operating system. Examples: "ext4", - "xfs", "ntfs". Implicitly inferred to be - "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + description: 'fsType is filesystem type of + the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. 
More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk TODO: how do we prevent errors in the filesystem from compromising the machine' type: string partition: - description: 'The partition in the volume - that you want to mount. If omitted, the - default is to mount by volume name. Examples: - For volume /dev/sda1, you specify the partition - as "1". Similarly, the volume partition - for /dev/sda is "0" (or you can leave the - property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: 'partition is the partition in + the volume that you want to mount. If omitted, + the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify + the partition as "1". Similarly, the volume + partition for /dev/sda is "0" (or you can + leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' format: int32 type: integer pdName: - description: 'Unique name of the PD resource - in GCE. Used to identify the disk in GCE. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: 'pdName is unique name of the + PD resource in GCE. Used to identify the + disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' type: string readOnly: - description: 'ReadOnly here will force the + description: 'readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' type: boolean @@ -5989,7 +6881,7 @@ spec: - pdName type: object gitRepo: - description: 'GitRepo represents a git repository + description: 'gitRepo represents a git repository at a particular revision. DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer 
@@ -5997,39 +6889,39 @@ spec: EmptyDir into the Pod''s container.' properties: directory: - description: Target directory name. Must not - contain or start with '..'. If '.' is supplied, - the volume directory will be the git repository. Otherwise, - if specified, the volume will contain the - git repository in the subdirectory with - the given name. + description: directory is the target directory + name. Must not contain or start with '..'. If + '.' is supplied, the volume directory will + be the git repository. Otherwise, if specified, + the volume will contain the git repository + in the subdirectory with the given name. type: string repository: - description: Repository URL + description: repository is the URL type: string revision: - description: Commit hash for the specified - revision. + description: revision is the commit hash for + the specified revision. type: string required: - repository type: object glusterfs: - description: 'Glusterfs represents a Glusterfs + description: 'glusterfs represents a Glusterfs mount on the host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md' properties: endpoints: - description: 'EndpointsName is the endpoint - name that details Glusterfs topology. More - info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + description: 'endpoints is the endpoint name + that details Glusterfs topology. More info: + https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' type: string path: - description: 'Path is the Glusterfs volume + description: 'path is the Glusterfs volume path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' type: string readOnly: - description: 'ReadOnly here will force the + description: 'readOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' 
@@ -6039,87 +6931,87 @@ spec: - path type: object hostPath: - description: 'HostPath represents a pre-existing + description: 'hostPath represents a pre-existing file or directory on the host machine that is directly exposed to the container. This is generally used for system agents or other privileged things that are allowed to see the host machine. Most - containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - --- TODO(jonesdl) We need to restrict who can - use host directory mounts and who can/can not - mount host directories as read/write.' + containers will NOT need this. More info: https://kubernetes.' properties: path: - description: 'Path of the directory on the + description: 'path of the directory on the host. If the path is a symlink, it will follow the link to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' type: string type: - description: 'Type for HostPath Volume Defaults + description: 'type for HostPath Volume Defaults to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' type: string required: - path type: object iscsi: - description: 'ISCSI represents an ISCSI Disk resource + description: 'iscsi represents an ISCSI Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' properties: chapAuthDiscovery: - description: whether support iSCSI Discovery - CHAP authentication + description: chapAuthDiscovery defines whether + support iSCSI Discovery CHAP authentication type: boolean chapAuthSession: - description: whether support iSCSI Session - CHAP authentication + description: chapAuthSession defines whether + support iSCSI Session CHAP authentication type: boolean fsType: - description: 'Filesystem type of the volume - that you want to mount. Tip: Ensure that - the filesystem type is supported by the - host operating system. 
Examples: "ext4", - "xfs", "ntfs". Implicitly inferred to be - "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#iscsi TODO: how do we prevent errors in the filesystem from compromising the machine' type: string initiatorName: - description: Custom iSCSI Initiator Name. - If initiatorName is specified with iscsiInterface - simultaneously, new iSCSI interface : will be created for - the connection. + description: initiatorName is the custom iSCSI + Initiator Name. If initiatorName is specified + with iscsiInterface simultaneously, new + iSCSI interface : will be created for the connection. type: string iqn: - description: Target iSCSI Qualified Name. + description: iqn is the target iSCSI Qualified + Name. type: string iscsiInterface: - description: iSCSI Interface Name that uses - an iSCSI transport. Defaults to 'default' - (tcp). + description: iscsiInterface is the interface + Name that uses an iSCSI transport. Defaults + to 'default' (tcp). type: string lun: - description: iSCSI Target Lun number. + description: lun represents iSCSI Target Lun + number. format: int32 type: integer portals: - description: iSCSI Target Portal List. The - portal is either an IP or ip_addr:port if - the port is other than default (typically + description: portals is the iSCSI Target Portal + List. The portal is either an IP or ip_addr:port + if the port is other than default (typically TCP ports 860 and 3260). items: type: string type: array readOnly: - description: ReadOnly here will force the + description: readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. 
type: boolean secretRef: - description: CHAP Secret for iSCSI target - and initiator authentication + description: secretRef is the CHAP Secret + for iSCSI target and initiator authentication properties: name: description: 'Name of the referent. More @@ -6128,11 +7020,12 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic targetPortal: - description: iSCSI Target Portal. The Portal - is either an IP or ip_addr:port if the port - is other than default (typically TCP ports - 860 and 3260). + description: targetPortal is iSCSI Target + Portal. The Portal is either an IP or ip_addr:port + if the port is other than default (typically + TCP ports 860 and 3260). type: string required: - iqn @@ -6140,26 +7033,26 @@ spec: - targetPortal type: object name: - description: 'Volume''s name. Must be a DNS_LABEL + description: 'name of the volume. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string nfs: - description: 'NFS represents an NFS mount on the + description: 'nfs represents an NFS mount on the host that shares a pod''s lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' properties: path: - description: 'Path that is exported by the + description: 'path that is exported by the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: string readOnly: - description: 'ReadOnly here will force the + description: 'readOnly here will force the NFS export to be mounted with read-only permissions. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: boolean server: - description: 'Server is the hostname or IP + description: 'server is the hostname or IP address of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: string required: 
@@ -6167,118 +7060,112 @@ spec: - server type: object persistentVolumeClaim: - description: 'PersistentVolumeClaimVolumeSource + description: 'persistentVolumeClaimVolumeSource represents a reference to a PersistentVolumeClaim in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' properties: claimName: - description: 'ClaimName is the name of a PersistentVolumeClaim + description: 'claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' type: string readOnly: - description: Will force the ReadOnly setting - in VolumeMounts. Default false. + description: readOnly Will force the ReadOnly + setting in VolumeMounts. Default false. type: boolean required: - claimName type: object photonPersistentDisk: - description: PhotonPersistentDisk represents a + description: photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine properties: fsType: - description: Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - Implicitly inferred to be "ext4" if unspecified. + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. 
type: string pdID: - description: ID that identifies Photon Controller - persistent disk + description: pdID is the ID that identifies + Photon Controller persistent disk type: string required: - pdID type: object portworxVolume: - description: PortworxVolume represents a portworx + description: portworxVolume represents a portworx volume attached and mounted on kubelets host machine properties: fsType: - description: FSType represents the filesystem + description: fSType represents the filesystem type to mount Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. type: string readOnly: - description: Defaults to false (read/write). + description: readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. type: boolean volumeID: - description: VolumeID uniquely identifies + description: volumeID uniquely identifies a Portworx volume type: string required: - volumeID type: object projected: - description: Items for all in one resources secrets, - configmaps, and downward API + description: projected items for all in one resources + secrets, configmaps, and downward API properties: defaultMode: - description: Mode bits used to set permissions - on created files by default. Must be an - octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both - octal and decimal values, JSON requires - decimal values for mode bits. Directories - within the path are not affected by this - setting. This might be in conflict with - other options that affect the file mode, - like fsGroup, and the result can be other - mode bits set. + description: defaultMode are the mode bits + used to set permissions on created files + by default. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. 
Directories within the path are + not affected by this setting. format: int32 type: integer sources: - description: list of volume projections + description: sources is the list of volume + projections items: description: Projection that may be projected along with other supported volume types properties: configMap: - description: information about the configMap - data to project + description: configMap information about + the configMap data to project properties: items: - description: If unspecified, each - key-value pair in the Data field - of the referenced ConfigMap will - be projected into the volume as - a file whose name is the key and - content is the value. If specified, + description: items if unspecified, + each key-value pair in the Data + field of the referenced ConfigMap + will be projected into the volume + as a file whose name is the key + and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. - If a key is specified which is - not present in the ConfigMap, - the volume setup will error unless - it is marked optional. Paths must - be relative and may not contain - the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. properties: key: - description: The key to project. + description: key is the key + to project. type: string mode: - description: 'Optional: mode - bits used to set permissions + description: 'mode is Optional: + mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value 
@@ -6287,16 +7174,11 @@ spec: values, JSON requires decimal values for mode bits. If not specified, the volume - defaultMode will be used. - This might be in conflict - with other options that - affect the file mode, like - fsGroup, and the result - can be other mode bits set.' + defaultMode will be used.' format: int32 type: integer path: - description: The relative + description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain @@ -6316,14 +7198,15 @@ spec: apiVersion, kind, uid?' type: string optional: - description: Specify whether the - ConfigMap or its keys must be - defined + description: optional specify whether + the ConfigMap or its keys must + be defined type: boolean type: object + x-kubernetes-map-type: atomic downwardAPI: - description: information about the downwardAPI - data to project + description: downwardAPI information + about the downwardAPI data to project properties: items: description: Items is a list of @@ -6354,6 +7237,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic mode: description: 'Optional: mode bits used to set permissions @@ -6365,12 +7249,7 @@ spec: values, JSON requires decimal values for mode bits. If not specified, the volume - defaultMode will be used. - This might be in conflict - with other options that - affect the file mode, like - fsGroup, and the result - can be other mode bits set.' + defaultMode will be used.' format: int32 type: integer path: 
@@ -6414,41 +7293,37 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic required: - path type: object type: array type: object secret: - description: information about the secret - data to project + description: secret information about + the secret data to project properties: items: - description: If unspecified, each - key-value pair in the Data field - of the referenced Secret will - be projected into the volume as - a file whose name is the key and - content is the value. If specified, + description: items if unspecified, + each key-value pair in the Data + field of the referenced Secret + will be projected into the volume + as a file whose name is the key + and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. - If a key is specified which is - not present in the Secret, the - volume setup will error unless - it is marked optional. Paths must - be relative and may not contain - the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. properties: key: - description: The key to project. + description: key is the key + to project. type: string mode: - description: 'Optional: mode - bits used to set permissions + description: 'mode is Optional: + mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value @@ -6457,16 +7332,11 @@ spec: values, JSON requires decimal values for mode bits. If not specified, the volume - defaultMode will be used. - This might be in conflict - with other options that - affect the file mode, like - fsGroup, and the result - can be other mode bits set.' + defaultMode will be used.' format: int32 type: integer path: - description: The relative + description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain 
@@ -6486,16 +7356,19 @@ spec: apiVersion, kind, uid?' type: string optional: - description: Specify whether the - Secret or its key must be defined + description: optional field specify + whether the Secret or its key + must be defined type: boolean type: object + x-kubernetes-map-type: atomic serviceAccountToken: - description: information about the serviceAccountToken + description: serviceAccountToken is + information about the serviceAccountToken data to project properties: audience: - description: Audience is the intended + description: audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in @@ -6505,7 +7378,7 @@ spec: of the apiserver. type: string expirationSeconds: - description: ExpirationSeconds is + description: expirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, @@ -6521,7 +7394,7 @@ spec: format: int64 type: integer path: - description: Path is the path relative + description: path is the path relative to the mount point of the file to project the token into. type: string 
@@ -6530,41 +7403,39 @@ spec: type: object type: object type: array - required: - - sources type: object quobyte: - description: Quobyte represents a Quobyte mount + description: quobyte represents a Quobyte mount on the host that shares a pod's lifetime properties: group: - description: Group to map volume access to + description: group to map volume access to Default is no group type: string readOnly: - description: ReadOnly here will force the + description: readOnly here will force the Quobyte volume to be mounted with read-only permissions. Defaults to false. type: boolean registry: - description: Registry represents a single + description: registry represents a single or multiple Quobyte Registry services specified as a string as host:port pair (multiple entries are separated with commas) which acts as the central registry for volumes type: string tenant: - description: Tenant owning the given Quobyte + description: tenant owning the given Quobyte volume in the Backend Used with dynamically provisioned Quobyte volumes, value is set by the plugin type: string user: - description: User to map volume access to + description: user to map volume access to Defaults to serivceaccount user type: string volume: - description: Volume is a string that references + description: volume is a string that references an already created Quobyte volume by name. type: string required: 
@@ -6572,46 +7443,47 @@ spec: - volume type: object rbd: - description: 'RBD represents a Rados Block Device + description: 'rbd represents a Rados Block Device mount on the host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md' properties: fsType: - description: 'Filesystem type of the volume - that you want to mount. Tip: Ensure that - the filesystem type is supported by the - host operating system. Examples: "ext4", - "xfs", "ntfs". Implicitly inferred to be - "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#rbd TODO: how do we prevent errors in the filesystem from compromising the machine' type: string image: - description: 'The rados image name. More info: - https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: 'image is the rados image name. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string keyring: - description: 'Keyring is the path to key ring + description: 'keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string monitors: - description: 'A collection of Ceph monitors. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: 'monitors is a collection of + Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' items: type: string type: array pool: - description: 'The rados pool name. Default - is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: 'pool is the rados pool name. + Default is rbd. 
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string readOnly: - description: 'ReadOnly here will force the + description: 'readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: boolean secretRef: - description: 'SecretRef is name of the authentication + description: 'secretRef is name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' properties: 
@@ -6622,39 +7494,41 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic user: - description: 'The rados user name. Default - is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: 'user is the rados user name. + Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string required: - image - monitors type: object scaleIO: - description: ScaleIO represents a ScaleIO persistent + description: scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. properties: fsType: - description: Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - Default is "xfs". + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Default is "xfs". type: string gateway: - description: The host address of the ScaleIO - API Gateway. + description: gateway is the host address of + the ScaleIO API Gateway. type: string protectionDomain: - description: The name of the ScaleIO Protection - Domain for the configured storage. + description: protectionDomain is the name + of the ScaleIO Protection Domain for the + configured storage. type: string readOnly: - description: Defaults to false (read/write). + description: readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: SecretRef references to the secret + description: secretRef references to the secret for ScaleIO user and other sensitive information. If this is not provided, Login operation will fail. 
@@ -6666,27 +7540,29 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic sslEnabled: - description: Flag to enable/disable SSL communication - with Gateway, default false + description: sslEnabled Flag enable/disable + SSL communication with Gateway, default + false type: boolean storageMode: - description: Indicates whether the storage - for a volume should be ThickProvisioned + description: storageMode indicates whether + the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. type: string storagePool: - description: The ScaleIO Storage Pool associated - with the protection domain. + description: storagePool is the ScaleIO Storage + Pool associated with the protection domain. type: string system: - description: The name of the storage system - as configured in ScaleIO. + description: system is the name of the storage + system as configured in ScaleIO. type: string volumeName: - description: The name of a volume already - created in the ScaleIO system that is associated - with this volume source. + description: volumeName is the name of a volume + already created in the ScaleIO system that + is associated with this volume source. type: string required: - gateway 
@@ -6694,62 +7570,52 @@ spec: - system type: object secret: - description: 'Secret represents a secret that + description: 'secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' properties: defaultMode: - description: 'Optional: mode bits used to - set permissions on created files by default. - Must be an octal value between 0000 and - 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, - JSON requires decimal values for mode bits. - Defaults to 0644. Directories within the - path are not affected by this setting. This - might be in conflict with other options - that affect the file mode, like fsGroup, - and the result can be other mode bits set.' + description: 'defaultMode is Optional: mode + bits used to set permissions on created + files by default. Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. + Directories within the path are not affected + by this setting.' format: int32 type: integer items: - description: If unspecified, each key-value + description: items If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the Secret, the volume setup will error - unless it is marked optional. Paths must - be relative and may not contain the '..' - path or start with '..'. + and unlisted keys will not be present. items: description: Maps a string key to a path within a volume. properties: key: - description: The key to project. + description: key is the key to project. 
type: string mode: - description: 'Optional: mode bits used - to set permissions on this file. Must - be an octal value between 0000 and - 0777 or a decimal value between 0 - and 511. YAML accepts both octal and - decimal values, JSON requires decimal - values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can be - other mode bits set.' + description: 'mode is Optional: mode + bits used to set permissions on this + file. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal + and decimal values, JSON requires + decimal values for mode bits. If not + specified, the volume defaultMode + will be used.' format: int32 type: integer path: - description: The relative path of the - file to map the key to. May not be - an absolute path. May not contain + description: path is the relative path + of the file to map the key to. May + not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string 
@@ -6759,31 +7625,33 @@ spec: type: object type: array optional: - description: Specify whether the Secret or - its keys must be defined + description: optional field specify whether + the Secret or its keys must be defined type: boolean secretName: - description: 'Name of the secret in the pod''s - namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + description: 'secretName is the name of the + secret in the pod''s namespace to use. More + info: https://kubernetes.io/docs/concepts/storage/volumes#secret' type: string type: object storageos: - description: StorageOS represents a StorageOS + description: storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. properties: fsType: - description: Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - Implicitly inferred to be "ext4" if unspecified. + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. type: string readOnly: - description: Defaults to false (read/write). + description: readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: SecretRef specifies the secret + description: secretRef specifies the secret to use for obtaining the StorageOS API credentials. If not specified, default values will be attempted. properties: 
@@ -6794,13 +7662,14 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic volumeName: - description: VolumeName is the human-readable + description: volumeName is the human-readable name of the StorageOS volume. Volume names are only unique within a namespace. type: string volumeNamespace: - description: VolumeNamespace specifies the + description: volumeNamespace specifies the scope of the volume within StorageOS. If no namespace is specified then the Pod's namespace will be used. This allows the 
@@ -6808,32 +7677,33 @@ spec: StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to "default" if you are not using namespaces - within StorageOS. Namespaces that do not - pre-exist within StorageOS will be created. + within StorageOS. type: string type: object vsphereVolume: - description: VsphereVolume represents a vSphere + description: vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine properties: fsType: - description: Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - Implicitly inferred to be "ext4" if unspecified. + description: fsType is filesystem type to + mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. type: string storagePolicyID: - description: Storage Policy Based Management - (SPBM) profile ID associated with the StoragePolicyName. + description: storagePolicyID is the storage + Policy Based Management (SPBM) profile ID + associated with the StoragePolicyName. type: string storagePolicyName: - description: Storage Policy Based Management - (SPBM) profile name. + description: storagePolicyName is the storage + Policy Based Management (SPBM) profile name. type: string volumePath: - description: Path that identifies vSphere - volume vmdk + description: volumePath is the path that identifies + vSphere volume vmdk type: string required: - volumePath @@ -6848,8 +7718,8 @@ spec: type: object type: object description: 'A map of TFReplicaType (type) to ReplicaSpec (value). - Specifies the TF cluster configuration. For example, { "PS": - ReplicaSpec, "Worker": ReplicaSpec, }' + Specifies the TF cluster configuration. For example, { "PS": ReplicaSpec, + "Worker": ReplicaSpec, }' type: object required: - tfReplicaSpecs 
@@ -6917,10 +7787,7 @@ spec: format: int32 type: integer labelSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: 'Deprecated: Use Selector instead' properties: matchExpressions: description: matchExpressions is a list of label selector @@ -6963,6 +7830,13 @@ spec: only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic + selector: + description: A Selector is a label query over a set of resources. + The result of matchLabels and matchExpressions are ANDed. + An empty Selector matches all objects. A null Selector matches + no objects. + type: string succeeded: description: The number of pods which reached phase Succeeded. format: int32 @@ -6978,18 +7852,9 @@ spec: and is in UTC. format: date-time type: string - required: - - conditions - - replicaStatuses type: object type: object served: true storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/kubeflow/helm/training-operator/crds/kubeflow.org_xgboostjobs.yaml b/kubeflow/helm/training-operator/crds/kubeflow.org_xgboostjobs.yaml index 83ee077ea..a88a6fa8b 100644 --- a/kubeflow/helm/training-operator/crds/kubeflow.org_xgboostjobs.yaml +++ b/kubeflow/helm/training-operator/crds/kubeflow.org_xgboostjobs.yaml @@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.6.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.0 name: xgboostjobs.kubeflow.org spec: group: kubeflow.org 
@@ -60,7 +58,7 @@ spec: type: integer cleanPodPolicy: description: CleanPodPolicy defines the policy to kill pods after - the job completes. Default to Running. + the job completes. Default to None. type: string schedulingPolicy: description: SchedulingPolicy defines the policy related to scheduling, @@ -76,14 +74,25 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: ResourceList is a set of (resource name, quantity) - pairs. type: object priorityClass: type: string queue: type: string + scheduleTimeoutSeconds: + format: int32 + type: integer type: object + suspend: + default: false + description: suspend specifies whether the Job controller should + create Pods or not. If a Job is created with suspend set to + true, no Pods are created by the Job controller. If a Job is + suspended after creation (i.e. the flag goes from false to true), + the Job controller will delete all active Pods and PodGroups + associated with this Job. Users must design their workload to + gracefully handle this. + type: boolean ttlSecondsAfterFinished: description: TTLSecondsAfterFinished is the TTL to clean up jobs. It may take extra ReconcilePeriod seconds for the cleanup, since @@ -157,12 +166,7 @@ spec: with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum - by iterating through the elements of this - field and adding "weight" to the sum if the - node matches the corresponding matchExpressions; - the node(s) with the highest sum are the most - preferred. + affinity expressions, etc. items: description: An empty preferred scheduling term matches all objects with implicit weight 
@@ -257,6 +261,7 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic weight: description: Weight associated with matching the corresponding nodeSelectorTerm, @@ -370,10 +375,12 @@ spec: type: object type: array type: object + x-kubernetes-map-type: atomic type: array required: - nodeSelectorTerms type: object + x-kubernetes-map-type: atomic type: object podAffinity: description: Describes pod affinity scheduling rules @@ -389,12 +396,7 @@ spec: with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling - affinity expressions, etc.), compute a sum - by iterating through the elements of this - field and adding "weight" to the sum if the - node has pods which matches the corresponding - podAffinityTerm; the node(s) with the highest - sum are the most preferred. + affinity expressions, etc. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added 
@@ -466,12 +468,87 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the + set of namespaces that the term + applies to. The term is applied + to the union of the namespaces selected + by this field and the ones listed + in the namespaces field. null selector + and null or empty namespaces list + means "this pod's namespace". An + empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); null - or empty list means "this pod's - namespace" + a static list of namespace names + that the term applies to. The term + is applied to the union of the namespaces + listed in this field and the ones + selected by namespaceSelector. null + or empty namespaces list and null + namespaceSelector means "this pod's + namespace". items: type: string type: array @@ -509,10 +586,7 @@ spec: this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually - evict the pod from its node. When there are - multiple elements, the lists of nodes corresponding - to each podAffinityTerm are intersected, i.e. - all terms must be satisfied. + evict the pod from its node. items: description: Defines a set of pods (namely those matching the labelSelector relative 
@@ -581,11 +655,80 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this field + and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies which - namespaces the labelSelector applies - to (matches against); null or empty - list means "this pod's namespace" + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". items: type: string type: array @@ -617,15 +760,7 @@ spec: may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum - of weights, i.e. for each node that meets - all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity - expressions, etc.), compute a sum by iterating - through the elements of this field and adding - "weight" to the sum if the node has pods which - matches the corresponding podAffinityTerm; - the node(s) with the highest sum are the most - preferred. + of weights, i.e. items: description: The weights of all of the matched WeightedPodAffinityTerm fields are added 
@@ -697,12 +832,87 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the + set of namespaces that the term + applies to. The term is applied + to the union of the namespaces selected + by this field and the ones listed + in the namespaces field. null selector + and null or empty namespaces list + means "this pod's namespace". An + empty selector ({}) matches all + namespaces. + properties: + matchExpressions: + description: matchExpressions + is a list of label selector + requirements. The requirements + are ANDed. + items: + description: A label selector + requirement is a selector + that contains values, a key, + and an operator that relates + the key and values. + properties: + key: + description: key is the + label key that the selector + applies to. + type: string + operator: + description: operator represents + a key's relationship to + a set of values. Valid + operators are In, NotIn, + Exists and DoesNotExist. + type: string + values: + description: values is an + array of string values. + If the operator is In + or NotIn, the values array + must be non-empty. If + the operator is Exists + or DoesNotExist, the values + array must be empty. This + array is replaced during + a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a + map of {key,value} pairs. A + single {key,value} in the matchLabels + map is equivalent to an element + of matchExpressions, whose key + field is "key", the operator + is "In", and the values array + contains only "value". The requirements + are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic namespaces: description: namespaces specifies - which namespaces the labelSelector - applies to (matches against); null - or empty list means "this pod's - namespace" + a static list of namespace names + that the term applies to. The term + is applied to the union of the namespaces + listed in this field and the ones + selected by namespaceSelector. null + or empty namespaces list and null + namespaceSelector means "this pod's + namespace". items: type: string type: array @@ -740,10 +950,7 @@ spec: by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to - eventually evict the pod from its node. When - there are multiple elements, the lists of - nodes corresponding to each podAffinityTerm - are intersected, i.e. all terms must be satisfied. + eventually evict the pod from its node. items: description: Defines a set of pods (namely those matching the labelSelector relative 
@@ -812,11 +1019,80 @@ spec: ANDed. type: object type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set + of namespaces that the term applies + to. The term is applied to the union + of the namespaces selected by this field + and the ones listed in the namespaces + field. null selector and null or empty + namespaces list means "this pod's namespace". + An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a + list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement + is a selector that contains values, + a key, and an operator that relates + the key and values. + properties: + key: + description: key is the label + key that the selector applies + to. + type: string + operator: + description: operator represents + a key's relationship to a + set of values. Valid operators + are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array + of string values. If the operator + is In or NotIn, the values + array must be non-empty. If + the operator is Exists or + DoesNotExist, the values array + must be empty. This array + is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map + of {key,value} pairs. A single {key,value} + in the matchLabels map is equivalent + to an element of matchExpressions, + whose key field is "key", the operator + is "In", and the values array contains + only "value". The requirements are + ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic namespaces: - description: namespaces specifies which - namespaces the labelSelector applies - to (matches against); null or empty - list means "this pod's namespace" + description: namespaces specifies a static + list of namespace names that the term + applies to. The term is applied to the + union of the namespaces listed in this + field and the ones selected by namespaceSelector. + null or empty namespaces list and null + namespaceSelector means "this pod's + namespace". items: type: string type: array 
@@ -853,30 +1129,25 @@ spec: properties: args: description: 'Arguments to the entrypoint. The - docker image''s CMD is used if this is not provided. - Variable references $(VAR_NAME) are expanded - using the container''s environment. If a variable - cannot be resolved, the reference in the input - string will be unchanged. The $(VAR_NAME) syntax - can be escaped with a double $$, ie: $$(VAR_NAME). - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + container image''s CMD is used if this is not + provided. Variable references $(VAR_NAME) are + expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array command: description: 'Entrypoint array. Not executed within - a shell. The docker image''s ENTRYPOINT is used - if this is not provided. Variable references + a shell. The container image''s ENTRYPOINT is + used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. - The $(VAR_NAME) syntax can be escaped with a - double $$, ie: $$(VAR_NAME). Escaped references - will never be expanded, regardless of whether - the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array 
@@ -893,16 +1164,15 @@ spec: type: string value: description: 'Variable references $(VAR_NAME) - are expanded using the previous defined + are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be - unchanged. The $(VAR_NAME) syntax can - be escaped with a double $$, ie: $$(VAR_NAME). - Escaped references will never be expanded, - regardless of whether the variable exists - or not. Defaults to "".' + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' type: string valueFrom: description: Source for the environment @@ -928,6 +1198,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, @@ -947,6 +1218,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: 'Selects a resource of the container: only resources limits @@ -976,6 +1248,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -998,6 +1271,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name @@ -1031,6 +1305,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be 
@@ -1050,10 +1325,12 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic type: object type: array image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images + description: 'Container image name. More info: + https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments @@ -1079,9 +1356,8 @@ spec: More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: One and only one of the following - should be specified. Exec specifies - the action to take. + description: Exec specifies the action + to take. properties: command: description: Command is the command @@ -1120,7 +1396,10 @@ spec: properties: name: description: The header field - name + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. type: string value: description: The header field @@ -1152,10 +1431,12 @@ spec: - port type: object tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not - yet supported TODO: implement a realistic - TCP lifecycle hook' + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. properties: host: description: 'Optional: Host name 
@@ -1176,27 +1457,18 @@ spec: type: object type: object preStop: - description: 'PreStop is called immediately + description: PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. - The reason for termination is passed to - the handler. The Pod''s termination grace - period countdown begins before the PreStop - hooked is executed. Regardless of the outcome - of the handler, the container will eventually - terminate within the Pod''s termination - grace period. Other management of the container - blocks until the hook completes or until - the termination grace period is reached. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + The Pod's termination grace period countdown + begins before the PreStop hook is executed. properties: exec: - description: One and only one of the following - should be specified. Exec specifies - the action to take. + description: Exec specifies the action + to take. properties: command: description: Command is the command @@ -1235,7 +1507,10 @@ spec: properties: name: description: The header field - name + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. type: string value: description: The header field @@ -1267,10 +1542,12 @@ spec: - port type: object tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not - yet supported TODO: implement a realistic - TCP lifecycle hook' + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. properties: host: description: 'Optional: Host name 
@@ -1297,9 +1574,8 @@ spec: Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -1324,6 +1600,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. @@ -1341,7 +1636,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -1392,10 +1691,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect 
@@ -1413,6 +1710,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. @@ -1427,14 +1736,13 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the system - additional information about the network connections - a container uses, but is primarily informational. - Not specifying a port here DOES NOT prevent - that port from being exposed. Any port which - is listening on the default "0.0.0.0" address - inside a container will be accessible from the - network. Cannot be updated. + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. items: description: ContainerPort represents a network port in a single container. @@ -1484,9 +1792,8 @@ spec: More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line 
@@ -1511,6 +1818,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. @@ -1528,7 +1854,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -1579,10 +1909,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect @@ -1600,6 +1928,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. 
@@ -1607,10 +1947,57 @@ spec: format: int32 type: integer type: object + resizePolicy: + description: Resources resize policy for the container. + items: + description: ContainerResizePolicy represents + resource resize policy for the container. + properties: + resourceName: + description: 'Name of the resource to which + this resource resize policy applies. Supported + values: cpu, memory.' + type: string + restartPolicy: + description: Restart policy to apply when + specified resource is resized. If not + specified, it defaults to NotRequired. + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: description: 'Compute Resources required by this - container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are + used by this container. \n This is an alpha + field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: ResourceClaim references one + entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available inside + a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -1620,7 +2007,7 @@ spec: x-kubernetes-int-or-string: true description: 'Limits describes the maximum amount of compute resources allowed. More - info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: @@ -1634,12 +2021,15 @@ spec: Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + value. Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object securityContext: - description: 'Security options the pod should - run with. More info: https://kubernetes.io/docs/concepts/policy/security-context/ + description: 'SecurityContext defines the security + options the container should be run with. If + set, the fields of SecurityContext override + the equivalent fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' properties: allowPrivilegeEscalation: @@ -1649,13 +2039,16 @@ spec: controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) - run as Privileged 2) has CAP_SYS_ADMIN' + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' type: boolean capabilities: description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the - container runtime. + container runtime. Note that this field + cannot be set when spec.os.name is windows. properties: add: description: Added capabilities 
@@ -1676,7 +2069,8 @@ spec: description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults - to false. + to false. Note that this field cannot be + set when spec.os.name is windows. type: boolean procMount: description: procMount denotes the type of @@ -1685,10 +2079,14 @@ spec: container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. type: string readOnlyRootFilesystem: description: Whether this container has a read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. type: boolean runAsGroup: description: The GID to run the entrypoint @@ -1696,7 +2094,8 @@ spec: if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer runAsNonRoot: @@ -1706,10 +2105,7 @@ spec: to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation - will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. + will be performed. May also be set in PodSecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint @@ -1718,7 +2114,8 @@ spec: May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer seLinuxOptions: 
@@ -1728,7 +2125,9 @@ spec: for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified - in SecurityContext takes precedence. + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. properties: level: description: Level is SELinux level label @@ -1751,7 +2150,9 @@ spec: description: The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container - options override the pod options. + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. properties: localhostProfile: description: localhostProfile indicates @@ -1782,7 +2183,9 @@ spec: the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified - in SecurityContext takes precedence. + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. properties: gmsaCredentialSpec: description: GMSACredentialSpec is where @@ -1796,6 +2199,16 @@ spec: the name of the GMSA credential spec to use. type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean runAsUserName: description: The UserName in Windows to run the entrypoint of the container 
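Review bot: The `hostProcess` boolean added in the last hunk on this line is accepted by the schema with no constraint, and a Windows HostProcess container runs with access to the node itself, so it belongs in the same risk class as `privileged`. The later hunk that rewrites the ephemeral-container `securityContext` description from "is not allowed for ephemeral containers" to "Optional: SecurityContext defines the security options the ephemeral container should be run with" raises the same concern, because `privileged` and `capabilities.add` become meaningful on debug containers as well. Which controller turns this resource into pods is not visible in these hunks, so the check may already exist elsewhere. If it does not, namespaces where this resource can be created should enforce Pod Security admission at `baseline` or stricter. I would record that in the chart documentation, for example `securityContext (including windowsOptions.hostProcess and ephemeralContainers[].securityContext) is not restricted by this CRD; enforce Pod Security admission on tenant namespaces`.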
@@ -1809,23 +2222,15 @@ spec: type: object type: object startupProbe: - description: 'StartupProbe indicates that the - Pod has successfully initialized. If specified, + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. - This can be used to provide different probe - parameters at the beginning of a Pod''s lifecycle, - when it might take a long time to load data - or warm a cache, than during steady-state operation. - This cannot be updated. This is a beta feature - enabled by the StartupProbe feature flag. More - info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -1850,6 +2255,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. 
@@ -1867,7 +2291,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -1918,10 +2346,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect @@ -1939,6 +2365,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. @@ -1958,15 +2396,7 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin - is opened on container start, is empty until - the first client attaches to stdin, and then - remains open and accepts data until the client - disconnects, at which time stdin is closed and - remains closed until the container is restarted. - If this flag is false, a container processes - that reads from stdin will never receive an - EOF. Default is false + sessions. type: boolean terminationMessagePath: description: 'Optional: Path at which the file 
@@ -1977,7 +2407,7 @@ spec: message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults - to /dev/termination-log. Cannot be updated.' + to /dev/termination-log.' type: string terminationMessagePolicy: description: Indicate how the termination message @@ -1987,9 +2417,7 @@ spec: FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with - an error. The log output is limited to 2048 - bytes or 80 lines, whichever is smaller. Defaults - to File. Cannot be updated. + an error. type: string tty: description: Whether this container should allocate 
@@ -2136,50 +2564,38 @@ spec: and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. - This field is alpha-level and is only honored by servers - that enable the EphemeralContainers feature. items: - description: An EphemeralContainer is a container - that may be added temporarily to an existing pod - for user-initiated activities such as debugging. - Ephemeral containers have no resource or scheduling - guarantees, and they will not be restarted when - they exit or when a pod is removed or restarted. - If an ephemeral container causes a pod to exceed - its resource allocation, the pod may be evicted. - Ephemeral containers may not be added by directly - updating the pod spec. They must be added via the - pod's ephemeralcontainers subresource, and they - will appear in the pod spec once added. This is - an alpha feature enabled by the EphemeralContainers - feature flag. + description: An EphemeralContainer is a temporary + container that you may add to an existing Pod for + user-initiated activities such as debugging. Ephemeral + containers have no resource or scheduling guarantees, + and they will not be restarted when they exit or + when a Pod is removed or restarted. The kubelet + may evict a Pod if an ephemeral container causes + the Pod to exceed its resource allocation. properties: args: description: 'Arguments to the entrypoint. The - docker image''s CMD is used if this is not provided. + image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input - string will be unchanged. The $(VAR_NAME) syntax - can be escaped with a double $$, ie: $$(VAR_NAME). - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. 
More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + string will be unchanged. Double $$ are reduced + to a single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will + produce the string literal "$(VAR_NAME)".' items: type: string type: array command: description: 'Entrypoint array. Not executed within - a shell. The docker image''s ENTRYPOINT is used - if this is not provided. Variable references - $(VAR_NAME) are expanded using the container''s - environment. If a variable cannot be resolved, - the reference in the input string will be unchanged. - The $(VAR_NAME) syntax can be escaped with a - double $$, ie: $$(VAR_NAME). Escaped references - will never be expanded, regardless of whether - the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + a shell. The image''s ENTRYPOINT is used if + this is not provided. Variable references $(VAR_NAME) + are expanded using the container''s environment. + If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array 
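Review bot: The new ephemeral-container `command` description stops in the middle of a sentence at `syntax: i.e.`, while the `args` description just above it in the same hunk carries the full text ending in `will produce the string literal "$(VAR_NAME)"`. Other hunks in this patch also lose closing sentences: `terminationMessagePolicy` no longer states `Defaults to File`, `terminationMessagePath` and `startupProbe` drop the "cannot be updated" remark, and `preStop` loses its `More info` link. This looks like a description-length cap in whatever generated the schema. These strings are what `kubectl explain` prints, so I would regenerate with the cap raised or removed (with controller-gen that is the `crd:maxDescLen` option) rather than hand-edit the text. The surrounding ephemeral-container schema starts and ends outside this hunk.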
@@ -2196,16 +2612,15 @@ spec: type: string value: description: 'Variable references $(VAR_NAME) - are expanded using the previous defined + are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be - unchanged. The $(VAR_NAME) syntax can - be escaped with a double $$, ie: $$(VAR_NAME). - Escaped references will never be expanded, - regardless of whether the variable exists - or not. Defaults to "".' + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' type: string valueFrom: description: Source for the environment @@ -2231,6 +2646,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, @@ -2250,6 +2666,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: 'Selects a resource of the container: only resources limits @@ -2279,6 +2696,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -2301,6 +2719,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name @@ -2334,6 +2753,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be 
@@ -2353,10 +2773,12 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic type: object type: array image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images' + description: 'Container image name. More info: + https://kubernetes.io/docs/concepts/containers/images' type: string imagePullPolicy: description: 'Image pull policy. One of Always, @@ -2377,9 +2799,8 @@ spec: More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: One and only one of the following - should be specified. Exec specifies - the action to take. + description: Exec specifies the action + to take. properties: command: description: Command is the command @@ -2418,7 +2839,10 @@ spec: properties: name: description: The header field - name + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. type: string value: description: The header field @@ -2450,10 +2874,12 @@ spec: - port type: object tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not - yet supported TODO: implement a realistic - TCP lifecycle hook' + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. properties: host: description: 'Optional: Host name 
@@ -2474,27 +2900,18 @@ spec: type: object type: object preStop: - description: 'PreStop is called immediately + description: PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. - The reason for termination is passed to - the handler. The Pod''s termination grace - period countdown begins before the PreStop - hooked is executed. Regardless of the outcome - of the handler, the container will eventually - terminate within the Pod''s termination - grace period. Other management of the container - blocks until the hook completes or until - the termination grace period is reached. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + The Pod's termination grace period countdown + begins before the PreStop hook is executed. properties: exec: - description: One and only one of the following - should be specified. Exec specifies - the action to take. + description: Exec specifies the action + to take. properties: command: description: Command is the command @@ -2533,7 +2950,10 @@ spec: properties: name: description: The header field - name + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. type: string value: description: The header field @@ -2565,10 +2985,12 @@ spec: - port type: object tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not - yet supported TODO: implement a realistic - TCP lifecycle hook' + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. properties: host: description: 'Optional: Host name 
@@ -2594,9 +3016,8 @@ spec: containers. properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -2621,6 +3042,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. @@ -2638,7 +3078,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -2689,10 +3133,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect 
@@ -2710,6 +3152,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. @@ -2764,14 +3218,17 @@ spec: - containerPort type: object type: array + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map readinessProbe: description: Probes are not allowed for ephemeral containers. properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -2796,6 +3253,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. 
@@ -2813,7 +3289,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -2864,10 +3344,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect @@ -2885,6 +3363,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. 
@@ -2892,11 +3382,58 @@ spec: format: int32 type: integer type: object + resizePolicy: + description: Resources resize policy for the container. + items: + description: ContainerResizePolicy represents + resource resize policy for the container. + properties: + resourceName: + description: 'Name of the resource to which + this resource resize policy applies. Supported + values: cpu, memory.' + type: string + restartPolicy: + description: Restart policy to apply when + specified resource is resized. If not + specified, it defaults to NotRequired. + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: description: Resources are not allowed for ephemeral containers. Ephemeral containers use spare resources already allocated to the pod. properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are + used by this container. \n This is an alpha + field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: ResourceClaim references one + entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available inside + a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -2906,7 +3443,7 @@ spec: x-kubernetes-int-or-string: true description: 'Limits describes the maximum amount of compute resources allowed. More - info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: 
@@ -2920,12 +3457,15 @@ spec: Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + value. Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object securityContext: - description: SecurityContext is not allowed for - ephemeral containers. + description: 'Optional: SecurityContext defines + the security options the ephemeral container + should be run with. If set, the fields of SecurityContext + override the equivalent fields of PodSecurityContext.' properties: allowPrivilegeEscalation: description: 'AllowPrivilegeEscalation controls @@ -2934,13 +3474,16 @@ spec: controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) - run as Privileged 2) has CAP_SYS_ADMIN' + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' type: boolean capabilities: description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the - container runtime. + container runtime. Note that this field + cannot be set when spec.os.name is windows. properties: add: description: Added capabilities @@ -2961,7 +3504,8 @@ spec: description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults - to false. + to false. Note that this field cannot be + set when spec.os.name is windows. type: boolean procMount: description: procMount denotes the type of 
@@ -2970,10 +3514,14 @@ spec: container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. type: string readOnlyRootFilesystem: description: Whether this container has a read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. type: boolean runAsGroup: description: The GID to run the entrypoint @@ -2981,7 +3529,8 @@ spec: if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer runAsNonRoot: @@ -2991,10 +3540,7 @@ spec: to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation - will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. + will be performed. May also be set in PodSecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint @@ -3003,7 +3549,8 @@ spec: May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer seLinuxOptions: @@ -3013,7 +3560,9 @@ spec: for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified - in SecurityContext takes precedence. + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. properties: level: description: Level is SELinux level label 
@@ -3036,7 +3585,9 @@ spec: description: The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container - options override the pod options. + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. properties: localhostProfile: description: localhostProfile indicates @@ -3067,7 +3618,9 @@ spec: the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified - in SecurityContext takes precedence. + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. properties: gmsaCredentialSpec: description: GMSACredentialSpec is where @@ -3081,6 +3634,16 @@ spec: the name of the GMSA credential spec to use. type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean runAsUserName: description: The UserName in Windows to run the entrypoint of the container @@ -3098,9 +3661,8 @@ spec: containers. properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line 
@@ -3125,6 +3687,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. @@ -3142,7 +3723,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -3193,10 +3778,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect @@ -3214,6 +3797,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. 
@@ -3233,24 +3828,16 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin - is opened on container start, is empty until - the first client attaches to stdin, and then - remains open and accepts data until the client - disconnects, at which time stdin is closed and - remains closed until the container is restarted. - If this flag is false, a container processes - that reads from stdin will never receive an - EOF. Default is false + sessions. type: boolean targetContainerName: - description: If set, the name of the container + description: "If set, the name of the container from PodSpec that this ephemeral container targets. The ephemeral container will be run in the namespaces (IPC, PID, etc) of this container. If not set - then the ephemeral container is run in whatever - namespaces are shared for the pod. Note that - the container runtime must support this feature. + then the ephemeral container uses the namespaces + configured in the Pod spec. \n The container + runtime must implement support for this feature." type: string terminationMessagePath: description: 'Optional: Path at which the file @@ -3261,7 +3848,7 @@ spec: message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults - to /dev/termination-log. Cannot be updated.' + to /dev/termination-log.' type: string terminationMessagePolicy: description: Indicate how the termination message @@ -3271,9 +3858,7 @@ spec: FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with - an error. The log output is limited to 2048 - bytes or 80 lines, whichever is smaller. Defaults - to File. Cannot be updated. + an error. type: string tty: description: Whether this container should allocate 
@@ -3303,7 +3888,8 @@ spec: type: array volumeMounts: description: Pod volumes to mount into the container's - filesystem. Cannot be updated. + filesystem. Subpath mounts are not allowed for + ephemeral containers. Cannot be updated. items: description: VolumeMount describes a mounting of a Volume within a container. @@ -3392,6 +3978,15 @@ spec: description: 'Use the host''s pid namespace. Optional: Default to false.' type: boolean + hostUsers: + description: 'Use the host''s user namespace. Optional: + Default to true. If set to true or not present, the + pod will be run in the host user namespace, useful + for when the pod needs a feature only available to + the host user namespace, such as loading a kernel + module with CAP_SYS_MODULE. When set to false, a new + userns is created for the pod.' + type: boolean hostname: description: Specifies the hostname of the Pod If not specified, the pod's hostname will be set to a system-defined @@ -3402,9 +3997,8 @@ spec: references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual - puller implementations for them to use. For example, - in the case of docker, only DockerConfig type secrets - are honored. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' + puller implementations for them to use. More info: + https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' items: description: LocalObjectReference contains enough information to let you locate the referenced object 
@@ -3417,54 +4011,41 @@ spec: uid?' type: string type: object + x-kubernetes-map-type: atomic type: array initContainers: - description: 'List of initialization containers belonging + description: List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique - among all containers. Init containers may not have - Lifecycle actions, Readiness probes, Liveness probes, - or Startup probes. The resourceRequirements of an - init container are taken into account during scheduling - by finding the highest request/limit for each resource - type, and then using the max of of that value or the - sum of the normal containers. Limits are applied to - init containers in a similar fashion. Init containers - cannot currently be added or removed. Cannot be updated. - More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/' + among all containers. items: description: A single application container that you want to run within a pod. properties: args: description: 'Arguments to the entrypoint. The - docker image''s CMD is used if this is not provided. - Variable references $(VAR_NAME) are expanded - using the container''s environment. If a variable - cannot be resolved, the reference in the input - string will be unchanged. The $(VAR_NAME) syntax - can be escaped with a double $$, ie: $$(VAR_NAME). - Escaped references will never be expanded, regardless - of whether the variable exists or not. Cannot - be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + container image''s CMD is used if this is not + provided. Variable references $(VAR_NAME) are + expanded using the container''s environment. 
+ If a variable cannot be resolved, the reference + in the input string will be unchanged. Double + $$ are reduced to a single $, which allows for + escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array command: description: 'Entrypoint array. Not executed within - a shell. The docker image''s ENTRYPOINT is used - if this is not provided. Variable references + a shell. The container image''s ENTRYPOINT is + used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. - The $(VAR_NAME) syntax can be escaped with a - double $$, ie: $$(VAR_NAME). Escaped references - will never be expanded, regardless of whether - the variable exists or not. Cannot be updated. - More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + Double $$ are reduced to a single $, which allows + for escaping the $(VAR_NAME) syntax: i.e.' items: type: string type: array @@ -3481,16 +4062,15 @@ spec: type: string value: description: 'Variable references $(VAR_NAME) - are expanded using the previous defined + are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be - unchanged. The $(VAR_NAME) syntax can - be escaped with a double $$, ie: $$(VAR_NAME). - Escaped references will never be expanded, - regardless of whether the variable exists - or not. Defaults to "".' + unchanged. Double $$ are reduced to a + single $, which allows for escaping the + $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" + will produce the string literal "$(VAR_NAME)".' type: string valueFrom: description: Source for the environment 
@@ -3516,6 +4096,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic fieldRef: description: 'Selects a field of the pod: supports metadata.name, metadata.namespace, @@ -3535,6 +4116,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic resourceFieldRef: description: 'Selects a resource of the container: only resources limits @@ -3564,6 +4146,7 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic secretKeyRef: description: Selects a key of a secret in the pod's namespace @@ -3586,6 +4169,7 @@ spec: required: - key type: object + x-kubernetes-map-type: atomic type: object required: - name @@ -3619,6 +4203,7 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic prefix: description: An optional identifier to prepend to each key in the ConfigMap. Must be @@ -3638,10 +4223,12 @@ spec: must be defined type: boolean type: object + x-kubernetes-map-type: atomic type: object type: array image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images + description: 'Container image name. More info: + https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments @@ -3667,9 +4254,8 @@ spec: More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' properties: exec: - description: One and only one of the following - should be specified. Exec specifies - the action to take. + description: Exec specifies the action + to take. properties: command: description: Command is the command @@ -3708,7 +4294,10 @@ spec: properties: name: description: The header field - name + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. type: string value: description: The header field 
@@ -3740,10 +4329,12 @@ spec: - port type: object tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not - yet supported TODO: implement a realistic - TCP lifecycle hook' + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. properties: host: description: 'Optional: Host name @@ -3764,27 +4355,18 @@ spec: type: object type: object preStop: - description: 'PreStop is called immediately + description: PreStop is called immediately before a container is terminated due to an API request or management event such as liveness/startup probe failure, preemption, resource contention, etc. The handler is not called if the container crashes or exits. - The reason for termination is passed to - the handler. The Pod''s termination grace - period countdown begins before the PreStop - hooked is executed. Regardless of the outcome - of the handler, the container will eventually - terminate within the Pod''s termination - grace period. Other management of the container - blocks until the hook completes or until - the termination grace period is reached. - More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks' + The Pod's termination grace period countdown + begins before the PreStop hook is executed. properties: exec: - description: One and only one of the following - should be specified. Exec specifies - the action to take. + description: Exec specifies the action + to take. properties: command: description: Command is the command @@ -3823,7 +4405,10 @@ spec: properties: name: description: The header field - name + name. This will be canonicalized + upon output, so case-variant + names will be understood as + the same header. type: string value: description: The header field 
@@ -3855,10 +4440,12 @@ spec: - port type: object tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not - yet supported TODO: implement a realistic - TCP lifecycle hook' + description: Deprecated. TCPSocket is + NOT supported as a LifecycleHandler + and kept for the backward compatibility. + There are no validation of this field + and lifecycle hooks will fail in runtime + when tcp handler is specified. properties: host: description: 'Optional: Host name @@ -3885,9 +4472,8 @@ spec: Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -3912,6 +4498,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. @@ -3929,7 +4534,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value 
@@ -3980,10 +4589,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect @@ -4001,6 +4608,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. @@ -4015,14 +4634,13 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the system - additional information about the network connections - a container uses, but is primarily informational. - Not specifying a port here DOES NOT prevent - that port from being exposed. Any port which - is listening on the default "0.0.0.0" address - inside a container will be accessible from the - network. Cannot be updated. + container. Not specifying a port here DOES NOT + prevent that port from being exposed. Any port + which is listening on the default "0.0.0.0" + address inside a container will be accessible + from the network. Modifying this array with + strategic merge patch may corrupt the data. + For more information See https://github.com/kubernetes/kubernetes/issues/108255. items: description: ContainerPort represents a network port in a single container. 
@@ -4072,9 +4690,8 @@ spec: More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -4099,6 +4716,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. @@ -4116,7 +4752,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -4167,10 +4807,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect 
@@ -4188,6 +4826,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. 
@@ -4195,10 +4845,57 @@ spec: format: int32 type: integer type: object + resizePolicy: + description: Resources resize policy for the container. + items: + description: ContainerResizePolicy represents + resource resize policy for the container. + properties: + resourceName: + description: 'Name of the resource to which + this resource resize policy applies. Supported + values: cpu, memory.' + type: string + restartPolicy: + description: Restart policy to apply when + specified resource is resized. If not + specified, it defaults to NotRequired. + type: string + required: + - resourceName + - restartPolicy + type: object + type: array + x-kubernetes-list-type: atomic resources: description: 'Compute Resources required by this - container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' properties: + claims: + description: "Claims lists the names of resources, + defined in spec.resourceClaims, that are + used by this container. \n This is an alpha + field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable. + It can only be set for containers." + items: + description: ResourceClaim references one + entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match the name + of one entry in pod.spec.resourceClaims + of the Pod where this field is used. + It makes that resource available inside + a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -4208,7 +4905,7 @@ spec: x-kubernetes-int-or-string: true description: 'Limits describes the maximum amount of compute resources allowed. More - info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: @@ -4222,12 +4919,15 @@ spec: Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + value. Requests cannot exceed Limits. More + info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object securityContext: - description: 'Security options the pod should - run with. More info: https://kubernetes.io/docs/concepts/policy/security-context/ + description: 'SecurityContext defines the security + options the container should be run with. If + set, the fields of SecurityContext override + the equivalent fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' properties: allowPrivilegeEscalation: @@ -4237,13 +4937,16 @@ spec: controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) - run as Privileged 2) has CAP_SYS_ADMIN' + run as Privileged 2) has CAP_SYS_ADMIN Note + that this field cannot be set when spec.os.name + is windows.' type: boolean capabilities: description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the - container runtime. + container runtime. Note that this field + cannot be set when spec.os.name is windows. properties: add: description: Added capabilities 
@@ -4264,7 +4967,8 @@ spec: description: Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults - to false. + to false. Note that this field cannot be + set when spec.os.name is windows. type: boolean procMount: description: procMount denotes the type of @@ -4273,10 +4977,14 @@ spec: container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. + Note that this field cannot be set when + spec.os.name is windows. type: string readOnlyRootFilesystem: description: Whether this container has a read-only root filesystem. Default is false. + Note that this field cannot be set when + spec.os.name is windows. type: boolean runAsGroup: description: The GID to run the entrypoint @@ -4284,7 +4992,8 @@ spec: if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer runAsNonRoot: @@ -4294,10 +5003,7 @@ spec: to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation - will be performed. May also be set in PodSecurityContext. If - set in both SecurityContext and PodSecurityContext, - the value specified in SecurityContext takes - precedence. + will be performed. May also be set in PodSecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint @@ -4306,7 +5012,8 @@ spec: May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes - precedence. + precedence. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer seLinuxOptions: 
@@ -4316,7 +5023,9 @@ spec: for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified - in SecurityContext takes precedence. + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is windows. properties: level: description: Level is SELinux level label @@ -4339,7 +5048,9 @@ spec: description: The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container - options override the pod options. + options override the pod options. Note that + this field cannot be set when spec.os.name + is windows. properties: localhostProfile: description: localhostProfile indicates @@ -4370,7 +5081,9 @@ spec: the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified - in SecurityContext takes precedence. + in SecurityContext takes precedence. Note + that this field cannot be set when spec.os.name + is linux. properties: gmsaCredentialSpec: description: GMSACredentialSpec is where @@ -4384,6 +5097,16 @@ spec: the name of the GMSA credential spec to use. type: string + hostProcess: + description: HostProcess determines if + a container should be run as a 'Host + Process' container. This field is alpha-level + and will only be honored by components + that enable the WindowsHostProcessContainers + feature flag. Setting this field without + the feature flag will result in errors + when validating the Pod. + type: boolean runAsUserName: description: The UserName in Windows to run the entrypoint of the container 
@@ -4397,23 +5120,15 @@ spec: type: object type: object startupProbe: - description: 'StartupProbe indicates that the - Pod has successfully initialized. If specified, + description: StartupProbe indicates that the Pod + has successfully initialized. If specified, no other probes are executed until this completes successfully. If this probe fails, the Pod will be restarted, just as if the livenessProbe failed. - This can be used to provide different probe - parameters at the beginning of a Pod''s lifecycle, - when it might take a long time to load data - or warm a cache, than during steady-state operation. - This cannot be updated. This is a beta feature - enabled by the StartupProbe feature flag. More - info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' properties: exec: - description: One and only one of the following - should be specified. Exec specifies the - action to take. + description: Exec specifies the action to + take. properties: command: description: Command is the command line @@ -4438,6 +5153,25 @@ spec: value is 1. format: int32 type: integer + grpc: + description: GRPC specifies an action involving + a GRPC port. + properties: + port: + description: Port number of the gRPC service. + Number must be in the range 1 to 65535. + format: int32 + type: integer + service: + description: "Service is the name of the + service to place in the gRPC HealthCheckRequest + (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). + \n If this is not specified, the default + behavior is defined by gRPC." + type: string + required: + - port + type: object httpGet: description: HTTPGet specifies the http request to perform. 
@@ -4455,7 +5189,11 @@ spec: custom header to be used in HTTP probes properties: name: - description: The header field name + description: The header field name. + This will be canonicalized upon + output, so case-variant names + will be understood as the same + header. type: string value: description: The header field value @@ -4506,10 +5244,8 @@ spec: format: int32 type: integer tcpSocket: - description: 'TCPSocket specifies an action - involving a TCP port. TCP hooks not yet - supported TODO: implement a realistic TCP - lifecycle hook' + description: TCPSocket specifies an action + involving a TCP port. properties: host: description: 'Optional: Host name to connect @@ -4527,6 +5263,18 @@ spec: required: - port type: object + terminationGracePeriodSeconds: + description: Optional duration in seconds + the pod needs to terminate gracefully upon + probe failure. The grace period is the duration + in seconds after the processes running in + the pod are sent a termination signal and + the time when the processes are forcibly + halted with a kill signal. Set this value + longer than the expected cleanup time for + your process. + format: int64 + type: integer timeoutSeconds: description: 'Number of seconds after which the probe times out. Defaults to 1 second. @@ -4546,15 +5294,7 @@ spec: close the stdin channel after it has been opened by a single attach. When stdin is true the stdin stream will remain open across multiple attach - sessions. If stdinOnce is set to true, stdin - is opened on container start, is empty until - the first client attaches to stdin, and then - remains open and accepts data until the client - disconnects, at which time stdin is closed and - remains closed until the container is restarted. - If this flag is false, a container processes - that reads from stdin will never receive an - EOF. Default is false + sessions. type: boolean terminationMessagePath: description: 'Optional: Path at which the file 
@@ -4565,7 +5305,7 @@ spec: message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults - to /dev/termination-log. Cannot be updated.' + to /dev/termination-log.' type: string terminationMessagePolicy: description: Indicate how the termination message @@ -4575,9 +5315,7 @@ spec: FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with - an error. The log output is limited to 2048 - bytes or 80 lines, whichever is smaller. Defaults - to File. Cannot be updated. + an error. type: string tty: description: Whether this container should allocate @@ -4676,6 +5414,28 @@ spec: must match a node''s labels for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/' type: object + x-kubernetes-map-type: atomic + os: + description: "Specifies the OS of the containers in + the pod. Some pod and container fields are restricted + if this is set. \n If the OS field is set to linux, + the following fields must be unset: -securityContext.windowsOptions + \n If the OS field is set to windows, following fields + must be unset: - spec.hostPID - spec.hostIPC - spec.hostUsers + - spec.securityContext.seLinuxOptions - spec.securityContext." + properties: + name: + description: 'Name is the name of the operating + system. The currently supported values are linux + and windows. Additional value may be defined in + future and can be one of: https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration + Clients should expect to handle additional values + and treat unrecognized values in this field as + os: null' + type: string + required: + - name + type: object overhead: additionalProperties: anyOf: 
@@ -4683,28 +5443,19 @@ spec: - type: string pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true - description: 'Overhead represents the resource overhead + description: Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. This field will be autopopulated at admission time by the RuntimeClass admission controller. If the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests. The RuntimeClass admission controller will reject Pod create requests which have - the overhead already set. If RuntimeClass is configured - and selected in the PodSpec, Overhead will be set - to the value defined in the corresponding RuntimeClass, - otherwise it will remain unset and treated as zero. - More info: https://git.k8s.io/enhancements/keps/sig-node/20190226-pod-overhead.md - This field is alpha-level as of Kubernetes v1.16, - and is only honored by servers that enable the PodOverhead - feature.' + the overhead already set. type: object preemptionPolicy: description: PreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. - Defaults to PreemptLowerPriority if unset. This field - is beta-level, gated by the NonPreemptingPriority - feature-gate. + Defaults to PreemptLowerPriority if unset. type: string priority: description: The priority value. Various system components @@ -4729,7 +5480,7 @@ spec: be evaluated for pod readiness. A pod is ready when all its containers are ready AND all conditions specified in the readiness gates have status equal to "True" - More info: https://git.k8s.io/enhancements/keps/sig-network/0007-pod-ready%2B%2B.md' + More info: https://git.k8s.io/enhancements/keps/sig-network/580-pod-readiness-gates' items: description: PodReadinessGate contains the reference to a pod condition 
@@ -4742,10 +5493,57 @@ spec: - conditionType type: object type: array + resourceClaims: + description: "ResourceClaims defines which ResourceClaims + must be allocated and reserved before the Pod is allowed + to start. The resources will be made available to + those containers which consume them by name. \n This + is an alpha field and requires enabling the DynamicResourceAllocation + feature gate. \n This field is immutable." + items: + description: PodResourceClaim references exactly one + ResourceClaim through a ClaimSource. It adds a name + to it that uniquely identifies the ResourceClaim + inside the Pod. Containers that need access to the + ResourceClaim reference it with this name. + properties: + name: + description: Name uniquely identifies this resource + claim inside the pod. This must be a DNS_LABEL. + type: string + source: + description: Source describes where to find the + ResourceClaim. + properties: + resourceClaimName: + description: ResourceClaimName is the name + of a ResourceClaim object in the same namespace + as this pod. + type: string + resourceClaimTemplateName: + description: "ResourceClaimTemplateName is + the name of a ResourceClaimTemplate object + in the same namespace as this pod. \n The + template will be used to create a new ResourceClaim, + which will be bound to this pod. When this + pod is deleted, the ResourceClaim will also + be deleted. The name of the ResourceClaim + will be -, where + is the PodResourceClaim.Name." + type: string + type: object + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map restartPolicy: description: 'Restart policy for all containers within - the pod. One of Always, OnFailure, Never. Default - to Always. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy' + the pod. One of Always, OnFailure, Never. In some + contexts, only a subset of those values may be permitted. + Default to Always. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#restart-policy' type: string runtimeClassName: description: 'RuntimeClassName refers to a RuntimeClass @@ -4755,14 +5553,37 @@ spec: or empty, the "legacy" RuntimeClass will be used, which is an implicit class with an empty definition that uses the default runtime handler. More info: - https://git.k8s.io/enhancements/keps/sig-node/runtime-class.md - This is a beta feature as of Kubernetes v1.14.' + https://git.k8s.' type: string schedulerName: description: If specified, the pod will be dispatched by specified scheduler. If not specified, the pod will be dispatched by default scheduler. type: string + schedulingGates: + description: "SchedulingGates is an opaque list of values + that if specified will block scheduling the pod. If + schedulingGates is not empty, the pod will stay in + the SchedulingGated state and the scheduler will not + attempt to schedule the pod. \n SchedulingGates can + only be set at pod creation time, and be removed only + afterwards. \n This is a beta feature enabled by the + PodSchedulingReadiness feature gate." + items: + description: PodSchedulingGate is associated to a + Pod to guard its scheduling. + properties: + name: + description: Name of the scheduling gate. Each + scheduling gate must have a unique name field. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map securityContext: description: 'SecurityContext holds pod-level security attributes and common container settings. Optional: 
@@ -4776,9 +5597,7 @@ spec: of that volume to be owned by the pod: \n 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be - owned by FSGroup) 3. The permission bits are OR'd - with rw-rw---- \n If unset, the Kubelet will not - modify the ownership and permissions of any volume." + owned by FSGroup) 3." format: int64 type: integer fsGroupChangePolicy: @@ -4789,7 +5608,7 @@ spec: based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" - and "Always". If not specified defaults to "Always".' + and "Always". If not specified, "Always" is used.' type: string runAsGroup: description: The GID to run the entrypoint of the @@ -4797,7 +5616,8 @@ spec: May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. + for that container. Note that this field cannot + be set when spec.os.name is windows. format: int64 type: integer runAsNonRoot: @@ -4807,9 +5627,7 @@ spec: does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be - set in SecurityContext. If set in both SecurityContext - and PodSecurityContext, the value specified in - SecurityContext takes precedence. + set in SecurityContext. type: boolean runAsUser: description: The UID to run the entrypoint of the @@ -4818,6 +5636,8 @@ spec: set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. + Note that this field cannot be set when spec.os.name + is windows. format: int64 type: integer seLinuxOptions: 
@@ -4827,7 +5647,8 @@ spec: for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence - for that container. + for that container. Note that this field cannot + be set when spec.os.name is windows. properties: level: description: Level is SELinux level label that @@ -4848,7 +5669,8 @@ spec: type: object seccompProfile: description: The seccomp options to use by the containers - in this pod. + in this pod. Note that this field cannot be set + when spec.os.name is windows. properties: localhostProfile: description: localhostProfile indicates a profile @@ -4873,8 +5695,11 @@ spec: supplementalGroups: description: A list of groups applied to the first process run in each container, in addition to - the container's primary GID. If unspecified, - no groups will be added to any container. + the container's primary GID, the fsGroup (if specified), + and group memberships defined in the container + image for the uid of the container process. If + unspecified, no additional groups are added to + any container. items: format: int64 type: integer @@ -4883,6 +5708,8 @@ spec: description: Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. + Note that this field cannot be set when spec.os.name + is windows. items: description: Sysctl defines a kernel parameter to be set @@ -4904,6 +5731,8 @@ spec: within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + Note that this field cannot be set when spec.os.name + is linux. properties: gmsaCredentialSpec: description: GMSACredentialSpec is where the 
@@ -4915,6 +5744,15 @@ spec: description: GMSACredentialSpecName is the name of the GMSA credential spec to use. type: string + hostProcess: + description: HostProcess determines if a container + should be run as a 'Host Process' container. + This field is alpha-level and will only be + honored by components that enable the WindowsHostProcessContainers + feature flag. Setting this field without the + feature flag will result in errors when validating + the Pod. + type: boolean runAsUserName: description: The UserName in Windows to run the entrypoint of the container process. Defaults @@ -4941,11 +5779,7 @@ spec: as the pod's FQDN, rather than the leaf name (the default). In Linux containers, this means setting the FQDN in the hostname field of the kernel (the - nodename field of struct utsname). In Windows containers, - this means setting the registry value of hostname - for the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters - to FQDN. If a pod does not have FQDN, this has no - effect. Default to false. + nodename field of struct utsname). type: boolean shareProcessNamespace: description: 'Share a single process namespace between @@ -4966,14 +5800,9 @@ spec: description: Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request. Value must be non-negative integer. The value - zero indicates delete immediately. If this value is - nil, the default grace period will be used instead. - The grace period is the duration in seconds after - the processes running in the pod are sent a termination - signal and the time when the processes are forcibly - halted with a kill signal. Set this value longer than - the expected cleanup time for your process. Defaults - to 30 seconds. + zero indicates stop immediately via the kill signal + (no opportunity to shut down). If this value is nil, + the default grace period will be used instead. format: int64 type: integer tolerations: 
@@ -5083,56 +5912,83 @@ spec: "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label + keys to select the pods over which spreading + will be calculated. The keys are used to lookup + values from the incoming pod labels, those key-value + labels are ANDed with labelSelector to select + the group of existing pods over which spreading + will be calculated for the incoming pod. The + same key is forbidden to exist in both MatchLabelKeys + and LabelSelector. + items: + type: string + type: array + x-kubernetes-list-type: atomic maxSkew: - description: 'MaxSkew describes the degree to - which pods may be unevenly distributed. When - `whenUnsatisfiable=DoNotSchedule`, it is the - maximum permitted difference between the number - of matching pods in the target topology and - the global minimum. For example, in a 3-zone - cluster, MaxSkew is set to 1, and pods with - the same labelSelector spread as 1/1/0: | zone1 - | zone2 | zone3 | | P | P | | - - if MaxSkew is 1, incoming pod can only be - scheduled to zone3 to become 1/1/1; scheduling - it onto zone1(zone2) would make the ActualSkew(2-0) - on zone1(zone2) violate MaxSkew(1). - if MaxSkew - is 2, incoming pod can be scheduled onto any - zone. When `whenUnsatisfiable=ScheduleAnyway`, - it is used to give higher precedence to topologies - that satisfy it. It''s a required field. Default - value is 1 and 0 is not allowed.' + description: MaxSkew describes the degree to which + pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, + it is the maximum permitted difference between + the number of matching pods in the target topology + and the global minimum. The global minimum is + the minimum number of matching pods in an eligible + domain or zero if the number of eligible domains + is less than MinDomains. 
format: int32 type: integer + minDomains: + description: MinDomains indicates a minimum number + of eligible domains. When the number of eligible + domains with matching topology keys is less + than minDomains, Pod Topology Spread treats + "global minimum" as 0, and then the calculation + of Skew is performed. And when the number of + eligible domains with matching topology keys + equals or greater than minDomains, this value + has no effect on scheduling. + format: int32 + type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how + we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. Options + are: - Honor: only nodes matching nodeAffinity/nodeSelector + are included in the calculations. - Ignore: + nodeAffinity/nodeSelector are ignored. All nodes + are included in the calculations. \n If this + value is nil, the behavior is equivalent to + the Honor policy." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how we + will treat node taints when calculating pod + topology spread skew. Options are: - Honor: + nodes without taints, along with tainted nodes + for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. + All nodes are included. \n If this value is + nil, the behavior is equivalent to the Ignore + policy." + type: string topologyKey: description: TopologyKey is the key of node labels. Nodes that have a label with this key and identical values are considered to be in the same topology. We consider each as a "bucket", and try to put balanced number of pods into - each bucket. It's a required field. + each bucket. We define a domain as a particular + instance of a topology. type: string whenUnsatisfiable: - description: 'WhenUnsatisfiable indicates how - to deal with a pod if it doesn''t satisfy the - spread constraint. - DoNotSchedule (default) - tells the scheduler not to schedule it. 
- ScheduleAnyway + description: WhenUnsatisfiable indicates how to + deal with a pod if it doesn't satisfy the spread + constraint. - DoNotSchedule (default) tells + the scheduler not to schedule it. - ScheduleAnyway tells the scheduler to schedule the pod in any - location, but giving higher precedence to - topologies that would help reduce the skew. - A constraint is considered "Unsatisfiable" for - an incoming pod if and only if every possible - node assigment for that pod would violate "MaxSkew" - on some topology. For example, in a 3-zone cluster, - MaxSkew is set to 1, and pods with the same - labelSelector spread as 3/1/1: | zone1 | zone2 - | zone3 | | P P P | P | P | If WhenUnsatisfiable - is set to DoNotSchedule, incoming pod can only - be scheduled to zone2(zone3) to become 3/2/1(3/1/2) - as ActualSkew(2-1) on zone2(zone3) satisfies - MaxSkew(1). In other words, the cluster can - still be imbalanced, but scheduler won''t make - it *more* imbalanced. It''s a required field.' + location, but giving higher precedence to topologies + that would help reduce the skew. type: string required: - maxSkew 
@@ -5153,77 +6009,78 @@ spec: pod. properties: awsElasticBlockStore: - description: 'AWSElasticBlockStore represents + description: 'awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' properties: fsType: - description: 'Filesystem type of the volume - that you want to mount. Tip: Ensure that - the filesystem type is supported by the - host operating system. Examples: "ext4", - "xfs", "ntfs". Implicitly inferred to be - "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore TODO: how do we prevent errors in the filesystem from compromising the machine' type: string partition: - description: 'The partition in the volume - that you want to mount. If omitted, the - default is to mount by volume name. Examples: - For volume /dev/sda1, you specify the partition - as "1". Similarly, the volume partition - for /dev/sda is "0" (or you can leave the - property empty).' + description: 'partition is the partition in + the volume that you want to mount. If omitted, + the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify + the partition as "1". Similarly, the volume + partition for /dev/sda is "0" (or you can + leave the property empty).' format: int32 type: integer readOnly: - description: 'Specify "true" to force and - set the ReadOnly property in VolumeMounts - to "true". If omitted, the default is "false". 
- More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + description: 'readOnly value true will force + the readOnly setting in VolumeMounts. More + info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' type: boolean volumeID: - description: 'Unique ID of the persistent - disk resource in AWS (Amazon EBS volume). - More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' + description: 'volumeID is unique ID of the + persistent disk resource in AWS (Amazon + EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore' type: string required: - volumeID type: object azureDisk: - description: AzureDisk represents an Azure Data + description: azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. properties: cachingMode: - description: 'Host Caching mode: None, Read - Only, Read Write.' + description: 'cachingMode is the Host Caching + mode: None, Read Only, Read Write.' type: string diskName: - description: The Name of the data disk in - the blob storage + description: diskName is the Name of the data + disk in the blob storage type: string diskURI: - description: The URI the data disk in the - blob storage + description: diskURI is the URI of data disk + in the blob storage type: string fsType: - description: Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - Implicitly inferred to be "ext4" if unspecified. + description: fsType is Filesystem type to + mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. 
type: string kind: - description: 'Expected values Shared: multiple - blob disks per storage account Dedicated: + description: 'kind expected values are Shared: + multiple blob disks per storage account Dedicated: single blob disk per storage account Managed: azure managed data disk (only in managed availability set). defaults to shared' type: string readOnly: - description: Defaults to false (read/write). + description: readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. type: boolean 
@@ -5232,56 +6089,59 @@ spec: - diskURI type: object azureFile: - description: AzureFile represents an Azure File + description: azureFile represents an Azure File Service mount on the host and bind mount to the pod. properties: readOnly: - description: Defaults to false (read/write). + description: readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. type: boolean secretName: - description: the name of secret that contains - Azure Storage Account Name and Key + description: secretName is the name of secret + that contains Azure Storage Account Name + and Key type: string shareName: - description: Share Name + description: shareName is the azure share + Name type: string required: - secretName - shareName type: object cephfs: - description: CephFS represents a Ceph FS mount + description: cephFS represents a Ceph FS mount on the host that shares a pod's lifetime properties: monitors: - description: 'Required: Monitors is a collection - of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: 'monitors is Required: Monitors + is a collection of Ceph monitors More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' items: type: string type: array path: - description: 'Optional: Used as the mounted - root, rather than the full Ceph tree, default - is /' + description: 'path is Optional: Used as the + mounted root, rather than the full Ceph + tree, default is /' type: string readOnly: - description: 'Optional: Defaults to false - (read/write). ReadOnly here will force the - ReadOnly setting in VolumeMounts. More info: - https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: 'readOnly is Optional: Defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts. 
+ More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: boolean secretFile: - description: 'Optional: SecretFile is the - path to key ring for User, default is /etc/ceph/user.secret - More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: 'secretFile is Optional: SecretFile + is the path to key ring for User, default + is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: string secretRef: - description: 'Optional: SecretRef is reference - to the authentication secret for User, default - is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: 'secretRef is Optional: SecretRef + is reference to the authentication secret + for User, default is empty. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' properties: name: description: 'Name of the referent. More 
@@ -5290,35 +6150,37 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic user: - description: 'Optional: User is the rados - user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' + description: 'user is optional: User is the + rados user name, default is admin More info: + https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it' type: string required: - monitors type: object cinder: - description: 'Cinder represents a cinder volume + description: 'cinder represents a cinder volume attached and mounted on kubelets host machine. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' properties: fsType: - description: 'Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Examples: "ext4", "xfs", - "ntfs". Implicitly inferred to be "ext4" - if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' + description: 'fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://examples.k8s.io/mysql-cinder-pd/README.md' type: string readOnly: - description: 'Optional: Defaults to false - (read/write). ReadOnly here will force the - ReadOnly setting in VolumeMounts. More info: - https://examples.k8s.io/mysql-cinder-pd/README.md' + description: 'readOnly defaults to false (read/write). + ReadOnly here will force the ReadOnly setting + in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' type: boolean secretRef: - description: 'Optional: points to a secret - object containing parameters used to connect - to OpenStack.' + description: 'secretRef is optional: points + to a secret object containing parameters + used to connect to OpenStack.' properties: name: description: 'Name of the referent. More 
@@ -5327,70 +6189,61 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic volumeID: - description: 'volume id used to identify the + description: 'volumeID used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md' type: string required: - volumeID type: object configMap: - description: ConfigMap represents a configMap + description: configMap represents a configMap that should populate this volume properties: defaultMode: - description: 'Optional: mode bits used to - set permissions on created files by default. - Must be an octal value between 0000 and - 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, - JSON requires decimal values for mode bits. - Defaults to 0644. Directories within the - path are not affected by this setting. This - might be in conflict with other options - that affect the file mode, like fsGroup, - and the result can be other mode bits set.' + description: 'defaultMode is optional: mode + bits used to set permissions on created + files by default. Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. + Directories within the path are not affected + by this setting.' format: int32 type: integer items: - description: If unspecified, each key-value + description: items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the ConfigMap, the volume setup will - error unless it is marked optional. Paths - must be relative and may not contain the - '..' path or start with '..'. + and unlisted keys will not be present. 
items: description: Maps a string key to a path within a volume. properties: key: - description: The key to project. + description: key is the key to project. type: string mode: - description: 'Optional: mode bits used - to set permissions on this file. Must - be an octal value between 0000 and - 0777 or a decimal value between 0 - and 511. YAML accepts both octal and - decimal values, JSON requires decimal - values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can be - other mode bits set.' + description: 'mode is Optional: mode + bits used to set permissions on this + file. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal + and decimal values, JSON requires + decimal values for mode bits. If not + specified, the volume defaultMode + will be used.' format: int32 type: integer path: - description: The relative path of the - file to map the key to. May not be - an absolute path. May not contain + description: path is the relative path + of the file to map the key to. May + not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string 
@@ -5406,30 +6259,31 @@ spec: kind, uid?' type: string optional: - description: Specify whether the ConfigMap - or its keys must be defined + description: optional specify whether the + ConfigMap or its keys must be defined type: boolean type: object + x-kubernetes-map-type: atomic csi: - description: CSI (Container Storage Interface) + description: csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers (Beta feature). properties: driver: - description: Driver is the name of the CSI + description: driver is the name of the CSI driver that handles this volume. Consult with your admin for the correct name as registered in the cluster. type: string fsType: - description: Filesystem type to mount. Ex. - "ext4", "xfs", "ntfs". If not provided, - the empty value is passed to the associated - CSI driver which will determine the default - filesystem to apply. + description: fsType to mount. Ex. "ext4", + "xfs", "ntfs". If not provided, the empty + value is passed to the associated CSI driver + which will determine the default filesystem + to apply. type: string nodePublishSecretRef: - description: NodePublishSecretRef is a reference + description: nodePublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodePublishVolume and NodeUnpublishVolume @@ -5445,14 +6299,16 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic readOnly: - description: Specifies a read-only configuration - for the volume. Defaults to false (read/write). + description: readOnly specifies a read-only + configuration for the volume. Defaults to + false (read/write). type: boolean volumeAttributes: additionalProperties: type: string - description: VolumeAttributes stores driver-specific + description: volumeAttributes stores driver-specific properties that are passed to the CSI driver. Consult your driver's documentation for supported values. 
@@ -5461,7 +6317,7 @@ spec: - driver type: object downwardAPI: - description: DownwardAPI represents downward API + description: downwardAPI represents downward API about the pod that should populate this volume properties: defaultMode: @@ -5474,10 +6330,7 @@ spec: and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected - by this setting. This might be in conflict - with other options that affect the file - mode, like fsGroup, and the result can be - other mode bits set.' + by this setting.' format: int32 type: integer items: @@ -5505,6 +6358,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic mode: description: 'Optional: mode bits used to set permissions on this file, must @@ -5513,11 +6367,7 @@ spec: and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can be - other mode bits set.' + the volume defaultMode will be used.' format: int32 type: integer path: 
@@ -5556,70 +6406,50 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic required: - path type: object type: array type: object emptyDir: - description: 'EmptyDir represents a temporary + description: 'emptyDir represents a temporary directory that shares a pod''s lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' properties: medium: - description: 'What type of storage medium - should back this directory. The default - is "" which means to use the node''s default - medium. Must be an empty string (default) - or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' + description: 'medium represents what type + of storage medium should back this directory. + The default is "" which means to use the + node''s default medium. Must be an empty + string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir' type: string sizeLimit: anyOf: - type: integer - type: string - description: 'Total amount of local storage - required for this EmptyDir volume. The size - limit is also applicable for memory medium. - The maximum usage on memory medium EmptyDir - would be the minimum value between the SizeLimit - specified here and the sum of memory limits - of all containers in a pod. The default - is nil which means that the limit is undefined. - More info: http://kubernetes.io/docs/user-guide/volumes#emptydir' + description: 'sizeLimit is the total amount + of local storage required for this EmptyDir + volume. The size limit is also applicable + for memory medium. The maximum usage on + memory medium EmptyDir would be the minimum + value between the SizeLimit specified here + and the sum of memory limits of all containers + in a pod. The default is nil which means + that the limit is undefined. More info: + https://kubernetes.' 
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ x-kubernetes-int-or-string: true type: object ephemeral: - description: "Ephemeral represents a volume that - is handled by a cluster storage driver (Alpha - feature). The volume's lifecycle is tied to - the pod that defines it - it will be created - before the pod starts, and deleted when the - pod is removed. \n Use this if: a) the volume - is only needed while the pod runs, b) features - of normal volumes like restoring from snapshot - or capacity tracking are needed, c) the storage - driver is specified through a storage class, - and d) the storage driver supports dynamic volume - provisioning through a PersistentVolumeClaim - (see EphemeralVolumeSource for more information - on the connection between this volume type and - PersistentVolumeClaim). \n Use PersistentVolumeClaim - or one of the vendor-specific APIs for volumes - that persist for longer than the lifecycle of - an individual pod. \n Use CSI for light-weight - local ephemeral volumes if the CSI driver is - meant to be used that way - see the documentation - of the driver for more information. \n A pod - can use both types of ephemeral volumes and - persistent volumes at the same time." + description: ephemeral represents a volume that + is handled by a cluster storage driver. The + volume's lifecycle is tied to the pod that defines + it - it will be created before the pod starts, + and deleted when the pod is removed. properties: - readOnly: - description: Specifies a read-only configuration - for the volume. Defaults to false (read/write). - type: boolean volumeClaimTemplate: - description: "Will be used to create a stand-alone + description: Will be used to create a stand-alone PVC to provision the volume. The pod in which this EphemeralVolumeSource is embedded will be the owner of the PVC, i.e. the PVC 
@@ -5627,23 +6457,6 @@ spec: name of the PVC will be `-` where `` is the name from the `PodSpec.Volumes` array entry. - Pod validation will reject the pod if the - concatenated name is not valid for a PVC - (for example, too long). \n An existing - PVC with that name that is not owned by - the pod will *not* be used for the pod to - avoid using an unrelated volume by mistake. - Starting the pod is then blocked until the - unrelated PVC is removed. If such a pre-created - PVC is meant to be used by the pod, the - PVC has to updated with an owner reference - to the pod once the pod exists. Normally - this should not be necessary, but it may - be useful when manually reconstructing a - broken cluster. \n This field is read-only - and no changes will be made by Kubernetes - to the PVC after it has been created. \n - Required, must not be nil." properties: metadata: description: May contain labels and annotations 
@@ -5677,34 +6490,57 @@ spec: are also valid here. properties: accessModes: - description: 'AccessModes contains + description: 'accessModes contains the desired access modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1' items: type: string type: array dataSource: - description: 'This field can be used - to specify either: * An existing - VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot - - Beta) * An existing PVC (PersistentVolumeClaim) - * An existing custom resource/object - that implements data population - (Alpha) In order to use VolumeSnapshot - object types, the appropriate feature - gate must be enabled (VolumeSnapshotDataSource - or AnyVolumeDataSource) If the provisioner - or an external controller can support - the specified data source, it will - create a new volume based on the - contents of the specified data source. - If the specified data source is - not supported, the volume will not - be created and the failure will - be reported as an event. In the - future, we plan to support more - data source types and the behavior - of the provisioner may change.' + description: 'dataSource field can + be used to specify either: * An + existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot) + * An existing PVC (PersistentVolumeClaim) + If the provisioner or an external + controller can support the specified + data source, it will create a new + volume based on the contents of + the specified data source.' + properties: + apiGroup: + description: APIGroup is the group + for the resource being referenced. + If APIGroup is not specified, + the specified Kind must be in + the core API group. For any + other third-party types, APIGroup + is required. 
+ type: string + kind: + description: Kind is the type + of resource being referenced + type: string + name: + description: Name is the name + of resource being referenced + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + description: dataSourceRef specifies + the object from which to populate + the volume with data, if a non-empty + volume is desired. This may be any + object from a non-empty API group + (non core object) or a PersistentVolumeClaim + object. When this field is specified, + volume binding will only succeed + if the type of the specified object + matches some installed volume populator + or dynamic provisioner. properties: apiGroup: description: APIGroup is the group 
@@ -5723,15 +6559,64 @@ spec: description: Name is the name of resource being referenced type: string + namespace: + description: Namespace is the + namespace of resource being + referenced Note that when a + namespace is specified, a gateway.networking.k8s.io/ReferenceGrant + object is required in the referent + namespace to allow that namespace's + owner to accept the reference. + See the ReferenceGrant documentation + for details. (Alpha) This field + requires the CrossNamespaceVolumeDataSource + feature gate to be enabled. + type: string required: - kind - name type: object resources: - description: 'Resources represents + description: 'resources represents the minimum resources the volume - should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' + should have. If RecoverVolumeExpansionFailure + feature is enabled users are allowed + to specify resource requirements + that are lower than previous value + but must still be higher than capacity + recorded in the status field of + the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#resources' properties: + claims: + description: "Claims lists the + names of resources, defined + in spec.resourceClaims, that + are used by this container. + \n This is an alpha field and + requires enabling the DynamicResourceAllocation + feature gate. \n This field + is immutable. It can only be + set for containers." + items: + description: ResourceClaim references + one entry in PodSpec.ResourceClaims. + properties: + name: + description: Name must match + the name of one entry + in pod.spec.resourceClaims + of the Pod where this + field is used. It makes + that resource available + inside a container. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map limits: additionalProperties: anyOf: 
@@ -5742,7 +6627,7 @@ spec: description: 'Limits describes the maximum amount of compute resources allowed. More info: - https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object requests: additionalProperties: @@ -5758,12 +6643,13 @@ spec: it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined - value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/' + value. Requests cannot exceed + Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' type: object type: object selector: - description: A label query over volumes - to consider for binding. + description: selector is a label query + over volumes to consider for binding. properties: matchExpressions: description: matchExpressions @@ -5822,10 +6708,11 @@ spec: are ANDed. type: object type: object + x-kubernetes-map-type: atomic storageClassName: - description: 'Name of the StorageClass - required by the claim. More info: - https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' + description: 'storageClassName is + the name of the StorageClass required + by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1' type: string volumeMode: description: volumeMode defines what @@ -5834,7 +6721,7 @@ spec: when not included in claim spec. type: string volumeName: - description: VolumeName is the binding + description: volumeName is the binding reference to the PersistentVolume backing this claim. type: string 
@@ -5844,77 +6731,79 @@ spec: type: object type: object fc: - description: FC represents a Fibre Channel resource + description: fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod. properties: fsType: - description: 'Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - Implicitly inferred to be "ext4" if unspecified. - TODO: how do we prevent errors in the filesystem - from compromising the machine' + description: 'fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. TODO: how do we prevent + errors in the filesystem from compromising + the machine' type: string lun: - description: 'Optional: FC target lun number' + description: 'lun is Optional: FC target lun + number' format: int32 type: integer readOnly: - description: 'Optional: Defaults to false - (read/write). ReadOnly here will force the - ReadOnly setting in VolumeMounts.' + description: 'readOnly is Optional: Defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts.' type: boolean targetWWNs: - description: 'Optional: FC target worldwide - names (WWNs)' + description: 'targetWWNs is Optional: FC target + worldwide names (WWNs)' items: type: string type: array wwids: - description: 'Optional: FC volume world wide - identifiers (wwids) Either wwids or combination - of targetWWNs and lun must be set, but not - both simultaneously.' + description: 'wwids Optional: FC volume world + wide identifiers (wwids) Either wwids or + combination of targetWWNs and lun must be + set, but not both simultaneously.' 
items: type: string type: array type: object flexVolume: - description: FlexVolume represents a generic volume + description: flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. properties: driver: - description: Driver is the name of the driver + description: driver is the name of the driver to use for this volume. type: string fsType: - description: Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - The default filesystem depends on FlexVolume - script. + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". The default filesystem depends + on FlexVolume script. type: string options: additionalProperties: type: string - description: 'Optional: Extra command options - if any.' + description: 'options is Optional: this field + holds extra command options if any.' type: object readOnly: - description: 'Optional: Defaults to false - (read/write). ReadOnly here will force the - ReadOnly setting in VolumeMounts.' + description: 'readOnly is Optional: defaults + to false (read/write). ReadOnly here will + force the ReadOnly setting in VolumeMounts.' type: boolean secretRef: - description: 'Optional: SecretRef is reference - to the secret object containing sensitive - information to pass to the plugin scripts. - This may be empty if no secret object is - specified. If the secret object contains - more than one secret, all secrets are passed - to the plugin scripts.' + description: 'secretRef is Optional: secretRef + is reference to the secret object containing + sensitive information to pass to the plugin + scripts. This may be empty if no secret + object is specified. If the secret object + contains more than one secret, all secrets + are passed to the plugin scripts.' properties: name: description: 'Name of the referent. More 
@@ -5923,57 +6812,60 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic required: - driver type: object flocker: - description: Flocker represents a Flocker volume + description: flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running properties: datasetName: - description: Name of the dataset stored as - metadata -> name on the dataset for Flocker - should be considered as deprecated + description: datasetName is Name of the dataset + stored as metadata -> name on the dataset + for Flocker should be considered as deprecated type: string datasetUUID: - description: UUID of the dataset. This is - unique identifier of a Flocker dataset + description: datasetUUID is the UUID of the + dataset. This is unique identifier of a + Flocker dataset type: string type: object gcePersistentDisk: - description: 'GCEPersistentDisk represents a GCE + description: 'gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' properties: fsType: - description: 'Filesystem type of the volume - that you want to mount. Tip: Ensure that - the filesystem type is supported by the - host operating system. Examples: "ext4", - "xfs", "ntfs". Implicitly inferred to be - "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk + description: 'fsType is filesystem type of + the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. 
More info: + https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk TODO: how do we prevent errors in the filesystem from compromising the machine' type: string partition: - description: 'The partition in the volume - that you want to mount. If omitted, the - default is to mount by volume name. Examples: - For volume /dev/sda1, you specify the partition - as "1". Similarly, the volume partition - for /dev/sda is "0" (or you can leave the - property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: 'partition is the partition in + the volume that you want to mount. If omitted, + the default is to mount by volume name. + Examples: For volume /dev/sda1, you specify + the partition as "1". Similarly, the volume + partition for /dev/sda is "0" (or you can + leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' format: int32 type: integer pdName: - description: 'Unique name of the PD resource - in GCE. Used to identify the disk in GCE. - More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' + description: 'pdName is unique name of the + PD resource in GCE. Used to identify the + disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' type: string readOnly: - description: 'ReadOnly here will force the + description: 'readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk' type: boolean @@ -5981,7 +6873,7 @@ spec: - pdName type: object gitRepo: - description: 'GitRepo represents a git repository + description: 'gitRepo represents a git repository at a particular revision. DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer 
@@ -5989,39 +6881,39 @@ spec: EmptyDir into the Pod''s container.' properties: directory: - description: Target directory name. Must not - contain or start with '..'. If '.' is supplied, - the volume directory will be the git repository. Otherwise, - if specified, the volume will contain the - git repository in the subdirectory with - the given name. + description: directory is the target directory + name. Must not contain or start with '..'. If + '.' is supplied, the volume directory will + be the git repository. Otherwise, if specified, + the volume will contain the git repository + in the subdirectory with the given name. type: string repository: - description: Repository URL + description: repository is the URL type: string revision: - description: Commit hash for the specified - revision. + description: revision is the commit hash for + the specified revision. type: string required: - repository type: object glusterfs: - description: 'Glusterfs represents a Glusterfs + description: 'glusterfs represents a Glusterfs mount on the host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/glusterfs/README.md' properties: endpoints: - description: 'EndpointsName is the endpoint - name that details Glusterfs topology. More - info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' + description: 'endpoints is the endpoint name + that details Glusterfs topology. More info: + https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' type: string path: - description: 'Path is the Glusterfs volume + description: 'path is the Glusterfs volume path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' type: string readOnly: - description: 'ReadOnly here will force the + description: 'readOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod' 
@@ -6031,87 +6923,87 @@ spec: - path type: object hostPath: - description: 'HostPath represents a pre-existing + description: 'hostPath represents a pre-existing file or directory on the host machine that is directly exposed to the container. This is generally used for system agents or other privileged things that are allowed to see the host machine. Most - containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath - --- TODO(jonesdl) We need to restrict who can - use host directory mounts and who can/can not - mount host directories as read/write.' + containers will NOT need this. More info: https://kubernetes.' properties: path: - description: 'Path of the directory on the + description: 'path of the directory on the host. If the path is a symlink, it will follow the link to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' type: string type: - description: 'Type for HostPath Volume Defaults + description: 'type for HostPath Volume Defaults to "" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath' type: string required: - path type: object iscsi: - description: 'ISCSI represents an ISCSI Disk resource + description: 'iscsi represents an ISCSI Disk resource that is attached to a kubelet''s host machine and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md' properties: chapAuthDiscovery: - description: whether support iSCSI Discovery - CHAP authentication + description: chapAuthDiscovery defines whether + support iSCSI Discovery CHAP authentication type: boolean chapAuthSession: - description: whether support iSCSI Session - CHAP authentication + description: chapAuthSession defines whether + support iSCSI Session CHAP authentication type: boolean fsType: - description: 'Filesystem type of the volume - that you want to mount. Tip: Ensure that - the filesystem type is supported by the - host operating system. 
Examples: "ext4", - "xfs", "ntfs". Implicitly inferred to be - "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#iscsi TODO: how do we prevent errors in the filesystem from compromising the machine' type: string initiatorName: - description: Custom iSCSI Initiator Name. - If initiatorName is specified with iscsiInterface - simultaneously, new iSCSI interface : will be created for - the connection. + description: initiatorName is the custom iSCSI + Initiator Name. If initiatorName is specified + with iscsiInterface simultaneously, new + iSCSI interface : will be created for the connection. type: string iqn: - description: Target iSCSI Qualified Name. + description: iqn is the target iSCSI Qualified + Name. type: string iscsiInterface: - description: iSCSI Interface Name that uses - an iSCSI transport. Defaults to 'default' - (tcp). + description: iscsiInterface is the interface + Name that uses an iSCSI transport. Defaults + to 'default' (tcp). type: string lun: - description: iSCSI Target Lun number. + description: lun represents iSCSI Target Lun + number. format: int32 type: integer portals: - description: iSCSI Target Portal List. The - portal is either an IP or ip_addr:port if - the port is other than default (typically + description: portals is the iSCSI Target Portal + List. The portal is either an IP or ip_addr:port + if the port is other than default (typically TCP ports 860 and 3260). items: type: string type: array readOnly: - description: ReadOnly here will force the + description: readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. 
type: boolean secretRef: - description: CHAP Secret for iSCSI target - and initiator authentication + description: secretRef is the CHAP Secret + for iSCSI target and initiator authentication properties: name: description: 'Name of the referent. More @@ -6120,11 +7012,12 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic targetPortal: - description: iSCSI Target Portal. The Portal - is either an IP or ip_addr:port if the port - is other than default (typically TCP ports - 860 and 3260). + description: targetPortal is iSCSI Target + Portal. The Portal is either an IP or ip_addr:port + if the port is other than default (typically + TCP ports 860 and 3260). type: string required: - iqn @@ -6132,26 +7025,26 @@ spec: - targetPortal type: object name: - description: 'Volume''s name. Must be a DNS_LABEL + description: 'name of the volume. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string nfs: - description: 'NFS represents an NFS mount on the + description: 'nfs represents an NFS mount on the host that shares a pod''s lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' properties: path: - description: 'Path that is exported by the + description: 'path that is exported by the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: string readOnly: - description: 'ReadOnly here will force the + description: 'readOnly here will force the NFS export to be mounted with read-only permissions. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: boolean server: - description: 'Server is the hostname or IP + description: 'server is the hostname or IP address of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs' type: string required: 
@@ -6159,118 +7052,112 @@ spec: - server type: object persistentVolumeClaim: - description: 'PersistentVolumeClaimVolumeSource + description: 'persistentVolumeClaimVolumeSource represents a reference to a PersistentVolumeClaim in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' properties: claimName: - description: 'ClaimName is the name of a PersistentVolumeClaim + description: 'claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims' type: string readOnly: - description: Will force the ReadOnly setting - in VolumeMounts. Default false. + description: readOnly Will force the ReadOnly + setting in VolumeMounts. Default false. type: boolean required: - claimName type: object photonPersistentDisk: - description: PhotonPersistentDisk represents a + description: photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine properties: fsType: - description: Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - Implicitly inferred to be "ext4" if unspecified. + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. 
type: string pdID: - description: ID that identifies Photon Controller - persistent disk + description: pdID is the ID that identifies + Photon Controller persistent disk type: string required: - pdID type: object portworxVolume: - description: PortworxVolume represents a portworx + description: portworxVolume represents a portworx volume attached and mounted on kubelets host machine properties: fsType: - description: FSType represents the filesystem + description: fSType represents the filesystem type to mount Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs". Implicitly inferred to be "ext4" if unspecified. type: string readOnly: - description: Defaults to false (read/write). + description: readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. type: boolean volumeID: - description: VolumeID uniquely identifies + description: volumeID uniquely identifies a Portworx volume type: string required: - volumeID type: object projected: - description: Items for all in one resources secrets, - configmaps, and downward API + description: projected items for all in one resources + secrets, configmaps, and downward API properties: defaultMode: - description: Mode bits used to set permissions - on created files by default. Must be an - octal value between 0000 and 0777 or a decimal - value between 0 and 511. YAML accepts both - octal and decimal values, JSON requires - decimal values for mode bits. Directories - within the path are not affected by this - setting. This might be in conflict with - other options that affect the file mode, - like fsGroup, and the result can be other - mode bits set. + description: defaultMode are the mode bits + used to set permissions on created files + by default. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal and decimal + values, JSON requires decimal values for + mode bits. 
Directories within the path are + not affected by this setting. format: int32 type: integer sources: - description: list of volume projections + description: sources is the list of volume + projections items: description: Projection that may be projected along with other supported volume types properties: configMap: - description: information about the configMap - data to project + description: configMap information about + the configMap data to project properties: items: - description: If unspecified, each - key-value pair in the Data field - of the referenced ConfigMap will - be projected into the volume as - a file whose name is the key and - content is the value. If specified, + description: items if unspecified, + each key-value pair in the Data + field of the referenced ConfigMap + will be projected into the volume + as a file whose name is the key + and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. - If a key is specified which is - not present in the ConfigMap, - the volume setup will error unless - it is marked optional. Paths must - be relative and may not contain - the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. properties: key: - description: The key to project. + description: key is the key + to project. type: string mode: - description: 'Optional: mode - bits used to set permissions + description: 'mode is Optional: + mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value 
@@ -6279,16 +7166,11 @@ spec: values, JSON requires decimal values for mode bits. If not specified, the volume - defaultMode will be used. - This might be in conflict - with other options that - affect the file mode, like - fsGroup, and the result - can be other mode bits set.' + defaultMode will be used.' format: int32 type: integer path: - description: The relative + description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain @@ -6308,14 +7190,15 @@ spec: apiVersion, kind, uid?' type: string optional: - description: Specify whether the - ConfigMap or its keys must be - defined + description: optional specify whether + the ConfigMap or its keys must + be defined type: boolean type: object + x-kubernetes-map-type: atomic downwardAPI: - description: information about the downwardAPI - data to project + description: downwardAPI information + about the downwardAPI data to project properties: items: description: Items is a list of @@ -6346,6 +7229,7 @@ spec: required: - fieldPath type: object + x-kubernetes-map-type: atomic mode: description: 'Optional: mode bits used to set permissions @@ -6357,12 +7241,7 @@ spec: values, JSON requires decimal values for mode bits. If not specified, the volume - defaultMode will be used. - This might be in conflict - with other options that - affect the file mode, like - fsGroup, and the result - can be other mode bits set.' + defaultMode will be used.' format: int32 type: integer path: 
@@ -6406,41 +7285,37 @@ spec: required: - resource type: object + x-kubernetes-map-type: atomic required: - path type: object type: array type: object secret: - description: information about the secret - data to project + description: secret information about + the secret data to project properties: items: - description: If unspecified, each - key-value pair in the Data field - of the referenced Secret will - be projected into the volume as - a file whose name is the key and - content is the value. If specified, + description: items if unspecified, + each key-value pair in the Data + field of the referenced Secret + will be projected into the volume + as a file whose name is the key + and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. - If a key is specified which is - not present in the Secret, the - volume setup will error unless - it is marked optional. Paths must - be relative and may not contain - the '..' path or start with '..'. items: description: Maps a string key to a path within a volume. properties: key: - description: The key to project. + description: key is the key + to project. type: string mode: - description: 'Optional: mode - bits used to set permissions + description: 'mode is Optional: + mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value @@ -6449,16 +7324,11 @@ spec: values, JSON requires decimal values for mode bits. If not specified, the volume - defaultMode will be used. - This might be in conflict - with other options that - affect the file mode, like - fsGroup, and the result - can be other mode bits set.' + defaultMode will be used.' format: int32 type: integer path: - description: The relative + description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain 
@@ -6478,16 +7348,19 @@ spec: apiVersion, kind, uid?' type: string optional: - description: Specify whether the - Secret or its key must be defined + description: optional field specify + whether the Secret or its key + must be defined type: boolean type: object + x-kubernetes-map-type: atomic serviceAccountToken: - description: information about the serviceAccountToken + description: serviceAccountToken is + information about the serviceAccountToken data to project properties: audience: - description: Audience is the intended + description: audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in @@ -6497,7 +7370,7 @@ spec: of the apiserver. type: string expirationSeconds: - description: ExpirationSeconds is + description: expirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, @@ -6513,7 +7386,7 @@ spec: format: int64 type: integer path: - description: Path is the path relative + description: path is the path relative to the mount point of the file to project the token into. type: string 
@@ -6522,41 +7395,39 @@ spec: type: object type: object type: array - required: - - sources type: object quobyte: - description: Quobyte represents a Quobyte mount + description: quobyte represents a Quobyte mount on the host that shares a pod's lifetime properties: group: - description: Group to map volume access to + description: group to map volume access to Default is no group type: string readOnly: - description: ReadOnly here will force the + description: readOnly here will force the Quobyte volume to be mounted with read-only permissions. Defaults to false. type: boolean registry: - description: Registry represents a single + description: registry represents a single or multiple Quobyte Registry services specified as a string as host:port pair (multiple entries are separated with commas) which acts as the central registry for volumes type: string tenant: - description: Tenant owning the given Quobyte + description: tenant owning the given Quobyte volume in the Backend Used with dynamically provisioned Quobyte volumes, value is set by the plugin type: string user: - description: User to map volume access to + description: user to map volume access to Defaults to serivceaccount user type: string volume: - description: Volume is a string that references + description: volume is a string that references an already created Quobyte volume by name. type: string required: 
@@ -6564,46 +7435,47 @@ spec: - volume type: object rbd: - description: 'RBD represents a Rados Block Device + description: 'rbd represents a Rados Block Device mount on the host that shares a pod''s lifetime. More info: https://examples.k8s.io/volumes/rbd/README.md' properties: fsType: - description: 'Filesystem type of the volume - that you want to mount. Tip: Ensure that - the filesystem type is supported by the - host operating system. Examples: "ext4", - "xfs", "ntfs". Implicitly inferred to be - "ext4" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd + description: 'fsType is the filesystem type + of the volume that you want to mount. Tip: + Ensure that the filesystem type is supported + by the host operating system. Examples: + "ext4", "xfs", "ntfs". Implicitly inferred + to be "ext4" if unspecified. More info: + https://kubernetes.io/docs/concepts/storage/volumes#rbd TODO: how do we prevent errors in the filesystem from compromising the machine' type: string image: - description: 'The rados image name. More info: - https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: 'image is the rados image name. + More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string keyring: - description: 'Keyring is the path to key ring + description: 'keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string monitors: - description: 'A collection of Ceph monitors. - More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: 'monitors is a collection of + Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' items: type: string type: array pool: - description: 'The rados pool name. Default - is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: 'pool is the rados pool name. + Default is rbd. 
More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string readOnly: - description: 'ReadOnly here will force the + description: 'readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: boolean secretRef: - description: 'SecretRef is name of the authentication + description: 'secretRef is name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' properties: 
@@ -6614,39 +7486,41 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic user: - description: 'The rados user name. Default - is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' + description: 'user is the rados user name. + Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it' type: string required: - image - monitors type: object scaleIO: - description: ScaleIO represents a ScaleIO persistent + description: scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. properties: fsType: - description: Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - Default is "xfs". + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Default is "xfs". type: string gateway: - description: The host address of the ScaleIO - API Gateway. + description: gateway is the host address of + the ScaleIO API Gateway. type: string protectionDomain: - description: The name of the ScaleIO Protection - Domain for the configured storage. + description: protectionDomain is the name + of the ScaleIO Protection Domain for the + configured storage. type: string readOnly: - description: Defaults to false (read/write). + description: readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: SecretRef references to the secret + description: secretRef references to the secret for ScaleIO user and other sensitive information. If this is not provided, Login operation will fail. 
@@ -6658,27 +7532,29 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic sslEnabled: - description: Flag to enable/disable SSL communication - with Gateway, default false + description: sslEnabled Flag enable/disable + SSL communication with Gateway, default + false type: boolean storageMode: - description: Indicates whether the storage - for a volume should be ThickProvisioned + description: storageMode indicates whether + the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. type: string storagePool: - description: The ScaleIO Storage Pool associated - with the protection domain. + description: storagePool is the ScaleIO Storage + Pool associated with the protection domain. type: string system: - description: The name of the storage system - as configured in ScaleIO. + description: system is the name of the storage + system as configured in ScaleIO. type: string volumeName: - description: The name of a volume already - created in the ScaleIO system that is associated - with this volume source. + description: volumeName is the name of a volume + already created in the ScaleIO system that + is associated with this volume source. type: string required: - gateway 
@@ -6686,62 +7562,52 @@ spec: - system type: object secret: - description: 'Secret represents a secret that + description: 'secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' properties: defaultMode: - description: 'Optional: mode bits used to - set permissions on created files by default. - Must be an octal value between 0000 and - 0777 or a decimal value between 0 and 511. - YAML accepts both octal and decimal values, - JSON requires decimal values for mode bits. - Defaults to 0644. Directories within the - path are not affected by this setting. This - might be in conflict with other options - that affect the file mode, like fsGroup, - and the result can be other mode bits set.' + description: 'defaultMode is Optional: mode + bits used to set permissions on created + files by default. Must be an octal value + between 0000 and 0777 or a decimal value + between 0 and 511. YAML accepts both octal + and decimal values, JSON requires decimal + values for mode bits. Defaults to 0644. + Directories within the path are not affected + by this setting.' format: int32 type: integer items: - description: If unspecified, each key-value + description: items If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, - and unlisted keys will not be present. If - a key is specified which is not present - in the Secret, the volume setup will error - unless it is marked optional. Paths must - be relative and may not contain the '..' - path or start with '..'. + and unlisted keys will not be present. items: description: Maps a string key to a path within a volume. properties: key: - description: The key to project. + description: key is the key to project. 
type: string mode: - description: 'Optional: mode bits used - to set permissions on this file. Must - be an octal value between 0000 and - 0777 or a decimal value between 0 - and 511. YAML accepts both octal and - decimal values, JSON requires decimal - values for mode bits. If not specified, - the volume defaultMode will be used. - This might be in conflict with other - options that affect the file mode, - like fsGroup, and the result can be - other mode bits set.' + description: 'mode is Optional: mode + bits used to set permissions on this + file. Must be an octal value between + 0000 and 0777 or a decimal value between + 0 and 511. YAML accepts both octal + and decimal values, JSON requires + decimal values for mode bits. If not + specified, the volume defaultMode + will be used.' format: int32 type: integer path: - description: The relative path of the - file to map the key to. May not be - an absolute path. May not contain + description: path is the relative path + of the file to map the key to. May + not be an absolute path. May not contain the path element '..'. May not start with the string '..'. type: string 
@@ -6751,31 +7617,33 @@ spec: type: object type: array optional: - description: Specify whether the Secret or - its keys must be defined + description: optional field specify whether + the Secret or its keys must be defined type: boolean secretName: - description: 'Name of the secret in the pod''s - namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + description: 'secretName is the name of the + secret in the pod''s namespace to use. More + info: https://kubernetes.io/docs/concepts/storage/volumes#secret' type: string type: object storageos: - description: StorageOS represents a StorageOS + description: storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. properties: fsType: - description: Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - Implicitly inferred to be "ext4" if unspecified. + description: fsType is the filesystem type + to mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. type: string readOnly: - description: Defaults to false (read/write). + description: readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. type: boolean secretRef: - description: SecretRef specifies the secret + description: secretRef specifies the secret to use for obtaining the StorageOS API credentials. If not specified, default values will be attempted. properties: 
@@ -6786,13 +7654,14 @@ spec: kind, uid?' type: string type: object + x-kubernetes-map-type: atomic volumeName: - description: VolumeName is the human-readable + description: volumeName is the human-readable name of the StorageOS volume. Volume names are only unique within a namespace. type: string volumeNamespace: - description: VolumeNamespace specifies the + description: volumeNamespace specifies the scope of the volume within StorageOS. If no namespace is specified then the Pod's namespace will be used. This allows the 
@@ -6800,32 +7669,33 @@ spec: StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to "default" if you are not using namespaces - within StorageOS. Namespaces that do not - pre-exist within StorageOS will be created. + within StorageOS. type: string type: object vsphereVolume: - description: VsphereVolume represents a vSphere + description: vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine properties: fsType: - description: Filesystem type to mount. Must - be a filesystem type supported by the host - operating system. Ex. "ext4", "xfs", "ntfs". - Implicitly inferred to be "ext4" if unspecified. + description: fsType is filesystem type to + mount. Must be a filesystem type supported + by the host operating system. Ex. "ext4", + "xfs", "ntfs". Implicitly inferred to be + "ext4" if unspecified. type: string storagePolicyID: - description: Storage Policy Based Management - (SPBM) profile ID associated with the StoragePolicyName. + description: storagePolicyID is the storage + Policy Based Management (SPBM) profile ID + associated with the StoragePolicyName. type: string storagePolicyName: - description: Storage Policy Based Management - (SPBM) profile name. + description: storagePolicyName is the storage + Policy Based Management (SPBM) profile name. type: string volumePath: - description: Path that identifies vSphere - volume vmdk + description: volumePath is the path that identifies + vSphere volume vmdk type: string required: - volumePath @@ -6906,10 +7776,7 @@ spec: format: int32 type: integer labelSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: 'Deprecated: Use Selector instead' properties: matchExpressions: description: matchExpressions is a list of label selector 
@@ -6952,6 +7819,13 @@ spec: only "value". The requirements are ANDed. type: object type: object + x-kubernetes-map-type: atomic + selector: + description: A Selector is a label query over a set of resources. + The result of matchLabels and matchExpressions are ANDed. + An empty Selector matches all objects. A null Selector matches + no objects. + type: string succeeded: description: The number of pods which reached phase Succeeded. format: int32 @@ -6967,18 +7841,9 @@ spec: and is in UTC. format: date-time type: string - required: - - conditions - - replicaStatuses type: object type: object served: true storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/kubeflow/helm/training-operator/templates/cluster-role.yaml b/kubeflow/helm/training-operator/templates/cluster-role.yaml new file mode 100644 index 000000000..a29c6c2c8 --- /dev/null +++ b/kubeflow/helm/training-operator/templates/cluster-role.yaml 
@@ -0,0 +1,275 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ {{- include "training-operator.labels" . | nindent 4 }}
+ name: {{ include "training-operator.fullname" . }}-controller-cluster-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - list
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - pods/exec
+ verbs:
+ - create
+- apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - watch
+- apiGroups:
+ - autoscaling
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - mpijobs
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - mpijobs/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - mpijobs/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - mxjobs
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - mxjobs/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - mxjobs/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - paddlejobs
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - paddlejobs/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - paddlejobs/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - pytorchjobs
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - pytorchjobs/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - pytorchjobs/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - tfjobs
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - tfjobs/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - tfjobs/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - xgboostjobs
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - xgboostjobs/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - kubeflow.org
+ resources:
+ - xgboostjobs/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - rolebindings
+ verbs:
+ - create
+ - list
+ - update
+ - watch
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - roles
+ verbs:
+ - create
+ - list
+ - update
+ - watch
+- apiGroups:
+ - scheduling.volcano.sh
+ resources:
+ - podgroups
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - scheduling.x-k8s.io
+ resources:
+ - podgroups
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
diff --git a/kubeflow/helm/training-operator/templates/deployment.yaml b/kubeflow/helm/training-operator/templates/deployment.yaml
index 9e38b530b..360edd76a 100644
--- a/kubeflow/helm/training-operator/templates/deployment.yaml
+++ b/kubeflow/helm/training-operator/templates/deployment.yaml
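Review bot: The `pods/exec` rule in the new training-operator `cluster-role.yaml` grants `create` in every namespace and has no comment saying which job kind needs it; next to cluster-wide `create` on `pods` and `create`/`update` on `roles` and `rolebindings`, it is the grant an auditor will ask about first. I would add a comment above that rule such as `# pods/exec: needed by <job kind that execs into its worker pods>; remove if that kind is not deployed`, and a similar one-line justification above the `roles` and `rolebindings` rules. The API server's escalation check only lets the controller hand out permissions it already holds, so any verb added to this role later also widens what the Roles it creates may contain. `delete` on `events` looks unnecessary for a controller that only records events, though that is presumably inherited from the upstream manifest.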
@@ -45,22 +45,22 @@ spec: fieldRef: fieldPath: metadata.name ports: - - name: healthz - containerPort: 8081 - protocol: TCP - name: metrics containerPort: 8080 protocol: TCP + - name: probe + containerPort: 8081 + protocol: TCP livenessProbe: httpGet: path: /healthz - port: healthz + port: probe initialDelaySeconds: 15 periodSeconds: 20 readinessProbe: httpGet: - path: /healthz - port: healthz + path: /readyz + port: probe initialDelaySeconds: 5 periodSeconds: 10 resources: diff --git a/kubeflow/helm/training-operator/templates/clusterroles.yaml b/kubeflow/helm/training-operator/templates/kubeflow-cluster-roles.yaml similarity index 53% rename from kubeflow/helm/training-operator/templates/clusterroles.yaml rename to kubeflow/helm/training-operator/templates/kubeflow-cluster-roles.yaml index 9a75a8a53..ff542a2b3 100644 --- a/kubeflow/helm/training-operator/templates/clusterroles.yaml +++ b/kubeflow/helm/training-operator/templates/kubeflow-cluster-roles.yaml @@ -1,13 +1,13 @@ -aggregationRule: - clusterRoleSelectors: - - matchLabels: - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-training-admin: "true" apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" - name: kubeflow-training-admin + name: {{ include "training-operator.fullname" . }}-admin +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-training-admin: "true" rules: [] --- apiVersion: rbac.authorization.k8s.io/v1 @@ -16,7 +16,7 @@ metadata: labels: rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" rbac.authorization.kubeflow.org/aggregate-to-kubeflow-training-admin: "true" - name: kubeflow-training-edit + name: {{ include "training-operator.fullname" . }}-edit rules: - apiGroups: - kubeflow.org @@ -26,6 +26,7 @@ rules: - pytorchjobs - mxjobs - xgboostjobs + - paddlejobs verbs: - create - delete 
@@ -42,6 +43,7 @@ rules: - pytorchjobs/status - mxjobs/status - xgboostjobs/status + - paddlejobs/status verbs: - get --- @@ -50,7 +52,7 @@ kind: ClusterRole metadata: labels: rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" - name: kubeflow-training-view + name: {{ include "training-operator.fullname" . }}-view rules: - apiGroups: - kubeflow.org @@ -60,6 +62,7 @@ rules: - pytorchjobs - mxjobs - xgboostjobs + - paddlejobs verbs: - get - list @@ -72,83 +75,6 @@ rules: - pytorchjobs/status - mxjobs/status - xgboostjobs/status + - paddlejobs/status verbs: - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - {{- include "training-operator.labels" . | nindent 4 }} - name: {{ include "training-operator.fullname" . }}-controller-cluster-role -rules: -- apiGroups: - - kubeflow.org - resources: - - mpijobs - - tfjobs - - mxjobs - - pytorchjobs - - xgboostjobs - - mpijobs/status - - tfjobs/status - - pytorchjobs/status - - mxjobs/status - - xgboostjobs/status - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - pods - - services - - endpoints - - events - verbs: - - '*' -- apiGroups: - - apps - - extensions - resources: - - deployments - verbs: - - '*' -- apiGroups: - - "" - resources: - - pods/exec - verbs: - - create -- apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - create - - list - - watch - - update -- apiGroups: - - "" - resources: - - configmaps - - secrets - - serviceaccounts - verbs: - - create - - list - - watch - - update -- apiGroups: - - scheduling.volcano.sh - resources: - - podgroups - verbs: - - '*' diff --git a/kubeflow/helm/training-operator/templates/service.yaml b/kubeflow/helm/training-operator/templates/service.yaml index f9b207214..53f7f06c5 100644 --- a/kubeflow/helm/training-operator/templates/service.yaml +++ b/kubeflow/helm/training-operator/templates/service.yaml 
@@ -10,6 +10,6 @@ spec: - port: {{ .Values.service.port }} targetPort: metrics protocol: TCP - name: http + name: http-metrics selector: {{- include "training-operator.selectorLabels" . | nindent 4 }} diff --git a/kubeflow/helm/training-operator/values.yaml b/kubeflow/helm/training-operator/values.yaml index 0521fe9c1..dacfcfff4 100644 --- a/kubeflow/helm/training-operator/values.yaml +++ b/kubeflow/helm/training-operator/values.yaml @@ -17,10 +17,10 @@ global: replicaCount: 1 image: - repository: public.ecr.aws/j1r0q0g6/training/training-operator + repository: docker.io/kubeflow/training-operator pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: "174e8813666951ded505daf334a37f60fd50c18d" + tag: v1-855e096 # TODO: get upstream to use semver for their images as well imagePullSecrets: [] nameOverride: "" diff --git a/kubeflow/helm/volumes/values.yaml b/kubeflow/helm/volumes/values.yaml index efa0feaab..8400b2adc 100644 --- a/kubeflow/helm/volumes/values.yaml +++ b/kubeflow/helm/volumes/values.yaml @@ -30,7 +30,7 @@ serviceAccount: config: volumeViewerImage: repository: filebrowser/filebrowser - tag: v2.25.0 # TODO: check if we want to use the s6 image variant + tag: v2.25.0 # TODO: The `viewer-spec.yaml` template doesn't seem to be working properly, making the defaulting webhook set the image to latest rwoScheduling: enabled: true From dbbeb06d715a3801e8e79e53260e4e8a32fca322 Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Fri, 15 Sep 2023 17:01:36 +0200 Subject: [PATCH 13/32] update katib 
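Review bot: The training-operator image in values.yaml is now identified only by the tag `v1-855e096` on docker.io, and neither the old nor the new value carries a digest, so the chart does not fix which image content actually runs. Recording the digest next to the tag, for example `tag: v1-855e096@sha256:<digest-placeholder>`, would pin it, provided the deployment template joins repository and tag with a colon (that template is outside this hunk). The volumes values.yaml hunk on the same line states in its TODO that the viewer image ends up as `latest`, which is the same class of problem and is worth tracking as an issue rather than only in a comment.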
Signed-off-by: David van der Spek --- kubeflow/helm/katib/Chart.yaml | 2 +- ...cedefinition_experiments.kubeflow.org.yaml | 35 ----- ...cedefinition_suggestions.kubeflow.org.yaml | 41 ----- ...esourcedefinition_trials.kubeflow.org.yaml | 35 ----- kubeflow/helm/katib/crds/experiment.yaml | 36 +++++ kubeflow/helm/katib/crds/suggestion.yaml | 42 ++++++ kubeflow/helm/katib/crds/trial.yaml | 36 +++++ .../templates/controller/cluster-role.yaml | 129 ++++++++++++++++ .../templates/controller/clusterrole.yaml | 65 -------- .../katib/templates/controller/configmap.yaml | 142 +++++++++--------- .../templates/controller/deployment.yaml | 30 ++-- .../mutatingwebhookconfiguration.yaml | 28 ++-- .../validatingwebhookconfiguration.yaml | 9 +- .../templates/db-manager/deployment.yaml | 29 ++-- .../{clusterrole.yaml => cluster-role.yaml} | 22 ++- .../katib/templates/web-app/deployment.yaml | 7 + .../web-app/kubeflow-cluster-roles.yaml | 65 ++++++++ kubeflow/helm/katib/values.yaml | 11 +- 18 files changed, 475 insertions(+), 289 deletions(-) delete mode 100644 kubeflow/helm/katib/crds/apiextensions.k8s.io_v1_customresourcedefinition_experiments.kubeflow.org.yaml delete mode 100644 kubeflow/helm/katib/crds/apiextensions.k8s.io_v1_customresourcedefinition_suggestions.kubeflow.org.yaml delete mode 100644 kubeflow/helm/katib/crds/apiextensions.k8s.io_v1_customresourcedefinition_trials.kubeflow.org.yaml create mode 100644 kubeflow/helm/katib/crds/experiment.yaml create mode 100644 kubeflow/helm/katib/crds/suggestion.yaml create mode 100644 kubeflow/helm/katib/crds/trial.yaml create mode 100644 kubeflow/helm/katib/templates/controller/cluster-role.yaml delete mode 100644 kubeflow/helm/katib/templates/controller/clusterrole.yaml rename kubeflow/helm/katib/templates/web-app/{clusterrole.yaml => cluster-role.yaml} (85%) create mode 100644 kubeflow/helm/katib/templates/web-app/kubeflow-cluster-roles.yaml 
diff --git a/kubeflow/helm/katib/Chart.yaml b/kubeflow/helm/katib/Chart.yaml index 5059491a7..0077185da 100644 --- a/kubeflow/helm/katib/Chart.yaml +++ b/kubeflow/helm/katib/Chart.yaml @@ -3,4 +3,4 @@ name: katib description: A Helm chart for Kubernetes type: application version: 0.1.20 -appVersion: "0.11.1" +appVersion: "v0.16.0-rc.1" diff --git a/kubeflow/helm/katib/crds/apiextensions.k8s.io_v1_customresourcedefinition_experiments.kubeflow.org.yaml b/kubeflow/helm/katib/crds/apiextensions.k8s.io_v1_customresourcedefinition_experiments.kubeflow.org.yaml deleted file mode 100644 index 449222127..000000000 --- a/kubeflow/helm/katib/crds/apiextensions.k8s.io_v1_customresourcedefinition_experiments.kubeflow.org.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: experiments.kubeflow.org -spec: - group: kubeflow.org - names: - categories: - - all - - kubeflow - - katib - kind: Experiment - plural: experiments - singular: experiment - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.conditions[-1:].type - name: Type - type: string - - jsonPath: .status.conditions[-1:].status - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true - subresources: - status: {} diff --git a/kubeflow/helm/katib/crds/apiextensions.k8s.io_v1_customresourcedefinition_suggestions.kubeflow.org.yaml b/kubeflow/helm/katib/crds/apiextensions.k8s.io_v1_customresourcedefinition_suggestions.kubeflow.org.yaml deleted file mode 100644 index 99a858209..000000000 --- a/kubeflow/helm/katib/crds/apiextensions.k8s.io_v1_customresourcedefinition_suggestions.kubeflow.org.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: suggestions.kubeflow.org -spec: - group: kubeflow.org - names: - categories: - - all - - kubeflow - - katib - kind: Suggestion - plural: suggestions - singular: suggestion - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.conditions[-1:].type - name: Type - type: string - - jsonPath: .status.conditions[-1:].status - name: Status - type: string - - jsonPath: .spec.requests - name: Requested - type: string - - jsonPath: .status.suggestionCount - name: Assigned - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true - subresources: - status: {} diff --git a/kubeflow/helm/katib/crds/apiextensions.k8s.io_v1_customresourcedefinition_trials.kubeflow.org.yaml b/kubeflow/helm/katib/crds/apiextensions.k8s.io_v1_customresourcedefinition_trials.kubeflow.org.yaml deleted file mode 100644 index e1ff82afe..000000000 --- a/kubeflow/helm/katib/crds/apiextensions.k8s.io_v1_customresourcedefinition_trials.kubeflow.org.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: trials.kubeflow.org -spec: - group: kubeflow.org - names: - categories: - - all - - kubeflow - - katib - kind: Trial - plural: trials - singular: trial - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.conditions[-1:].type - name: Type - type: string - - jsonPath: .status.conditions[-1:].status - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - served: true - storage: true - subresources: - status: {} 
diff --git a/kubeflow/helm/katib/crds/experiment.yaml b/kubeflow/helm/katib/crds/experiment.yaml new file mode 100644 index 000000000..8b07270c3 --- /dev/null +++ b/kubeflow/helm/katib/crds/experiment.yaml @@ -0,0 +1,36 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: experiments.kubeflow.org +spec: + group: kubeflow.org + scope: Namespaced + versions: + - name: v1beta1 + served: true + storage: true + additionalPrinterColumns: + - name: Type + type: string + jsonPath: .status.conditions[-1:].type + - name: Status + type: string + jsonPath: .status.conditions[-1:].status + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + names: + kind: Experiment + singular: experiment + plural: experiments + categories: + - all + - kubeflow + - katib diff --git a/kubeflow/helm/katib/crds/suggestion.yaml b/kubeflow/helm/katib/crds/suggestion.yaml new file mode 100644 index 000000000..b6eaa3fd4 --- /dev/null +++ b/kubeflow/helm/katib/crds/suggestion.yaml @@ -0,0 +1,42 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: suggestions.kubeflow.org +spec: + group: kubeflow.org + scope: Namespaced + versions: + - name: v1beta1 + served: true + storage: true + additionalPrinterColumns: + - name: Type + type: string + jsonPath: .status.conditions[-1:].type + - name: Status + type: string + jsonPath: .status.conditions[-1:].status + - name: Requested + type: string + jsonPath: .spec.requests + - name: Assigned + type: string + jsonPath: .status.suggestionCount + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + names: + kind: Suggestion + singular: suggestion + plural: suggestions + categories: + - all + - kubeflow + - katib 
diff --git a/kubeflow/helm/katib/crds/trial.yaml b/kubeflow/helm/katib/crds/trial.yaml new file mode 100644 index 000000000..765314b3f --- /dev/null +++ b/kubeflow/helm/katib/crds/trial.yaml @@ -0,0 +1,36 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: trials.kubeflow.org +spec: + group: kubeflow.org + scope: Namespaced + versions: + - name: v1beta1 + served: true + storage: true + additionalPrinterColumns: + - name: Type + type: string + jsonPath: .status.conditions[-1:].type + - name: Status + type: string + jsonPath: .status.conditions[-1:].status + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + names: + kind: Trial + singular: trial + plural: trials + categories: + - all + - kubeflow + - katib diff --git a/kubeflow/helm/katib/templates/controller/cluster-role.yaml b/kubeflow/helm/katib/templates/controller/cluster-role.yaml new file mode 100644 index 000000000..4d0d73448 --- /dev/null +++ b/kubeflow/helm/katib/templates/controller/cluster-role.yaml 
@@ -0,0 +1,129 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: {{- include "katib.labels" . | nindent 4 }} + name: {{ include "katib.fullname" . }}-controller-cluster-role +rules: + - apiGroups: + - "" + resources: + - services + verbs: + - "get" + - "list" + - "watch" + - "create" + - "delete" + - apiGroups: + - "" + resources: + - events + verbs: + - "create" + - "patch" + - "update" + - apiGroups: + - "" + resources: + - serviceaccounts + - persistentvolumes + - persistentvolumeclaims + verbs: + - "get" + - "list" + - "watch" + - "create" + - apiGroups: + - "" + resources: + - namespaces + - configmaps + verbs: + - "get" + - "list" + - "watch" + - apiGroups: + - "" + resources: + - pods + - pods/status + verbs: + - "get" + - apiGroups: + - "" + resources: + - secrets + verbs: + - "get" + - "list" + - "watch" + - "patch" + - apiGroups: + - apps + resources: + - deployments + verbs: + - "get" + - "list" + - "watch" + - "create" + - "delete" + - apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - rolebindings + verbs: + - "get" + - "create" + - "list" + - "watch" + - apiGroups: + - batch + resources: + - jobs + - cronjobs + verbs: + - "get" + - "list" + - "watch" + - "create" + - "delete" + - apiGroups: + - kubeflow.org + resources: + - tfjobs + - pytorchjobs + - mpijobs + - xgboostjobs + - mxjobs + verbs: + - "get" + - "list" + - "watch" + - "create" + - "delete" + - apiGroups: + - kubeflow.org + resources: + - experiments + - experiments/status + - experiments/finalizers + - trials + - trials/status + - trials/finalizers + - suggestions + - suggestions/status + - suggestions/finalizers + verbs: + - "*" + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + - mutatingwebhookconfigurations + verbs: + - "get" + - "watch" + - "list" + - "patch" 
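Review bot: The new controller ClusterRole grants `get`, `list`, `watch` and `patch` on every Secret in the cluster and `patch` on every validating and mutating webhook configuration, none of which the deleted clusterrole.yaml granted. If the controller needs the write access only to maintain its own webhook certificate (an assumption, since the consumer is not in this diff), `patch` can move into its own rule with `resourceNames`, leaving the read verbs as they are. `katib.kubeflow.org` is the name both webhook configurations use in this chart; the secret name in the fence is a placeholder to be taken from the controller's configuration. Whether Secret reads can move to a namespaced Role in the release namespace also needs confirming, and the `"*"` verb on the kubeflow.org rule could be listed out in the same pass.

```yaml
# … unchanged: rules for services, events, serviceaccounts, namespaces, pods …
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - "get"
      - "list"
      - "watch"
  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      # placeholder: the secret the controller writes its webhook certificate to
      - "<webhook-cert-secret-name>"
    verbs:
      - "patch"
# … unchanged: rules for deployments, roles, jobs, kubeflow.org resources …
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
      - mutatingwebhookconfigurations
    verbs:
      - "get"
      - "watch"
      - "list"
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
      - mutatingwebhookconfigurations
    resourceNames:
      - katib.kubeflow.org
    verbs:
      - "patch"
```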
diff --git a/kubeflow/helm/katib/templates/controller/clusterrole.yaml b/kubeflow/helm/katib/templates/controller/clusterrole.yaml deleted file mode 100644 index a23e1c540..000000000 --- a/kubeflow/helm/katib/templates/controller/clusterrole.yaml +++ /dev/null @@ -1,65 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: {{- include "katib.labels" . | nindent 4 }} - name: {{ include "katib.fullname" . }}-controller-cluster-role -rules: - - apiGroups: - - "" - resources: - - configmaps - - serviceaccounts - - services - - events - - namespaces - - persistentvolumes - - persistentvolumeclaims - - pods - - pods/log - - pods/status - verbs: - - '*' - - apiGroups: - - apps - resources: - - deployments - verbs: - - '*' - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - rolebindings - verbs: - - '*' - - apiGroups: - - batch - resources: - - jobs - - cronjobs - verbs: - - '*' - - apiGroups: - - kubeflow.org - resources: - - experiments - - experiments/status - - experiments/finalizers - - trials - - trials/status - - trials/finalizers - - suggestions - - suggestions/status - - suggestions/finalizers - - tfjobs - - pytorchjobs - - mpijobs - verbs: - - '*' - - apiGroups: - - tekton.dev - resources: - - pipelineruns - - taskruns - verbs: - - '*' diff --git a/kubeflow/helm/katib/templates/controller/configmap.yaml b/kubeflow/helm/katib/templates/controller/configmap.yaml index 084e66af5..a245420c6 100644 --- a/kubeflow/helm/katib/templates/controller/configmap.yaml +++ b/kubeflow/helm/katib/templates/controller/configmap.yaml 
@@ -1,66 +1,76 @@ apiVersion: v1 -data: - early-stopping: |- - { - "medianstop": { - "image": "docker.io/kubeflowkatib/earlystopping-medianstop:v0.11.1" - } - } - metrics-collector-sidecar: |- - { - "StdOut": { - "image": "docker.io/kubeflowkatib/file-metrics-collector:v0.11.1" - }, - "File": { - "image": "docker.io/kubeflowkatib/file-metrics-collector:v0.11.1" - }, - "TensorFlowEvent": { - "image": "docker.io/kubeflowkatib/tfevent-metrics-collector:v0.11.1", - "resources": { - "limits": { - "memory": "1Gi" - } - } - } - } - suggestion: |- - { - "random": { - "image": "docker.io/kubeflowkatib/suggestion-hyperopt:v0.11.1" - }, - "tpe": { - "image": "docker.io/kubeflowkatib/suggestion-hyperopt:v0.11.1" - }, - "grid": { - "image": "docker.io/kubeflowkatib/suggestion-chocolate:v0.11.1" - }, - "hyperband": { - "image": "docker.io/kubeflowkatib/suggestion-hyperband:v0.11.1" - }, - "bayesianoptimization": { - "image": "docker.io/kubeflowkatib/suggestion-skopt:v0.11.1" - }, - "cmaes": { - "image": "docker.io/kubeflowkatib/suggestion-goptuna:v0.11.1" - }, - "enas": { - "image": "docker.io/kubeflowkatib/suggestion-enas:v0.11.1", - "resources": { - "limits": { - "memory": "200Mi" - } - } - }, - "darts": { - "image": "docker.io/kubeflowkatib/suggestion-darts:v0.11.1" - } - } kind: ConfigMap metadata: - name: katib-config + name: {{ include "katib.fullname" . }}-config labels: {{- include "katib.labels" . 
| nindent 4 }} +data: + katib-config.yaml: |- + apiVersion: config.kubeflow.org/v1beta1 + kind: KatibConfig + init: + controller: + webhookPort: 8443 + trialResources: + - Job.v1.batch + - TFJob.v1.kubeflow.org + - PyTorchJob.v1.kubeflow.org + - MPIJob.v1.kubeflow.org + - XGBoostJob.v1.kubeflow.org + - MXJob.v1.kubeflow.org + runtime: + metricsCollectors: + - kind: StdOut + image: docker.io/kubeflowkatib/file-metrics-collector:v0.16.0-rc.1 + - kind: File + image: docker.io/kubeflowkatib/file-metrics-collector:v0.16.0-rc.1 + - kind: TensorFlowEvent + image: docker.io/kubeflowkatib/tfevent-metrics-collector:v0.16.0-rc.1 + resources: + limits: + memory: 1Gi + suggestions: + - algorithmName: random + image: docker.io/kubeflowkatib/suggestion-hyperopt:v0.16.0-rc.1 + - algorithmName: tpe + image: docker.io/kubeflowkatib/suggestion-hyperopt:v0.16.0-rc.1 + - algorithmName: grid + image: docker.io/kubeflowkatib/suggestion-optuna:v0.16.0-rc.1 + - algorithmName: hyperband + image: docker.io/kubeflowkatib/suggestion-hyperband:v0.16.0-rc.1 + - algorithmName: bayesianoptimization + image: docker.io/kubeflowkatib/suggestion-skopt:v0.16.0-rc.1 + - algorithmName: cmaes + image: docker.io/kubeflowkatib/suggestion-goptuna:v0.16.0-rc.1 + - algorithmName: sobol + image: docker.io/kubeflowkatib/suggestion-goptuna:v0.16.0-rc.1 + - algorithmName: multivariate-tpe + image: docker.io/kubeflowkatib/suggestion-optuna:v0.16.0-rc.1 + - algorithmName: enas + image: docker.io/kubeflowkatib/suggestion-enas:v0.16.0-rc.1 + resources: + limits: + memory: 200Mi + - algorithmName: darts + image: docker.io/kubeflowkatib/suggestion-darts:v0.16.0-rc.1 + - algorithmName: pbt + image: docker.io/kubeflowkatib/suggestion-pbt:v0.16.0-rc.1 + persistentVolumeClaimSpec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 5Gi + earlyStoppings: + - algorithmName: medianstop + image: docker.io/kubeflowkatib/earlystopping-medianstop:v0.16.0-rc.1 --- apiVersion: v1 +kind: ConfigMap +metadata: + 
labels: + katib.kubeflow.org/component: trial-templates + {{- include "katib.labels" . | nindent 4 }} + name: {{ include "katib.fullname" . }}-trial-template data: defaultTrialTemplate.yaml: |- apiVersion: batch/v1 @@ -70,7 +80,7 @@ data: spec: containers: - name: training-container - image: docker.io/kubeflowkatib/mxnet-mnist:v1beta1-45c5727 + image: docker.io/kubeflowkatib/mxnet-mnist:v0.16.0-rc.1 command: - "python3" - "/opt/mxnet-mnist/mnist.py" @@ -79,6 +89,7 @@ data: - "--num-layers=${trialParameters.numberLayers}" - "--optimizer=${trialParameters.optimizer}" restartPolicy: Never + # For ConfigMap templates double quotes must set in commands to correct parse JSON parameters in Trial Template (e.g nn_config, architecture) enasCPUTemplate: |- apiVersion: batch/v1 kind: Job @@ -87,7 +98,7 @@ data: spec: containers: - name: training-container - image: docker.io/kubeflowkatib/enas-cnn-cifar10-cpu:v1beta1-45c5727 + image: docker.io/kubeflowkatib/enas-cnn-cifar10-cpu:v0.16.0-rc.1 command: - python3 - -u @@ -97,7 +108,7 @@ data: - "--nn_config=\"${trialParameters.neuralNetworkConfig}\"" restartPolicy: Never pytorchJobTemplate: |- - apiVersion: "kubeflow.org/v1" + apiVersion: kubeflow.org/v1 kind: PyTorchJob spec: pytorchReplicaSpecs: @@ -108,8 +119,7 @@ data: spec: containers: - name: pytorch - image: docker.io/kubeflowkatib/pytorch-mnist:v1beta1-45c5727 - imagePullPolicy: Always + image: docker.io/kubeflowkatib/pytorch-mnist-cpu:v0.16.0-rc.1 command: - "python3" - "/opt/pytorch-mnist/mnist.py" @@ -123,16 +133,10 @@ data: spec: containers: - name: pytorch - image: docker.io/kubeflowkatib/pytorch-mnist:v1beta1-45c5727 - imagePullPolicy: Always + image: docker.io/kubeflowkatib/pytorch-mnist-cpu:v0.16.0-rc.1 command: - "python3" - "/opt/pytorch-mnist/mnist.py" - "--epochs=1" - "--lr=${trialParameters.learningRate}" - "--momentum=${trialParameters.momentum}" -kind: ConfigMap -metadata: - labels: - app: katib-trial-templates - name: trial-template 
diff --git a/kubeflow/helm/katib/templates/controller/deployment.yaml b/kubeflow/helm/katib/templates/controller/deployment.yaml index 5e802e1d2..14ea32383 100644 --- a/kubeflow/helm/katib/templates/controller/deployment.yaml +++ b/kubeflow/helm/katib/templates/controller/deployment.yaml @@ -34,12 +34,7 @@ spec: image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.controller.image.pullPolicy }} args: - - --webhook-port=8443 - - --trial-resources=Job.v1.batch - - --trial-resources=TFJob.v1.kubeflow.org - - --trial-resources=PyTorchJob.v1.kubeflow.org - - --trial-resources=MPIJob.v1.kubeflow.org - - --trial-resources=PipelineRun.v1beta1.tekton.dev + - --katib-config=/katib-config.yaml command: - ./katib-controller ports: @@ -49,25 +44,40 @@ spec: - name: metrics containerPort: 8080 protocol: TCP + - containerPort: 18080 + name: probe + protocol: TCP + env: + - name: KATIB_CORE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace livenessProbe: httpGet: - path: /metrics - port: metrics + path: /healthz + port: probe readinessProbe: httpGet: - path: /metrics - port: metrics + path: /readyz + port: probe resources: {{- toYaml .Values.controller.resources | nindent 12 }} volumeMounts: - mountPath: /tmp/cert name: cert readOnly: true + - mountPath: /katib-config.yaml + name: katib-config + subPath: katib-config.yaml + readOnly: true volumes: - name: cert secret: defaultMode: 420 secretName: {{ include "katib.fullname" . }}-controller-certs + - name: katib-config + configMap: + name: {{ include "katib.fullname" . }}-config {{- with .Values.controller.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/kubeflow/helm/katib/templates/controller/mutatingwebhookconfiguration.yaml b/kubeflow/helm/katib/templates/controller/mutatingwebhookconfiguration.yaml index 4dcfa10d8..a16fdfb78 100644 
--- a/kubeflow/helm/katib/templates/controller/mutatingwebhookconfiguration.yaml +++ b/kubeflow/helm/katib/templates/controller/mutatingwebhookconfiguration.yaml @@ -6,16 +6,16 @@ metadata: name: katib.kubeflow.org labels: {{- include "katib.labels" . | nindent 4 }} webhooks: - - admissionReviewVersions: - - v1beta1 + - name: defaulter.experiment.katib.kubeflow.org + sideEffects: None + admissionReviewVersions: + - v1 clientConfig: caBundle: Cg== service: name: {{ include "katib.fullname" . }}-controller namespace: {{ .Release.Namespace }} path: /mutate-experiment - failurePolicy: Ignore - name: defaulter.experiment.katib.kubeflow.org rules: - apiGroups: - kubeflow.org @@ -26,20 +26,29 @@ webhooks: - UPDATE resources: - experiments + - name: mutator.pod.katib.kubeflow.org sideEffects: None - - admissionReviewVersions: - - v1beta1 + admissionReviewVersions: + - v1 clientConfig: caBundle: Cg== service: name: {{ include "katib.fullname" . }}-controller-controller namespace: {{ .Release.Namespace }} path: /mutate-pod - failurePolicy: Ignore - name: mutator.pod.katib.kubeflow.org namespaceSelector: matchLabels: - katib-metricscollector-injection: enabled + katib.kubeflow.org/metrics-collector-injection: enabled + # Once the AdmissionWebhookMatchConditions feature gate is enabled by default, we should switch to control based on userInfo. + # REF: + # - AdmissionWebhookMatchConditions: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-matchconditions + # - Tracking issue: https://github.com/kubeflow/katib/issues/2206 + objectSelector: + matchExpressions: + - key: katib.kubeflow.org/metrics-collector-injection + operator: NotIn + values: + - disabled rules: - apiGroups: - "" @@ -49,4 +58,3 @@ webhooks: - CREATE resources: - pods - sideEffects: None 
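Review bot: Removing `failurePolicy: Ignore` from both webhooks here, and from the validating webhook in validatingwebhookconfiguration.yaml, leaves the policy to the API default, which is `Fail` for admissionregistration.k8s.io/v1 (the apiVersion line is outside these hunks, so that is assumed). For `mutator.pod.katib.kubeflow.org` this means pod creation is rejected in every namespace labelled `katib.kubeflow.org/metrics-collector-injection: enabled` whenever the webhook backend cannot be reached. That webhook's `clientConfig.service.name` is `{{ include "katib.fullname" . }}-controller-controller` while the other two use the single `-controller` suffix; if the doubled suffix is a typo, it was silently tolerated under `Ignore` and becomes a hard failure now. I would write the choice out on each webhook, e.g. `failurePolicy: Fail`, and check the service name against the Service template before merging.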
diff --git a/kubeflow/helm/katib/templates/controller/validatingwebhookconfiguration.yaml b/kubeflow/helm/katib/templates/controller/validatingwebhookconfiguration.yaml index 94058c221..7f707e2ee 100644 --- a/kubeflow/helm/katib/templates/controller/validatingwebhookconfiguration.yaml +++ b/kubeflow/helm/katib/templates/controller/validatingwebhookconfiguration.yaml @@ -6,16 +6,16 @@ metadata: name: katib.kubeflow.org labels: {{- include "katib.labels" . | nindent 4 }} webhooks: - - admissionReviewVersions: - - v1beta1 + - name: validator.experiment.katib.kubeflow.org + sideEffects: None + admissionReviewVersions: + - v1 clientConfig: caBundle: Cg== service: name: {{ include "katib.fullname" . }}-controller namespace: {{ .Release.Namespace }} path: /validate-experiment - failurePolicy: Ignore - name: validator.experiment.katib.kubeflow.org rules: - apiGroups: - kubeflow.org @@ -26,4 +26,3 @@ webhooks: - UPDATE resources: - experiments - sideEffects: None diff --git a/kubeflow/helm/katib/templates/db-manager/deployment.yaml b/kubeflow/helm/katib/templates/db-manager/deployment.yaml index 0358f4f21..8a7e0731e 100644 --- a/kubeflow/helm/katib/templates/db-manager/deployment.yaml +++ b/kubeflow/helm/katib/templates/db-manager/deployment.yaml @@ -40,24 +40,22 @@ spec: containerPort: 6789 protocol: TCP livenessProbe: - exec: - command: - - /bin/grpc_health_probe - - -addr=:6789 - failureThreshold: 5 + grpc: + port: 6789 initialDelaySeconds: 10 periodSeconds: 60 + failureThreshold: 5 readinessProbe: - exec: - command: - - /bin/grpc_health_probe - - -addr=:6789 - initialDelaySeconds: 5 + grpc: + port: 6789 + initialDelaySeconds: 10 + periodSeconds: 60 + failureThreshold: 5 resources: {{- toYaml .Values.dbManager.resources | nindent 12 }} env: - name: DB_NAME - value: mysql + value: {{ .Values.dbManager.config.database.type }} - name: DB_USER valueFrom: secretKeyRef: 
@@ -68,12 +66,21 @@ spec: secretKeyRef: key: {{ .Values.dbManager.config.secret.passwordKey }} name: {{ .Values.dbManager.config.secret.name }} + {{- if eq .Values.dbManager.config.database.type "mysql" }} - name: KATIB_MYSQL_DB_DATABASE value: {{ .Values.dbManager.config.database.name }} - name: KATIB_MYSQL_DB_HOST value: {{ .Values.dbManager.config.database.host }} - name: KATIB_MYSQL_DB_PORT value: {{ .Values.dbManager.config.database.port | quote }} + {{- else if eq .Values.dbManager.config.database.type "postgres" }} + - name: KATIB_POSTGRESQL_DB_DATABASE + value: {{ .Values.dbManager.config.database.name }} + - name: KATIB_POSTGRESQL_DB_HOST + value: {{ .Values.dbManager.config.database.host }} + - name: KATIB_POSTGRESQL_DB_PORT + value: {{ .Values.dbManager.config.database.port | quote }} + {{- end }} {{- with .Values.dbManager.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/kubeflow/helm/katib/templates/web-app/clusterrole.yaml b/kubeflow/helm/katib/templates/web-app/cluster-role.yaml similarity index 85% rename from kubeflow/helm/katib/templates/web-app/clusterrole.yaml rename to kubeflow/helm/katib/templates/web-app/cluster-role.yaml index 6e92dc48b..1c22555eb 100644 --- a/kubeflow/helm/katib/templates/web-app/clusterrole.yaml +++ b/kubeflow/helm/katib/templates/web-app/cluster-role.yaml @@ -4,13 +4,19 @@ metadata: labels: {{- include "katib.labels" . | nindent 4 }} name: {{ include "katib.fullname" . }}-web-app-cluster-role rules: + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create - apiGroups: - "" resources: - configmaps - namespaces verbs: - - '*' + - "*" - apiGroups: - kubeflow.org resources: @@ -18,7 +24,19 @@ rules: - trials - suggestions verbs: - - '*' + - "*" + - apiGroups: + - "" + resources: + - pods + verbs: + - list + - apiGroups: + - "" + resources: + - pods/log + verbs: + - get --- aggregationRule: clusterRoleSelectors: 
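Review bot: The `if` / `else if` on `.Values.dbManager.config.database.type` in db-manager/deployment.yaml has no final branch, so any value other than `mysql` or `postgres` renders a Deployment with `DB_NAME` set to that value and no host, port or database variables, and the mistake only surfaces at runtime. Adding `{{- else }}{{ fail "dbManager.config.database.type must be mysql or postgres" }}` before `{{- end }}` turns it into a template error. The new `DB_NAME` value in the previous hunk and the `*_DB_DATABASE` and `*_DB_HOST` values are rendered unquoted; `| quote`, as already used for the port, keeps an empty or numeric-looking value a string.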
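Review bot: The web-app ClusterRole now lets the UI service account `list` pods and `get` `pods/log` wherever the role is bound, on top of the existing `"*"` on configmaps and namespaces, so what an individual user can see depends on the application's own SubjectAccessReview checks. Those checks are presumably switched by `APP_DISABLE_AUTH`, which the web-app deployment hunk in this commit sets to `"false"` with a TODO about making it configurable. A comment on the new rules would record that dependency, for example `# log access is gated per user by the UI's SubjectAccessReview checks; requires APP_DISABLE_AUTH="false"`. Whether `"*"` on namespaces and configmaps can be narrowed to read verbs depends on what the UI calls, which is not visible here.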
diff --git a/kubeflow/helm/katib/templates/web-app/deployment.yaml b/kubeflow/helm/katib/templates/web-app/deployment.yaml index 9ab33e1c2..9b95471c7 100644 --- a/kubeflow/helm/katib/templates/web-app/deployment.yaml +++ b/kubeflow/helm/katib/templates/web-app/deployment.yaml @@ -41,6 +41,13 @@ spec: - name: website containerPort: 8080 protocol: TCP + env: + - name: KATIB_CORE_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: APP_DISABLE_AUTH + value: "false" # TODO: should this be configurable? # livenessProbe: # httpGet: # path: / # TODO: check if this is correct diff --git a/kubeflow/helm/katib/templates/web-app/kubeflow-cluster-roles.yaml b/kubeflow/helm/katib/templates/web-app/kubeflow-cluster-roles.yaml new file mode 100644 index 000000000..9dc4baef0 --- /dev/null +++ b/kubeflow/helm/katib/templates/web-app/kubeflow-cluster-roles.yaml 
@@ -0,0 +1,65 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: {{- include "katib.labels" . | nindent 4 }} + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-admin: "true" + name: {{ include "katib.fullname" . }}-katib-admin +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-katib-admin: "true" +rules: [] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: {{- include "katib.labels" . | nindent 4 }} + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-katib-admin: "true" + name: {{ include "katib.fullname" . }}-katib-edit +rules: + - apiGroups: + - kubeflow.org + resources: + - experiments + - trials + - suggestions + verbs: + - get + - list + - watch + - create + - delete + - deletecollection + - patch + - update + - apiGroups: + - "" + resources: + - pods + verbs: + - list + - apiGroups: + - "" + resources: + - pods/log + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: {{- include "katib.labels" . | nindent 4 }} + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" + name: {{ include "katib.fullname" . }}-katib-view +rules: + - apiGroups: + - kubeflow.org + resources: + - experiments + - trials + - suggestions + verbs: + - get + - list + - watch diff --git a/kubeflow/helm/katib/values.yaml b/kubeflow/helm/katib/values.yaml index 5fdb96d6a..f6c035389 100644 --- a/kubeflow/helm/katib/values.yaml +++ b/kubeflow/helm/katib/values.yaml 
@@ -30,10 +30,10 @@ serviceAccount: webApp: replicaCount: 1 image: - repository: docker.io/kubeflowkatib/katib-new-ui + repository: docker.io/kubeflowkatib/katib-ui pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: v0.11.1 + tag: v0.16.0-rc.1 podAnnotations: cluster-autoscaler.kubernetes.io/safe-to-evict: "true" sidecar.istio.io/inject: "true" @@ -90,7 +90,7 @@ controller: repository: docker.io/kubeflowkatib/katib-controller pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: v0.11.1 + tag: v0.16.0-rc.1 replicaCount: 1 @@ -135,7 +135,7 @@ controller: service: webhook: - port: 8443 + port: 443 metrics: port: 8080 @@ -144,7 +144,7 @@ dbManager: repository: docker.io/kubeflowkatib/katib-db-manager pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: v0.11.1 + tag: v0.16.0-rc.1 replicaCount: 1 @@ -196,6 +196,7 @@ dbManager: userKey: USERNAME passwordKey: PASSWORD database: + type: mysql # mysql or postgres name: katib host: kubeflow-mysql-cluster-mysql-master.kubeflow.svc.cluster.local port: 3306 From ec205732cf679e4a9240c49188fbb5b3f215cad1 Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Fri, 15 Sep 2023 18:05:24 +0200 Subject: [PATCH 14/32] pipelines first pass without rbac changes Signed-off-by: David van der Spek --- .../templates/api-server/deployment.yaml | 12 +++++++++ .../argo-workflow-controller/deployment.yaml | 3 ++- .../priority-class.yaml | 7 +++++ .../templates/cache/server/deployment.yaml | 13 ++++++++++ .../helm/pipelines/templates/configmap.yaml | 21 ++++++++------- .../persistence-agent/configmap.yaml | 3 +++ .../persistence-agent/deployment.yaml | 16 +++++++++++- kubeflow/helm/pipelines/values.yaml | 26 +++++++++++-------- 8 files changed, 79 insertions(+), 22 deletions(-) create mode 100644 kubeflow/helm/pipelines/templates/argo-workflow-controller/priority-class.yaml 
diff --git a/kubeflow/helm/pipelines/templates/api-server/deployment.yaml b/kubeflow/helm/pipelines/templates/api-server/deployment.yaml index 74592d2fb..a9ee3ae95 100644 --- a/kubeflow/helm/pipelines/templates/api-server/deployment.yaml +++ b/kubeflow/helm/pipelines/templates/api-server/deployment.yaml @@ -143,6 +143,18 @@ spec: initialDelaySeconds: 3 periodSeconds: 5 timeoutSeconds: 2 + startupProbe: + exec: + command: + - wget + - -q + - -S + - -O + - '-' + - http://localhost:8888/apis/v1beta1/healthz + failureThreshold: 12 + periodSeconds: 5 + timeoutSeconds: 2 resources: {{- toYaml .Values.resources | nindent 12 }} {{- with .Values.nodeSelector }} diff --git a/kubeflow/helm/pipelines/templates/argo-workflow-controller/deployment.yaml b/kubeflow/helm/pipelines/templates/argo-workflow-controller/deployment.yaml index d4ed2baec..5877940c7 100644 --- a/kubeflow/helm/pipelines/templates/argo-workflow-controller/deployment.yaml +++ b/kubeflow/helm/pipelines/templates/argo-workflow-controller/deployment.yaml @@ -38,7 +38,7 @@ spec: - --configmap - {{ include "pipelines.fullname" . }}-argo-workflow-controller - --executor-image - - gcr.io/ml-pipeline/argoexec:v3.2.3-license-compliance + - "{{ .Values.argoWorkflowController.executorImage.repository }}:{{ .Values.argoWorkflowController.executorImage.tag }}" command: - workflow-controller env: @@ -64,6 +64,7 @@ spec: timeoutSeconds: 30 resources: {{- toYaml .Values.argoWorkflowController.resources | nindent 12 }} + priorityClassName: {{ include "pipelines.fullname" . }}-argo-workflow-controller {{- with .Values.nodeSelector }} nodeSelector: kubernetes.io/os: linux diff --git a/kubeflow/helm/pipelines/templates/argo-workflow-controller/priority-class.yaml b/kubeflow/helm/pipelines/templates/argo-workflow-controller/priority-class.yaml new file mode 100644 index 000000000..34d441906 --- /dev/null +++ b/kubeflow/helm/pipelines/templates/argo-workflow-controller/priority-class.yaml 
@@ -0,0 +1,7 @@ +apiVersion: scheduling.k8s.io/v1 +kind: PriorityClass +metadata: + name: {{ include "pipelines.fullname" . }}-argo-workflow-controller + labels: + {{- include "pipelines.labels" . | nindent 4 }} +value: 1000000 diff --git a/kubeflow/helm/pipelines/templates/cache/server/deployment.yaml b/kubeflow/helm/pipelines/templates/cache/server/deployment.yaml index 29c4b8d07..29aa6b065 100644 --- a/kubeflow/helm/pipelines/templates/cache/server/deployment.yaml +++ b/kubeflow/helm/pipelines/templates/cache/server/deployment.yaml @@ -42,9 +42,20 @@ spec: - --db_user=$(DBCONFIG_USER) - --db_password=$(DBCONFIG_PASSWORD) - --namespace_to_watch=$(NAMESPACE_TO_WATCH) + - --listen_ports=$(WEBHOOK_PORT) env: - name: NAMESPACE_TO_WATCH value: "" + - name: DEFAULT_CACHE_STALENESS + valueFrom: + configMapKeyRef: + key: defaultCacheStaleness + name: pipeline-install-config + - name: MAXIMUM_CACHE_STALENESS + valueFrom: + configMapKeyRef: + key: maximumCacheStaleness + name: pipeline-install-config - name: CACHE_IMAGE valueFrom: configMapKeyRef: @@ -82,6 +93,8 @@ spec: secretKeyRef: key: PASSWORD name: pipelines-db-user + - name: WEBHOOK_PORT + value: "8443" ports: - name: webhook-api containerPort: 8443 diff --git a/kubeflow/helm/pipelines/templates/configmap.yaml b/kubeflow/helm/pipelines/templates/configmap.yaml index f629a6678..0cb424d33 100644 --- a/kubeflow/helm/pipelines/templates/configmap.yaml +++ b/kubeflow/helm/pipelines/templates/configmap.yaml 
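Review bot: The PriorityClass added in priority-class.yaml is a cluster-scoped object, but its name is built only from `pipelines.fullname`. Unless that helper already includes the namespace (not visible here), two releases of the chart that resolve to the same fullname would contend for one object. The fixed `value: 1000000` also means that, under default preemption, the scheduler may evict lower-priority pods belonging to other workloads to place the controller. I would add a `description:` stating why the controller needs this priority, set `globalDefault: false` explicitly, and take the value from values.yaml.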
@@ -1,21 +1,24 @@ apiVersion: v1 data: appName: pipeline - appVersion: 1.8.1 - autoUpdatePipelineDefaultVersion: "true" + ConMaxLifeTime: 120s # TODO: make configurable + defaultCacheStaleness: "" # TODO: make configurable + maximumCacheStaleness: "" # TODO: make configurable + appVersion: {{ .Chart.AppVersion }} + autoUpdatePipelineDefaultVersion: "true" # TODO: make configurable bucketHost: {{ .Values.config.objectStore.bucketHost }} bucketRegion: {{ .Values.config.objectStore.bucketRegion }} bucketName: {{ .Values.config.objectStore.bucketName }} defaultPipelineRoot: s3://{{ .Values.config.objectStore.bucketName }}/pipelines cacheDb: {{ .Values.config.databases.cacheDB }} - cacheImage: gcr.io/google-containers/busybox - cacheNodeRestrictions: "false" - cronScheduleTimezone: UTC + cacheImage: gcr.io/google-containers/busybox # TODO: make configurable + cacheNodeRestrictions: "false" # TODO: make configurable + cronScheduleTimezone: UTC # TODO: make configurable dbHost: {{ .Values.config.databases.connection.host }} dbPort: {{ .Values.config.databases.connection.port | quote }} - dbConMaxLifeTime: 120s - dbDriverName: mysql - dbGroupConcatMaxLen: "4194304" + dbConMaxLifeTime: 120s # TODO: make configurable + dbDriverName: mysql # TODO: make configurable + dbGroupConcatMaxLen: "4194304" # TODO: make configurable mlmdDb: {{ .Values.config.databases.metadataDB }} pipelineDb: {{ .Values.config.databases.pipelineDB }} kind: ConfigMap @@ -24,4 +27,4 @@ metadata: app.kubernetes.io/component: ml-pipeline app.kubernetes.io/name: kubeflow-pipelines application-crd-id: kubeflow-pipelines - name: pipeline-install-config + name: pipeline-install-config # TODO: don't hardcode name diff --git a/kubeflow/helm/pipelines/templates/persistence-agent/configmap.yaml b/kubeflow/helm/pipelines/templates/persistence-agent/configmap.yaml index 49f7ebff6..4899cb858 100644 --- a/kubeflow/helm/pipelines/templates/persistence-agent/configmap.yaml 
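Review bot: `appVersion: {{ .Chart.AppVersion }}` in the pipeline-install-config hunk is rendered unquoted, but ConfigMap `data` values must be strings. An appVersion that YAML reads as a number (a two-part version, for instance) would make the manifest fail to apply. `dbPort` in the same file already pipes through `quote`, so `appVersion: {{ .Chart.AppVersion | quote }}` would be consistent with it. Separately, the `cacheImage: gcr.io/google-containers/busybox` line that this hunk marks as a TODO has no tag or digest and so resolves to whatever `latest` points at; when it becomes configurable, the default should be a pinned reference.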
+++ b/kubeflow/helm/pipelines/templates/persistence-agent/configmap.yaml @@ -13,3 +13,6 @@ data: API_SERVER_BASE_PATH: "/apis/v1beta1" MAX_CLIENT_QPS: "5" MAX_CLIENT_BURST: "10" + KUBEFLOW_USERID_HEADER: {{ .Values.global.userIDHeader }} + KUBEFLOW_USERID_PREFIX: {{ .Values.global.userIDPrefix }} + MULTIUSER: "true" # TODO: should this be configurable? diff --git a/kubeflow/helm/pipelines/templates/persistence-agent/deployment.yaml b/kubeflow/helm/pipelines/templates/persistence-agent/deployment.yaml index c9fb008de..76683bf1d 100644 --- a/kubeflow/helm/pipelines/templates/persistence-agent/deployment.yaml +++ b/kubeflow/helm/pipelines/templates/persistence-agent/deployment.yaml @@ -35,7 +35,7 @@ spec: image: "{{ .Values.persistenceAgent.image.repository }}:{{ .Values.persistenceAgent.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.persistenceAgent.image.pullPolicy }} args: - - --logtostderr=true + - --logtostderr=true # TODO: why are we specifying this while the upstream manifest doesn't? - --namespace=$(NAMESPACE) - --ttlSecondsAfterWorkflowFinish=$(TTL_SECONDS_AFTER_WORKFLOW_FINISH) - --numWorker=$(NUM_WORKERS) @@ -47,11 +47,25 @@ spec: - --clientBurst=$(MAX_CLIENT_BURST) command: - persistence_agent + env: + - name: NAMESPACE # TODO: should this be specified? Or should it only be specified in single user mode? + value: "" envFrom: - configMapRef: name: {{ include "pipelines.fullname" . }}-persistence-agent-parameters resources: {{- toYaml .Values.resources | nindent 12 }} + volumeMounts: + - mountPath: /var/run/secrets/kubeflow/tokens + name: persistenceagent-sa-token + volumes: + - name: persistenceagent-sa-token + projected: + sources: + - serviceAccountToken: + audience: pipelines.kubeflow.org + expirationSeconds: 3600 + path: persistenceagent-sa-token {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} 
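Review bot: The `NAMESPACE` entry with `value: ""` in the persistence-agent deployment hunk should carry an explanatory comment rather than an open question, because it decides how widely the agent watches. Entries under `env` take precedence over `envFrom`, so this empty value overrides any `NAMESPACE` key in the `...-persistence-agent-parameters` ConfigMap, whose contents are only partly visible. If an empty `--namespace` means all namespaces, as the TODO suggests, I would replace the TODO with `# empty = watch all namespaces (multi-user mode); needs cluster-wide RBAC`. The container spec starts outside the hunk.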
diff --git a/kubeflow/helm/pipelines/values.yaml b/kubeflow/helm/pipelines/values.yaml index 606474256..17f0d6d15 100644 --- a/kubeflow/helm/pipelines/values.yaml +++ b/kubeflow/helm/pipelines/values.yaml @@ -35,7 +35,7 @@ image: repository: gcr.io/ml-pipeline/frontend pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: 1.8.1 + tag: 2.0.1 imagePullSecrets: [] nameOverride: "" @@ -80,7 +80,7 @@ apiServer: repository: gcr.io/ml-pipeline/api-server pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: 1.8.1 + tag: 2.0.1 service: http: port: 8888 @@ -92,28 +92,28 @@ persistenceAgent: repository: gcr.io/ml-pipeline/persistenceagent pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: 1.8.1 + tag: 2.0.1 scheduledWorkflow: image: repository: gcr.io/ml-pipeline/scheduledworkflow pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: 1.8.1 + tag: 2.0.1 viewerController: image: repository: gcr.io/ml-pipeline/viewer-crd-controller pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: 1.8.1 + tag: 2.0.1 visualizationServer: image: repository: gcr.io/ml-pipeline/visualization-server pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: 1.8.1 + tag: 2.0.1 service: port: 8888 @@ -122,7 +122,11 @@ argoWorkflowController: repository: gcr.io/ml-pipeline/workflow-controller pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: v3.2.3-license-compliance + tag: v3.3.10-license-compliance + executorImage: + repository: gcr.io/ml-pipeline/argoexec + pullPolicy: IfNotPresent + tag: v3.3.10-license-compliance resources: requests: cpu: 100m 
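Review bot: `argoWorkflowController.executorImage.pullPolicy`, added in the `@@ -122,7 +122,11 @@` hunk, is not read by any template visible in this series. The controller deployment builds `--executor-image` from `repository` and `tag` only, and the workflow-controller ConfigMap hard-codes `imagePullPolicy: IfNotPresent` in its `executor:` block. Either drop the key or wire it in there, e.g. `imagePullPolicy: {{ .Values.argoWorkflowController.executorImage.pullPolicy }}`. Since the executor image is injected into workflow pods, it would also be worth allowing a digest-pinned reference for it.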
@@ -154,7 +158,7 @@ cache: repository: gcr.io/ml-pipeline/cache-server pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: 1.8.1 + tag: 2.0.1 service: port: 443 deployer: @@ -162,7 +166,7 @@ cache: repository: gcr.io/ml-pipeline/cache-deployer pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: 1.8.1 + tag: 2.0.1 metadata: envoy: @@ -170,7 +174,7 @@ metadata: repository: gcr.io/ml-pipeline/metadata-envoy pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: 1.8.1 + tag: 2.0.1 service: port: 9090 admin: @@ -195,7 +199,7 @@ metadata: repository: gcr.io/ml-pipeline/metadata-writer pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: 1.8.1 + tag: 2.0.1 resources: {} # We usually recommend not to specify default resources and to leave this as a conscious From 0f92f0858524e267dc8fd166dd28fe59ee29bb96 Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Mon, 18 Sep 2023 13:05:56 +0200 Subject: [PATCH 15/32] last initial pipelines changes for update Signed-off-by: David van der Spek --- ...rgo_workflow_customresourcedefinition.yaml | 460 +++++++++++++++++- .../templates/api-server/clusterrole.yaml | 11 +- .../argo-workflow-controller/clusterrole.yaml | 10 + .../argo-workflow-controller/configmap.yaml | 4 +- .../persistence-agent/clusterrole.yaml | 13 + .../templates/persistence-agent/role.yaml | 45 +- .../viewer-controller/deployment.yaml | 4 - 7 files changed, 503 insertions(+), 44 deletions(-) diff --git a/kubeflow/helm/pipelines/crds/argo_workflow_customresourcedefinition.yaml b/kubeflow/helm/pipelines/crds/argo_workflow_customresourcedefinition.yaml index 6d60ba61b..7df515f63 100644 --- a/kubeflow/helm/pipelines/crds/argo_workflow_customresourcedefinition.yaml +++ b/kubeflow/helm/pipelines/crds/argo_workflow_customresourcedefinition.yaml 
@@ -1,8 +1,6 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - labels: - application-crd-id: kubeflow-pipelines name: clusterworkflowtemplates.argoproj.io spec: group: argoproj.io @@ -40,8 +38,6 @@ spec: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - labels: - application-crd-id: kubeflow-pipelines name: cronworkflows.argoproj.io spec: group: argoproj.io @@ -83,8 +79,6 @@ spec: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - labels: - application-crd-id: kubeflow-pipelines name: workfloweventbindings.argoproj.io spec: group: argoproj.io @@ -121,8 +115,6 @@ spec: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - labels: - application-crd-id: kubeflow-pipelines name: workflows.argoproj.io spec: group: argoproj.io @@ -174,18 +166,14 @@ spec: apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - labels: - application-crd-id: kubeflow-pipelines - name: workflowtemplates.argoproj.io + name: workflowtaskresults.argoproj.io spec: group: argoproj.io names: - kind: WorkflowTemplate - listKind: WorkflowTemplateList - plural: workflowtemplates - shortNames: - - wftmpl - singular: workflowtemplate + kind: WorkflowTaskResult + listKind: WorkflowTaskResultList + plural: workflowtaskresults + singular: workflowtaskresult scope: Namespaced versions: - name: v1alpha1 
@@ -196,15 +184,407 @@ spec: type: string kind: type: string + message: + type: string metadata: type: object - spec: + outputs: + properties: + artifacts: + items: + properties: + archive: + properties: + none: + type: object + tar: + properties: + compressionLevel: + format: int32 + type: integer + type: object + zip: + type: object + type: object + archiveLogs: + type: boolean + artifactory: + properties: + passwordSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + url: + type: string + usernameSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + required: + - url + type: object + from: + type: string + fromExpression: + type: string + gcs: + properties: + bucket: + type: string + key: + type: string + serviceAccountKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + required: + - key + type: object + git: + properties: + depth: + format: int64 + type: integer + disableSubmodules: + type: boolean + fetch: + items: + type: string + type: array + insecureIgnoreHostKey: + type: boolean + passwordSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + repo: + type: string + revision: + type: string + sshPrivateKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + usernameSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + required: + - repo + type: object + globalName: + type: string + hdfs: + properties: + addresses: + items: + type: string + type: array + force: + type: boolean + hdfsUser: + type: string + krbCCacheSecret: + properties: + key: + type: string + name: + type: string + optional: 
+ type: boolean + required: + - key + type: object + krbConfigConfigMap: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + krbKeytabSecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + krbRealm: + type: string + krbServicePrincipalName: + type: string + krbUsername: + type: string + path: + type: string + required: + - path + type: object + http: + properties: + headers: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + url: + type: string + required: + - url + type: object + mode: + format: int32 + type: integer + name: + type: string + optional: + type: boolean + oss: + properties: + accessKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + bucket: + type: string + createBucketIfNotPresent: + type: boolean + endpoint: + type: string + key: + type: string + lifecycleRule: + properties: + markDeletionAfterDays: + format: int32 + type: integer + markInfrequentAccessAfterDays: + format: int32 + type: integer + type: object + secretKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + securityToken: + type: string + required: + - key + type: object + path: + type: string + raw: + properties: + data: + type: string + required: + - data + type: object + recurseMode: + type: boolean + s3: + properties: + accessKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + bucket: + type: string + createBucketIfNotPresent: + properties: + objectLocking: + type: boolean + type: object + encryptionOptions: + properties: + enableEncryption: + type: boolean + kmsEncryptionContext: + type: string + kmsKeyId: + 
type: string + serverSideCustomerKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + type: object + endpoint: + type: string + insecure: + type: boolean + key: + type: string + region: + type: string + roleARN: + type: string + secretKeySecret: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + useSDKCreds: + type: boolean + type: object + subPath: + type: string + required: + - name + type: object + type: array + exitCode: + type: string + parameters: + items: + properties: + default: + type: string + description: + type: string + enum: + items: + type: string + type: array + globalName: + type: string + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + default: + type: string + event: + type: string + expression: + type: string + jqFilter: + type: string + jsonPath: + type: string + parameter: + type: string + path: + type: string + supplied: + type: object + type: object + required: + - name + type: object + type: array + result: + type: string type: object - x-kubernetes-map-type: atomic - x-kubernetes-preserve-unknown-fields: true + phase: + type: string + progress: + type: string required: - metadata - - spec type: object served: true storage: true 
@@ -248,3 +628,41 @@ spec: type: object served: true storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: workflowtemplates.argoproj.io +spec: + group: argoproj.io + names: + kind: WorkflowTemplate + listKind: WorkflowTemplateList + plural: workflowtemplates + shortNames: + - wftmpl + singular: workflowtemplate + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + type: object + x-kubernetes-map-type: atomic + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true diff --git a/kubeflow/helm/pipelines/templates/api-server/clusterrole.yaml b/kubeflow/helm/pipelines/templates/api-server/clusterrole.yaml index f059a0ec8..26114c224 100644 --- a/kubeflow/helm/pipelines/templates/api-server/clusterrole.yaml +++ b/kubeflow/helm/pipelines/templates/api-server/clusterrole.yaml @@ -110,6 +110,8 @@ rules: - retry - terminate - unarchive + - reportMetrics + - readArtifact - apiGroups: - pipelines.kubeflow.org resources: @@ -150,11 +152,18 @@ rules: - pipelines - pipelines/versions - experiments - - runs - jobs verbs: - get - list + - apiGroups: + - pipelines.kubeflow.org + resources: + - runs + verbs: + - get + - list + - readArtifact - apiGroups: - kubeflow.org resources: diff --git a/kubeflow/helm/pipelines/templates/argo-workflow-controller/clusterrole.yaml b/kubeflow/helm/pipelines/templates/argo-workflow-controller/clusterrole.yaml index 6b42c0563..b229b0a16 100644 --- a/kubeflow/helm/pipelines/templates/argo-workflow-controller/clusterrole.yaml +++ b/kubeflow/helm/pipelines/templates/argo-workflow-controller/clusterrole.yaml @@ -29,8 +29,10 @@ rules: - "" resources: - persistentvolumeclaims + - persistentvolumeclaims/finalizers verbs: - create + - update - delete - get - apiGroups: 
@@ -59,6 +61,14 @@ rules: - get - list - watch + - apiGroups: + - argoproj.io + resources: + - workflowtaskresults + verbs: + - list + - watch + - deletecollection - apiGroups: - "" resources: diff --git a/kubeflow/helm/pipelines/templates/argo-workflow-controller/configmap.yaml b/kubeflow/helm/pipelines/templates/argo-workflow-controller/configmap.yaml index 303fc5bc5..ffd9ae09b 100644 --- a/kubeflow/helm/pipelines/templates/argo-workflow-controller/configmap.yaml +++ b/kubeflow/helm/pipelines/templates/argo-workflow-controller/configmap.yaml @@ -1,9 +1,9 @@ apiVersion: v1 data: - containerRuntimeExecutor: pns + containerRuntimeExecutor: emissary # TODO: don't hardcode this executor: | imagePullPolicy: IfNotPresent - resources: + resources: # TODO: don't hardcode this. Upstream this is removed for some reason. requests: cpu: 0.01 memory: 32Mi diff --git a/kubeflow/helm/pipelines/templates/persistence-agent/clusterrole.yaml b/kubeflow/helm/pipelines/templates/persistence-agent/clusterrole.yaml index dba497147..e35e79921 100644 --- a/kubeflow/helm/pipelines/templates/persistence-agent/clusterrole.yaml +++ b/kubeflow/helm/pipelines/templates/persistence-agent/clusterrole.yaml @@ -20,3 +20,16 @@ rules: - get - list - watch + - apiGroups: + - pipelines.kubeflow.org + resources: + - scheduledworkflows + - workflows + verbs: + - report + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get diff --git a/kubeflow/helm/pipelines/templates/persistence-agent/role.yaml b/kubeflow/helm/pipelines/templates/persistence-agent/role.yaml index b782cbc08..406247837 100644 --- a/kubeflow/helm/pipelines/templates/persistence-agent/role.yaml +++ b/kubeflow/helm/pipelines/templates/persistence-agent/role.yaml 
@@ -4,19 +4,32 @@ metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} name: {{ include "pipelines.fullname" . }}-persistence-agent-role rules: - - apiGroups: - - argoproj.io - resources: - - workflows - verbs: - - get - - list - - watch - - apiGroups: - - kubeflow.org - resources: - - scheduledworkflows - verbs: - - get - - list - - watch +- apiGroups: + - argoproj.io + resources: + - workflows + verbs: + - get + - list + - watch +- apiGroups: + - kubeflow.org + resources: + - scheduledworkflows + verbs: + - get + - list + - watch +- apiGroups: + - pipelines.kubeflow.org + resources: + - scheduledworkflows + - workflows + verbs: + - report +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get diff --git a/kubeflow/helm/pipelines/templates/viewer-controller/deployment.yaml b/kubeflow/helm/pipelines/templates/viewer-controller/deployment.yaml index 694434926..84049d8b6 100644 --- a/kubeflow/helm/pipelines/templates/viewer-controller/deployment.yaml +++ b/kubeflow/helm/pipelines/templates/viewer-controller/deployment.yaml @@ -39,10 +39,6 @@ spec: value: "" - name: MAX_NUM_VIEWERS value: "50" - - name: MINIO_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace resources: {{- toYaml .Values.resources | nindent 12 }} {{- with .Values.nodeSelector }} From b2575b1298b457e80a2944338f31a377304c425f Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Mon, 18 Sep 2023 13:09:51 +0200 Subject: [PATCH 16/32] fix userIDPrefix templating Signed-off-by: David van der Spek --- .../helm/pipelines/templates/persistence-agent/configmap.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kubeflow/helm/pipelines/templates/persistence-agent/configmap.yaml b/kubeflow/helm/pipelines/templates/persistence-agent/configmap.yaml index 4899cb858..c48634cfb 100644 --- a/kubeflow/helm/pipelines/templates/persistence-agent/configmap.yaml +++ b/kubeflow/helm/pipelines/templates/persistence-agent/configmap.yaml 
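Review bot: The `report` rule on `pipelines.kubeflow.org` and the `get` rule on `namespaces` are added to this namespaced Role and also to the ClusterRole in persistence-agent/clusterrole.yaml in the same commit, so the agent's permissions are now defined in two places. Which of the two is bound is not visible in this patch. With `MULTIUSER: "true"` and an empty `NAMESPACE`, presumably only the cluster-wide grant is needed, and a single definition is easier to audit and tighten later. The hunk also removes and re-adds the two existing rules unchanged apart from what appears to be indentation, which hides the real change; keeping the original list indentation would leave only the two new rules as `+` lines.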
@@ -13,6 +13,6 @@ data: API_SERVER_BASE_PATH: "/apis/v1beta1" MAX_CLIENT_QPS: "5" MAX_CLIENT_BURST: "10" - KUBEFLOW_USERID_HEADER: {{ .Values.global.userIDHeader }} - KUBEFLOW_USERID_PREFIX: {{ .Values.global.userIDPrefix }} + KUBEFLOW_USERID_HEADER: {{ .Values.global.userIDHeader | quote }} + KUBEFLOW_USERID_PREFIX: {{ .Values.global.userIDPrefix | quote }} MULTIUSER: "true" # TODO: should this be configurable? From 095c9c8e5f9e51c7f79c0e345e874554391d38fd Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Mon, 18 Sep 2023 13:41:58 +0200 Subject: [PATCH 17/32] use cert manager for pipelines cache server instead Signed-off-by: David van der Spek --- .../mutatingwebhookconfiguration.yaml | 2 +- .../templates/cache/deployer/clusterrole.yaml | 34 ------------ .../cache/deployer/clusterrolebinding.yaml | 13 ----- .../templates/cache/deployer/deployment.yaml | 55 ------------------- .../templates/cache/deployer/role.yaml | 16 ------ .../templates/cache/deployer/rolebinding.yaml | 13 ----- .../cache/deployer/serviceaccount.yaml | 12 ---- .../templates/cache/server/certificate.yaml | 17 ++++++ .../templates/cache/server/deployment.yaml | 8 ++- .../server/mutatingwebhookconfiguration.yaml | 32 +++++++++++ 10 files changed, 55 insertions(+), 147 deletions(-) delete mode 100644 kubeflow/helm/pipelines/templates/cache/deployer/clusterrole.yaml delete mode 100644 kubeflow/helm/pipelines/templates/cache/deployer/clusterrolebinding.yaml delete mode 100644 kubeflow/helm/pipelines/templates/cache/deployer/deployment.yaml delete mode 100644 kubeflow/helm/pipelines/templates/cache/deployer/role.yaml delete mode 100644 kubeflow/helm/pipelines/templates/cache/deployer/rolebinding.yaml delete mode 100644 kubeflow/helm/pipelines/templates/cache/deployer/serviceaccount.yaml create mode 100644 kubeflow/helm/pipelines/templates/cache/server/certificate.yaml create mode 100644 kubeflow/helm/pipelines/templates/cache/server/mutatingwebhookconfiguration.yaml 
diff --git a/kubeflow/helm/katib/templates/controller/mutatingwebhookconfiguration.yaml b/kubeflow/helm/katib/templates/controller/mutatingwebhookconfiguration.yaml index a16fdfb78..d64b5215f 100644 --- a/kubeflow/helm/katib/templates/controller/mutatingwebhookconfiguration.yaml +++ b/kubeflow/helm/katib/templates/controller/mutatingwebhookconfiguration.yaml @@ -2,7 +2,7 @@ apiVersion: admissionregistration.k8s.io/v1 kind: MutatingWebhookConfiguration metadata: annotations: - cert-manager.io/inject-ca-from: kubeflow/{{ include "katib.fullname" . }}-controller-certs + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "katib.fullname" . }}-controller-certs name: katib.kubeflow.org labels: {{- include "katib.labels" . | nindent 4 }} webhooks: diff --git a/kubeflow/helm/pipelines/templates/cache/deployer/clusterrole.yaml b/kubeflow/helm/pipelines/templates/cache/deployer/clusterrole.yaml deleted file mode 100644 index c47586ce4..000000000 --- a/kubeflow/helm/pipelines/templates/cache/deployer/clusterrole.yaml +++ /dev/null @@ -1,34 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: {{- include "pipelines.labels" . | nindent 4 }} - name: {{ include "pipelines.fullname" . }}-cache-deployer-cluster-role -rules: - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - - certificatesigningrequests/approval - verbs: - - create - - delete - - get - - update - - apiGroups: - - admissionregistration.k8s.io - resources: - - mutatingwebhookconfigurations - verbs: - - create - - delete - - get - - list - - patch - - apiGroups: - - certificates.k8s.io - resourceNames: - - kubernetes.io/* - resources: - - signers - verbs: - - approve diff --git a/kubeflow/helm/pipelines/templates/cache/deployer/clusterrolebinding.yaml b/kubeflow/helm/pipelines/templates/cache/deployer/clusterrolebinding.yaml deleted file mode 100644 index 3b337c022..000000000 
--- a/kubeflow/helm/pipelines/templates/cache/deployer/clusterrolebinding.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: {{- include "pipelines.labels" . | nindent 4 }} - name: {{ include "pipelines.fullname" . }}-cache-deployer-cluster-role-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "pipelines.fullname" . }}-cache-deployer-cluster-role -subjects: - - kind: ServiceAccount - name: {{ include "pipelines.serviceAccountName" . }}-cache-deployer - namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/pipelines/templates/cache/deployer/deployment.yaml b/kubeflow/helm/pipelines/templates/cache/deployer/deployment.yaml deleted file mode 100644 index 5cb259f7a..000000000 --- a/kubeflow/helm/pipelines/templates/cache/deployer/deployment.yaml +++ /dev/null 
@@ -1,55 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "pipelines.fullname" . }}-cache-deployer - labels: - {{- include "pipelines.labels" . | nindent 4 }} -spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} - {{- end }} - selector: - matchLabels: - {{- include "pipelines.cacheDeployerSelectorLabels" . | nindent 6 }} - template: - metadata: - {{- with .Values.podAnnotations }} - annotations: - cluster-autoscaler.kubernetes.io/safe-to-evict: "true" - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "pipelines.cacheDeployerSelectorLabels" . | nindent 8 }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - serviceAccountName: {{ include "pipelines.serviceAccountName" . }}-cache-deployer - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - containers: - - name: {{ .Chart.Name }}-cache-deployer - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.cache.deployer.image.repository }}:{{ .Values.cache.deployer.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.cache.deployer.image.pullPolicy }} - env: - - name: NAMESPACE_TO_WATCH - valueFrom: - fieldRef: - fieldPath: metadata.namespace - resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/kubeflow/helm/pipelines/templates/cache/deployer/role.yaml b/kubeflow/helm/pipelines/templates/cache/deployer/role.yaml deleted file mode 100644 index 2cd93a8bc..000000000 --- a/kubeflow/helm/pipelines/templates/cache/deployer/role.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: {{- include "pipelines.labels" . | nindent 4 }} - name: {{ include "pipelines.fullname" . }}-cache-deployer-role -rules: - - apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - get - - patch - - list diff --git a/kubeflow/helm/pipelines/templates/cache/deployer/rolebinding.yaml b/kubeflow/helm/pipelines/templates/cache/deployer/rolebinding.yaml deleted file mode 100644 index e0addcb35..000000000 --- a/kubeflow/helm/pipelines/templates/cache/deployer/rolebinding.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: {{- include "pipelines.labels" . | nindent 4 }} - name: {{ include "pipelines.fullname" . }}-cache-deployer-role-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "pipelines.fullname" . }}-cache-deployer-role -subjects: - - kind: ServiceAccount - name: {{ include "pipelines.serviceAccountName" . }}-cache-deployer - namespace: {{ .Release.Namespace }} diff --git a/kubeflow/helm/pipelines/templates/cache/deployer/serviceaccount.yaml b/kubeflow/helm/pipelines/templates/cache/deployer/serviceaccount.yaml deleted file mode 100644 index 5b4d5236e..000000000 --- a/kubeflow/helm/pipelines/templates/cache/deployer/serviceaccount.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{- if .Values.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "pipelines.serviceAccountName" . }}-cache-deployer - labels: - {{- include "pipelines.labels" . | nindent 4 }} - {{- with .Values.serviceAccount.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/kubeflow/helm/pipelines/templates/cache/server/certificate.yaml b/kubeflow/helm/pipelines/templates/cache/server/certificate.yaml new file mode 100644 index 000000000..548897893 --- /dev/null 
+++ b/kubeflow/helm/pipelines/templates/cache/server/certificate.yaml @@ -0,0 +1,17 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ include "pipelines.fullname" . }}-cache-certs + labels: + {{- include "pipelines.labels" . | nindent 4 }} +spec: + commonName: kfp-cache-cert + dnsNames: + - {{ include "pipelines.fullname" . }}-cache-server + - {{ include "pipelines.fullname" . }}-cache-server.{{ .Release.Namespace }} + - {{ include "pipelines.fullname" . }}-cache-server.{{ .Release.Namespace }}.svc + isCA: true + issuerRef: + kind: ClusterIssuer + name: kubeflow-self-signing-issuer + secretName: {{ include "pipelines.fullname" . }}-cache-server-tls diff --git a/kubeflow/helm/pipelines/templates/cache/server/deployment.yaml b/kubeflow/helm/pipelines/templates/cache/server/deployment.yaml index 29aa6b065..38d2cda73 100644 --- a/kubeflow/helm/pipelines/templates/cache/server/deployment.yaml +++ b/kubeflow/helm/pipelines/templates/cache/server/deployment.yaml @@ -42,7 +42,9 @@ spec: - --db_user=$(DBCONFIG_USER) - --db_password=$(DBCONFIG_PASSWORD) - --namespace_to_watch=$(NAMESPACE_TO_WATCH) - - --listen_ports=$(WEBHOOK_PORT) + - --listen_port=$(WEBHOOK_PORT) + - --tls_cert_filename=tls.crt + - --tls_key_filename=tls.key env: - name: NAMESPACE_TO_WATCH value: "" @@ -67,7 +69,7 @@ spec: key: cacheNodeRestrictions name: pipeline-install-config - name: DBCONFIG_DRIVER - value: mysql + value: mysql # TODO: make configurable - name: DBCONFIG_DB_NAME valueFrom: configMapKeyRef: @@ -107,7 +109,7 @@ spec: readOnly: true volumes: - secret: - secretName: webhook-server-tls + secretName: {{ include "pipelines.fullname" . }}-cache-server-tls name: webhook-tls-certs {{- with .Values.nodeSelector }} nodeSelector: diff --git a/kubeflow/helm/pipelines/templates/cache/server/mutatingwebhookconfiguration.yaml b/kubeflow/helm/pipelines/templates/cache/server/mutatingwebhookconfiguration.yaml new file mode 100644 index 000000000..3b571942b --- /dev/null 
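Review bot: `isCA: true` in the new cache/server/certificate.yaml makes the webhook's serving certificate a CA certificate as well, and its private key lands in the `-cache-server-tls` secret that deployment.yaml in this commit mounts into the cache-server pod. Anything that can read that secret or the pod's volume could then sign further certificates chaining to the bundle the API server is told to trust for this webhook. If the certificate is only needed for TLS on the cache-server Service, drop `isCA: true`, or issue the leaf from a separate CA Issuer so the CA key never reaches the pod. Whether any consumer relies on the CA flag is not visible in this hunk, so confirm before removing it. Stating `usages` (for example `server auth`) and `duration`/`renewBefore` would also document the intended scope and lifetime.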
+++ b/kubeflow/helm/pipelines/templates/cache/server/mutatingwebhookconfiguration.yaml @@ -0,0 +1,32 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "pipelines.fullname" . }}-cache-cert + labels: + {{- include "pipelines.labels" . | nindent 4 }} + name: cache-webhook.pipelines.kubeflow.org +webhooks: +- admissionReviewVersions: + - v1beta1 + clientConfig: + service: + name: {{ include "pipelines.fullname" . }}-cache-server + namespace: {{ .Release.Namespace }} + path: /mutate + failurePolicy: Ignore + name: {{ include "pipelines.fullname" . }}-cache-server.{{ .Release.Namespace }}.svc + objectSelector: + matchLabels: + pipelines.kubeflow.org/cache_enabled: "true" + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + sideEffects: None + timeoutSeconds: 5 From 4b0b9f26bf79bee2235131b712289d1ac4d9c074 Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Mon, 18 Sep 2023 13:47:19 +0200 Subject: [PATCH 18/32] small pipelines cleanup Signed-off-by: David van der Spek --- .../helm/pipelines/templates/cache/server/deployment.yaml | 5 ++++- kubeflow/helm/pipelines/templates/configmap.yaml | 1 - 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/kubeflow/helm/pipelines/templates/cache/server/deployment.yaml b/kubeflow/helm/pipelines/templates/cache/server/deployment.yaml index 38d2cda73..af4e17afa 100644 --- a/kubeflow/helm/pipelines/templates/cache/server/deployment.yaml +++ b/kubeflow/helm/pipelines/templates/cache/server/deployment.yaml @@ -69,7 +69,10 @@ spec: key: cacheNodeRestrictions name: pipeline-install-config - name: DBCONFIG_DRIVER - value: mysql # TODO: make configurable + valueFrom: + configMapKeyRef: + key: dbDriverName + name: pipeline-install-config - name: DBCONFIG_DB_NAME valueFrom: configMapKeyRef: 
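Review bot: The `cert-manager.io/inject-ca-from` annotation references `<namespace>/<fullname>-cache-cert`, but the Certificate added in cache/server/certificate.yaml in this same commit is named `<fullname>-cache-certs`, so the CA injector will presumably not find it and `caBundle` stays empty. With `failurePolicy: Ignore`, the API server's failed TLS calls to `/mutate` are skipped and pods are admitted unmutated, so the mismatch produces no visible error. Align the names, e.g. `cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "pipelines.fullname" . }}-cache-certs`. The webhook also has no `namespaceSelector`, so a pod in any namespace that carries `pipelines.kubeflow.org/cache_enabled: "true"` is sent to the cache server; consider restricting it to the namespaces that run pipelines.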
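Review bot: `DBCONFIG_DRIVER` in cache/server/deploy.yaml's sibling hunk (cache/server/deployment.yaml, PATCH 18) now reads key `dbDriverName` from `pipeline-install-config` without `optional: true`, while the configmap.yaml change in the same commit only removes `ConMaxLifeTime` and does not add that key. If `dbDriverName` is not already defined in the ConfigMap (not visible here), the container will fail to start instead of using the previous literal `mysql`. Confirm the key exists, and that no other deployment still reads `ConMaxLifeTime` through a `configMapKeyRef` after its removal. The container's env list continues outside the hunk.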
diff --git a/kubeflow/helm/pipelines/templates/configmap.yaml b/kubeflow/helm/pipelines/templates/configmap.yaml index 0cb424d33..80f8664cb 100644 --- a/kubeflow/helm/pipelines/templates/configmap.yaml +++ b/kubeflow/helm/pipelines/templates/configmap.yaml @@ -1,7 +1,6 @@ apiVersion: v1 data: appName: pipeline - ConMaxLifeTime: 120s # TODO: make configurable defaultCacheStaleness: "" # TODO: make configurable maximumCacheStaleness: "" # TODO: make configurable appVersion: {{ .Chart.AppVersion }} From a081c43b4d0add598c904f997764e93d6b45dd6d Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Mon, 18 Sep 2023 15:57:22 +0200 Subject: [PATCH 19/32] pipelines per component resources etc 
Signed-off-by: David van der Spek --- .../templates/api-server/deployment.yaml | 18 +- .../pipelines/templates/api-server/hpa.yaml | 32 ++ .../argo-workflow-controller/deployment.yaml | 10 +- .../argo-workflow-controller/hpa.yaml | 32 ++ .../templates/cache/server/deployment.yaml | 19 +- .../pipelines/templates/cache/server/hpa.yaml | 32 ++ .../templates/metadata/envoy/deployment.yaml | 21 +- .../templates/metadata/envoy/hpa.yaml | 32 ++ .../metadata/grpc-server/deployment.yaml | 19 +- .../templates/metadata/grpc-server/hpa.yaml | 32 ++ .../templates/metadata/writer/deployment.yaml | 19 +- .../templates/metadata/writer/hpa.yaml | 32 ++ .../persistence-agent/deployment.yaml | 19 +- .../templates/persistence-agent/hpa.yaml | 32 ++ .../scheduled-workflow/deployment.yaml | 19 +- .../templates/scheduled-workflow/hpa.yaml | 32 ++ .../viewer-controller/deployment.yaml | 19 +- .../templates/viewer-controller/hpa.yaml | 32 ++ .../visualization-server/deployment.yaml | 19 +- .../templates/visualization-server/hpa.yaml | 32 ++ .../templates/web-app/deployment.yaml | 23 +- .../helm/pipelines/templates/web-app/hpa.yaml | 18 +- .../pipelines/templates/web-app/service.yaml | 2 +- .../templates/web-app/virtualservice.yaml | 14 +- kubeflow/helm/pipelines/values.yaml | 372 +++++++++++++++--- 25 files changed, 752 insertions(+), 179 deletions(-) create mode 100644 kubeflow/helm/pipelines/templates/api-server/hpa.yaml create mode 100644 kubeflow/helm/pipelines/templates/argo-workflow-controller/hpa.yaml create mode 100644 kubeflow/helm/pipelines/templates/cache/server/hpa.yaml create mode 100644 kubeflow/helm/pipelines/templates/metadata/envoy/hpa.yaml create mode 100644 kubeflow/helm/pipelines/templates/metadata/grpc-server/hpa.yaml create mode 100644 kubeflow/helm/pipelines/templates/metadata/writer/hpa.yaml create mode 100644 kubeflow/helm/pipelines/templates/persistence-agent/hpa.yaml create mode 100644 kubeflow/helm/pipelines/templates/scheduled-workflow/hpa.yaml create mode 
100644 kubeflow/helm/pipelines/templates/viewer-controller/hpa.yaml create mode 100644 kubeflow/helm/pipelines/templates/visualization-server/hpa.yaml diff --git a/kubeflow/helm/pipelines/templates/api-server/deployment.yaml b/kubeflow/helm/pipelines/templates/api-server/deployment.yaml index a9ee3ae95..ca750ee80 100644 --- a/kubeflow/helm/pipelines/templates/api-server/deployment.yaml +++ b/kubeflow/helm/pipelines/templates/api-server/deployment.yaml @@ -5,15 +5,15 @@ metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} + {{- if not .Values.apiServer.autoscaling.enabled }} + replicas: {{ .Values.apiServer.replicaCount }} {{- end }} selector: matchLabels: {{- include "pipelines.apiServerSelectorLabels" . | nindent 6 }} template: metadata: - {{- with .Values.podAnnotations }} + {{- with .Values.apiServer.podAnnotations }} annotations: cluster-autoscaler.kubernetes.io/safe-to-evict: "true" {{- toYaml . | nindent 8 }} @@ -27,11 +27,11 @@ spec: {{- end }} serviceAccountName: {{ include "pipelines.serviceAccountName" . }}-api-server securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- toYaml .Values.apiServer.podSecurityContext | nindent 8 }} containers: - name: {{ .Chart.Name }}-api-server securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- toYaml .Values.apiServer.securityContext | nindent 12 }} image: "{{ .Values.apiServer.image.repository }}:{{ .Values.apiServer.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.apiServer.image.pullPolicy }} env: 
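Review bot: The pod and container `securityContext` in api-server/deployment.yaml are now rendered from `.Values.apiServer.podSecurityContext` and `.Values.apiServer.securityContext` instead of the chart-wide keys, so each component's hardening depends on its own block in values.yaml, which this hunk does not show. A component whose block is missing or left as `{}` renders an empty securityContext and runs with the runtime defaults. The same switch is made in the cache-server, metadata envoy/grpc-server/writer, persistence-agent and scheduled-workflow deployments later in this commit. Check that values.yaml carries the previous restrictions for every component, or, if the chart-wide key is kept, fall back to it: `{{- toYaml (.Values.apiServer.securityContext | default .Values.securityContext) | nindent 12 }}`. The Deployment body continues outside the hunk.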
@@ -156,16 +156,16 @@ spec: periodSeconds: 5 timeoutSeconds: 2 resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.nodeSelector }} + {{- toYaml .Values.apiServer.resources | nindent 12 }} + {{- with .Values.apiServer.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.affinity }} + {{- with .Values.apiServer.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.tolerations }} + {{- with .Values.apiServer.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/kubeflow/helm/pipelines/templates/api-server/hpa.yaml b/kubeflow/helm/pipelines/templates/api-server/hpa.yaml new file mode 100644 index 000000000..4d8b678fc --- /dev/null +++ b/kubeflow/helm/pipelines/templates/api-server/hpa.yaml @@ -0,0 +1,32 @@ +{{- if .Values.apiServer.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "pipelines.fullname" . }}-api-server + labels: + {{- include "pipelines.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "pipelines.fullname" . }}-api-server + minReplicas: {{ .Values.apiServer.autoscaling.minReplicas }} + maxReplicas: {{ .Values.apiServer.autoscaling.maxReplicas }} + metrics: + {{- if .Values.apiServer.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.apiServer.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.apiServer.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.apiServer.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} 
diff --git a/kubeflow/helm/pipelines/templates/argo-workflow-controller/deployment.yaml b/kubeflow/helm/pipelines/templates/argo-workflow-controller/deployment.yaml index 5877940c7..7c153aca1 100644 --- a/kubeflow/helm/pipelines/templates/argo-workflow-controller/deployment.yaml +++ b/kubeflow/helm/pipelines/templates/argo-workflow-controller/deployment.yaml @@ -5,8 +5,8 @@ metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} + {{- if not .Values.argoWorkflowController.autoscaling.enabled }} + replicas: {{ .Values.argoWorkflowController.replicaCount }} {{- end }} selector: matchLabels: @@ -65,16 +65,16 @@ spec: resources: {{- toYaml .Values.argoWorkflowController.resources | nindent 12 }} priorityClassName: {{ include "pipelines.fullname" . }}-argo-workflow-controller - {{- with .Values.nodeSelector }} + {{- with .Values.argoWorkflowController.nodeSelector }} nodeSelector: kubernetes.io/os: linux {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.affinity }} + {{- with .Values.argoWorkflowController.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.tolerations }} + {{- with .Values.argoWorkflowController.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/kubeflow/helm/pipelines/templates/argo-workflow-controller/hpa.yaml b/kubeflow/helm/pipelines/templates/argo-workflow-controller/hpa.yaml new file mode 100644 index 000000000..4ebdfde6f --- /dev/null +++ b/kubeflow/helm/pipelines/templates/argo-workflow-controller/hpa.yaml 
@@ -0,0 +1,32 @@ +{{- if .Values.argoWorkflowController.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "pipelines.fullname" . }}-argo-workflow-controller + labels: + {{- include "pipelines.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "pipelines.fullname" . }}-argo-workflow-controller + minReplicas: {{ .Values.argoWorkflowController.autoscaling.minReplicas }} + maxReplicas: {{ .Values.argoWorkflowController.autoscaling.maxReplicas }} + metrics: + {{- if .Values.argoWorkflowController.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.argoWorkflowController.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.argoWorkflowController.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.argoWorkflowController.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/kubeflow/helm/pipelines/templates/cache/server/deployment.yaml b/kubeflow/helm/pipelines/templates/cache/server/deployment.yaml index af4e17afa..9b733b0c9 100644 --- a/kubeflow/helm/pipelines/templates/cache/server/deployment.yaml +++ b/kubeflow/helm/pipelines/templates/cache/server/deployment.yaml 
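Review bot: This new argo-workflow-controller/hpa.yaml scales the Argo workflow controller on CPU or memory, but as far as I know that controller runs one active instance under leader election, so replicas added by the autoscaler would be standbys rather than extra capacity. The persistence-agent and scheduled-workflow HPAs added in this commit may deserve the same check. If `argoWorkflowController.autoscaling.enabled` exists only for symmetry with the other components, add a comment in values.yaml that it should stay `false` here, or drop the template. Also, when neither `targetCPUUtilizationPercentage` nor `targetMemoryUtilizationPercentage` is set, `metrics:` renders with no entries; a default for one of them would make the intended behaviour explicit.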
@@ -5,17 +5,16 @@ metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} + {{- if not .Values.cache.server.autoscaling.enabled }} + replicas: {{ .Values.cache.server.replicaCount }} {{- end }} selector: matchLabels: {{- include "pipelines.cacheServerSelectorLabels" . | nindent 6 }} template: metadata: - {{- with .Values.podAnnotations }} + {{- with .Values.cache.server.podAnnotations }} annotations: - cluster-autoscaler.kubernetes.io/safe-to-evict: "true" {{- toYaml . | nindent 8 }} {{- end }} labels: @@ -27,11 +26,11 @@ spec: {{- end }} serviceAccountName: {{ include "pipelines.serviceAccountName" . }}-cache-server securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- toYaml .Values.cache.server.podSecurityContext | nindent 8 }} containers: - name: {{ .Chart.Name }}-cache-server securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- toYaml .Values.cache.server.securityContext | nindent 12 }} image: "{{ .Values.cache.server.image.repository }}:{{ .Values.cache.server.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.cache.server.image.pullPolicy }} args: @@ -105,7 +104,7 @@ spec: containerPort: 8443 protocol: TCP resources: - {{- toYaml .Values.resources | nindent 12 }} + {{- toYaml .Values.cache.server.resources | nindent 12 }} volumeMounts: - mountPath: /etc/webhook/certs name: webhook-tls-certs 
@@ -114,15 +113,15 @@ spec: - secret: secretName: {{ include "pipelines.fullname" . }}-cache-server-tls name: webhook-tls-certs - {{- with .Values.nodeSelector }} + {{- with .Values.cache.server.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.affinity }} + {{- with .Values.cache.server.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.tolerations }} + {{- with .Values.cache.server.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/kubeflow/helm/pipelines/templates/cache/server/hpa.yaml b/kubeflow/helm/pipelines/templates/cache/server/hpa.yaml new file mode 100644 index 000000000..678cb773c --- /dev/null +++ b/kubeflow/helm/pipelines/templates/cache/server/hpa.yaml @@ -0,0 +1,32 @@ +{{- if .Values.cache.server.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "pipelines.fullname" . }}-cache-server + labels: + {{- include "pipelines.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "pipelines.fullname" . }}-cache-server + minReplicas: {{ .Values.cache.server.autoscaling.minReplicas }} + maxReplicas: {{ .Values.cache.server.autoscaling.maxReplicas }} + metrics: + {{- if .Values.cache.server.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.cache.server.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.cache.server.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.cache.server.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} 
diff --git a/kubeflow/helm/pipelines/templates/metadata/envoy/deployment.yaml b/kubeflow/helm/pipelines/templates/metadata/envoy/deployment.yaml index d1bc0bd08..07a02b7eb 100644 --- a/kubeflow/helm/pipelines/templates/metadata/envoy/deployment.yaml +++ b/kubeflow/helm/pipelines/templates/metadata/envoy/deployment.yaml @@ -5,17 +5,18 @@ metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} + {{- if not .Values.metadata.envoy.autoscaling.enabled }} + replicas: {{ .Values.metadata.envoy.replicaCount }} {{- end }} selector: matchLabels: {{- include "pipelines.metadataEnvoySelectorLabels" . | nindent 6 }} template: metadata: + {{- with .Values.metadata.envoy.podAnnotations }} annotations: - sidecar.istio.io/inject: "false" - cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + {{- toYaml . | nindent 8 }} + {{- end }} labels: {{- include "pipelines.metadataEnvoySelectorLabels" . | nindent 8 }} spec: @@ -25,11 +26,11 @@ spec: {{- end }} serviceAccountName: {{ include "pipelines.serviceAccountName" . }}-metadata-envoy securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- toYaml .Values.metadata.envoy.podSecurityContext | nindent 8 }} containers: - name: {{ .Chart.Name }}-metadata-envoy securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- toYaml .Values.metadata.envoy.securityContext | nindent 12 }} image: "{{ .Values.metadata.envoy.image.repository }}:{{ .Values.metadata.envoy.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.metadata.envoy.image.pullPolicy }} args: @@ -42,7 +43,7 @@ spec: containerPort: 9901 protocol: TCP resources: - {{- toYaml .Values.resources | nindent 12 }} + {{- toYaml .Values.metadata.envoy.resources | nindent 12 }} volumeMounts: - mountPath: /config name: config-volume 
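Review bot: The first hunk of metadata/envoy/deployment.yaml removes the hard-coded `sidecar.istio.io/inject: "false"` pod annotation and renders annotations only from `.Values.metadata.envoy.podAnnotations`, so whether this pod gets an Istio sidecar now depends on values.yaml, which is not visible here. If the default for that key does not carry the annotation, an upgrade will start injecting a proxy in front of the metadata envoy, which changes how its traffic is authenticated and routed. Either keep the line unconditional under `annotations:` ahead of the `toYaml` block, or confirm that the chart default sets `sidecar.istio.io/inject: "false"` and say so in a comment next to it.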
@@ -50,15 +51,15 @@ spec: - configMap: name: {{ include "pipelines.fullname" . }}-metadata-envoy-config name: config-volume - {{- with .Values.nodeSelector }} + {{- with .Values.metadata.envoy.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.affinity }} + {{- with .Values.metadata.envoy.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.tolerations }} + {{- with .Values.metadata.envoy.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/kubeflow/helm/pipelines/templates/metadata/envoy/hpa.yaml b/kubeflow/helm/pipelines/templates/metadata/envoy/hpa.yaml new file mode 100644 index 000000000..a0fa8233b --- /dev/null +++ b/kubeflow/helm/pipelines/templates/metadata/envoy/hpa.yaml @@ -0,0 +1,32 @@ +{{- if .Values.metadata.envoy.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "pipelines.fullname" . }}-metadata-envoy + labels: + {{- include "pipelines.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "pipelines.fullname" . }}-metadata-envoy + minReplicas: {{ .Values.metadata.envoy.autoscaling.minReplicas }} + maxReplicas: {{ .Values.metadata.envoy.autoscaling.maxReplicas }} + metrics: + {{- if .Values.metadata.envoy.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.metadata.envoy.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.metadata.envoy.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.metadata.envoy.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} 
diff --git a/kubeflow/helm/pipelines/templates/metadata/grpc-server/deployment.yaml b/kubeflow/helm/pipelines/templates/metadata/grpc-server/deployment.yaml index 7594ecb6e..cb34a81e2 100644 --- a/kubeflow/helm/pipelines/templates/metadata/grpc-server/deployment.yaml +++ b/kubeflow/helm/pipelines/templates/metadata/grpc-server/deployment.yaml @@ -5,17 +5,16 @@ metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} + {{- if not .Values.metadata.grpc.autoscaling.enabled }} + replicas: {{ .Values.metadata.grpc.replicaCount }} {{- end }} selector: matchLabels: {{- include "pipelines.metadataGRPCServerSelectorLabels" . | nindent 6 }} template: metadata: - {{- with .Values.podAnnotations }} + {{- with .Values.metadata.grpc.podAnnotations }} annotations: - cluster-autoscaler.kubernetes.io/safe-to-evict: "true" {{- toYaml . | nindent 8 }} {{- end }} labels: @@ -27,11 +26,11 @@ spec: {{- end }} serviceAccountName: {{ include "pipelines.serviceAccountName" . }}-metadata-grpc-server securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- toYaml .Values.metadata.grpc.podSecurityContext | nindent 8 }} containers: - name: {{ .Chart.Name }}-metadata-grpc-server securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- toYaml .Values.metadata.grpc.securityContext | nindent 12 }} image: "{{ .Values.metadata.grpc.image.repository }}:{{ .Values.metadata.grpc.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.metadata.grpc.image.pullPolicy }} args: 
@@ -87,16 +86,16 @@ spec: port: api timeoutSeconds: 2 resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.nodeSelector }} + {{- toYaml .Values.metadata.grpc.resources | nindent 12 }} + {{- with .Values.metadata.grpc.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.affinity }} + {{- with .Values.metadata.grpc.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.tolerations }} + {{- with .Values.metadata.grpc.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/kubeflow/helm/pipelines/templates/metadata/grpc-server/hpa.yaml b/kubeflow/helm/pipelines/templates/metadata/grpc-server/hpa.yaml new file mode 100644 index 000000000..735c5f71a --- /dev/null +++ b/kubeflow/helm/pipelines/templates/metadata/grpc-server/hpa.yaml @@ -0,0 +1,32 @@ +{{- if .Values.metadata.grpc.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "pipelines.fullname" . }}-metadata-grpc-server + labels: + {{- include "pipelines.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "pipelines.fullname" . }}-metadata-grpc-server + minReplicas: {{ .Values.metadata.grpc.autoscaling.minReplicas }} + maxReplicas: {{ .Values.metadata.grpc.autoscaling.maxReplicas }} + metrics: + {{- if .Values.metadata.grpc.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.metadata.grpc.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.metadata.grpc.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.metadata.grpc.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} 
diff --git a/kubeflow/helm/pipelines/templates/metadata/writer/deployment.yaml b/kubeflow/helm/pipelines/templates/metadata/writer/deployment.yaml index 2fae96466..f30cdc58f 100644 --- a/kubeflow/helm/pipelines/templates/metadata/writer/deployment.yaml +++ b/kubeflow/helm/pipelines/templates/metadata/writer/deployment.yaml @@ -5,17 +5,16 @@ metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} + {{- if not .Values.metadata.writer.autoscaling.enabled }} + replicas: {{ .Values.metadata.writer.replicaCount }} {{- end }} selector: matchLabels: {{- include "pipelines.metadataWriterSelectorLabels" . | nindent 6 }} template: metadata: - {{- with .Values.podAnnotations }} + {{- with .Values.metadata.writer.podAnnotations }} annotations: - cluster-autoscaler.kubernetes.io/safe-to-evict: "true" {{- toYaml . | nindent 8 }} {{- end }} labels: @@ -27,11 +26,11 @@ spec: {{- end }} serviceAccountName: {{ include "pipelines.serviceAccountName" . }}-metadata-writer securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- toYaml .Values.metadata.writer.podSecurityContext | nindent 8 }} containers: - name: {{ .Chart.Name }}-metadata-writer securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- toYaml .Values.metadata.writer.securityContext | nindent 12 }} image: "{{ .Values.metadata.writer.image.repository }}:{{ .Values.metadata.writer.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.metadata.writer.image.pullPolicy }} env: 
@@ -41,16 +40,16 @@ spec: - configMapRef: name: {{ include "pipelines.fullname" . }}-metadata-writer-parameters resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.nodeSelector }} + {{- toYaml .Values.metadata.writer.resources | nindent 12 }} + {{- with .Values.metadata.writer.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.affinity }} + {{- with .Values.metadata.writer.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.tolerations }} + {{- with .Values.metadata.writer.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/kubeflow/helm/pipelines/templates/metadata/writer/hpa.yaml b/kubeflow/helm/pipelines/templates/metadata/writer/hpa.yaml new file mode 100644 index 000000000..4ad020ef2 --- /dev/null +++ b/kubeflow/helm/pipelines/templates/metadata/writer/hpa.yaml @@ -0,0 +1,32 @@ +{{- if .Values.metadata.writer.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "pipelines.fullname" . }}-metadata-writer + labels: + {{- include "pipelines.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "pipelines.fullname" . }}-metadata-writer + minReplicas: {{ .Values.metadata.writer.autoscaling.minReplicas }} + maxReplicas: {{ .Values.metadata.writer.autoscaling.maxReplicas }} + metrics: + {{- if .Values.metadata.writer.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.metadata.writer.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.metadata.writer.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.metadata.writer.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} 
diff --git a/kubeflow/helm/pipelines/templates/persistence-agent/deployment.yaml b/kubeflow/helm/pipelines/templates/persistence-agent/deployment.yaml index 76683bf1d..5f7573175 100644 --- a/kubeflow/helm/pipelines/templates/persistence-agent/deployment.yaml +++ b/kubeflow/helm/pipelines/templates/persistence-agent/deployment.yaml @@ -5,17 +5,16 @@ metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} + {{- if not .Values.persistenceAgent.autoscaling.enabled }} + replicas: {{ .Values.persistenceAgent.replicaCount }} {{- end }} selector: matchLabels: {{- include "pipelines.persistenceAgentSelectorLabels" . | nindent 6 }} template: metadata: - {{- with .Values.podAnnotations }} + {{- with .Values.persistenceAgent.podAnnotations }} annotations: - cluster-autoscaler.kubernetes.io/safe-to-evict: "true" {{- toYaml . | nindent 8 }} {{- end }} labels: @@ -27,11 +26,11 @@ spec: {{- end }} serviceAccountName: {{ include "pipelines.serviceAccountName" . }}-persistence-agent securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- toYaml .Values.persistenceAgent.podSecurityContext | nindent 8 }} containers: - name: {{ .Chart.Name }}-persistence-agent securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- toYaml .Values.persistenceAgent.securityContext | nindent 12 }} image: "{{ .Values.persistenceAgent.image.repository }}:{{ .Values.persistenceAgent.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.persistenceAgent.image.pullPolicy }} args: @@ -54,7 +53,7 @@ spec: - configMapRef: name: {{ include "pipelines.fullname" . }}-persistence-agent-parameters resources: - {{- toYaml .Values.resources | nindent 12 }} + {{- toYaml .Values.persistenceAgent.resources | nindent 12 }} volumeMounts: - mountPath: /var/run/secrets/kubeflow/tokens name: persistenceagent-sa-token 
@@ -66,15 +65,15 @@ spec: audience: pipelines.kubeflow.org expirationSeconds: 3600 path: persistenceagent-sa-token - {{- with .Values.nodeSelector }} + {{- with .Values.persistenceAgent.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.affinity }} + {{- with .Values.persistenceAgent.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.tolerations }} + {{- with .Values.persistenceAgent.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/kubeflow/helm/pipelines/templates/persistence-agent/hpa.yaml b/kubeflow/helm/pipelines/templates/persistence-agent/hpa.yaml new file mode 100644 index 000000000..337b0a1e5 --- /dev/null +++ b/kubeflow/helm/pipelines/templates/persistence-agent/hpa.yaml @@ -0,0 +1,32 @@ +{{- if .Values.persistenceAgent.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "pipelines.fullname" . }}-persistence-agent + labels: + {{- include "pipelines.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "pipelines.fullname" . }}-persistence-agent + minReplicas: {{ .Values.persistenceAgent.autoscaling.minReplicas }} + maxReplicas: {{ .Values.persistenceAgent.autoscaling.maxReplicas }} + metrics: + {{- if .Values.persistenceAgent.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.persistenceAgent.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.persistenceAgent.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.persistenceAgent.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} 
diff --git a/kubeflow/helm/pipelines/templates/scheduled-workflow/deployment.yaml b/kubeflow/helm/pipelines/templates/scheduled-workflow/deployment.yaml index 34e488834..84b8c63a2 100644 --- a/kubeflow/helm/pipelines/templates/scheduled-workflow/deployment.yaml +++ b/kubeflow/helm/pipelines/templates/scheduled-workflow/deployment.yaml @@ -5,17 +5,16 @@ metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} + {{- if not .Values.scheduledWorkflow.autoscaling.enabled }} + replicas: {{ .Values.scheduledWorkflow.replicaCount }} {{- end }} selector: matchLabels: {{- include "pipelines.scheduledWorkflowSelectorLabels" . | nindent 6 }} template: metadata: - {{- with .Values.podAnnotations }} + {{- with .Values.scheduledWorkflow.podAnnotations }} annotations: - cluster-autoscaler.kubernetes.io/safe-to-evict: "true" {{- toYaml . | nindent 8 }} {{- end }} labels: @@ -27,11 +26,11 @@ spec: {{- end }} serviceAccountName: {{ include "pipelines.serviceAccountName" . }}-scheduled-workflow securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- toYaml .Values.scheduledWorkflow.podSecurityContext | nindent 8 }} containers: - name: {{ .Chart.Name }}-scheduled-workflow securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- toYaml .Values.scheduledWorkflow.securityContext | nindent 12 }} image: "{{ .Values.scheduledWorkflow.image.repository }}:{{ .Values.scheduledWorkflow.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.scheduledWorkflow.image.pullPolicy }} env: 
@@ -43,16 +42,16 @@ spec: key: cronScheduleTimezone name: pipeline-install-config resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.nodeSelector }} + {{- toYaml .Values.scheduledWorkflow.resources | nindent 12 }} + {{- with .Values.scheduledWorkflow.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.affinity }} + {{- with .Values.scheduledWorkflow.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.tolerations }} + {{- with .Values.scheduledWorkflow.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/kubeflow/helm/pipelines/templates/scheduled-workflow/hpa.yaml b/kubeflow/helm/pipelines/templates/scheduled-workflow/hpa.yaml new file mode 100644 index 000000000..dcb96778e --- /dev/null +++ b/kubeflow/helm/pipelines/templates/scheduled-workflow/hpa.yaml @@ -0,0 +1,32 @@ +{{- if .Values.scheduledWorkflow.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "pipelines.fullname" . }}-scheduled-workflow + labels: + {{- include "pipelines.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "pipelines.fullname" . }}-scheduled-workflow + minReplicas: {{ .Values.scheduledWorkflow.autoscaling.minReplicas }} + maxReplicas: {{ .Values.scheduledWorkflow.autoscaling.maxReplicas }} + metrics: + {{- if .Values.scheduledWorkflow.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.scheduledWorkflow.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.scheduledWorkflow.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.scheduledWorkflow.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} 
diff --git a/kubeflow/helm/pipelines/templates/viewer-controller/deployment.yaml b/kubeflow/helm/pipelines/templates/viewer-controller/deployment.yaml index 84049d8b6..c08508cb9 100644 --- a/kubeflow/helm/pipelines/templates/viewer-controller/deployment.yaml +++ b/kubeflow/helm/pipelines/templates/viewer-controller/deployment.yaml @@ -5,17 +5,16 @@ metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} + {{- if not .Values.viewerController.autoscaling.enabled }} + replicas: {{ .Values.viewerController.replicaCount }} {{- end }} selector: matchLabels: {{- include "pipelines.viewerControllerSelectorLabels" . | nindent 6 }} template: metadata: - {{- with .Values.podAnnotations }} + {{- with .Values.viewerController.podAnnotations }} annotations: - cluster-autoscaler.kubernetes.io/safe-to-evict: "true" {{- toYaml . | nindent 8 }} {{- end }} labels: @@ -27,11 +26,11 @@ spec: {{- end }} serviceAccountName: {{ include "pipelines.serviceAccountName" . }}-viewer-controller securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- toYaml .Values.viewerController.podSecurityContext | nindent 8 }} containers: - name: {{ .Chart.Name }}-viewer-controller securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- toYaml .Values.viewerController.securityContext | nindent 12 }} image: "{{ .Values.viewerController.image.repository }}:{{ .Values.viewerController.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.viewerController.image.pullPolicy }} env: 
@@ -40,16 +39,16 @@ spec: - name: MAX_NUM_VIEWERS value: "50" resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.nodeSelector }} + {{- toYaml .Values.viewerController.resources | nindent 12 }} + {{- with .Values.viewerController.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.affinity }} + {{- with .Values.viewerController.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.tolerations }} + {{- with .Values.viewerController.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/kubeflow/helm/pipelines/templates/viewer-controller/hpa.yaml b/kubeflow/helm/pipelines/templates/viewer-controller/hpa.yaml new file mode 100644 index 000000000..6b9ee358a --- /dev/null +++ b/kubeflow/helm/pipelines/templates/viewer-controller/hpa.yaml @@ -0,0 +1,32 @@ +{{- if .Values.viewerController.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "pipelines.fullname" . }}-viewer-controller + labels: + {{- include "pipelines.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "pipelines.fullname" . }}-viewer-controller + minReplicas: {{ .Values.viewerController.autoscaling.minReplicas }} + maxReplicas: {{ .Values.viewerController.autoscaling.maxReplicas }} + metrics: + {{- if .Values.viewerController.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.viewerController.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.viewerController.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.viewerController.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} 
diff --git a/kubeflow/helm/pipelines/templates/visualization-server/deployment.yaml b/kubeflow/helm/pipelines/templates/visualization-server/deployment.yaml index 0e095c2fd..23e76edfa 100644 --- a/kubeflow/helm/pipelines/templates/visualization-server/deployment.yaml +++ b/kubeflow/helm/pipelines/templates/visualization-server/deployment.yaml @@ -5,17 +5,16 @@ metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} + {{- if not .Values.visualizationServer.autoscaling.enabled }} + replicas: {{ .Values.visualizationServer.replicaCount }} {{- end }} selector: matchLabels: {{- include "pipelines.visualizationServerSelectorLabels" . | nindent 6 }} template: metadata: - {{- with .Values.podAnnotations }} + {{- with .Values.visualizationServer.podAnnotations }} annotations: - cluster-autoscaler.kubernetes.io/safe-to-evict: "true" {{- toYaml . | nindent 8 }} {{- end }} labels: @@ -27,11 +26,11 @@ spec: {{- end }} serviceAccountName: {{ include "pipelines.serviceAccountName" . }}-visualization-server securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- toYaml .Values.visualizationServer.podSecurityContext | nindent 8 }} containers: - name: {{ .Chart.Name }}-visualization-server securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- toYaml .Values.visualizationServer.securityContext | nindent 12 }} image: "{{ .Values.visualizationServer.image.repository }}:{{ .Values.visualizationServer.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.visualizationServer.image.pullPolicy }} ports: 
@@ -63,16 +62,16 @@ spec: periodSeconds: 5 timeoutSeconds: 2 resources: - {{- toYaml .Values.resources | nindent 12 }} - {{- with .Values.nodeSelector }} + {{- toYaml .Values.visualizationServer.resources | nindent 12 }} + {{- with .Values.visualizationServer.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.affinity }} + {{- with .Values.visualizationServer.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.tolerations }} + {{- with .Values.visualizationServer.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/kubeflow/helm/pipelines/templates/visualization-server/hpa.yaml b/kubeflow/helm/pipelines/templates/visualization-server/hpa.yaml new file mode 100644 index 000000000..ef262b998 --- /dev/null +++ b/kubeflow/helm/pipelines/templates/visualization-server/hpa.yaml @@ -0,0 +1,32 @@ +{{- if .Values.visualizationServer.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "pipelines.fullname" . }}-visualization-server + labels: + {{- include "pipelines.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "pipelines.fullname" . }}-visualization-server + minReplicas: {{ .Values.visualizationServer.autoscaling.minReplicas }} + maxReplicas: {{ .Values.visualizationServer.autoscaling.maxReplicas }} + metrics: + {{- if .Values.visualizationServer.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.visualizationServer.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.visualizationServer.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.visualizationServer.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} 
diff --git a/kubeflow/helm/pipelines/templates/web-app/deployment.yaml b/kubeflow/helm/pipelines/templates/web-app/deployment.yaml index ee77889e9..009a060a8 100644 --- a/kubeflow/helm/pipelines/templates/web-app/deployment.yaml +++ b/kubeflow/helm/pipelines/templates/web-app/deployment.yaml @@ -5,17 +5,16 @@ metadata: labels: {{- include "pipelines.labels" . | nindent 4 }} spec: - {{- if not .Values.autoscaling.enabled }} - replicas: {{ .Values.replicaCount }} + {{- if not .Values.webapp.autoscaling.enabled }} + replicas: {{ .Values.webapp.replicaCount }} {{- end }} selector: matchLabels: {{- include "pipelines.selectorLabels" . | nindent 6 }} template: metadata: - {{- with .Values.podAnnotations }} + {{- with .Values.webapp.podAnnotations }} annotations: - cluster-autoscaler.kubernetes.io/safe-to-evict: "true" {{- toYaml . | nindent 8 }} {{- end }} labels: @@ -27,13 +26,13 @@ spec: {{- end }} serviceAccountName: {{ include "pipelines.serviceAccountName" . }}-web-app securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- toYaml .Values.webapp.podSecurityContext | nindent 8 }} containers: - name: {{ .Chart.Name }}-web-app securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- toYaml .Values.webapp.securityContext | nindent 12 }} + image: "{{ .Values.webapp.image.repository }}:{{ .Values.webapp.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.webapp.image.pullPolicy }} env: - name: AWS_ACCESS_KEY_ID valueFrom: @@ -74,7 +73,7 @@ spec: periodSeconds: 5 timeoutSeconds: 2 resources: - {{- toYaml .Values.resources | nindent 12 }} + {{- toYaml .Values.webapp.resources | nindent 12 }} envFrom: - configMapRef: name: {{ include "pipelines.fullname" . }}-web-app-parameters 
@@ -86,15 +85,15 @@ spec: - configMap: name: {{ include "pipelines.fullname" . }}-web-app-viewer-template name: config-volume - {{- with .Values.nodeSelector }} + {{- with .Values.webapp.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.affinity }} + {{- with .Values.webapp.affinity }} affinity: {{- toYaml . | nindent 8 }} {{- end }} - {{- with .Values.tolerations }} + {{- with .Values.webapp.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} diff --git a/kubeflow/helm/pipelines/templates/web-app/hpa.yaml b/kubeflow/helm/pipelines/templates/web-app/hpa.yaml index a7171f655..4b3868cd1 100644 --- a/kubeflow/helm/pipelines/templates/web-app/hpa.yaml +++ b/kubeflow/helm/pipelines/templates/web-app/hpa.yaml 
@@ -1,32 +1,32 @@ -{{- if .Values.autoscaling.enabled }} +{{- if .Values.webapp.autoscaling.enabled }} apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler metadata: - name: {{ include "pipelines.fullname" . }} + name: {{ include "pipelines.fullname" . }}-web-app labels: {{- include "pipelines.labels" . | nindent 4 }} spec: scaleTargetRef: apiVersion: apps/v1 kind: Deployment - name: {{ include "pipelines.fullname" . }} - minReplicas: {{ .Values.autoscaling.minReplicas }} - maxReplicas: {{ .Values.autoscaling.maxReplicas }} + name: {{ include "pipelines.fullname" . }}-web-app + minReplicas: {{ .Values.webapp.autoscaling.minReplicas }} + maxReplicas: {{ .Values.webapp.autoscaling.maxReplicas }} metrics: - {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- if .Values.webapp.autoscaling.targetCPUUtilizationPercentage }} - type: Resource resource: name: cpu target: type: Utilization - averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + averageUtilization: {{ .Values.webapp.autoscaling.targetCPUUtilizationPercentage }} {{- end }} - {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- if .Values.webapp.autoscaling.targetMemoryUtilizationPercentage }} - type: Resource resource: name: memory target: type: Utilization - averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + averageUtilization: {{ .Values.webapp.autoscaling.targetMemoryUtilizationPercentage }} {{- end }} {{- end }} diff --git a/kubeflow/helm/pipelines/templates/web-app/service.yaml b/kubeflow/helm/pipelines/templates/web-app/service.yaml index d17b44395..062b31893 100644 --- a/kubeflow/helm/pipelines/templates/web-app/service.yaml +++ b/kubeflow/helm/pipelines/templates/web-app/service.yaml @@ -7,7 +7,7 @@ metadata: spec: type: ClusterIP ports: - - port: {{ .Values.service.port }} + - port: {{ .Values.webapp.service.port }} targetPort: website protocol: TCP name: http-website 
diff --git a/kubeflow/helm/pipelines/templates/web-app/virtualservice.yaml b/kubeflow/helm/pipelines/templates/web-app/virtualservice.yaml index bdebd25f2..34626a1f4 100644 --- a/kubeflow/helm/pipelines/templates/web-app/virtualservice.yaml +++ b/kubeflow/helm/pipelines/templates/web-app/virtualservice.yaml @@ -3,33 +3,33 @@ kind: VirtualService metadata: name: {{ include "pipelines.fullname" . }}-web-app labels: {{- include "pipelines.labels" . | nindent 4 }} - {{- with .Values.virtualService.annotations }} + {{- with .Values.webapp.virtualService.annotations }} annotations: {{- toYaml . | nindent 4 }} {{- end }} spec: gateways: - {{- range .Values.virtualService.gateways }} + {{- range .Values.webapp.virtualService.gateways }} - {{ . | quote }} {{- end }} hosts: - {{ .Values.global.domain }} - {{- range .Values.virtualService.hosts }} + {{- range .Values.webapp.virtualService.hosts }} - {{ . | quote }} {{- end }} http: - headers: request: add: - x-forwarded-prefix: {{ .Values.virtualService.prefix }} + x-forwarded-prefix: {{ .Values.webapp.virtualService.prefix }} match: - uri: - prefix: {{ .Values.virtualService.prefix }} + prefix: {{ .Values.webapp.virtualService.prefix }} rewrite: - uri: {{ .Values.virtualService.prefix }} + uri: {{ .Values.webapp.virtualService.prefix }} route: - destination: host: {{ include "pipelines.fullname" . }}-web-app.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }} port: - number: {{ .Values.service.port }} + number: {{ .Values.webapp.service.port }} timeout: 300s diff --git a/kubeflow/helm/pipelines/values.yaml b/kubeflow/helm/pipelines/values.yaml index 17f0d6d15..58652177d 100644 --- a/kubeflow/helm/pipelines/values.yaml +++ b/kubeflow/helm/pipelines/values.yaml @@ -14,7 +14,9 @@ global: authEndpoint: "" tokenEndpoint: "" -replicaCount: 1 +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" config: databases: 
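Review bot: In `web-app/virtualservice.yaml` the `gateways` and `hosts` entries are rendered with `| quote`, but `x-forwarded-prefix`, `match.uri.prefix` and `rewrite.uri` take `.Values.webapp.virtualService.prefix` unquoted. An empty or indicator-leading override would then render as null or fail to parse, and the header value is injected into every request routed to the web app. I would write `x-forwarded-prefix: {{ .Values.webapp.virtualService.prefix | quote }}` and quote the two `uri` fields the same way.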
@@ -31,16 +33,6 @@ config: bucketName: pipelines-bucket bucketRegion: us-east-2 -image: - repository: gcr.io/ml-pipeline/frontend - pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. - tag: 2.0.1 - -imagePullSecrets: [] -nameOverride: "" -fullnameOverride: "" - serviceAccount: # Specifies whether a service account should be created create: true 
@@ -50,32 +42,70 @@ serviceAccount: # If not set and create is true, a name is generated using the fullname template name: "" -podAnnotations: - sidecar.istio.io/inject: "true" +webapp: + replicaCount: 1 -podSecurityContext: {} - # fsGroup: 2000 + image: + repository: gcr.io/ml-pipeline/frontend + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: 2.0.1 -securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 + podAnnotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + sidecar.istio.io/inject: "true" -service: - port: 80 + podSecurityContext: {} + # fsGroup: 2000 -virtualService: - annotations: {} - prefix: /pipeline - gateways: - - kubeflow-gateway - # hosts to add additional to the value of global.domain - hosts: [] + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + + service: + port: 80 + + virtualService: + annotations: {} + prefix: /pipeline + gateways: + - kubeflow-gateway + # hosts to add additional to the value of global.domain + hosts: [] + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + nodeSelector: {} + + tolerations: [] + + affinity: {} apiServer: + + replicaCount: 1 + image: repository: gcr.io/ml-pipeline/api-server pullPolicy: IfNotPresent 
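Review bot: `webapp.securityContext` and `webapp.podSecurityContext` default to `{}` with the hardening left as comments, and the later hunks copy that default into every other component block (`apiServer`, `persistenceAgent`, `scheduledWorkflow`, `viewerController`, `visualizationServer`, `cache.server`, `metadata.envoy`, `metadata.grpc`, `metadata.writer`). Every deployment therefore renders an empty security context unless the operator overrides each block separately. Now that the values are per component, a restrictive default can be set wherever the image supports it, for example `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: [ALL]}}`. Whether `runAsNonRoot: true` and `readOnlyRootFilesystem: true` work depends on the images, which cannot be told from this diff, so those are better enabled per component after testing.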
@@ -87,28 +117,145 @@ apiServer: grpc: port: 8887 + resources: {} + + podAnnotations: + sidecar.istio.io/inject: "true" + + podSecurityContext: {} + # fsGroup: 2000 + + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + nodeSelector: {} + + tolerations: [] + + affinity: {} + persistenceAgent: + replicaCount: 1 image: repository: gcr.io/ml-pipeline/persistenceagent pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. tag: 2.0.1 + resources: {} + + podAnnotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + + podSecurityContext: {} + # fsGroup: 2000 + + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + nodeSelector: {} + + tolerations: [] + + affinity: {} scheduledWorkflow: + replicaCount: 1 image: repository: gcr.io/ml-pipeline/scheduledworkflow pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. 
tag: 2.0.1 + resources: {} + + podAnnotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + + podSecurityContext: {} + # fsGroup: 2000 + + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + nodeSelector: {} + + tolerations: [] + + affinity: {} viewerController: + replicaCount: 1 image: repository: gcr.io/ml-pipeline/viewer-crd-controller pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. tag: 2.0.1 + resources: {} + + podAnnotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + + podSecurityContext: {} + # fsGroup: 2000 + + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + nodeSelector: {} + + tolerations: [] + + affinity: {} visualizationServer: + replicaCount: 1 image: repository: gcr.io/ml-pipeline/visualization-server pullPolicy: IfNotPresent @@ -116,8 +263,37 @@ visualizationServer: tag: 2.0.1 service: port: 8888 + resources: {} + + podAnnotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + + podSecurityContext: {} + # fsGroup: 2000 + + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + nodeSelector: {} + + tolerations: [] + + affinity: {} argoWorkflowController: + replicaCount: 1 image: repository: gcr.io/ml-pipeline/workflow-controller pullPolicy: IfNotPresent 
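Review bot: The per-component `podAnnotations` added for `persistenceAgent`, `scheduledWorkflow`, `viewerController` and `visualizationServer` drop `sidecar.istio.io/inject: "true"`, which the removed top-level `podAnnotations` supplied to these deployments through `.Values.podAnnotations`. Unless injection is enabled at namespace level (not visible here), these pods would now start without an Envoy sidecar, outside mesh mTLS and any sidecar-enforced AuthorizationPolicy. `metadata.grpc` and `metadata.writer` in the last values hunk appear to have the same gap, while `webapp`, `apiServer` and `cache.server` keep the annotation. If the change is intended, a comment such as `# not part of the mesh: <reason>` on each block would record it; otherwise add `sidecar.istio.io/inject: "true"` back to those blocks.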
@@ -149,11 +325,21 @@ argoWorkflowController: prometheus.io/scrape: "true" prometheus.io/path: /metrics podSecurityContext: {} + nodeSelector: {} + tolerations: [] + affinity: {} service: port: 9090 + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 cache: server: + replicaCount: 1 image: repository: gcr.io/ml-pipeline/cache-server pullPolicy: IfNotPresent @@ -161,6 +347,37 @@ cache: tag: 2.0.1 service: port: 443 + resources: {} + + podAnnotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + sidecar.istio.io/inject: "true" + + podSecurityContext: {} + # fsGroup: 2000 + + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + + nodeSelector: {} + + tolerations: [] + + affinity: {} + + deployer: image: repository: gcr.io/ml-pipeline/cache-deployer @@ -170,6 +387,7 @@ cache: metadata: envoy: + replicaCount: 1 image: repository: gcr.io/ml-pipeline/metadata-envoy pullPolicy: IfNotPresent @@ -179,7 +397,31 @@ metadata: port: 9090 admin: port: 9901 + resources: {} + podAnnotations: + sidecar.istio.io/inject: "false" + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + podSecurityContext: {} + # fsGroup: 2000 + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + nodeSelector: {} + tolerations: [] + affinity: {} + grpc: + replicaCount: 1 image: repository: gcr.io/tfx-oss-public/ml_metadata_store_server pullPolicy: IfNotPresent 
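Review bot: `argoWorkflowController.autoscaling` copies `maxReplicas: 100` from the web-app defaults, and the same ceiling is repeated for every component in this file. For controller-style workloads that is a very high bound for an operator who only flips `enabled: true`, and whether these controllers tolerate more than one active replica cannot be told from this diff. I would lower the default and state the assumption next to it, e.g. `maxReplicas: 3  # constructed example; raise only after confirming the component scales horizontally`.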
@@ -194,34 +436,52 @@ metadata: - kubeflow-gateway # hosts to add additional to the value of global.domain hosts: [] + resources: {} + podAnnotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + podSecurityContext: {} + # fsGroup: 2000 + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + nodeSelector: {} + tolerations: [] + affinity: {} writer: + replicaCount: 1 image: repository: gcr.io/ml-pipeline/metadata-writer pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. tag: 2.0.1 - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 100 - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 - -nodeSelector: {} - -tolerations: [] - -affinity: {} + resources: {} + podAnnotations: + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + podSecurityContext: {} + # fsGroup: 2000 + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + nodeSelector: {} + tolerations: [] + affinity: {} From 47db8da4415f79b7f2cbe7ff36afed67db89eb3a Mon Sep 17 00:00:00 2001 
From: David van der Spek Date: Tue, 19 Sep 2023 11:05:18 +0200 Subject: [PATCH 20/32] fix pipelines version Signed-off-by: David van der Spek --- kubeflow/helm/pipelines/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kubeflow/helm/pipelines/Chart.yaml b/kubeflow/helm/pipelines/Chart.yaml index 9bd2755ea..05762ad10 100644 --- a/kubeflow/helm/pipelines/Chart.yaml +++ b/kubeflow/helm/pipelines/Chart.yaml @@ -3,4 +3,4 @@ name: pipelines description: A Helm chart for Kubernetes type: application version: 0.1.89 -appVersion: "1.8.1" +appVersion: "2.0.1" From 197901f7ce535488100da77598ba9fcd3f8f0862 Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Tue, 19 Sep 2023 11:29:58 +0200 Subject: [PATCH 21/32] quick update for mysql v8 Signed-off-by: David van der Spek --- kubeflow/helm/mysql-cluster/templates/cluster.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kubeflow/helm/mysql-cluster/templates/cluster.yaml b/kubeflow/helm/mysql-cluster/templates/cluster.yaml index 817ce29b0..d27eb6bfd 100644 --- a/kubeflow/helm/mysql-cluster/templates/cluster.yaml +++ b/kubeflow/helm/mysql-cluster/templates/cluster.yaml @@ -4,6 +4,8 @@ metadata: name: kubeflow-mysql-cluster spec: replicas: 2 + mysqlVersion: "8.0" + image: dkr.plural.sh/mysql/library/percona:8.0.32-24 secretName: kubeflow-mysql-cluster-root volumeSpec: persistentVolumeClaim: From ff271a06087f046fdf81b5a443a6b8e6ff135690 Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Thu, 21 Sep 2023 13:10:36 +0200 Subject: [PATCH 22/32] partly working pipelines (s3 auth error for artifact) 
Signed-off-by: David van der Spek --- .../helm/mysql-cluster/templates/cluster.yaml | 4 +- .../templates/api-server/clusterrole.yaml | 130 ------------------ .../templates/kubeflow-cluster-roles.yaml | 129 +++++++++++++++++ .../metadata/grpc-server/destinationrule.yaml | 11 ++ .../metadata/grpc-server/service.yaml | 16 +++ 5 files changed, 158 insertions(+), 132 deletions(-) create mode 100644 kubeflow/helm/pipelines/templates/kubeflow-cluster-roles.yaml diff --git a/kubeflow/helm/mysql-cluster/templates/cluster.yaml b/kubeflow/helm/mysql-cluster/templates/cluster.yaml index d27eb6bfd..8bde85c7e 100644 --- a/kubeflow/helm/mysql-cluster/templates/cluster.yaml +++ b/kubeflow/helm/mysql-cluster/templates/cluster.yaml @@ -4,8 +4,8 @@ metadata: name: kubeflow-mysql-cluster spec: replicas: 2 - mysqlVersion: "8.0" - image: dkr.plural.sh/mysql/library/percona:8.0.32-24 + mysqlVersion: "5.7" # update to 8.0 once https://github.com/kubeflow/pipelines/issues/9549 is released or working + image: dkr.plural.sh/mysql/library/percona:5.7.39 secretName: kubeflow-mysql-cluster-root volumeSpec: persistentVolumeClaim: diff --git a/kubeflow/helm/pipelines/templates/api-server/clusterrole.yaml b/kubeflow/helm/pipelines/templates/api-server/clusterrole.yaml index 26114c224..77fa17abf 100644 --- a/kubeflow/helm/pipelines/templates/api-server/clusterrole.yaml +++ b/kubeflow/helm/pipelines/templates/api-server/clusterrole.yaml 
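Review bot: The `image:` line in `mysql-cluster/templates/cluster.yaml` references the database image by tag only (`percona:5.7.39`), so the registry can serve different content under the same reference. Pinning the digest makes the deployed image verifiable: `image: dkr.plural.sh/mysql/library/percona:5.7.39@sha256:<digest>` (placeholder, take the value from the registry). The move back to `mysqlVersion: "5.7"` also keeps the cluster on a release line whose upstream support ended in October 2023, so the 8.0 follow-up named in the inline comment is worth tracking in this repository as well as through the upstream link.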
@@ -48,133 +48,3 @@ rules: - tokenreviews verbs: - create ---- -aggregationRule: - clusterRoleSelectors: - - matchLabels: - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipelines-edit: "true" -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: {{- include "pipelines.labels" . | nindent 4 }} - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" - name: {{ include "pipelines.fullname" . }}-edit -rules: [] ---- -aggregationRule: - clusterRoleSelectors: - - matchLabels: - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipelines-view: "true" -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: {{- include "pipelines.labels" . | nindent 4 }} - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipelines-edit: "true" - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" - name: {{ include "pipelines.fullname" . }}-view -rules: [] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: {{- include "pipelines.labels" . | nindent 4 }} - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipelines-edit: "true" - name: aggregate-to-{{ include "pipelines.fullname" . 
}}-edit -rules: - - apiGroups: - - pipelines.kubeflow.org - resources: - - pipelines - - pipelines/versions - verbs: - - create - - delete - - update - - apiGroups: - - pipelines.kubeflow.org - resources: - - experiments - verbs: - - archive - - create - - delete - - unarchive - - apiGroups: - - pipelines.kubeflow.org - resources: - - runs - verbs: - - archive - - create - - delete - - retry - - terminate - - unarchive - - reportMetrics - - readArtifact - - apiGroups: - - pipelines.kubeflow.org - resources: - - jobs - verbs: - - create - - delete - - disable - - enable - - apiGroups: - - kubeflow.org - resources: - - scheduledworkflows - verbs: - - '*' - - apiGroups: - - argoproj.io - resources: - - cronworkflows - - cronworkflows/finalizers - - workflows - - workflows/finalizers - - workfloweventbindings - - workflowtemplates - verbs: - - '*' ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: {{- include "pipelines.labels" . | nindent 4 }} - rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipelines-view: "true" - name: aggregate-to-{{ include "pipelines.fullname" . }}-view -rules: - - apiGroups: - - pipelines.kubeflow.org - resources: - - pipelines - - pipelines/versions - - experiments - - jobs - verbs: - - get - - list - - apiGroups: - - pipelines.kubeflow.org - resources: - - runs - verbs: - - get - - list - - readArtifact - - apiGroups: - - kubeflow.org - resources: - - viewers - verbs: - - create - - get - - delete - - apiGroups: - - pipelines.kubeflow.org - resources: - - visualizations - verbs: - - create diff --git a/kubeflow/helm/pipelines/templates/kubeflow-cluster-roles.yaml b/kubeflow/helm/pipelines/templates/kubeflow-cluster-roles.yaml new file mode 100644 index 000000000..554a80770 --- /dev/null +++ b/kubeflow/helm/pipelines/templates/kubeflow-cluster-roles.yaml 
@@ -0,0 +1,129 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: {{- include "pipelines.labels" . | nindent 4 }} + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-edit: "true" + name: {{ include "pipelines.fullname" . }}-edit +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipelines-edit: "true" +rules: [] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: {{- include "pipelines.labels" . | nindent 4 }} + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipelines-edit: "true" + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-view: "true" + name: {{ include "pipelines.fullname" . }}-view +aggregationRule: + clusterRoleSelectors: + - matchLabels: + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipelines-view: "true" +rules: [] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: {{- include "pipelines.labels" . | nindent 4 }} + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipelines-edit: "true" + name: aggregate-to-{{ include "pipelines.fullname" . 
}}-edit +rules: +- apiGroups: + - pipelines.kubeflow.org + resources: + - pipelines + - pipelines/versions + verbs: + - create + - delete + - update +- apiGroups: + - pipelines.kubeflow.org + resources: + - experiments + verbs: + - archive + - create + - delete + - unarchive +- apiGroups: + - pipelines.kubeflow.org + resources: + - runs + verbs: + - archive + - create + - delete + - retry + - terminate + - unarchive + - reportMetrics + - readArtifact +- apiGroups: + - pipelines.kubeflow.org + resources: + - jobs + verbs: + - create + - delete + - disable + - enable +- apiGroups: + - kubeflow.org + resources: + - scheduledworkflows + verbs: + - '*' +- apiGroups: + - argoproj.io + resources: + - cronworkflows + - cronworkflows/finalizers + - workflows + - workflows/finalizers + - workfloweventbindings + - workflowtemplates + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: {{- include "pipelines.labels" . | nindent 4 }} + rbac.authorization.kubeflow.org/aggregate-to-kubeflow-pipelines-view: "true" + name: aggregate-to-{{ include "pipelines.fullname" . }}-view +rules: +- apiGroups: + - pipelines.kubeflow.org + resources: + - pipelines + - pipelines/versions + - experiments + - jobs + verbs: + - get + - list +- apiGroups: + - pipelines.kubeflow.org + resources: + - runs + verbs: + - get + - list + - readArtifact +- apiGroups: + - kubeflow.org + resources: + - viewers + verbs: + - create + - get + - delete +- apiGroups: + - pipelines.kubeflow.org + resources: + - visualizations + verbs: + - create diff --git a/kubeflow/helm/pipelines/templates/metadata/grpc-server/destinationrule.yaml b/kubeflow/helm/pipelines/templates/metadata/grpc-server/destinationrule.yaml index 6da494872..60bba83d4 100644 --- a/kubeflow/helm/pipelines/templates/metadata/grpc-server/destinationrule.yaml +++ b/kubeflow/helm/pipelines/templates/metadata/grpc-server/destinationrule.yaml 
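Review bot: The two `verbs: - '*'` rules in `aggregate-to-…-edit` (on `kubeflow.org` `scheduledworkflows` and on the `argoproj.io` workflow resources) flow into the role labelled `aggregate-to-kubeflow-edit`, so every holder of the edit role gets all current and future verbs on them, `deletecollection` included. Listing the verbs explicitly, for example `verbs: [create, get, list, watch, update, patch, delete]`, keeps the grant reviewable; the same applies to `workflowtaskresults`, which PATCH 23 adds under this wildcard. The view aggregate also grants `create` and `delete` on `viewers` and `create` on `visualizations`, which deserves a comment in the file explaining why a read-only role carries write verbs.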
@@ -8,3 +8,14 @@ spec: trafficPolicy: tls: mode: ISTIO_MUTUAL +--- +apiVersion: networking.istio.io/v1beta1 +kind: DestinationRule +metadata: + labels: {{- include "pipelines.labels" . | nindent 4 }} + name: metadata-grpc-service +spec: + host: metadata-grpc-service.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }} + trafficPolicy: + tls: + mode: ISTIO_MUTUAL diff --git a/kubeflow/helm/pipelines/templates/metadata/grpc-server/service.yaml b/kubeflow/helm/pipelines/templates/metadata/grpc-server/service.yaml index 0f261ea06..fb56cdba7 100644 --- a/kubeflow/helm/pipelines/templates/metadata/grpc-server/service.yaml +++ b/kubeflow/helm/pipelines/templates/metadata/grpc-server/service.yaml @@ -13,3 +13,19 @@ spec: name: grpc-api selector: {{- include "pipelines.metadataGRPCServerSelectorLabels" . | nindent 6 }} +--- +apiVersion: v1 +kind: Service +metadata: + name: metadata-grpc-service + labels: + {{- include "pipelines.labels" . | nindent 4 }} +spec: + type: ClusterIP + ports: + - port: {{ .Values.metadata.grpc.service.port }} + targetPort: api + protocol: TCP + name: grpc-api + selector: + {{- include "pipelines.metadataGRPCServerSelectorLabels" . | nindent 6 }} From 0acd507efa8f50ba03047c05911bbc9db12a77d9 Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Thu, 21 Sep 2023 13:30:13 +0200 Subject: [PATCH 23/32] fix missing rbac for argo workflows Signed-off-by: David van der Spek --- kubeflow/helm/pipelines/templates/kubeflow-cluster-roles.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/kubeflow/helm/pipelines/templates/kubeflow-cluster-roles.yaml b/kubeflow/helm/pipelines/templates/kubeflow-cluster-roles.yaml index 554a80770..1fa2a7139 100644 --- a/kubeflow/helm/pipelines/templates/kubeflow-cluster-roles.yaml +++ b/kubeflow/helm/pipelines/templates/kubeflow-cluster-roles.yaml @@ -85,6 +85,7 @@ rules: - workflows/finalizers - workfloweventbindings - workflowtemplates + - workflowtaskresults verbs: - '*' --- 
From be196eec1da42e5bb8a2131641e46b1889959abf Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Thu, 21 Sep 2023 14:33:45 +0200 Subject: [PATCH 24/32] update notebooks config Signed-off-by: David van der Spek --- .../templates/web-app/configmap.yaml | 111 ++---------------- kubeflow/helm/notebooks/values.yaml | 96 +++++++++++++-- 2 files changed, 96 insertions(+), 111 deletions(-) diff --git a/kubeflow/helm/notebooks/templates/web-app/configmap.yaml b/kubeflow/helm/notebooks/templates/web-app/configmap.yaml index 46b4e12b9..b35e36b6d 100644 --- a/kubeflow/helm/notebooks/templates/web-app/configmap.yaml +++ b/kubeflow/helm/notebooks/templates/web-app/configmap.yaml 
@@ -43,122 +43,31 @@ data: # The list of available standard container Images options: {{- toYaml .Values.webApp.config.images.rstudioImages | nindent 8 }} allowCustomImage: {{ .Values.webApp.config.images.allowCustomImage }} + hideRegistry: {{ .Values.webApp.config.images.hideRegistry }} + hideTag: {{ .Values.webApp.config.images.hideTag }} imagePullPolicy: value: {{ .Values.webApp.config.images.imagePullPolicy.value }} readOnly: {{ .Values.webApp.config.images.imagePullPolicy.readOnly }} cpu: - # CPU for user's Notebook - value: {{ .Values.webApp.config.cpu.value }} - # Factor by with to multiply request to calculate limit - # if no limit is set, to disable set "none" - limitFactor: {{ .Values.webApp.config.cpu.limitFactor }} - readOnly: {{ .Values.webApp.config.cpu.readOnly }} + {{- toYaml .Values.webApp.config.cpu | nindent 8 }} memory: - # Memory for user's Notebook - value: {{ .Values.webApp.config.memory.value }} - # Factor by with to multiply request to calculate limit - # if no limit is set, to disable set "none" - limitFactor: {{ .Values.webApp.config.memory.limitFactor }} - readOnly: {{ .Values.webApp.config.memory.readOnly }} + {{- toYaml .Values.webApp.config.memory | nindent 8 }} environment: - value: {} - readOnly: false + {{- toYaml .Values.webApp.config.environment | nindent 8 }} workspaceVolume: - # Workspace Volume to be attached to user's Notebook - # Each Workspace Volume is declared with the following attributes: - # Type, Name, Size, MountPath and Access Mode - value: - type: - # The Type of the Workspace Volume - # Supported values: 'New', 'Existing' - value: New - name: - # The Name of the Workspace Volume - # Note that this is a templated value. Special values: - # {notebook-name}: Replaced with the name of the Notebook. 
The frontend - # will replace this value as the user types the name - value: 'workspace-{notebook-name}' - size: - # The Size of the Workspace Volume (in Gi) - value: '5Gi' - mountPath: - # The Path that the Workspace Volume will be mounted - value: /home/jovyan - accessModes: - # The Access Mode of the Workspace Volume - # Supported values: 'ReadWriteOnce', 'ReadWriteMany', 'ReadOnlyMany' - value: ReadWriteOnce - class: - # The StrageClass the PVC will use if type is New. Special values are: - # {none}: default StorageClass - # {empty}: empty string "" - value: '{none}' - readOnly: false + {{- toYaml .Values.webApp.config.workspaceVolume | nindent 8 }} dataVolumes: - # List of additional Data Volumes to be attached to the user's Notebook - value: [] - # Each Data Volume is declared with the following attributes: - # Type, Name, Size, MountPath and Access Mode - # - # For example, a list with 2 Data Volumes: - # value: - # - value: - # type: - # value: New - # name: - # value: '{notebook-name}-vol-1' - # size: - # value: '10Gi' - # class: - # value: standard - # mountPath: - # value: /home/jovyan/vol-1 - # accessModes: - # value: ReadWriteOnce - # class: - # value: {none} - # - value: - # type: - # value: New - # name: - # value: '{notebook-name}-vol-2' - # size: - # value: '10Gi' - # mountPath: - # value: /home/jovyan/vol-2 - # accessModes: - # value: ReadWriteMany - # class: - # value: {none} - readOnly: false + {{- toYaml .Values.webApp.config.dataVolumes | nindent 8 }} gpus: - # Number of GPUs to be assigned to the Notebook Container - value: - # values: "none", "1", "2", "4", "8" - num: "none" - # Determines what the UI will show and send to the backend - vendors: - - limitsKey: "nvidia.com/gpu" - uiName: "NVIDIA" - - limitsKey: "amd.com/gpu" - uiName: "AMD" - # Values: "" or a `limits-key` from the vendors list - vendor: "" - readOnly: false + {{- toYaml .Values.webApp.config.gpus | nindent 8 }} affinityConfig: {{- toYaml .Values.webApp.config.affinityConfig 
| nindent 8 }} tolerationGroup: {{- toYaml .Values.webApp.config.tolerationGroup | nindent 8 }} shm: - value: true - readOnly: false + {{- toYaml .Values.webApp.config.shm | nindent 8 }} configurations: - # List of labels to be selected, these are the labels from PodDefaults - # value: - # - add-gcp-secret - # - default-editor - value: [] - readOnly: false + {{- toYaml .Values.webApp.config.configurations | nindent 8 }} kind: ConfigMap metadata: labels: {{- include "notebooks.labels" . | nindent 4 }} diff --git a/kubeflow/helm/notebooks/values.yaml b/kubeflow/helm/notebooks/values.yaml index bc4fec410..123b2b1d8 100644 --- a/kubeflow/helm/notebooks/values.yaml +++ b/kubeflow/helm/notebooks/values.yaml 
@@ -86,21 +86,23 @@ webApp: config: images: allowCustomImage: true + hideRegistry: true + hideTag: false imagePullPolicy: value: IfNotPresent readOnly: false jupyterImages: - - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-scipy:v1.0.55 - - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-pytorch-full:v1.0.55 - - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-pytorch-full-cuda:v1.0.55 - - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-tensorflow-full:v1.0.54 - - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-tensorflow-full-cuda:v1.0.54 - - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-go:v1.0.11 + - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-scipy:2.1.1 + - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-pytorch-full:2.1.0 + - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-pytorch-full-cuda:2.1.0 + - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-tensorflow-full:2.1.0 + - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-tensorflow-full-cuda:2.1.0 + - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-go:2.2.0 - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-elixir:v1.0.12 vscodeImages: - - ghcr.io/pluralsh/kubeflow-notebooks-codeserver-python:v1.0.8 + - ghcr.io/pluralsh/kubeflow-notebooks-codeserver-python:2.1.1 rstudioImages: - - ghcr.io/pluralsh/kubeflow-notebooks-rstudio-tidyverse:v1.0.1 + - ghcr.io/pluralsh/kubeflow-notebooks-rstudio-tidyverse:2.1.0 cpu: # CPU for user's Notebook value: '0.5' 
@@ -115,7 +117,82 @@ webApp: # if no limit is set, to disable set "none" limitFactor: "1.2" readOnly: false + gpus: + readOnly: false + # configs for gpu/device-plugin limits of the container + # https://kubernetes.io/docs/tasks/manage-gpus/scheduling-gpus/#using-device-plugins + value: + # the `limitKey` of the default vendor + # (to have no default, set as "") + vendor: "" + + # the list of available vendors in the dropdown + # `limitsKey` - what will be set as the actual limit + # `uiName` - what will be displayed in the dropdown UI + vendors: + - limitsKey: "nvidia.com/gpu" + uiName: "NVIDIA" + # - limitsKey: "amd.com/gpu" + # uiName: "AMD" + + # the default value of the limit + # (possible values: "none", "1", "2", "4", "8") + num: "none" + environment: + readOnly: false + value: {} + workspaceVolume: + readOnly: false + # the default workspace volume to be created and mounted + # (to have no default, set `value: null`) + value: + mount: /home/jovyan + # pvc configs for creating new workspace volumes + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#persistentvolumeclaim-v1-core + newPvc: + metadata: + # "{notebook-name}" is replaced with the Notebook name + name: "{notebook-name}-workspace" + spec: + storageClassName: null + resources: + requests: + storage: 5Gi + accessModes: + - ReadWriteOnce + dataVolumes: + readOnly: false + # a list of additional data volumes to be created and/or mounted + value: [] + #value: + # - mount: /home/jovyan/datavol-1 + # newPvc: + # metadata: + # name: "{notebook-name}-datavol-1" + # spec: + # resources: + # requests: + # storage: 5Gi + # accessModes: + # - ReadWriteOnce + # + # - mount: /home/jovyan/datavol-1 + # existingSource: + # persistentVolumeClaim: + # claimName: "test-pvc" + shm: + readOnly: false + # the default state of the "Enable Shared Memory" toggle + value: true + configurations: + readOnly: false + # the list of PodDefault names that are selected by default + # (take care to ensure these 
PodDefaults exist in Profile Namespaces) + value: [] + #value: + # - my-pod-default affinityConfig: + readOnly: false # If readonly, the default value will be the only option # value is a list of `configKey`s that we want to be selected by default value: "" @@ -197,8 +274,8 @@ webApp: operator: "Exists" namespaces: [] topologyKey: "kubernetes.io/hostname" - readOnly: false tolerationGroup: + readOnly: false # The default `groupKey` from the options list # If readonly, the default value will be the only option value: "" @@ -227,7 +304,6 @@ webApp: operator: "Equal" value: "SPOT" effect: "NoSchedule" - readOnly: false controller: replicaCount: 1 From 2886668f120480ba02c61f385b190f7ae272f076 Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Fri, 22 Sep 2023 11:03:09 +0200 Subject: [PATCH 25/32] bump notebook images again Signed-off-by: David van der Spek --- kubeflow/helm/notebooks/values.yaml | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/kubeflow/helm/notebooks/values.yaml b/kubeflow/helm/notebooks/values.yaml index 123b2b1d8..7d56e8a9c 100644 --- a/kubeflow/helm/notebooks/values.yaml +++ b/kubeflow/helm/notebooks/values.yaml 
@@ -92,17 +92,16 @@ webApp: value: IfNotPresent readOnly: false jupyterImages: - - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-scipy:2.1.1 - - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-pytorch-full:2.1.0 - - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-pytorch-full-cuda:2.1.0 - - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-tensorflow-full:2.1.0 - - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-tensorflow-full-cuda:2.1.0 - - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-go:2.2.0 - - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-elixir:v1.0.12 + - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-scipy:2.2.0 + - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-pytorch-full:2.2.0 + - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-pytorch-full-cuda:2.2.0 + - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-tensorflow-full:2.3.0 + - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-tensorflow-full-cuda:2.3.0 + - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-go:2.3.0 vscodeImages: - - ghcr.io/pluralsh/kubeflow-notebooks-codeserver-python:2.1.1 + - ghcr.io/pluralsh/kubeflow-notebooks-codeserver-python:2.2.0 rstudioImages: - - ghcr.io/pluralsh/kubeflow-notebooks-rstudio-tidyverse:2.1.0 + - ghcr.io/pluralsh/kubeflow-notebooks-rstudio-tidyverse:2.2.0 cpu: # CPU for user's Notebook value: '0.5' From 750ca4e9d26e55c94fad723d86a8ecdae9ea1da0 Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Wed, 27 Sep 2023 12:42:17 +0200 Subject: [PATCH 26/32] bump notebook images Signed-off-by: David van der Spek --- kubeflow/helm/notebooks/values.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/kubeflow/helm/notebooks/values.yaml b/kubeflow/helm/notebooks/values.yaml index 7d56e8a9c..c6c223a36 100644 --- a/kubeflow/helm/notebooks/values.yaml +++ b/kubeflow/helm/notebooks/values.yaml 
@@ -92,16 +92,16 @@ webApp: value: IfNotPresent readOnly: false jupyterImages: - - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-scipy:2.2.0 - - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-pytorch-full:2.2.0 - - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-pytorch-full-cuda:2.2.0 - - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-tensorflow-full:2.3.0 - - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-tensorflow-full-cuda:2.3.0 - - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-go:2.3.0 + - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-scipy:2.5.0 + - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-pytorch-full:2.5.0 + - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-pytorch-full-cuda:2.5.0 + - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-tensorflow-full:2.6.0 + - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-tensorflow-full-cuda:2.6.0 + - ghcr.io/pluralsh/kubeflow-notebooks-jupyter-go:2.5.0 vscodeImages: - - ghcr.io/pluralsh/kubeflow-notebooks-codeserver-python:2.2.0 + - ghcr.io/pluralsh/kubeflow-notebooks-codeserver-python:2.4.0 rstudioImages: - - ghcr.io/pluralsh/kubeflow-notebooks-rstudio-tidyverse:2.2.0 + - ghcr.io/pluralsh/kubeflow-notebooks-rstudio-tidyverse:2.3.0 cpu: # CPU for user's Notebook value: '0.5' From 2935da61bff294c11bb66493736fe55fb3da7779 Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Mon, 18 Dec 2023 11:42:15 +0100 Subject: [PATCH 27/32] update profile controller to use argo cd appset 
Signed-off-by: David van der Spek --- .../profile-templates/network-policy.yaml | 49 -------------- .../profile-templates/test-template.yaml | 8 --- .../templates/applicationset.yaml | 67 +++++++++++++++++++ .../templates/authorizationpolicy.yaml | 6 +- .../templates/configmap.yaml | 14 ++-- .../templates/deployment.yaml | 2 + .../profile-controller/templates/secret.yaml | 16 +++++ kubeflow/helm/profile-controller/values.yaml | 13 +++- .../helm/profile-controller/values.yaml.tpl | 23 +++++++ 9 files changed, 132 insertions(+), 66 deletions(-) delete mode 100644 kubeflow/helm/profile-controller/profile-templates/network-policy.yaml delete mode 100644 kubeflow/helm/profile-controller/profile-templates/test-template.yaml create mode 100644 kubeflow/helm/profile-controller/templates/applicationset.yaml create mode 100644 kubeflow/helm/profile-controller/templates/secret.yaml diff --git a/kubeflow/helm/profile-controller/profile-templates/network-policy.yaml b/kubeflow/helm/profile-controller/profile-templates/network-policy.yaml deleted file mode 100644 index 98ff7b09d..000000000 --- a/kubeflow/helm/profile-controller/profile-templates/network-policy.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: kubeflow-default-ingress-egress - namespace: {{ .Namespace }} -spec: - podSelector: {} - policyTypes: - - Ingress - - Egress - ingress: - - from: - - podSelector: {} - - namespaceSelector: - matchLabels: - istio: system - - namespaceSelector: - matchLabels: - app.plural.sh/name: monitoring - podSelector: - matchLabels: - app: prometheus - - namespaceSelector: - matchLabels: - app.plural.sh/name: kubeflow - podSelector: - matchLabels: - app: notebooks-controller - - namespaceSelector: - matchLabels: - app.plural.sh/name: knative - egress: - - to: - - podSelector: {} - - to: - - namespaceSelector: - matchLabels: - kube-system: "true" - ports: - - protocol: UDP - port: 53 - - to: - - namespaceSelector: - matchLabels: - istio: system - - to: - - namespaceSelector: - matchLabels: - app.plural.sh/name: kubeflow diff --git a/kubeflow/helm/profile-controller/profile-templates/test-template.yaml b/kubeflow/helm/profile-controller/profile-templates/test-template.yaml deleted file mode 100644 index d439364a2..000000000 --- a/kubeflow/helm/profile-controller/profile-templates/test-template.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: test-template-configmap - namespace: {{ .Namespace }} -data: - number: "{{ .Count }}" - items-are-made-of: {{ .Material }} diff --git a/kubeflow/helm/profile-controller/templates/applicationset.yaml b/kubeflow/helm/profile-controller/templates/applicationset.yaml new file mode 100644 index 000000000..2ffe4dd86 --- /dev/null +++ b/kubeflow/helm/profile-controller/templates/applicationset.yaml 
@@ -0,0 +1,67 @@ +apiVersion: argoproj.io/v1alpha1 +kind: ApplicationSet +metadata: + name: kubeflow-profile + namespace: {{ .Values.argocd.namespace }} +spec: + generators: + - plugin: + configMapRef: + name: kubeflow-profiles + requeueAfterSeconds: 10 + template: + metadata: + name: {{ `"kubeflow-profile-{{metadata.name}}"` }} + annotations: + owner: {{ `"{{spec.owner.name}}"` }} + spec: + project: default + syncPolicy: + # syncOptions: + # - ServerSideApply=true + automated: + prune: true + selfHeal: true + source: + helm: + parameters: + - name: email + value: {{ `"{{spec.owner.name}}"` }} + - name: provider + value: {{ lower .Values.config.infrastructure.provider }} + - name: pipelines.storage.bucketName + value: {{ .Values.config.infrastructure.storage.bucketName }} + - name: pipelines.storage.provider + value: {{ lower .Values.config.infrastructure.storage.provider }} + - name: istio.ingressNamespace + value: {{ .Release.Namespace }} + - name: istio.ingressServiceAccount + value: {{ .Values.global.istioIngressServiceAccount }} + - name: istio.clusterDomain + value: {{ .Values.global.clusterDomain }} + - name: istio.oidc.issuer + value: {{ .Values.global.oidc.issuer }} + - name: istio.oidc.jwksURI + value: {{ .Values.global.oidc.jwksURI }} + - name: kubeflow.namespace + value: {{ .Release.Namespace }} + - name: knative.namespace + value: {{ .Values.knative.namespace }} + {{- if eq (lower .Values.config.infrastructure.provider) "aws" }} + - name: aws.region + value: {{ .Values.config.infrastructure.providerConfig.region }} + - name: aws.iam.create + value: "true" + - name: aws.iam.accountID + value: {{ .Values.config.infrastructure.providerConfig.accountID | quote }} + - name: aws.iam.oidcIssuer + value: {{ .Values.config.infrastructure.providerConfig.clusterOIDCIssuer }} + - name: aws.iam.clusterName + value: {{ .Values.config.infrastructure.clusterName }} + {{- end }} + repoURL: https://github.com/DavidSpek/kubeflow-profile.git + targetRevision: HEAD + path: 
kubeflow-profile + destination: + server: https://kubernetes.default.svc + namespace: {{ `"{{metadata.name}}"` }} diff --git a/kubeflow/helm/profile-controller/templates/authorizationpolicy.yaml b/kubeflow/helm/profile-controller/templates/authorizationpolicy.yaml index 3c91adc01..6a8eda771 100644 --- a/kubeflow/helm/profile-controller/templates/authorizationpolicy.yaml +++ b/kubeflow/helm/profile-controller/templates/authorizationpolicy.yaml @@ -1,4 +1,4 @@ -apiVersion: security.istio.io/v1beta1 +apiVersion: security.istio.io/v1 kind: AuthorizationPolicy metadata: labels: {{- include "profile-controller.labels" . | nindent 4 }} @@ -10,6 +10,10 @@ spec: - source: principals: - cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Release.Name }}-central-dashboard #TODO: make this more robust + - to: + - operation: + methods: ["POST"] + paths: ["/api/v1/getparams.execute"] selector: matchLabels: {{- include "profile-controller.selectorLabels" . | nindent 6 }} diff --git a/kubeflow/helm/profile-controller/templates/configmap.yaml b/kubeflow/helm/profile-controller/templates/configmap.yaml index 63eddd1f9..c53f3b32c 100644 --- a/kubeflow/helm/profile-controller/templates/configmap.yaml +++ b/kubeflow/helm/profile-controller/templates/configmap.yaml 
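Review bot: `repoURL: https://github.com/DavidSpek/kubeflow-profile.git` combined with `targetRevision: HEAD` and `automated` sync (`prune: true`, `selfHeal: true`) means any push to that personal repository's default branch is rendered and applied into every profile namespace, together with the IAM and OIDC parameters passed here. Pin the revision (`targetRevision: <tag-or-commit-sha>`), host the chart in an organisation-controlled repository, and expose both as values. `project: default` is unrestricted in sources, destinations and resource kinds unless it was locked down in this installation; a dedicated AppProject limited to this repo would bound what the generated Applications can create. The helm parameter values are rendered unquoted, so an empty or boolean-looking value becomes null or a bool; `| quote`, as already done for `accountID`, avoids that.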
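Review bot: The added rule for `POST` on `/api/v1/getparams.execute` has no `from` clause, so, assuming this policy's action is ALLOW (it is outside the hunk), any workload that can reach the pod may call the endpoint and the bearer token is the only control. The caller is presumably the Argo CD ApplicationSet controller; restricting the rule to it, e.g. `from: [{source: {namespaces: ["{{ .Values.argocd.namespace }}"]}}]` or its service-account principal, keeps the token as a second check rather than the only one. Namespace and principal matching need mTLS from the caller, so if the Argo CD namespace is outside the mesh, `ipBlocks` or a NetworkPolicy is the alternative. In that case the `http://` `baseUrl` added in configmap.yaml also carries the token across the cluster network unencrypted.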
@@ -1,18 +1,20 @@ apiVersion: v1 data: WORKLOAD_IDENTITY: "" + USERID_HEADER: {{ .Values.global.userIDHeader | quote }} + USERID_PREFIX: {{ .Values.global.userIDPrefix | quote }} + ADMIN: {{ .Values.kfam.adminEmail | quote }} kind: ConfigMap metadata: labels: {{- include "profile-controller.labels" . | nindent 4 }} name: {{ include "profile-controller.fullname" . }}-config --- apiVersion: v1 -data: - network-policy.yaml: | -{{ .Files.Get "profile-templates/network-policy.yaml" | indent 4 }} - test-template.yaml: | -{{ .Files.Get "profile-templates/test-template.yaml" | indent 4 }} kind: ConfigMap metadata: labels: {{- include "profile-controller.labels" . | nindent 4 }} - name: {{ include "profile-controller.fullname" . }}-templates + name: kubeflow-profiles + namespace: {{ .Values.argocd.namespace }} +data: + token: "${{ include "profile-controller.fullname" . }}-kfam-secret:plugin.kubeflow-profiles.token" + baseUrl: "http://{{ include "profile-controller.fullname" . }}-kfam.{{ .Release.Namespace }}.svc:{{ .Values.service.kfam.port }}" diff --git a/kubeflow/helm/profile-controller/templates/deployment.yaml b/kubeflow/helm/profile-controller/templates/deployment.yaml index b0836ebde..c361152f0 100644 --- a/kubeflow/helm/profile-controller/templates/deployment.yaml +++ b/kubeflow/helm/profile-controller/templates/deployment.yaml @@ -97,6 +97,8 @@ spec: envFrom: - configMapRef: name: {{ include "profile-controller.fullname" . }}-config + - secretRef: + name: {{ include "profile-controller.fullname" . }}-kfam-secret volumes: - configMap: name: {{ include "profile-controller.fullname" . }}-templates diff --git a/kubeflow/helm/profile-controller/templates/secret.yaml b/kubeflow/helm/profile-controller/templates/secret.yaml new file mode 100644 index 000000000..749674361 --- /dev/null +++ b/kubeflow/helm/profile-controller/templates/secret.yaml 
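Review bot: The unchanged `volumes:` entry at the end of the deployment.yaml hunk still references the ConfigMap `{{ include "profile-controller.fullname" . }}-templates`, which this same commit removes in configmap.yaml (the second document is now `kubeflow-profiles` in the Argo CD namespace). Unless the volume is marked `optional: true` outside the hunk, the pod will not start; the volume and its mount should be dropped along with the templates. The new `secretRef` injects `ARGO_TOKEN` through `envFrom`, and the container it belongs to starts outside the hunk, so confirm it is only the kfam container that receives the token.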
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Secret +metadata: + labels: {{- include "profile-controller.labels" . | nindent 4 }} + name: {{ include "profile-controller.fullname" . }}-kfam-secret +data: + ARGO_TOKEN: {{ .Values.kfam.secret.argoToken | b64enc | quote }} +--- +apiVersion: v1 +kind: Secret +metadata: + labels: {{- include "profile-controller.labels" . | nindent 4 }} + name: {{ include "profile-controller.fullname" . }}-kfam-secret + namespace: {{ .Values.argocd.namespace }} +data: + plugin.kubeflow-profiles.token: {{ .Values.kfam.secret.argoToken | b64enc | quote }} diff --git a/kubeflow/helm/profile-controller/values.yaml b/kubeflow/helm/profile-controller/values.yaml index ea164483d..492b26407 100644 --- a/kubeflow/helm/profile-controller/values.yaml +++ b/kubeflow/helm/profile-controller/values.yaml @@ -20,14 +20,23 @@ image: repository: ghcr.io/pluralsh/kubeflow-profile-controller pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: 0.1.13 + tag: 0.1.14 kfam: + adminEmail: "" + secret: + argoToken: "" image: repository: davidspek/kfam pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: 0.1.1 + tag: 0.2.0 + +argocd: + namespace: argo-cd + +knative: + namespace: knative imagePullSecrets: [] nameOverride: "" diff --git a/kubeflow/helm/profile-controller/values.yaml.tpl b/kubeflow/helm/profile-controller/values.yaml.tpl index 731e3b7de..e63705899 100644 --- a/kubeflow/helm/profile-controller/values.yaml.tpl +++ b/kubeflow/helm/profile-controller/values.yaml.tpl 
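Review bot: Both Secrets render `.Values.kfam.secret.argoToken` as-is, and values.yaml in this commit defaults it to `""`, so installing the chart without the generated values produces an empty shared token for the `getparams.execute` endpoint. Fail the render instead: `ARGO_TOKEN: {{ required "kfam.secret.argoToken must be set" .Values.kfam.secret.argoToken | b64enc | quote }}`, and the same for `plugin.kubeflow-profiles.token`. Because the token is a chart value it also ends up in the Helm release record and in any values file kept in Git; an `existingSecret` option would let operators supply it out of band.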
@@ -1,3 +1,26 @@
+{{- $argocdNamespace := namespace "argo-cd" -}}
+{{- $knativeNamespace := namespace "knative" -}}
+
+global:
+ {{- if .OIDC }}
+ oidc:
+ issuer: {{ .OIDC.Configuration.Issuer }}
+ jwksURI: {{ .OIDC.Configuration.JwksUri }}
+ authEndpoint: {{ .OIDC.Configuration.AuthorizationEndpoint }}
+ tokenEndpoint: {{ .OIDC.Configuration.TokenEndpoint }}
+ {{- end }}
+
+kfam:
+ adminEmail: {{ .Config.Email }}
+ secret:
+ argoToken: {{ dedupe . "profile-controller.kfam.secret.argoToken" (randAlphaNum 32) }}
+
+argocd:
+ namespace: {{ $argocdNamespace }}
+
+knative:
+ namespace: {{ $knativeNamespace }}
+
 config:
 infrastructure:
 clusterName: {{ .Cluster }}
From a05befc5b3c30b8b8008b0f7b46cf30ad045f3d8 Mon Sep 17 00:00:00 2001
From: David van der Spek
Date: Tue, 19 Dec 2023 17:16:39 +0100
Subject: [PATCH 28/32] init upgrade of knative and kserve
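Review bot: The templated scalars added under `kfam` are emitted unquoted, so the YAML parser decides their type only after the template has run. Writing `adminEmail: {{ .Config.Email | quote }}` and `argoToken: {{ dedupe . "profile-controller.kfam.secret.argoToken" (randAlphaNum 32) | quote }}` keeps both as strings, which is what `b64enc` in secret.yaml expects, and stops an empty `.Config.Email` from rendering as `null`. The four `oidc` URLs would benefit from the same treatment. The generated token is written into the rendered values file, so that file needs the same protection as the Secret it feeds; how it is stored is not visible in this patch.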
Signed-off-by: David van der Spek --- knative/helm/knative-serving/Chart.lock | 6 + knative/helm/knative-serving/Chart.yaml | 6 +- .../charts/knative-serving-0.1.12.tgz | Bin 0 -> 67405 bytes .../knative-serving/crds/certificate-crd.yaml | 132 + .../crds/clusterdomainclaim-crd.yaml | 49 + .../crds/configuration-crd.yaml | 919 + knative/helm/knative-serving/crds/crds.yaml | 3179 -- .../crds/domainmapping-crd.yaml | 149 + .../helm/knative-serving/crds/image-crd.yaml | 105 + .../knative-serving/crds/ingress-crd.yaml | 243 + .../helm/knative-serving/crds/metric-crd.yaml | 104 + .../crds/podautoscaler-crd.yaml | 142 + .../knative-serving/crds/revision-crd.yaml | 925 + .../helm/knative-serving/crds/route-crd.yaml | 166 + .../crds/serverlessservice-crd.yaml | 149 + .../knative-serving/crds/service-crd.yaml | 993 + .../knative-serving/templates/_helpers.tpl | 20 +- .../templates/authorizationpolicy.yaml | 2 + .../templates/clusterrole.yaml | 187 - .../templates/clusterrolebinding.yaml | 35 - .../knative-serving/templates/configmap.yaml | 167 - .../knative-serving/templates/deployment.yaml | 682 - .../templates/horizontalpodautoscaler.yaml | 49 - .../helm/knative-serving/templates/image.yaml | 12 - .../templates/istio-resources.yaml | 19 - .../mutatingwebhookconfiguration.yaml | 91 - .../templates/peerauthentication.yaml | 59 - .../templates/poddisruptionbudget.yaml | 31 - .../knative-serving/templates/secret.yaml | 27 - .../knative-serving/templates/service.yaml | 154 - .../templates/serviceaccount.yaml | 10 - .../validatingwebhookconfiguration.yaml | 121 - knative/helm/knative-serving/values.yaml | 78 +- knative/helm/knative-serving/values.yaml.tpl | 31 +- kserve/helm/kserve/Chart.lock | 8 +- kserve/helm/kserve/Chart.yaml | 6 +- kserve/helm/kserve/charts/kserve-v0.11.2.tgz | Bin 0 -> 11964 bytes kserve/helm/kserve/charts/kserve-v0.8.0.tgz | Bin 39464 -> 0 bytes ...ving.kserve.io_clusterservingruntimes.yaml | 2352 +- ...ng.kserve.io_clusterstoragecontainers.yaml | 649 + 
.../serving.kserve.io_inferencegraphs.yaml | 515 + .../serving.kserve.io_inferenceservices.yaml | 25548 +++++++++------- .../crds/serving.kserve.io_predictor.yaml | 13 +- .../serving.kserve.io_servingruntime.yaml | 1625 - .../serving.kserve.io_servingruntimes.yaml | 1880 ++ .../crds/serving.kserve.io_trainedmodels.yaml | 14 +- kserve/helm/kserve/templates/_helpers.tpl | 20 +- kserve/helm/kserve/values.yaml.tpl | 6 +- .../templates/configmap.yaml | 2 +- kubeflow/helm/serving/Chart.yaml | 2 +- .../serving/templates/web-app/configmap.yaml | 1 + kubeflow/helm/serving/values.yaml | 6 +- 52 files changed, 23051 insertions(+), 18638 deletions(-) create mode 100644 knative/helm/knative-serving/Chart.lock create mode 100644 knative/helm/knative-serving/charts/knative-serving-0.1.12.tgz create mode 100644 knative/helm/knative-serving/crds/certificate-crd.yaml create mode 100644 knative/helm/knative-serving/crds/clusterdomainclaim-crd.yaml create mode 100644 knative/helm/knative-serving/crds/configuration-crd.yaml delete mode 100644 knative/helm/knative-serving/crds/crds.yaml create mode 100644 knative/helm/knative-serving/crds/domainmapping-crd.yaml create mode 100644 knative/helm/knative-serving/crds/image-crd.yaml create mode 100644 knative/helm/knative-serving/crds/ingress-crd.yaml create mode 100644 knative/helm/knative-serving/crds/metric-crd.yaml create mode 100644 knative/helm/knative-serving/crds/podautoscaler-crd.yaml create mode 100644 knative/helm/knative-serving/crds/revision-crd.yaml create mode 100644 knative/helm/knative-serving/crds/route-crd.yaml create mode 100644 knative/helm/knative-serving/crds/serverlessservice-crd.yaml create mode 100644 knative/helm/knative-serving/crds/service-crd.yaml delete mode 100644 knative/helm/knative-serving/templates/clusterrole.yaml delete mode 100644 knative/helm/knative-serving/templates/clusterrolebinding.yaml delete mode 100644 knative/helm/knative-serving/templates/configmap.yaml delete mode 100644 
knative/helm/knative-serving/templates/deployment.yaml delete mode 100644 knative/helm/knative-serving/templates/horizontalpodautoscaler.yaml delete mode 100644 knative/helm/knative-serving/templates/image.yaml delete mode 100644 knative/helm/knative-serving/templates/istio-resources.yaml delete mode 100644 knative/helm/knative-serving/templates/mutatingwebhookconfiguration.yaml delete mode 100644 knative/helm/knative-serving/templates/peerauthentication.yaml delete mode 100644 knative/helm/knative-serving/templates/poddisruptionbudget.yaml delete mode 100644 knative/helm/knative-serving/templates/secret.yaml delete mode 100644 knative/helm/knative-serving/templates/service.yaml delete mode 100644 knative/helm/knative-serving/templates/serviceaccount.yaml delete mode 100644 knative/helm/knative-serving/templates/validatingwebhookconfiguration.yaml create mode 100644 kserve/helm/kserve/charts/kserve-v0.11.2.tgz delete mode 100644 kserve/helm/kserve/charts/kserve-v0.8.0.tgz create mode 100644 kserve/helm/kserve/crds/serving.kserve.io_clusterstoragecontainers.yaml create mode 100644 kserve/helm/kserve/crds/serving.kserve.io_inferencegraphs.yaml delete mode 100644 kserve/helm/kserve/crds/serving.kserve.io_servingruntime.yaml create mode 100644 kserve/helm/kserve/crds/serving.kserve.io_servingruntimes.yaml
diff --git a/knative/helm/knative-serving/Chart.lock b/knative/helm/knative-serving/Chart.lock
new file mode 100644
index 000000000..1fd494dbe
--- /dev/null
+++ b/knative/helm/knative-serving/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: knative-serving
+ repository: oci://ghcr.io/davidspek/charts
+ version: 0.1.12
+digest: sha256:f2da0576ad6b394e030b8ea87de7a269abdf63db395460998a4110aaa2a39366
+generated: "2023-12-19T16:37:22.233074+01:00"
diff --git a/knative/helm/knative-serving/Chart.yaml b/knative/helm/knative-serving/Chart.yaml
index 4372e3c5b..ff9c45a46 100644
--- a/knative/helm/knative-serving/Chart.yaml
+++ b/knative/helm/knative-serving/Chart.yaml
@@ -3,4 +3,8 @@ name: knative-serving
 description: Installs knative for plural
 type: application
 version: 0.1.25
-appVersion: "0.26.0"
+appVersion: "1.12.2"
+dependencies:
+- name: knative-serving
+ repository: oci://ghcr.io/davidspek/charts
+ version: 0.1.12
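Review bot: `version: 0.1.25` stays as context while `appVersion` moves from 0.26.0 to 1.12.2 and the chart gains a `dependencies` entry, so the chart keeps its old version although the diffstat shows its templates and `crds/crds.yaml` being removed and replaced. I would bump `version` in this hunk, unless a later patch in the series already does. The dependency comes from `oci://ghcr.io/davidspek/charts`, a personal registry namespace; the Chart.lock digest and the vendored tgz pin it for now, and a comment above `dependencies` naming who owns that registry would help whoever next runs `helm dependency update`.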
diff --git a/knative/helm/knative-serving/charts/knative-serving-0.1.12.tgz b/knative/helm/knative-serving/charts/knative-serving-0.1.12.tgz new file mode 100644 index 0000000000000000000000000000000000000000..08aae4304879d0cb26729ef1af14ebaa105e1b61 GIT binary patch literal 67405 zcmV)hK%>7OiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0POwQdLucqAPCoO>nZRv>UXf zr|YW(-9Zv5C*TFZB{3soZs&d;ah_y87#4>w+_W$hnZ!kAh>pczunh)-;hJGZZ%8DG zxS?#cb27$4wWoNJ{^`+5r_<>i?Crt-JDpDT|DA)~-9L5r_V+rwyL-L;gFkh;d%NBJ zKcUX!fiSz|Qep9@&V$FQPVO5iIHNxjAt`5lbkp0yS?2%jw!6J{Zz~}gVF_U|C9=O2 zp_sFTDyYGTil|hSw+X|8lq6dSF+3r`mo0<@$+)D7i)kP6nD%#eM&nqtDc?!(4NYW5 zu6JThc5(}$8#j8V-EAM%hl`0&6U^|4h{i#K?++S!Zz~}(7Bn+MAEO^gIzdnu4Y@#n z&j&;>qKMoYb3OQ2sZ92Fb}U1+6LPbY@L29_8Q?06wxy;S=_8zFDUGonWUDlOx3{&H z^>60?l*iYPH^w6V-#h5k_`lQL@c%kWmAfCCeV>Fg>4-?xM{2V+ z2&_obN3C9`w;OePQTNSNcfY@T*zfMQ4-Sud-Glx8-T&2E4^ytORQdk~r#X?2YXHpU z|L(!w;eNNu|N94r8~$HM8Kr!H)BYCHigrjx`dgRr)llSYp?lF(p)Mc+=#LH zQ!7uLZf*T5CpkG6{BEjo3IiJChN5p|WS-+fK~jPxktHj_v1U9;cA!(}Md1;EqyJqI zh{^uJo8fK;50c$(JRsf9{s8ax2K(I}-tBdh|d~|fUJ52VIZj$UB zb#SjY=p79@2i?Pi&QWjwptBeE-s~Rj_Mp!!Pt$Xr(srUJ0kvnC&#A(WJ z&jr1qDH)Md8RHZiD{_caX;v@BnW0@!y9i1mc;@~cq2qV&EXr~6k)_iM&eeA`C2}ei zne>qomJmeFj^zi=bcNt&N#dAKvU9ONKa40VRS+o{QK4lhO%Q z954z**_;_0t9f->Aa^F#((8RRvPSfI+I$9_Y|<23{2Hn5UfZ5^@OtH8%$Ge z*!R&<=ihX7oGY%eNSR$UYxtMjT@Wy(Wgm6TPx!9*sn@YoCq_h_oPYYHXi9&DWjQAz zCQNA>N8L`xiYrs|JpewV@=-?v2P7Vo<2dFyQ%-zdW+bLVN+h}+6E!9RVOJAjQx(ZE z&(j1Ah($xvjFJ~9pg^QJ!bzh4rv+)HOGADYdNqAqjY&xaSAkI+<&v~*?Xw|bTp>vm z!Yr{cAu0i?ZG=r%R3dLWpzmN1s56i;Z3QE zHyy_zu<+;QpGzHNz*0`Lxh{@6ouh^>{Lf(*m4=PYy1iPnUb$Vjx!rE9U3sp1d%H~y zyLLb$A*^aUJKx%J+($qeh=9u;Q8)N87Ac3_csEG~9kSm!+&$Vga1S4L z4tJCIFxh*94~GYx-Mwyacz6_dk8q6R&VIL>9CY{bLgmmb@vC}aqXG0XcRTY{K)0>} zx*e+nR+Rykr;}r*=yB;sgfc;fL`wn%XmzZTyyBzh;je(=^cr4SO$+`-Jk92 ziinB(00_VXl6nAx4_dRRc>GR(m*o!#;Vf$x2BPKxy#$;QruwKt<#s)+Q2RTX_EEX% zm`kO(*w?-#bTn2*P5qAL;S7mrf1V?te#o$%;0r{Jk{f3@Kzg8X6OyHTN)p6{R&-l+ 
zlj5o6Tr|$`B3XBcag2MzqfTeIJLv884hPBp;XdAbbGSd~zDeS}z1_V7(%nDm9ljav z9ULBZ56GL|-cfh&=%5>S1{+y-Z&}x1yzVVBck2x{lCGfhKen{12`$Z3f~VH1dL;2u zbh=2iklxRo*=_ zk-T+F24l{z`;Tbb*)A7uVBhTT9d-7OdcDJ=-K4w!=BV3EI%F??(>>_E8FUVNZw3cP zZw?1TynA@GdqBuRynk?Xa6tAC*OiG<9$ zHVyJkh{kFcGAiS0t`kxJyk(A8j!SMs^V@rzHS$b?6*eFKN$&6@(|q$=WCwV$ptx#i zZYfne{rBVd=kHF@$;S`hoqhl5;`r+9b;Zlw148JTqp6*76CD^9j+mz?e)B zWeB5NJVk1Zl?DsPF_DrEQsP@1qd`bh=V#3qu}Tq1sQMWxJt=#7JHc6dtBUHYF_8pG zSkW?g9;^wTf_=m@N)p6#h4`=-T@PR>!eUQPBWIK)ged}6(tzlhXjEu2GSx!(J)+|= zW+Q{N5-jZyUUWfjsMHXiI2C!qS)2<&SUg2TO40;LZ~N)aCisp{@(E)3WZ;d`7upPS zN(HL<{!ok=8e^8E1Yw0Zi%C2DS`1fA1DFhDUUci_8uME;$>Xsx_^|STm_;+|D-{mc zQ!1=T8=baCZA6C%7t<}~)HrcIMBUD|o(Kz;hoFMZ(Jf6=q{LK@Khg3JQ-%(U`6&HQ zMq;z@84+6M7wBRL-w=UEq*#v+9E60X0?_AXhygKSb7uMDCd3)LRv~gjM1jSW+>jK# zI&rdSyO_PU<`EZxA^y4m<2x=;N=7)I0{IPae0_^WqG^AUVMT2mgCJOPCbtd15J-b? zDmm~~rljw0D6r#r6KQ!eOb^n1NRN)4v=oM{~HtMtw(f|8@|3B!k^KY+1I?bgv z7w811AyJqyC%IG_Nh1)lLemCA-F9bNPq08@v5aPKg0Mu`!xk*U$E(x6A+TU#2`5&L z4TmIl;>_}Zrj}sY9UD|+t0o^UT!JOk(m;@y&>ON1Vvnogj?H; zC(=yXcJ1co$BhEgi43nrSzso$4m+)qkZ2}4%cY4iN;Qk#I$$bn65zhfF1KUCN`2bh zmR=m#)EN`f2D?Bcsu~wd>FHV1sS2f8!QMFoULr|2PO;oSX$U;-$ep%6sY<6o4~?_m zHkb$M@SQn+byL880v1<#0)?}%0)-iIs;f5wy=^FC25QG#&|fvATJ}Q)Q@x0|MFXti z;>-}X1*s7$pugRM-Vzk!G(|1RhssE%me)a6#TpfkfQhN0W8ax!85z(rkf_nnWwwG{ z_-vA=ETK0v(VUm@1Z9G24NhcPrIp13MzF`FH@;`7m5ApXS36Y{glu7kOqb;thztm& zPp94KE|Mr-wkN-6(>T%Ng^Lx~1uL*KDsTQ^O| zky*F;YWJ$EZQ&i{LMm|3#M&+?TdR`(3NAuZi3ZxHV2r?SwIpE~gl9xx#f8=jAi}E5 zQ_-+5X4!|C;L6E2+kPnc1VMbGM#*5RO(DUPJT7*xFVL|IB6RZBf{HS%#_rhHajML) zAO#+bU$iiVt$$P-mqbdlkRXpFQHrurF^RKb>4R=!ZQ%eQC%>8iD~W%giCLoxC06Z=OkJDQ`l{4m0KoxaSLKs&iMztdYRYe}< z8q&r=3Z=4Ou#ezcXJiCUS7$Hlb*1bEr_{^YMgTOEbi1vxSz(A6@LBAT(1a(XW>A=_ zL>kFZ(2mm#p{2%eKpGI&;Voqezb$5R8UF0GF^Ex~5-Xg&<~E%~rgk5-4mz?r4Tyl& zQnvw^1l()@PKFtc-LQh-cuWfP!^cRC1(9Q(CL!ghLZHmCxqMH0KQ5#lO(V12fbHVz z%zofchw%A`F3s$AOyhA#?q+J{Yd9}=JQ5HVQZ=@y3FljewTYaJx(eZakMFE9&NBq=EaS5`!a)CBfH%j?r!3YRZvqA| zoOHF(8Q3$SZw5R)8Yc;nRFK42+&4tXyr3A*QTk)C)+cb@rk4`*gw}rl(iXSkC@^Zz 
z+61s;tyw-qy>_Q!zr&!~5WosexKwDw(Ffg6??VBErfx~uC@mRc84;8x=v7a?HalZa zDIdbs`|w}8+gc3#-LEk!8`doFMY**@AEHHTrg2|iHT|nww_dntm&U~9=vN{* z8WOB>LC`S8-lQ>yPqrV$BVDnNT1w<(RyQMoW8$V{mrcyI6ayrrNPYu!piTPwgv-EwhF z+30nBKMy{rOmB{igHanSRBH3|hH9a$DN1of*pQ3ZOqlD19I8NNm25ewc$SgGTEZF> zZ%u2nzhoSk36_Mf)JtVSMuKF5j|84fK*?~Fpv zK&2acLPz7^RAfN3iA{&WboCSmB=A2sS=urm4rxpYQ|T0?yk^A{0Tw?aaMYou&V`0j zO-@=kDULM2nj|>LVEJWmHsg>Cc%H4Yu-BvrYM zUAYDP0#Wir)4EW3rt97iF@;Sdlk_IAqph1#39Oe**8~H8ieBkerC`L$2~LeZ(L7_u z9Rl-%r}}mIpe(~G9#6{-uvD8n!k9#E0($75XRpuC25kh~aP)=*`!~-;Z~{|D^%(0d zJ(zvXbkIaLebfrcL01WaDB~1MS=q=t&y5~8(7I4H;9DGqA%XXS4iV!F*ueFev^96| z2~~=SfI6ul|01{MtKy3g?=)1REyMN3H7&w*${dI|!z!c-VtoJ9cWe zkOd0M>+%}^oHME*I!Vv1?yu7_{f-(~!BBC172WusiVduHntHpu!VJcWaCp$9X?6w9 zXK5U29&VWrBvIgm33i6WI;7GO7gUWWNVAbSe(&$>45(_S)1BR;f2Sw^Yd0AG26W z8yy0l43pMTAacKErH^4u=Zo20*ciGZUXW1uUk$b8W?EPk9BJ{qGA_2A|4~z4sETKS z+ea;k^(rPdp=@P(m{8WV_{Dr?t@`X4PAHqX(jG)DO#{fC$-D~We&h3akmI{KGRkL;@l~L1~zLOvG94g;)szahAh` zY?y`?zEaW=3&pYPMTTw&RN`#L3)b|&*St{8ykE$Qzmb&Rf?8uWUG~2 z2h|l=9rJ~Va4WDR<`+-IB+4>q*{`CdI-3#^o2}3S)`m*8_8^O&3Ca1XJOW?4-A%XS z*t%Qrv;J`zhHk)XBRfBT)P@s!9A0(^?m3d}-Jg>i@VqP^o2DzH{3+PjVdQY%V&rgt z0TUNtW(-eAX=#f7Tej%}XPZX{O`wX9x-IG=-tm=HyAXP0oVa?0)uA(}G!eHj0xzF33?UyNBrxlNnqWzJIT=qR6D%^toM&*XxhjChJt%C2Xf zsT*$ePN}k-)4f<3_YV3nBGsPtp7Z1~Bk{J0n>6fU^}9PE(r751{sylHlrEmb`vH1h zBvW$70xqK>qG`w8sEmT0x^y$#d12kJY!s=npLnz5gMzjZG=dwVCPV`0HRHyC>m)ZH zqE{NPzX9?5=6w7OJ~4&}yP<-!31Lc_-V8q%k#=rQE+Q-+jfhl%nW?y;*224{IQkjJ z{<(aD?oc?QYMc++F`u|p9X?G5l`8zoeKIlIA?zAmgv^_$b&6{6IXr+ocQDW zm@_Stz%tW~FinfWA>5Qm86^ZKDP_bQ4}@`w?lc=@1q4-1UrKOX)Esf)&K6g6>nj_c zl}=Hsw?ApU-mdOr%ks1A3Dqr@0jc6mSQa4Tk|{s}UG97N8ODKO+AiymyOk$@4$kI( zJ~cUhex5z0vJ+_0l&ov#-iU@2mQOyfnk&@|yX55VxnxJ{oSIv;qopQRa}>>Az(%** zlD?lZv~&Hq-QK-GpR+tq33$OLy}dfz{F-RZDJ737q_O~8)4~uVoF|m9*y@O2hA8sk ztN-WuN2BR#%JI8O#1bUu8x!=ivl;Jx_9OH|v!pyH05bBR^ij*VFQ#*xO749#2&2?0 zI^S#?rr@owdkwek{xxkiuA`psBvVsZQHNVm&SAKCxXKy{&eh4W*HKF@!fd!~f7%*K zg4=Z?o?%saqI-K1@?9wxyv|&qFB%483U8CjsAn@;LI}jRM3>? 
z0`XgB()R_vCzHo7JmS==R)$P*(;j95;qbu!Q#*ttWshQc2!v3p@R5{aaBrxz>6-rP zf`BU)Jgmi-k{h!I5>JS|1>!vDa?Ec{_AQ8Cy@o5k1-|QmA)IA@mGID%xijTaXoMC( z;Gd7O?Q6@?N55@3&Xx_y5OJ3Ekr|~z+FE!!`m}CO@Z(g;#@1=ad{WNb0~?q$wevK$ z)~LU{2^S+GuWd!Hhv6tVZ!B($mF}P*4qidK@{r20a83un6f-YiM*g2r>UF>L>;*s2W0RR?97!KK$pZf(G=gqcwk=SSIeSR}8&Nm{)6B0Q{ZLh)c zN5&JaQljD!u;ms#K*P+uyw4gh4(dn(*qRO;+_SOd8ksh6n1Xm^w2iq`$0@~I^OX_t z9VKaUL59zoCg5CJkl}13xElAsfX%>vl42=8=uOgd#)L4yM&af726WhJP|H4Tu_{{L zez-IbGdyd2Bur)ibP%|WHLL%eg(F?;kgY`q!UtH`T+>JFpDRz=@ zW5(@TjDt$}%#sr#$Ipk{rNs(tEDE$VP`#^ZE6x`Hi5CEJjEkg$CKEBlqsk1&1l>@K zF2`7qbMxtg{{pFEG6LCOY8Q*cyW|9XOt9-U*UC*sB|9walVLsJpk1Pb3can@xK+1A zGm%-*`Vr4^s4Z=;=OJ3pGO`$mJO<|ATQ{)vef4{Y-E%=X(ET@|lQRpgQOZ&9z)Ay( zT;+$TX8RTm5zihq(m}caE56=rjMQallb*s!Qqoi5<4$w6Roxr3lDaC5W4vCa<2)~W z3*3GO*`(dUsEXvf*irg$Fya(pTt|gi9YgO+E?vUDE5;4^_bI?yiCa4z(p&$4yxgla3#VLhgP_2Ir zu+Y(fjPVWS0N*QRWGn zz?fVHZ>Edl1)Ji&wNhk~K{^+TQJ#$iPJ-lKB`h{~;!ehjo*;G{)RTLH(Mi;CFZLv= z=VPW5LB~rX~baL<6F6eL3te0!vWaIgU zcDW;HxFi;C1y#fz_5n@T;E*e0Vu?N%VPp9&mcj^hw*Vvd6@)OvD&xr+8y2~M3q)-D zC}l3ZSv!9xUXz`k9@$zHn*3zg18gbCnuB4d z4W=Qybz>SpXT?2AhF%7b=DtKjniBNN+h7@(wnYu&r+HoOIq1L~&BA5Ml-OKW#*lI5 zN?6(6RyJWc6y8CDtcTWovEG7GOeLVfCyxpGvO8fzPbO$CL<;c;Mp&U8qGE06P&VW{ zm=)dB*0`gCz>TLxjxfC4vIvxIPQ03pS=Xz1YLC`){b zcaBD!C+_N(7GIDKJ%+PE3b**%bx>*%)+KO^8|C}>j~qc$lB=5lnr9k7<7!9C6<_~* zECzT)&l~VVII;h zb#~TtHQO%61dHo17eFBt%iPhjTfCA$WIP(ht-iUEYu6_uVuG2uz_9?Xr|(aKC|H+bdj`4;qQHnqtkEwyKIn1Q_mmsnHx9SUd5Wkj&=0FS6k)Vvf=(*pOvD zS{3@$!AA?Q+3hSdQ`;>BL659-x2s-V;%6|YRn`y|PmtJ1VRLoVYzC_XV^4ZOplH)G^3OL^iiEjXFM(_|I}%|rLz z(YQ6Ias#Tn`_&e6IJQ@u&gn3KQsb9Tbw)?^q4rf;4b~g3dflBut7p}D7uXo_E zJ`JSAX1}x9?>ztg4n*fiiGz`v%T6h0BVef%$l5-sZk~VQ?p;?L|0}2F3811o9$)`A z)ZH(h>5}f`( zcQ-Oga`WuJp>F5FpqGJzJMksZm6%4w8(bc63!Mg?STW+3NiSTQJ zV!g|;V+#v89LU-(ugO#v)7D!|7NoESL1OxJc(xFj=VYt~;iHk=d~Q_7Ms+-Y)p5cn z6V57-y6dAZPBP{R8DRga-mf@|Qa&1)9BvS7TU^Ziyj9RlDYZ4)OCID@k%g1Xa^&9fo~B27lEGF+7}StC&Bk zRVGAAJaXOGzp9m_!tu2dICk}lA8K$@MoyVSP2;Ri4R)HoYjgykspLlooo=<3vjFCF 
zWF{L{2)=*Ws{ZQ*ddEiypmQ%e1xLHzS^CvVgENR#v6Zh*jkD=iTy zP(^v$;ifq!N)RBRWiA~;1pVAqJ}K(0bEWmL(R-s4LKv1_^cvj1n}x5foHqD0x~vLq z2Nf36fxm zuNBOsUBW>*bSg~q1etwMCP>t6cY;{|p@|jrz06A5WY_X1izCg&;HM{dX6^+<{TjAl z?9;nU3&8T}QG~9EHgi`PG*~*9?!J#&AGkVW;Wra5rT2~y?eGu#X({R|SO>Bq6^}xc zC9%zO2Uj_ZDoWUw_QNOZK^B{g5P9sQ4&7edMjyU}OS=GKJA4q;_u?}w=x0@%0M;@z%6-iQl3lC>txZqGqVd-C8)Y_pwvy(!_6fYCP!+ZmR7|~`U z7E`kh#oZg&FKGS^3_9X+VL{aYh%ilK1YE+I;DeM*u%fZable~>E6={ewE`Ce?%zlm7+0Q{<->ql=t1tLsQLDFe)jmoWP+gxCR2Net$jNIBq0dnB^Xsm{L8Ukka)DSI%Q}^(|Fr~4Q zC@Mc$Y(t#k9Ru@dLxtVqF%~#hCf*+&IYB>1KU*@V{&FzPk`>eq|11RR=g;kcroVjA zwLgDu8=C*}rS@zlW>XaBQt=7>)t=h0(qfKyz+ywh2uZ>li$8(%;B1sm!I?do5SBo2 zfJS0*i#NlfU?kU{vsWsz%aE3~M#kYSb24h9mvblq>HW(c3g?enG9R?cbn>#$V=MtO zG?oMlgLOYc!+vYXdFuEfN2vL za;J!3IE@^5shhm(ppRN_m$-9s_3pAHe@*mYt~khP*jERptA-=kOiP8+v`~OfA-f&4 z7RL6aSYih9x5kR40#RjCd%9U!q)YTFrPrj7aF(@$WQwl?1E_rC#Zp~mQe^|t-z1(h za1c0KyAt!*V>B$~qO~LV`K_JF0NSu{Uh=l(P2B$fPr+wt6PKFm|NZe7w3He3DOa^| z`o%yWK3<*n?cJl)7-bahbKo=^V`N^cu}_svxK!yBGQ|eFFUl<0C?Zw)riU&=xCM6G zhW$&JOvG=iLrg5BF*jO7SS+TQ3!a!GiOilV@(l|~)X-P)ER7$rp?&b`Qb6fth`iYl z(4`9{D4C-kf5Fj5;i(AsQUU4vGl1sLCL1>#G6WTTqZw6v)$_`GL`G#e62YPb)rKD) zmmeDFZGpHg-|jbt;}2I?=ZLT*mob1$%nVSZ$^-j)gn~b$>dVG)Jy&#xnfnXQN)ZngkflX98 zagJVv{>bf8zIL4G<$x0{F2X1L?344<`566`(x&;kX^i}>(@E$E44kqz6uW(DM&e@o zVs6B?Z31-r!eb>HSK!Kk47Q3e%v9wOIO7E-#@k>QtLhtu-K}PXBKivAsNy`uqO`e$ zQ#zkN99CjJ#=#-CZ8z{>@mWdW9}fv0p9FyXriK>!%)eS^(N(4eC)&d_4fANWL9c6& zMNYO+;haQSnvbZx0u1?j5_8=Kr--s47ZZO!)kX0aTob$w=#$o)WzKjKWXdWIIRi>K zJD2ADN;-s;W+556>+~ixFLzxfWtsI#~Sb+StBbsMn+nHXyx$te~bg<*>4^AVd?Mmt)^;6%? 
z&+~Ee^R{t8Y}=G7!4>~=yswj=ZrD4PwKnm!!YJD(8 zN=!B78Uz7xXiC&S0W~Tf;=${ib_tByJ$>DG*bHJBOc;epDB}RI>r(D6xWXUw=aw+& zOheiPCTH-7Tp;jfkXhfNuyi3E&IaKaG#-;l;L-Fu{!bV0;I4V-+|lsVY`-v7pzmga zL3lcWB8c&Zr?y`#Q47qiR@u!f7MrV-3MB-m zR)Offfb$7Jw#vYt;Cf6rk?f^H*Noq4I@QJ!IPx`1-csoiY)LTk-VcMkK5A*>&xII$ z9B4h|q`@CJ(5OTpn>eFq8fWBcrzYmTZ6)~))*J6pR9v@oGv`RJded*zxH08N+VoWko0$U{EQ0+ z^3MNoZ9bj7{p+7UU!4AUc6s*k!#_Wrz5P;pQBIpv_Qf_sMAiut<{!Bg6r?Jo+_gDK zG;k(;G6ZRF+k<{Ef(0Lh`z({QByf@Zt&i|fYo<=Sd*ogksV?w80rsB1#+fQ^do-8jW!l+#v}j4|by}9;G)a7R@Q% zo!arIouQLNlfgu*H*8*hg{!@Qcr1hSU&=@uz1JJG%>HS^l(EoC6KlgL!ywuSQ;_1a z5Q0;i0H$C@Jc5m#2G}@5vXrX&gn%w5ZdAQN7Dm2#cp^m~yNR z_H1YV&su+}tzYRf@J1EA*Mp=kYS|YW5DbALzSx6R4OU?-+B?ue8eZ4Xcq*1@SPor4 zJ_XgxVO{?4%BW>8TSL3Da<8;L=SeW%pf&tjTr7a+U)&rSF_Zv8TQK;=*s+3>dRKrznMO?$~zvJ3riK)KDkd0 zvaVy=!kJqfHB+Vs9TA_G#A)OC8cU@#6gg~ z&09?+(;%15;?T_Qr>5J7hL^N%vU&KJF+Bid{v;gs8kiG0}4`IOz4x2;0d&*MGNO0s@N)3t8uS9T&9s_^=4Jl$XGc3)^ ztVO7PZA5qc`^wyEm#^DpM>(V+7Ict1(pTYQ-jx^FU1u2)evTHCplKTlgMB;?zXh#KLgi2mt`4 zJ_0AWf6m_0w0B1KXHxa{9GYHYdJAa0+&QlY8TRk1xE}ieYGaVS&yoBt;LkKCiXDQ&} zRQ8Y_oVQ1v&QaOp;|}m4Qc`fPoMyBgnkyd+?IdK7k9Gk19oIz_&4uDJ_Ov!kHaQqJ z4%BbOfm&WI3t8(|nq5<79%5mfk>DW9Hn7^EZ@>F)z|F{!>A-n@;HDRxW(tTKz(Q|Z znW~(|IR8~)LBJuNQ~y+Yz-&A7SLA|&3P+^*&^C9xjb+%bKau`suiM?h8Qr<*?Z^y= zIV(*VjGG1s0yv$sF%9-X8VnvR%v^wxB+N&w7|9s;!n7uWI0(J8LFfT=UblbGiHHeP zctp^vPSkyEvSAi>JD}3mHq;ggdk6b}>hA6Db#{06diw`| z>U0kdd)+^w&clXXuH;f-@u$v%$Er^58!4YZ@BC%!^e%I`l~~{nipN-}_SRo^zI@sG z{5i5$wot1=GxmOARMY~atbGE_!M)V}5zJVq`O)UrK)-3)WidL~g@4k?Wj-9zJJgC= z$o8d$#FsByTL9$=sM}xMK2ho{K~S660J8b3P%Z zXMW+5g!MKHn+Mk2h@uj`vUZQXPytMzk@$6c>ul%`8O(JT7fJ`nvr$UL0aR{X?AY9S zFwibUu&!H1G97xHx{n^Ow#v-!%iukgzMntC9QuD!vnJR!Ak41k zF2cUE!?XiRvQt0KGB^7#U$$_Twaa&&?ScS2^(Mcef8|_}3M%To7%iGagQ@ArQI+%D zH=)wsfL|7w)!9akpqQ8a=3&hUhIaEz;HnCXNqHV2`;{hf?4$5ko{kUTzg%iw-n-Qg z?hDl6@u`CD0g!LIIz+zdT#$Y^KYj>UKVmk#5i+0bGKj z)u&P(*sO9q@@uMCTOc5#->ubM^fcn-%VLAAY#xdg*QyJOSr z!z_JXuGThA22?SwUd=hS%?u*Aj(kz8g zUw=u|1`60WZ7qrM*NaD89r??3wc0Wi40!K#2-$zBg(w;1?77GcY8z-K_->WvMQz*M94dKy 
zELu!+E$`&~( zEhCJ4IOoY*Dn$;5p?}Mh5mAq%?KQ!bH2(c{{!?iEV|QvjL#}HahSjV9cKQAQDo9ZH zE|}l~KncqW`QGC9vFCyy-c9zm{!4hCTc3ytfBp?A{vUXf2EFta z%k5?OKk@eeJ&eC4;y(`eI~D%#?(Obv_34aaar zbV(n_fINCk1G3T?q(Nw~k$Dnkdi70;EUvQfsOWyIl$$e>cXc4-)>#)Dj6#I(P*=Sv zdXFq|fB*6O6aS-4=M5xpq6g}8FoBru5g)~&cgFR1{_*WUKODb5t@iny;FEsvBQhaK z-YZl2{T!=tACPD{gvyf)3p{m;Z5jb^0D=b$Nb#@&r>0Z%r2Cnpo$5 zzWez7_h%ozZ^UZDN|{?YZkb9?>$y;f83TR%+vVxSkH>#Idv|vA9}gL>l#FB6pzlww zF3wIa|M~Xg`{T0@E01J7!6q41Q~!Ve^taQC52shBm;XF@_v!NL^kVs;isSQAhOuy% zIb04o&rjJ+wfcN!uCcQ&bb?2-Ogs1n*D@qkTujlIFa0?c6&|7As&Q?l5Tlvy5z|3J zM?@<0<;(w^Gm5V?Ycl6~nx2DCW$v^xUoGq*r8k5TDbEETkdV1-Ql6`^Aacypq>sA2 z;PY6i?EBDL?S3@3GG+OLqoC_Z(?Lp96lP+m&`vc0s43b??W3bk2@1-nqBwm^QartM zmtea4K@D?5ruf$J-zqzjt#BY2N_8*z&jExtoj09e0O!aLFLX7uI_h+eYOVa;k$LS( z6E^KMp1X6~?AF`#V*i^UIH60f`u?+9^vaU%2h%b~7H|$$2!|R!_3a$L-Igy*5iWa+t+jBU)n{# zLAt5$1&+yi8SMw1&SL9~@r3v|EZ=kZ>jR9lxg+D@Pz#4Z*12DvYDC3TBC2L+@Z-~s zoAH#7rk9y!>k~-gk111+3dOAb-!l9EN}a$x@A6rS0gh+;1{TGCboLG_`~QQ(y^a5G zEhXIl!z$ujjk&PL$?fYS6ISh<0@n7s;AxY0a0RcxLYk^L7F{=Clxyj6O~~weZ^wej zQzH9Y5yBb$Uhq7FVI%Y2SD}{RH<$f&%WNRcO*Q@34G{xdXG9eIUyFSB$1PUzxZZ!m zwCV%8{3%P05k*_~U)8@+c)WL=i~E&bL4v2m?n~X`%t6|g3yKIi;Ym;=b9hS*sIugi zxB7mmQJ1k5{BFB`Nx&pI+8qAT$z6P!t_vteU*KZRfFA4IIx@jQowAPy}t5y}i#MVR|ivr1NgYIPIg>1~7Gflct} z#=yo1*p#O&_tF0#fmR3wSQP)WThsr$`<;#cUrU)0|D$zDgPfnGi$cX6yr=9QxF{>} z;HmPQCVf=x43&S0VkOc(q{WFKGv2+`!`H_3b1cj7f1_>knEZcG=l|a3{?}T{YWzRT zN?j}eM;3~W9C(DX4F6k)r@bG%dJNzq{y#XZ#{czt2b=i6wUia_%2%&~R6~Z{wq&&} z;xZeQXBA~U_dKtHIb4lyt3|fWILHe|db%sBrE|1a)yuZJaPCh=Jz^56II)kFW6pUsTe|N2xO68yg`{~HHr6pX%-4X}v+_v`!r zPH%U^|LZ9A6fHwKDzY}Teahp77Ql(C*&sG*1oZ5rM@^sCFaddazkJzpGn=8cd*4>t zn5Fptffs-l@c+SHx61$B{lm@ve=TJV_kWt1{%KBlRyP+!W9pTH?L{fs%2&QGwAAzf zw?Ih0p5=w1r68YsW2jh?XLx03bH!(K#pjQC#iwA)r@iA-jI-#HPqpUiw|uHSG+*mMKGlvMe9`A%O;SlFeuHrZ5K>#yem)}ycA z3#>=|T8>~d_8NS_e-sDE?ESxu*|SWy%6+eDS?K@mRrmj$-R{9=|G$pX82|a!t@)!y ze>zH9k2iSsp`l2NO`v@<+6nQe^~PWW#s>EP5vJoZtnlD zrOc53e$5|Q0|XDreZxAyW9LCyV2NHfdSFwYwk($a;4gfD^}mGt?^fi0_iz*cv8K{2 
z|IL~|uIz_CziGK|u<{U@zo>_eyx)}dmWA?vNU+KUS-1bEw~_yADUI^~JGbVKssS7& zeakw)W99)`V2M69dSFx5Qx?kq(Gm%s7nB9^zjJt4v;Vu@P5y_qlt%ggef+qRe-wYq zGXMMdA<}+s>#r~87xI4!H`gM-C*}8Y1T3`wYWZKf`X!UbWkH3W zzGcBsLDK_-#L_)|eSxtlzpJuX{+meHhZun?`+s|#?&kgP^^|7$Z`b^B1b-0Jw^XQg zs1ILW{<4^SMd2z!f@he-K_U2MerrmVLtl>auJ_fyLM-Rl0o z*XeaP@gHj`jq?A4UGqmZ{4F7^BH)Wu^7p<3xPpXtvwnbtU);sA5?=p!=XysiMpQ(l zqP&G#_Eu)g)TeADh?G&BVk!Hm1-07t*LIMMKghw~nmwQ3r&g)!a1xKIf$SftBu}K` zHu`Q(St$Q`cs1>QT41sNr(5;^>>h05zt>V4<$viq;(B%gGj2dGttv`nx}F_D8A}h) z8q0RH*&S@kW0!^UUkMyPt^cQUSo8mPy89dZe=Vg^{$JTOe^mS564EL{y=bxqaqcGl z071UEi)Sao=kmWjGYS5=w)bBSHs}9qDJ$l6D=6XF9o)@K=vMUcwX?acFq`I7ZVgj; zviDyC{(s{4A9~%|{_kKD|FfR*^m)C$0g>@_b95~S@N-PiwH)O0vU3Fj?T?+BYm+kT zTS}SrwO(5Y*yTynas}fo$jMc!xpG3TS`UrcxMtUyHK7@)xN03e{c8)eQ(8S*UZ@7^ zycprzN*Ojg?^Yf4yU!yl*ZjO&0mVH|(ygGwSsAwisJ~k7ttU#p70iC!nYV(W*OhiF z7;?Qiw@L$V9$)yqmZkRpl}f>uF2YG7h?IDcl1NLp^oEE?3~+dBXwms^_n;F0v)et~ z+r)parG)!`ST>xiF&Fe#VCMGq5%}Z_Kff_mFL+A+Mp>ej{ezqXD^k|8^B@SG61xY( z8U0@HJez~ZEre=ld2kkXYM+5o&y{e;F8-(%62ZY3zv$k`gRQ z`-A&=Bk7-6dAR(aP*xTAm9kL&cdPIJ92{=)Kdz@dXZb&QhWTQiiNFWkY{dGeJhUt& z|LyJ`8_Ia>_kTJEht>F>-roM^{_k4KY-eoQrL!;ss3Lk+(+W!oq35Lt=DSQP$ivlx zt=gg13}4CKQ-@^E=Ks3RS-jJ4E(`g;_WsxYUZ=O=|8y=M|J*UpBNaWwr2I!w;f9ET z?PdgTOh@2jhkx8+6_20Ruv&%x7w`0%%Od{Y@6_M_+vNXTPkBE4U)}B9kB^-zjB<97 zr*M227ce`mZW*o?>4Td1J+Oqmm@(o4u{=$`?Tyb0{6F8xI7c!pNAoo)Li}-(ce}BKK|9id7{(mjyx$wWHu8O_Cq$+-F zi@(*X8~7PdjQ#E%q0XF#_?Rsl>NKRI3C_%)ge4iLOf_r*$PKCdZar&@_5;QT1OLpk z#QifNDY5^|V8c*s9hRD$hjd2}sRWG`Ny>oOahK|?z|hW+GMv(1iKxuW!d~kRXMnp( zhsEUsS^azF2v2}HZJ^=&kX&X_a6DdqA`k)j=&SR!m3>25-v0A~Jz3Qiw7~xBc6tXD`)_Y=e-r<;mhxQe zzbbWAY{A)}`Hf?wxM})zeZfWq24X}1Q0r>3WL;83uO`-Nznkh_*c;6>l%Fx-u>XbCt%SEYZjK^*IWPD{Qs|<h3ogg@y;8BwZ2&iV2OpoPe_v2xg;-{X@ z1bROQN?wr8q*im~bSAYP8q=A~uC?YX@w55g9!uIhuxB2m+&oDKm*6@Fe!BXUr_@0KspIF2wnSH7*O$cbKNDVTHp5zsq`hy3@N%5GjlM zBN4hL(|&`H4YG~#j0mjzL1)bV1j(s_G-wrk&+ppH@8$b1j^X`JwWLK+>0zhx7R&!s z&-bo>EfNMxnvm1s5Uxj}51eTnC^{iLS3ZGHx3lqMEtdZeO#Zn<{?GlrYW!cf+u6kb 
zuBAME{?9^iK2*jpXm?8noL_$q9z$4MJ{J{~;b)=U*B`Sh^mK8}cgAI^Rf~hHeW(v&9;0r|f;`A*^@zfjA zz0T|`ncYf`(kcwkEJ0}*52l?)zKp7X&(2f&yjO7M`pnN_>L~tkQkc5lX5}wMzlE#t zb@G=!O8Qbo#KeYze=l%M&db=}?Q|AdOY2T@>c(AHhEq4*defU0qyDjTn=an}XM~6d z=W0xtqOtJ_uI30>82?d=|LYxW?*Fc*toGb&=q+$!zHMKe(qDThNSP6+g_X9fRg|dp6G4k>BalA%geJLPZv8B?lG}P-j+8>q{aO2Z)g&s zWE3lrMlpWW_rLafwfDa|oBO}(DKm0;X|w5JZofvdsT>I}2%Xx|ZRt=;4-(}x>7!Do z;U(c3=_I^0k*`ZDle4yNjxv-S-T5(fRK|x9a~t*gf2w|E{I1;rw?w z0{SDK0WXai8=hwGZ5IJ*OU9Ni7p6Kp-VJiyhA1ooP~E9-_~qo{^!V!3{_*MjZSlw3 z(|4!#k5UYs{ucUlAmc*$$~HJ_3Vq;yqHH9Hl>To$0U}Z&We|eb7^J6v6y%1=@NbvM ztrEirH#NYMI>A{+*{J!);@UexGUgfSTP!`_)9A(W-~Qid*r#~^v9sIlRL_4m_kY(^ zRpBWdHtUygQwB|-Og_H{$ID-+4z6gQfA0Yz1TBee8|9)QTT(- zdGeM@k!M;Q{Vh*M5A_@e1ovDu{_zc_skwOAAl)_c!b(;QKj?U9sfg3Zi8BLB}}w<`a8ozCX|=UU3Vw|tg7uYWFb*;v61^4L+XuFxcl?=5&Abs9bt z^1tZbX3YWWKmZ%W9ujE-7Dszam8$%2k4ZYABgO@Jv@sUhfBUb=1es6ap|JPAopmVIW zn2<FxF-cQ2O8LO-XDJ(PBSBIi zDU@L~4t~ch*?NJPeS!tO$^;qGJCc~V?El~EHu}iYDdG%TYLHMy1WG9*?XC9P%YR-f zF38pkbiyYS&d`r1mnfk^ZnZ~L?ZAHx_*?D4uVM%O>wXxIcJzPTpYn$76det4e4S@# zNK+!W{?eAW+16j$1AM*pm$sVde{(@cTYve#wqBqgv7kJc=VF zBt($<3m$uLhYWB1V-HOkKLTamUTl!e&k|&BM>Qm-n43|kk~5-S_r^`T)opis?Vh>l zSqeWDNko}cI8A+mF}K+qnU}v8Pwu8-PT9yWmrcpom0;Q=eWb^5KPfKY5@q;XKB(AM zrlz(``slO2%oLBw1Q!)}M%eNB*^j%Il@ACdM8<+<=Ai1NST;nZHsdnRBpsv#4Y@#> z;KroVN&%zG%Xi^ILlre9Xhd%aLt`$LY@;)!d&21N1}6v)^u7X~ZGZ+hR-jfpD~%<2 znwxt;uVfyN5tdLlnqY=UL?ABohJF}HI$|WL_Vv0Q%-8q`Oj?!jPMpxzt)irIH!t9h z%6+^N;$CX(+B>Q63JQ^c3cL0su}gyZ5UDYsHWNe=W^TLdpE0vgwZZ#Bgx0P+PZMq3 z-VmXXATb{?`m65^G`1cF_Uj5c0yK98LE)kao+3eXzbI!x4<;{58@<=+p0Xjgw;cOB zJ0q$b@5g*H$r)8s^X?KI04#&WYEP0Eo?2g4 z&}Y^`DiPksMD74`F0TJhSz?IFG&gf8P^y2@Sh+a8yz*NSgLZ@AqN*&Atr11pkO)(A zDEI_=agQUxA7;;}*>FOYUd4aqL@K=wZFBED9^||P&;nUvu82`pkjd+0(I%D zI>7WQIbcjjfqdei@dw9;eRZtj2^gGcXcnq|yA9 zBw*d*6j@Y3wiW5koQrVf@C`wdPe`>H(YDI1-Xv?AMNfH(CJvLD0k!tGT0ECTw9N)v zTL?TKjngT@*A!}m;Bkg9o1*I@>FH-1{gO+gq_mc2F-?iEBWi^xXgnsOG%U~6Ef&cf z9%#fj;MLFad=B>K(kL?7c}zcxSLei64J{t*PuOibIE$Yl!X7g(WtqAkRd|(o$^+?* 
zKwM;rC}s;JRG7pLP;HBl5_gUBffl|y#l9tAv_Z-TI}*^=~INjTKz!vgp=`e{s<`A8+w zn-Z;E>5!6S8&Ty_p#ZI(3ca~xr;===PwblU z+lQeZsw_zmHALQTU@gEq-IFm+Q^H0|nDswgU7d#w%I3ZKisIt48e@eRA&FkV0YSq& z9nv%EQdl8ban ztbMw8=dh*!2^^>Ys9}dnMD8*YD+`bs>7~QLrK4)SZnxN)Cz;?ekYER@*3rcCiio&;Rl2e?pYrU;p~QThQVEZoU48tyfRPc>(6z z(~N0M!ERwQOo?=n@1Yh(&MqJRQ)a%ZT?>|&dvgDWx zRdN_c=voi3r*t{)t3BPl8&BjZo86!>kt=T)-`;*unPrf&i z#3+}BNvLdCj+e3~HOnaRgj6?6Yn_#?)4EQs8mYA!PhzXaNnBW}7U*vwQu6m%n(hBE zp#I?zpmXj2UhlAbP>ugSJlNgb|6WUZ8vDO=A!FgypNE?J_cP(qvTw>(Z2jih)Wvb> zUQ|gE*RQJtLb%qfN&ezAt;%BmcZjP-`3oZye-1~Dj)U1-mM7V)EbnM~2L|^EDA!~a z=a2LKq+tga_L|U#rl)$$P%C@3$^$|3xx+lN>+B`;_i~Mnvtq=;ZH6AO1ASRyo?y!W zR#$77a&waW!|CzcmN`^PDI-{*F_rMD3?Cwga@j_oq~2v%dyJ9W;u{)F&6dG!TuLLq zd?}6p82r;MyVW!OBrSi%?4`BZ!2a_gDLG4su!O#iu#dHJ-3X1ddM6MDf^aHl*yD!V zT~=;qic_|e@L29>Xm|LH{zz`Mon4YAFE^X<&1QVF8DGn0yd+3qV?O3-GH-8Ql6kK@ z-VLg2K|J>ii7Y=SI0ybKTQLCJa+i%Ji3{hSiH9_D%myV$g(n$F5YN>;0t^?O+s|6A zCA(i{2(&nUbcNB-N>P*Lju)IA4=KYb{k8V4R8v>8LOfiV6Y8-NOyy@OXLs|paK`3_ zd#upOg4m0tdMX|MXU4HkqTED3MJDWcP8dLwByy$1(T+ox5k{Vy7s{dXMCUH(qWI9# zdu+3!M3>^*+CxFrjr^|YJC$PM>!a(^Hx zz}$1iCp>4W{4m)Szb11+BdcMYb2@RMoJ6AAF@dO4?89!bsfZNRw07Ho7^twKF;3Gd zg07qIk(3cO;5;Rm&8+9C<%Ba6 zL&sJ^swHKkv`h^JtPm13-{4Z6t?4n_;~q0zxwg` z0$vJ!jj({gGt4xhxTBe1I6V+yH&k#2PvE1oA;NHN8G4O9edzsFdZRhhT*9%Vxi~e- zvRt`++AU2}peYuQF&k+(-|}4d_vb$YM1mxFY)+A|TmC<9TX6xx$XrAsGRB#MIh>Z9 zGKKH@h_*=^wf-D@YMIe9!SxU}I2WKwsUiZWs1??3qfmkxx zNz9T6Tk4AZvhKVPIb)QKBJ68X7U2j|nl#^ksk6-@RySn{h7UVkV0D^eVP2KZPCZu{ z*xTp>SBTt^I9E0k3y2NC!c4|H{cv^hALk#>K3r}1Z^M6oNd6=2W<}m}CQU%hepRFi zwN{Q;J(^ZDK*DJ}GHyz9Ib}CLViEe~F>9O{vK5R)<&Cw)b6CMJF=g@IGA!mGWQnTF zTRo;Max8?U7F*&r3{9A9qxa5cMJN9}dwcrf>g>C-(~D(LiB_X+Q_O?o_nFGed&>Mw zkQ>T#nNID|K{A6`s$2qlAgPbM^7<$38kv5__XP zmt>fyHv2|9IEUVb6Vh#z)8v0FD|{Y|PoA06hzH^H5`2u)l9ct#rsXSD66nRbsjND@ z*CZFYQ0t}Sgr49mvIeE%6B;kw4=mV2B+|ot@-Vz0!>1QrkKnUk(CNL`z@7Pjw^@s? 
zz82;R>f>u^djZzksu@pg98psk{JgSJ+@>@t?sC#Duf`!brj3HF8NBH1>RpqitwmQh zivIVm=uKLsCM7h{)U2a&Loin$=uA~QVCm|tM8%sNP@)-vJLE7{BZQf}HX8$)kE3zD$Z z3hM)cHDJP8hjTl_S7L^JP?8p?az!MyypPAKK(qklg!7tzuiFww-2h|)cf86gWO4e9 zDOp?E5+v>xgnWUhlTL0%%$SQ0ZiL1ifffcK}pawl5$ZBhi3ECVXu78Iw#SKR~b;0Wh#e`W%av z&A0HWc)H+80X(CH*-X+jO5LPM#&1|ugIj}r3(^UXitLIR-N4w=0uo_17e$u2f@Lkw z;2d^7FS5*)1|E=in9cDtyQOp8BX8M^sUA5Wy_MzyIlZd+2tOozL|(WU14GBaahHiJ zrK)s*H~5z8r7Z59LEsA?6xPSTce>#jpE1F-zEE=58ssmS;xgrlMb|@Cagq!jM}Co! zoCD&E_tjyp{fP2R?_vu*Bx{JFwg1!4_=qL*Bx7HMDfVI1#@pGDezl`q?89n@`87NL z>H|w^?!m5*iIE_7HRB{&6Xy10xv_JYe`;>g&^n}scYkJFxGcrsEJnD{JY`iO86{pv zhe^s6R6LzW33jnBOmHp@IoLniKU@&=_ca#d0?%geg%&2I`83bwFpqsqXzR?gst|rw z&V#K-v?NB+kdqw?mT{qtDiTZ>HT=fLu$+-5ffa%Od1lWgo2A z%}q8Z38Y>w47#mS<2~nIec&cadU_1IiE*QZYPhIJ6Gk&LnFDqgQuP19lmv%5;eKhZ zJZvMe`=_zwULB+{bK^13CU(fF&&mc9b?#E zSCpB&#os))?GT!xV$8^i1+nK}e);svw)eRWSdlG2i!2ts-TYKGX3r-kU7rXUGv2#h zft~vfFx=UMB{!ECJVOpNW6L7m?FGR9iPKJ{GI0pBpV(fw7!RiD;eh-s$oXhh_H&GP zL)LuAELM=9*^M-;c6x)omM7I1DcbdY%NoMrLU!$MnW=Fgwm%D(npHnm0 zmdT+8>WrX|50N4yhMZ#kd`$1Kq^{%xiuG`J(6Zhe$$f_z7RI604 z-$`j(J%N4$$WoCaI2ZY2*0Go*zmmz#R&v?(*#)-UsBO7EySPtf%YzDM`|rHbvbCJn z+@AWtY=lG5s-nf{*ocq7Mi@S2vM~2RZCy3J67O*+91$zj{3&uV^x0_^ z_Qto(U*cU`p{+9!Nz1^75lK2jo=D@yC#TKI7UjVLx(+$}2nfjtB66dxWN`vY0Gb%8~_BaTMhd7T^-QTi{RK z%t6Nr+9LEv)kaan#ylZYrpC<5qR9l(NhVUMBFD^;DK&IJzL9FN5c1V>1#nb?Ao?fQ zx?uX~Fr%<%l@|un-6&2 z6KZ$!WE>B3e&NC1>8Yl*fQ`H~@bt(r`A_nJ{3j6Z=k44B+Y#CJ_L{BJ3!IOtW{`Lf zYP<+A?GE=k@A{B#3(z*!+A9Hf4c>NaPmnd>j4Vz|s6eNb5mU-lG7a(jjaAmI`IB5p zBNN%!)vl@_bB$p+z{m%&=lhozJ9yBH?$39)_3kx<;|F3gyqgvkX{bSWtoKn6DI4<FTz%>!cS(ip zX1jhSr+Hx*@nzX{5TMC$jyk!u#U!>!lu;HbJ;IzP{V@A}lt<&E8XS|1@}^3Xs(SSd zT7n~0sbB?*Qdng#C@(E*le1*tf5OH+v`bm85mYEk4&rA~rqmULX8D9VsnybNcZ8ZS zL5G>I5%6*@=#(e^q))R<`Vy=z1Mip`R`wn8*YN4IFjzz496c|j!18FC8PD;%V{52~ zZL7CxrL(FPt&FxdE@U8uD-vc;;Xw{#v$_r&``rsNiU8BGNS3vgIGx82`>BAuGDB6V3aebFhgeeHo3#Pe>hFr?k7 zZtvVeAZO5&H*rfP3nbz-w2ZX9mBN-#iW5Cvkdg#6=Zju`R2o6Hxt{Hd2A5AxjbTc> 
zApiH^=l}Ru|L{)-2R|M6|M<&)9Q-_hfBg5uKOO$d|M4G(hX)5g{pHQK*B7sT;fMeF zNfgr?{Oex_Ke1Q8H0(^krCUulpDiRAd@uqyWyrHZn;|qo?a9jWFnuHIE|T4TLvPIAbgrBX;Cf4%zk^yQoLx8$uf3@Jgx2bUG+>?~mn zV5OxV0Iv<^T#?G#CJ8>t7CBlIn$scAcyqkFU}BBC01}p_N2!uIF2@!1j0MVymM8WG za;e=b9gYm9n_o(4z6s9hTcE8ULt5-u z2?t1;>--m%VEvn(2o{KFyK3D#WS&R>`6vbS|LuZ_i&^+-xaZwetRA zKyM(V-)k#0AyN()osUQ%G_!0JofDdA>37Ac=<3{-W9976Lun=pJRBA2l6G-jl`_JZ zi-qO}bWL$Flm|S(ElmZ_pEW)5w^G=vvBjaEixjHHXulQl5rY!YaXA#CB;aBcnkitt zEt`ZV@Rwr9GP`4z^@2D`YLMN=WbD)g2r-f{p$p|U-^$LCl`$k#lkd-8l4EjU$2x>_ zA5jh&*TI-w=fy_83z!lB9gzyJX^#j=bdgN_oGgFm*+b`j09vib38VLiBfi&6ZHXej z-vUL%e4mA$>OLTdOqro6HPoRF|G}d@oX-V;XqF^$nqMes3Eq}K;W{ZLcXT0JV(x-d zs(wsC7?d-fveaS|AazivcSCp}FQ5g0cag=E0+Z#1bRkm~X?f62bdBBu@SS(yu(!}FT+&KwBV7bx zS>VS`kcrfaqB%8_9#PB+`ZMN*&>N&(`~lkJXZ59b=r1${DZtjs7!3(F2^K=M2TWc&lDc&k>3d?#gNOO8b9QZ+C#RGf{- zh(nAoMBVm~>B2IKRBMZjr0~(BeqICeqnnsfg-B?m?EwhkBQl1lU4;t5XUBhhPKI;C zG@=C~4b8$LGbYA%uM#CS7%U^rQ`iA8o#Mn#p4<$poXJtjW=GNf^)oqM<|wn%0x(Me zW}DJGo{uLJc?&zZ3=YaW;EQdh1M*F{=ayo7P=M4lmZ4h;&y{+eH7z}cUHc)Wl)09ED0iU}*#>KZj94Q=-B)GR*vFJ@ z31(_MQ9t|{4nv43y5bGA;X zRHl(C9j1H|JP&5~HfygM-D>7<92Zb(KDpQGz$;7hS>&g109qA`_#z4Yu!`nTKiX=! 
zZ7K`uVz@JabdU#`dX}+MdJSw=ayspi1N?FyQ>z@_!*RRBE-!fl#m(}}bNhNRI}8Zq zOXBnw81H=@Snm)ns_oafaZ^5?7#GFjWvGQ~4~m}qBY~;VSmJfv2JOIpmdg|@XQ|M* z+BL&9q!SgV3^22(8S59~M#x*yM?ZxP?is1jn>okbt{!VVZe0C_V*}4-=5krQ=Hg~8 zajFVRuNK-?L|ZiW#Cav@P!=X6my0eo7xsv}M3l?a%0Wv@(f1I|dtYol7lwYYxc;R~ zZlLm_xX}Yr%5Z-XsBb8J#O%fgRJl%^XoerHZFOXTOQlYrx|@ z_{>`{cssbdJk8j3y{U8ZBW3U<*g7$5Nl@^hgRir)%!$mIu&6y_ zXqjON;}}UN=1%+x`CtnTv<37kUQ2dfQR4RqB`7g05D~BVT}K0&D#4qnzC(>$tc%0x|oen6gYFKf1}U@NEzZj7G+8Wh$P8rQVF)si!Ae7>})BnI&dX+#0NMmB=TgM zg~7u1Qmye=Enb}Qw4fOb1mrmOHw{6lQ#Yp_RL(7P8)NNUJFuH!Uy45MTRi*V2n4j1 z@8D)%`jhfpipBY|7*8rh!$^`b16k-m56oQt7uPm*Xd=$aS3TwR3{GQI(_DPpB5n8Q zQh~iOOTAr%axSJBr7v9N?`t171pe}(KC)Cq*c+DB9S$H74WtdGQ)$s*MU}g_BU3sD8U<5*?PEJ# z47l!*OP{UP<#6bc*VUvBn5h>7<=rcsz4wQ|MD5MgD@7Lev!G{S~4noP>DC<~fBufPQm`|377?Tp)y;M3$frD`7FhHIseA1!XG~2BWswG&#%P*a%&2@q z+%S{xesns7w7aSP`K0bogy>V3Mlrk7TPY$vRnPi%ksfHl56DQcM(ZezIV&&J0`OM z*Ruia^n@yQfxen=y~z4daAU{Lm4wDYUcR$NbSLoBJP}THL+(zZxX^|Q%*P^l(e8yih53==Wkbz|hpysDaZ^bA2;%CvRwjxU}3)8U_pc-h8#?!c2bsOoo^WW?mE9@|JvonS+Ig)<7FZgxX{|^tQ~qnLki5vLSE=2)Lpfo`#@>8OJO5=6^BP=3b!@jcx=apYOJurDOEQt z4On3S&TD0*#t_6}C+#gD-b>OBvOgH?1x~^pu-RQK5p+p_W-;uxa^YjLV@@hQ2z8z{6(|W(S&vD6~0}$EW4RZSE=m zS$ddkv15U`Z@+87yUaOL1-I4;XJIjuy>Gy_cqYLGV76FLQ&0TuY@_%VYrSewX zQk9a^i}O!cGZS-C;Mg@`za^c_C#`{bBnp_uB^*c{`1~DnjAd3)v->N$(MaT-_>13=6myPJ zjAa_VnEtZd3FjzgQQjxT1}`iD62wLBS+&S$RC<-@-Jxk8pqR@P5y+>+GJgct7xw6q zwW=;#K8wY#VDSW__)zAJgy&qQFEEEGgk(||DVxzD%XANgV$1cEX$q)frNZV;e9o2! zO73{51P&H

bZd`g6Avwogeyx9y?sj*7kcgN5?{6#n^*Un-0Ont8M5m(v(BUVao@m!{UtXNkHec$CMx5hf&sQb+h*^iRx2>C1Or6C;m zQJR!9myN=eyoN%T2l#T3k`gx zQy}g7r(Uz($H9QMq^wwPv9pWu>6Jn|Bt{W4GNYb{obwoFar+3JsYA$P+$qg&I~dNORjLPh3&{0(Wxc5CCujElc@13&IUXWei1 zbk_Yf?K_D8DAEhRM1m88jp>1Z@$pj;u-5G#@uWA4gbLmNx5p}4*A4jU^5ypB49=C1Iz zn!D^xQ5QHXK8pX)L}sb4+W7UcWm*#lj~40rGT@nIAf#H?_{lRek%iKOI8)3CyhEAQ zGrfjnjA}zpj>(jZ!qUpEKxjKYt!>Ta^4W$rTgjEdzw6~~v5;S-Lbqqs9HNeQUl@6h zcdx02t;#4l-B~3=lzX=+J=9(Ei+zFPG!18cgu#sUG*c}F%+DjFu}d@6sKvvknX2b4 z?Nr0RG1YLFU~1FTC77x{U4p4jG211W`UDlOA0b^*3l-o)WK8nHPjm07WkS%ZLIlD0 zz`OVF@9TvkgAXPQk##4o4K>9A(WzG~hFS-xNrCT4BB#?rxXP~JCN%_AQ3@S~ji@vw z2cbr#g?1&gjH!j%%xft5IwBcGPAogm%7RYIZy{bNO}T?ow>nh9`wEQYGIp+^Ge)$W zvU)RMXm44T+5aX|%-Ebv{Q*Y-I>wdg9E2oDN*3cuHYfCk!x!=Nq<{p~H(%@E;?pC4 zv)2RBkOdB&G37?I$UyO=US?Mo=9a2-sS;)b=TxrpVgrk^7O5msU_YBr=PZ1Rti1&> zL+Fh1j1DsoX?}l3kzeb+_AaIfg{zmlipyQY(=K>Q;v^l8Libu<*)FWsRWb4Sa`%JJ}it>`Y2^HmK|w6?o*XaxM7JY z6g#3h?*lvt*rdTU{ld(1p3tn1*S%lfq~+*iBRjo`dG0&Jvhrs;!qOi%bHW+b=2}sq zVT-T%It*T|G`i3*7B7gxJkRRbvlOLqz3$O;T zMgMt5QCB}@hR#j~*G|{UJ|tO@I^7ub3z{8!ec9g&nsGB9T(Kz?h9@NDqfo&1fM%Iv zx~!Zu)?{MoD%3EbVqK;C1~h-lw5H>xyLn0`#gqyFd$^dcxi9$*h3%Q4Jkyb-s@%~# zO;s_f*F|mBvduBqAfWVc#QWME{%+=_*^DV})(B=*S7Y}%a&)Lrur$H~1JwB}tds!6 z)I#b!2Ve@5ACMm>%t<#+4-p9q+*E8luauH&EICaUx0F{{wKTjWWvBs8xd%5$j>xqt zSdV-|GtGMBdrYf$r`f?L4FO_dBexqEY10`hWiQ!`TY+;GOIbrjD_T}Cl5#(wly++w z3$Fl1PKxU)i!~tU#)*DT;;^@KPUg(?9PCpAmo6X3tJkT}g*Y8jhVTY*cRP)#N@1<_&;M%#dEg;o_+c3`03MU zPriKqyW^9uo}WDX9Xa0VN>@CEHdOuY_|9Y17x#%gQE)n;IcFaX6QIx>+#Y-5`Re>KpaIiISur^59?Dxba9zbM9^L$WM zN?=Dd=v?vb%r9W?WN`9i@C3u6qR}i=_o2RCmc1Z*#vSL_>22$Z`pua ziu)K5S#Uq%9wtZFD|c^C=1iPkod59js{YeLQWOitZxD(x<%y(>VxR|YgdW5NFsdJFDcj%5Ns72d?q3-&|j99D>^2ed*g)k}`K@o1;iOKho& z2zRZndsxYB0h(L8*MH$6ML=*WaWvM1E%o_tE?-?;N5OJ-+i`~@f0lBy?M87iLSb8z zpuS`xMGqcezcTRd)5Q>CrbE26kxOgrp9^wErz|_8D^$R{+-k_-+qc`-e6wSsvDjdV zPROI{)u(fnv&1vHDbo;AT+tI(F7&Ehxo;gAt`;ZR7s)Jn#E|>sxEAt(tRG)u_E1Rdb%lb&Whe@Vzdw4aP;bB#L>UW~!P)8XrM>p{bS8xuOlkams-v&M 
zqlSLo$`jJ56}SYQ(z>0GluXEEE=8GkNscY5*ch;zRX|k9#yd#7*{2KvwkW7u&GIVe z%x5H<5lk9tQR4q<7(IE{2YUw1)y;a|F?BCCwK1HjZMsIhlSXIA$Pn$(R76B zo1*oX{C*cF3TmCXMELne`Sc`*wlQMG|CIl&26*3FJbcYmv#XV>9|^w)l8@d(pgand zTlMz_#e<0Sn7nWVi)!RDWGc!M(>@P8Eu@R<@$DYlXmw~zoxM5qf^F)Q_%#KpFg7Hm zjUN1<5EOIORM7l*jGl^$@ZeKB8Cw_^h}wK+0kn3_z_eD`JIgYXWNc5=h*I=J=q23P z+BlqAm8-UDlk&F>tCem~cmLk4XTp9!IRndK|DEuYRN=`;fhIn3Kd(KkG&R=eANm8^ z0=8nY0kk5MMkbNTi~1?Af|jM7+WjGO36pMeU+6Ch3Y+|lt-|l z3I03I&mqNBj&NGR_xQyZRp|Xj)W6=K#&#f6jq^+;s_3J&ocKF`zD_RjQx5w`ve8V5 z`n28bT|LDUZ;0oEp&f6}V&ss8e+ySER4;=5{dR%;F^RlVZ3&hHi!b6aNbdkW9>h3^q5c`cU|NPJ^FKLCMv|>iKQ>%ILNrgSTUu<6MHku-U2KK3 zu@x>)H^M*W|2vzt-3;dy6H9!nrNU?!E9ma=zEnd*nbKYsu1;ox&V*hA#(}xqPlns^ z$w7@Yb#Y?>SO zeG_m?EstvOM;*N)>WjO(HVeVIh0MH#Vc%%&V2ELo6 z-Qi2127?yp=g$q=2FGcK)#mrf0kiR|X1!c|=8qlI#)qRCSE+mr-Zrux6y}dq{Dlp2 zRZoRp*8JHGDKzJ@K5MiOvUG9t8o~sj^c&F_YA((!F4+M#*#qWO5Jtf|c#g8rGN$K1 ztiO?+Ne9Z9IV;G$p#Go67RPb3uSU*a81VaXz*iW>ORnW&5JX|*hVZVWPJW0%CAJ3^%%QRZ!O~f?OBfm5H6Ya%z zjxgpDSLf8(2(si40SN`+7eFe(i=TQR_I+rY(<^TSN%KoXpC2<`hP8=ZZ~l6-MH17S zVZI#DzJ%ETdlP-K_?$PdZ;$Yv;II%-PS zF`HP;XDIdfSoe_Wv_k++Z8Y}R42Y|C^P`@2e2>GRDtWA-=0CsWo0jeVxGS;+csxB= zm;pS(k9{xre)37fgE7f=*aKAa^fBE9#tg3K4Vye1a^tg2uW{gEA5S9&Pb2<_mk}B9 zMi`}xYV{Awqor}E?U?bOpcdW7xE!vTEjNM%B@)Wmrip)NClL5@qI4iDAmpQ>t7i&) zvXVk1J33Z7;e~+apFa<+Hi^@VC@|-uBZEEcF7Xml>_lXy;x!#v_Qz0|gXDE+hj{v> z6^9%g#wX@5r;o0jC`R_dhr>%i7UJMTFtwP>dK!%`Hw5Gfh2XCO z!Z?`#uusPE>PGJTs|Y!SzCtE8OKDydUObul%JFB^^Dh&5*<6a+I)#aTbbcf$^L)(F zVn!>n;E2%VxZ+54QQk?W9Q*g#sM zi9JzqDO*5R>p+!qO!yT|V0FuH*xl%WFs5Wn80ZPZ=2p0>aq%BI&eGL4LhiVQ z!9fAn`<*{{!m@U_%yc3VBt77Cf3DQ&VUJNWQ&jm6BC4i?WGo5!^Dg_lmSS4+=|)2kQYrxd06W(@Y{M@XDOqF;{fd11Vlb>hMe8 z%5gN+w&$;;`P_{129jfhr=XsU9cHvLPm5P*Rm_3kHBsRDLbMFw@Y}ep=W0p^C69+#`~_2#WW5l$H^i=|NV*j%wE;pNIn9sruRFODZ^lZ5cjW z54B8H)AFoG@Wh&vc&2fY`3a;=M1a0so*Vf7&nsOvh)(4RJ|}96{qeeA$Q9;>K(O|g zFE&W;lpLEtlOs9V-V|E;EmbOalEqc%Xkg$49ez!G>ScXsj9R{fJw{lQ)Q(}C?c#HDJMz5@rXb>Qi+x4jl2ZDs;SjjGgrciPjcgJZ0 z+Sa!vXROUMC}3oqs4E(Udpdr93S1RFE@=xiMuM602rc0N 
zWu*A5w+!WR1@aN=_XlqN5F#T=85g1%Nt;e1=b;vX+Pf?iXtFh=x;wPC28A29!PXUb z(QEBu$&8w|OIRH=tHe58zh}SAtA@I2Gn`(>J5?c>{I$cjO@iBqmoJPmPpH(~;7&F? z3~D%vNiVm9|3hZ~EuF^^yJAHE*J8b7*FZBq0GawYkhqDr&$alt0K4-rR+UYeS`=EC zyvIZ04-HUZY_uyVp`i#wtGh}y{OTAZZEE7P7xSU`+6(7H3VS`;;NE)%Y zQw$z4vzbJgrJ!zBtFaFyl_m=7dh@|U3d^)J44RYs8i;5n^?`y+e7Txb+9;c~g@M2l ztLELfKKu?~+H0tOTfk^nsrvrm+q|QeDRUH6R-55@F)~Xmner2_4u-@#5urP{jW#}! zd4Bkk;gdOwZV``dVucCeGu9;GPUet$Kf@8DnM1b zFvb86;=B&qp>pJf>T1o`L648oX9#Ut0uEK#aE#f8TMeFSrAArf=?XLxxUCxmz96SL zH9P$^KX~in;H`tBhd!+4)y~cfaQ^RXdGMCztDBd?sOBXa>q&F&VOn-(t#u@7kah8b zg(00b;4hSu58dRZP@-EYrg@TcCz2efqIHtOa3uzj(Zb%xXmexxYBoCWv`-dNQIc}g zCX6v0OQlN>Z_g{|u5*yN=ArrCfa7-*sP*VcI|sA6rj_#=z3*(r@KaftYxN|ht*>=% zVkE?Nkj5KK=a#xgz`ki*vk{T^L6YI_?lRfQj>jHGgO#k5?>m-tKG4i$QD!zMlHF04 z%?cM!M@92VsQ@U^X5>!=ugv{Uwba$f3o=Ng)kv&NCcW|$w25Q1nFO0^(w2a0Gno%U z^ny#2LBQBa6eJJ#DYBb*&W-dr?jPN;Y=4P53!VkNJjGuz~jobC_l~d@9o%QQ5%q(43()DDGk!^OK>qZ&lD9Z z;wGP!DT@_zQZ6c#<0_UPX(;fHD{e)N{&85|l@af`Y?SR?CkJ(Vu&Kn^Xr@LQcRb(z zoBfV%HFwF^Zf5b7O2HIK#zh5GM+gA?{=I+v_(3O^!+U+#!~NHZ?o|)L_rV`c^eosk zR~FG9f=Rbm#7@5%Rr!E5FEqU5Fs%AUp1FKj34Vu7Hem!;@sgl-q2G=e+JQv?STF{j zA{mPLQ-?5!)3Gzv%jEQvR0KMter( zpENFf@ee>;|jfP3IYi_6az2q~+ zKW?;oRI;T`uV>oboT;@_hn4>h*CuM5Ue_YVmxq@OU8h^76+iuGm1>=g&#p}UVc!79 zdOjM<0KdnNQ?=|b0AY^TEI@7N_>Un(Yy7E&y7M5G{AO&1Lf+lJjtwYPbP@+FAk@#- zku*59%&DUxvnlUY_m`p+%DctFK*8V+GXwbK)eH{}m%3%#2@CFg-J8Q<4!huzooebio%hbQBK9blSGE^0aT!j7(Va9M644B+DX zjUw4UZzk3Lh*2LV_eW*Nlrk=|$GVYdSVVT56f z*~1U<@eQxGD)P4oVD@AVJyCqI($n9&;^2}bT;5@?NN?Ei@)wM(?Q{ZBit0hS8 ze-vQGq_);*zl+fe%6#Ikd0y)0%lWt=D4)-;o(BJG%JIlfjO zy4q!b;%&VthdCO*vPhvzW;P7px)o{2t{<%HvDTe58bqSD@&EfI5E5ZXje;jC-0sO*`buR#T zz7M?ti~B84bh!tC0ozpRyUBkp!-@+YdD0$LK5iMKcqb)^yRq3naBDr%1@!vB*41zQ z^a?uS40`y2!dVrS%9-mVy;iUYMn0OZTaJ!%KP^5#nDCsk#=HTkBAM>d73$Fv<6m;JQd^8k(f&B(eQQId&Jz&8 zh=!dhW?G?6X27nG15*{70O}FcfoQUE6}F#qVmXKon%K1Rh_(u@@_~gBxMcNz>K?OG zg^mwrJUBMOQiFP4WIAy{Xxr(;!u(UtH0PRCGZ5>lGi^4u+WjqZdV{%)k)gAaqA{9} zg+(!OwXUiU#GTR&9X;8ky@CV=VSe~mnO5oL1(wF8B%_Adm>V1@qxG}19y3c^=q=xc 
z+N5mAEi*q+j*bk;jc0hg5Hj4DD0B9?ipPwfg6Y&oo#`YeT_ZbiX`H(ud1Sg5;k9|Y zFBaa*2u#48?jNnyQAlWjMB>W>4EY^5@|SIsd1E`46O+_z_Lq8G!S%*SjYk+Mh7?Y7 zv`d2SqM0QS+ET#T!u0WsDH0;dS(BNf>}m-OHx`*m7UH87xKi{P!iau;$AkbNL)~mn zOXamuD7ls#WHXSHCIYq;rT`^yG~mKv?bC>CQfPema+L4 zdF2)L0q^e_SzR8GERuO}(`5zXZf|4G{JwdST&d~3%3r%XVe{j9+d17HE>N8BUk8y|Ve^mAz05@fzcwiqz$5r#)~(&tp(u#`e2NS9%( zdvqs-TwcTb`D0R~ph2qoLYmZm%{VP%#Y0f0q|2IL9plhRO^4*;>mu;#gEl;eos{z6 z@Tkqf?K;ZzS9u%kcD86Ae!!*38V zKg?;4tui~wFeq=I5Ytk7KhfmQ#`OYzVjgyzc$bO4F9@jd;hfK+S0DsNIpl`cww}y) z=hRWJC&Ax;QBk&Wuypa(_S^Ke!H#HI{Cw|C>`y)I2ZM2Sp`u%;{Ii_u*X8c^_0-;> zw%PSYeT|CTSn>rCn;h=Xe8DPDG15;_A-@@ab8SDF%+Z6?h+kGw^n@gZzGK86Zv;6p z(>{?G!wAe)%@`9|#gfZhebqSyKgX9$6S+y4dO6|WdCQH*@&5R6`2C>c?W~^m4dtdL zgCn&-tPoYDt!<>`qsYltYG+n>lebh*C)`K@h&)5QWD~u)DxuX5k=1&bKY#v^l0CBm zJ;x-@tMa>rRM60E(**hZ#Q3Pi=NMth+a0w+uue|SiH8k7GE=f{l{|1&q;JoB&{=o) z1N(jQ)XRMWtr=&a(G=M$xa<38sOa0cIU;k{e zr5BDmS9Wzch9ntTqtONp8f}=f`_+;<7?&;@s+RAeh~ zb>YV-4C6Zg!REB;`m@D&C-Y}mhRdpJSpCe+O?fgI&Xrq}cHT!P1?KAKrlX)*^$X4j zUfK)9FC-FE=KXTORjAED=*K+bkX$moVe^e#5G5mn799cgVl?}G2l%`8Q9My$zCXte zy7-ULCS`?!9R?lRkl*vv#M(P9fpDEbI?g{&I4}_6!b%hcM zz%FQ|^y@2~=tgy<19s1raI#5k$p+!^sYl4}W^j zl8X+U3I?#pfeBLdK;p0aOsqtk#QL@a)s$1Ao*E+1U|a1<-#Yg>!f^i%>H7AgP^ojj z_SvF4jXg+@mCRx!88&>CjnyVjVnWE41yQ1X6^vIyCSDwSs!Y6m;JC8THAEfF*$J-c zEB=2NX?BGt-oK2L9iaZrNHtP`vlLZ0d$HZd9~D)vro=wMAB^qzzI;k!CSRf7#{2{bm_FD zqj~Pk0q&>oN)qX{%7hN?NOqP@RB@VDo`c;{2YmB6Q@bM_jz>}~FL0=il;sk8l9D%YXh@4x` zh_DR`y@yUrqgaoBmn1;RG{)2sK|GK|XIdHctIv}k^#S0FAPVI=^_%pMee)0NrjO?O ztwSbN4{YkY%kOkvut?dBcyLtug!ZZK3wf$#&}I#Tq(#NSII{xSc6K-4@XR@q>v-}$4V zNXXRgyZEVYkw)YEy1Z`&vzVwW&o*uCO0%IeP{{9i(Zkx>h&NgnuN$CrDSS7n+kobQL{+>AHbtP< zI7mC9p@Xqcfn2PDUqTLGlM}ObMEe_^)O!V-(ZYs2+`(38NSr%pnmPN>syW3}YC4y4 zq6GSyF*EEh-nnNF+gr7*&$TXH$Dw$W~o3;wZ!RO=kcK+Q% zeCM*&<5GEIo5hj)lV6ArgWEZd6lB=*op7_TfD|VsWh5tnDUs(I`u8=AMFNeOR(p^ELxG& zyx5A(y2=`uU&@NFc?Q786yM7ci?y|KfRD3B|IUKZBD@{jYZ{=3{|Axc;(jAityb#l z5MeLk%%R_2=q%>@%I9;8mJW_?ehER57P0Q=HN3&^J>Jh}k)1wnu=&dRh#|&lPi`j` 
zBLt^(57}_v>uLLOKeM%eM_Ua9e~u6$)ON0M;q?M85i?504Ab-t#L=XU6VRR2{q-SW zq3n#$OyM}0W+?OY(pe+1SdSpn8CgtKMI}k&qe&AaQ8|vX190@D#>EAOiXJU$3jG|b zp-bXqV|#q>4pZ@0b!gNv1?sWGgx-7xoCL#!qA8?!1rdyqrk!x{*EYawE^2kuje8q& zZrZSkjr?xzq2X&}a~Y~R*pG{ey2N5f{Sx61_yQ1k?T%;{qTN}RqyE6b^Wdv2PTpc! zHDRYIguQ1yTZ+?xn9sxIi2Aoc*m1HF-ptrTpe+YSvefLv9##rzABn0M8NFRmeKoC7 z=^_6tfsMA*U+?krm~H%^Y8BAV*3nz&$F7~GeR5^>*sG_cU#8-#zM(^72qK$?&8+QG zo}{zT_^22}u}@ISs5M6(L%NtiAINkOoF30+B)Ei4%w&YZm`^^PQZjn&cFV!aE)_j4 zuRlBGX34OTIWAZ5;gpM+QYyS(FmKBH_o&_-Jf#Gh`#rujb#oAqdT-7|Z;FS^ zYWvKJyEt4^@JnVefnR5-H*2l7egAQg)SX4_gh-Flyilh@U7+lwIoo#h0E3gUm~2)w zPy-6?74A1$V8iEJOWfuzlGd;nArIKo?p&^nje${nLeUaZY7|F)NW$b7<1)DNvvrS5 zi}ei_O+H3YS+ch5${VF2(T#j3EMED(7WqEr`}*XDKl#4y@PF{Z@8APIZ{)%NcYYtk zySv|K{5?i0B_5EauG}29J*s(In{YQU`TFs3)&~xnD7g^e z>aGGW%+mzxF#I0dN~Wpm+!KFEQqAy@h7{S<-SXR^7cT@YQcxl@U(-=Sebk9vRj=n& znl*|)O0MTjROVdb&g3JeQr81Bi_-<>$xAjG-0FG7#T&sao&mZyn3HMr3Q^GV&Vw;) zsBX8*{*TrA$|<(DQh{n0K^_=r_+|ScdrUd?3|_^^8P!!!J!g5cY7e`O3WLd@Istw= zg~LhE&R$bKMmq^$2iBA24cOOM>>V@mV-v3|Cie|~$B1MHwSk*omR|E|d25+L1PrD; z=oTlQhakNcW%|K}L*>P<(t7c~g@BkUBuyta}1%QoXu19Lo4JN^ZM( zLAc)2bEi6^e-NNw*GvK2V2h4C?yZj}vwkN}XyNr0JM~;X&9w3NAg_KXO5V%ZL)iqd z`of$N8Iiydh(UEd3*>@amDMko3*kJ`Mw^%5AKlrB=2Re*zG;y}!OA!LbN2A~ou2!t zQd!eN1cUcKbhY#Y6ZQCWyoRF)GL5^=a4aZ4SGrN=aJucO14Te zM9c3R=C=WFie^#21H)AmOS((wtgj_>C-(=sM+x!3ha_w&?h}I*C+np%ixwz%dj%WA&Y3D$z#%iQd3nAQ{ z8hK->)sBw`y}hw9=|c=Zp9MZ`EZ7*aP%>Me_%^$gDfW0HkP+gRAQAfG1g70P>Of- zF|!493ga9;wuLzwS~>$mi&rvvc^^Hhg=9aRzXc4L@7;l^`XNlLA}d$q zQ*G|(E#q(y7YTtL2!@Sfr&o8H^a0JqLc=|+!5TW9}^7{I-dq)ife70@{R15)kvR zDjO=6hDU6HnHt!P2i&+Q!SO<^QvddD?U4HjDT8s5lK=dLIA`C~hyL1lvy+kdiT=(t zZZpFfAd;R^=uCbq;m56hVeP8RvTPY@hoeHn^4+M3cqh3ypSl4V-=DRYC{28iyQ%-v)JH{4fJkDQ!h!7L&a9vQPMa7*1pq`E4_}2kkoLuM`ztLrKv=p<2)#a$! zPXc+`2!OUe|Fes}fKXaei{3tj%&WU$7F&BNCRz;%IgzUvr(%Bn!eT?rih<0UvbpwR zq5?YEH? 
zShzAvOs`HnJ`KoQ=6z+l(jYEwX)dI}1l1`=RI$d;RF67LR(<0u`(pQu`tumwI~5P( z{D`={=d15ho08wf%8^z|=%IMXk!BKREas1ekEGQX(is+d8-pF9#Sxu`Q^LF*LLfF^ z?>d&-v(%DWc?2OHTcO3*s31~zS7an-9xJBh2cXYeSz14jo6)9zaG|h`YoGOufMW^{ zYz`N|48kr}@9*?}XOVhBWYw-JvQ)hLx`^)u`{_$GFsQ9_ldpDHsB<#@t3Iip{Gj_Z z{#Bn4R8H82HuV3aK0Dp)&~clzu6Iav-;i$?Huf~XV^pZdHor#G0<5|6@QrD6wwq-( zn`0Z{RpgvFi0cqZtkIY>i&j4tsJLv63D;GG4+1lL1z216d3{Quvkn2|U2R!4mjAAd z{-i6~r(9Xm!UgYP#*{-SIY;XsQBwwK?*TwF~q9%Xp43vr& ze1|I;X^=QBjD`?FhpCJz@2P#vUIM+|v^Kk9-U*+q%siiqko6FysXKvGTwPO}I!Q(u zBLZjkm|<>ClX?B?^&BrdE$jL_>fUJQ((>Nh{!8}Td1gsn*>Jb&@RQE93w{+GlP%@Up!ae(16wEZyc&pI!NM~}laERf) zpe5oMd$#5988)uYf1~OZl`AtuKOufvic){}`Es4mmN3UTXkWr=dnmF`s${pxdVz4%)E$ zq=&6>Pth6E&%SaK9yrX)L15@1WxxF0WU;2$&P6mOW7ot*hA&27z5Egj?iI_>PW&q% zr&zJhNPEXhopn=$`iixDTNHDKYCSrHHV@Y7hBOQszYxmru-i#(3mdq0-_IbDYjxTk z>P$uO#5Xci*vg(=k-AS$Cb8379MrbrG6a%5>M~_6GYQ#bx33!7kECVVmQIYQ#rN*Y zf|O#xL6>z73Mj*+VJ5Q@%|<3@i~@1+@$rL9PhKi(yNL*dim7+!2jO=s>EylxTeYQj zx}Xz>qJ;poCu_bk<|UrHo|>&Ln)x1OKk#%K>RQVKzVEF4s(+_5gbSR7@OUKA&Q{sX zh>#dDvxcWsu<4LwcsD^5TfUQgYV1Ga^Hi|Q9HRja>_}_%`D3V6_L7URQUlfa z{`b-v7G&(d*Co7SnxAVLf-c}8-rZ@690Npv_Md!yiwC@m`#*#pJ*6o`2hxDW^2BWf zmaS*UC0(C{+Q7kF4g|A#FOgEs!LFa+ik@km?o8{!6Y~ULGgBY}=l01MTa7+EmBw0j zS&21k???^tQZP1eG>_}tr$rCr>BMDY4d%^p!y08$!pk7*EbBwhgam#1Lm}#q5JB<;|lcE+B2LqGEiBDt^}qA(T+`$m*I(5qCSa16e}ewl40qhR!lDf9Ftm5b(nhpN&~w zW6aMHenj_|P%nhr4}xWX0R+lSfvpk7#!RQjGmfslq$61@@x$uYVoH+l?btXqB?Kpo z9d^cV=!x4$R*mScAJRLtFb3UwcpYxk+7Q{ks8^pX`FSRJB~;S+lc|iHf4oDEiDKy1 z;*4mTWWnD)s_yrC5?5JB=c?#~Ro=CB{gvWi+sV*%fxyOfd~^W{0(N6*%sF8*jpzb< zBhu-EQns(<xpRdC{yE+&WbvR10RGLL45_iYw)W2KKQTkWKK$9ZNQ1Klk1 zUDYccUQ7Lpsf)i7adT~$oo2DJ3w9p%I$6l@n|1oehxNQgH$FHV?^DX}3=hX0i>Gb} z3-ZK9;b^5%k@kgc$(zG@lv|R_7xTsN-G7gx&^;I#R%@CduwKH-Wr(fmEo3#ZoUL;ehQo^+C{m{fiSiOt?iGxz*YQ&rV z*0>q5TKbE}Mr&zvqb^mxh9|v_BE-*kKNYMT&gYIE_%)L`q0o||yK7Y<2*v%;ObXH8 zz11cW(&ScSA_i%N7P_$)V1_ZQrSwx>kbVHyt9NiKMmS|!hosboq(oP{t?qXkXGHmI zW8`1=q$Xj{NSZ|5U@S&ETg;@>I%;yy-SR4hur~%O;7hNBv0;Wx1%Oq*Fp*Mjq4VEl 
z*4~jMBnj@+a(t?#dV%eA92Kjo-5Bfb3;)hkVV=JX%StRc-}8WZRZ+Uj41-0-*m8qe@3 zD%TY2nbD(*#&6@Px~S=mwTxK9cXAkXfCL9c8V$=6AbNJb`e`062)e=dOOA2S>5gkIR0_EIQ zquZ#2e%eqQ1n=b!VfU)RxZ}D&OzH>-v$(Bt7SP(OdZPgHBPJB}4v)``#y?2luBaIw z4l$Xe%8LIN?F8-nhjvad#r<#ES)rOY7rSktNnGo_cEe89hW+B!<&B9JSgtJn023#a zcY6gz?B*WEYT;P{6E?rA%oyD2mN^%+!9q8I&OQ~S9I-8vk&ptic#J5xP>iYZwqci% z;OW~U3;v3&Am9oq%IdR7g0afnB@6tLP7c%oMvTwUH=;9V-Xt%uDMkuQ2WI_5t3e7= zCCQIt-M6LV?x#nG(%0se?_b3wK%J(k=SVZ~7OfTS7SgPO%#n@Oj|u>ZOC&UBQ9Pll z+WbTGBcCWSMCD)C8R=T|Yf^Mz*Ab z_VFVY!A-F^iS+k{2BcwPN)@oC5^Rz1(8S5SlB>}sVi|Go$|T6P>V{B*vF20nK=2@} z7W6Vb^!Hh0%;&^4XQ@98IHuMGrZjLY4yRp%i}`F#3z;e=n+pU7(Dd$yA|iC@m|-NC z%eoZuVuXL4$4&>=YDAix7U_2jwj>*a*=vB_5o=rC1vO1TqD?h2Q%#do4wX*Ktd8!i zQE;z@{i0GVT?zCRuraEod-oDxvONl-VlD2!2`=(Rsp!X@p?1p3M$H+@kfxpu`#Ymt zMb)_G59}cF2m9)X;=6@BCD6sL;akRLO$~{%mPzQHw3um*qu4dG%3zr;`ktax*I(@* z|G5FgYb&>xj`UPhrjk|*&4I)s_XjYVpwS~79rMWmnKmVL_Hxvt3zKP)J(g^ zN8XSYq_y6*)otB1KD#N|Tc?PC_XtJ8B=d)l*j~Lg8bklI&9!vQZpQe6v2p(1zg|=v zRH|mZdU+pT4w&w(#$oD1NyBC02$jSO8N+EDWEm}I>i}3{h3rl{kkcLOviSSTKi;0(kSoaC57vkZp1=q zmleJ2_)IC*bDs0V+g3i~nv2^lsZ1H4LIYz-PMI@p-oo{mAvP{9?z<)m1b~N^x90PC z^!_*5w4dAE#kkq9TrRKI-QoQUhvNsAW9M&FTX!g%vbW9K?BNQ!D`bxX6zJfi zEFXGle-11AdzO<7GqRqZT_PWWDJYwRg-Uq62E>KXl)YyqQ*%k!=Ca{IIZ1mJM|u`} z`u}Lu;sJhck$*I*jnNO5vVSzHocDhteJ&<242!b##>AI&$q*3-4l5^S2WWoucWD2X-jZ6wDK)dX^8P4r%2cZ1b&y_k zpzZpF(y3d`&Yee$U+|P0RS>=0jKy6)ewp7U0}D;7-}nV@1x7Wk3-_Y;cThb9#>G3e z(h4ttdNNZtr+-sh;VNc6YYWGpYUmxm8>Ko4Or0c|m^p`d zc&2K>zBatOzGv9EP6Sf3suN9ku65rz*EpsK?=`EPDa)++I}>@aUYylfufm1dqMX#= z*3g8kM07T@RS1u$cxw;eR0toQ6sQvovWPBmr6LVd=qRz64qY;XLr^sKS}KR*-=MC* zKDuutWYI`TvsNRYKIwNsi|gV$GLBR`)y=^)8Og_Lz6#wH?{y^v zC-4l5>$CN;yBAo8ZE5X|Yi5fRSo-Q~VsI3PlJRqwdRLi)aRE;_4W1V{)@p|c9R_Y9 zQLOmqnE|!m+slA85|qtCL&!Slab4Ait-ADfQJF>9jj^PomH2Z6lq=k0E~yjVdR`mb z-g<>^vb6LL#c*ft^Q1L+lzmt~|6N7Y&~Rz*w+zJbXRc z_Z{j8Gaf4=5PbXcJop^Fz4da31s}3X^*p51hsp~Bo1Tvl3Dh99i=bpIsn*Y$)QjhB zPeY9_AAh=1JILbQmG2{vlZ}m&z@K)B*eA<9!hEhm1zPu7Ui9KZ?O^>8=z1%^V}VzC*dbus8V@Ip 
zVI0{VZ(l|{sHB53S3^0-nX`&w-Tii1wnx1tOONsMnodtkmUQ|Ahpxg0SQ=<42gyjS zu00aw5s3F-jZJj0qm&s%<2uPo?_|3`BagEMa|88SQc6ME;J_bt2-NO{Bbb*wUEJmZ z%+pvsEkquI@@QvGFm14Cr7zwxN8OO?w9of=;VUZL*nY)V3j4*Xxsky^#PFQE% zbXxSoHY7ocK7~{Bgask(2O^FWf~EqFiE8^wzm`36uDh$}(83)N0NTo7+fym(bASj- zd(6Us6p7mmZb}wj0?F5St^Z=Ml8u)KTL!6I5xwRtq;`FMJphZuC&iI?k-y?L0gL1b z(Bt{^ajvrLyic-;GOWW>sk!mgai3~tLhh`uzA~uk36E}jzwDEgp zY-%zrNV%cH3eGfI{&g#KG}Wr-@4q`30odlX}8VA<+&+cFF)Zz^(igT z^Igl1>{gm}qkNMU*)Bg>m+MiQy%rbgF=aw;sW+A*bO(Cjk$P5pbtI^NX0Gb)IvxUN zQjgD&zeM<*(GT}oxg=HGWXCzoGj=m^qOxSY04#X3@WQOg^- zXt$e+EyorihPtinM@6N4$CH^E6ILG!d>pc;oK%p;Ej<;}8J|s0>fnD#ClN=zkAGZ@ z$LS+W=>Zf_=9S{|*|a9NhxEJz^KHn4Cc^MP&lcsV*S}-bwaryYJ#B@zf&$n1v=}akWwdx8Ji<1x{ zs`a-8>naBwDHVo(!epnQf?vlllPdv%NaJ-38J_U;2CaAAk&UhFV+xAurQ-f);PJeV zCt9aTdu7A?zgSKBAHr!9A@kSv*>37ErOS7SOD6NA(QfB|>wQ-qE&ut>U+OXB*-g!# zCnS3h|5K@eq~FB$Cq;-;x+fE&^wJDAL=9W)mB~lw_m@Z>HbvMMS@?t3!H#P`3b7Xm zH5|RZKDOa~4iFfS7KN}}c>FQVVd6RwOjF3|@f2habXxGWwik)DLC>{+^l5$u|pr{^u&7W3= z`mu|}zS}yqml*z>1;AMn0R6*6Wg|J+qP}n_Qaal zwr$&X`sDr2`Kr#JwQKKMwf=RlUb~;?zLHa*&DjJ$84=7l>OjjDiZkax?~r2BR#%m7 z3Se2cEJX5At-7hDFW!Ny8V^p3s?&}ol(8l2{8TLWsj7)XxaV)724pNE|HMbWbp_RL z@!z&c9s8UF0!``~mRGSpe=T#V-iBhlemtZhf^LHEyf-&f)u1)jWo^;sPa+kMHPF5P zbdjO8|Bh!{4!G0M2|aV$FYOyO-30H4>*_ZDj`Gt6}DMGweDZinn~qp^f9>GyT69Zzh>MhnWw zi0jKH@526?SLW@Fejj+sz$CBn!s8A5#St7ysieqpf(7z7Ft~CnzpLF` zQ#`(m3I583GUxNZD&nI|ag{vtj+${5Z|j_UI(ISWU1fJA!=t}4Q)Tu1zAu~y(~!8L zLf7B}UFX_sObl>zK&TJ**ebu(;2_l~6{mC25FJ*`^-7`4(f<8^>3{uCGE$jr{i5 zxOa%&I>RyI{PDXV&-w+G73^0J1Z3D((179hN>HD|1)wS7+4x&;_vtCc%)i=Oo(T@= zVL6`C6;CBsC<;SicZ4Lm%ZY1*?z)T58bKp^lw+WOq0$+v6}J@_&MDM#GRhf4Eai(K z9rqpzam0p-KweIw>ZjH>81Gty=`}g@Cjjj@y`VrZ{FBinsVsrwp9IZ{5uyznn)oVt zY`5XE*-o&Mpfv)nB%0F9*}@_(%Qj?r>)8!f7tDjgP>`?hD*`MJmc(CXx(HO_Cw?PQ z5MIOWN!Z`YfkVb|%OL_U6v!e(NcM;m%2c9d8IL4*g6I>_aSb6ryS>!41sKRkUMQty zhz-b+a}uYG>_A8C{<5hC+CWc*;~cY)tj zQF#IMap@k0oF)Y`pR{i`zZMlt-?pG`YSOJNPc%I_`Xqk#x*ztguz)(z*7K*TZmLjf z9`d>TO@OzYv>;2Gb!eF2A#~E1kyJ(l!Of@yS7KNJ`w-AGKUOrzd(1Y`j1^@x^4lW) 
z2_`5B4C3#Yj3UNxNX35P8x!WP^FqJLL;&SIS}v}zz%?K|h79L`{qk>Itr+h!L_F9} z{~d_O2!RQCKZrs6cA0@+iZ*U@Nym;eNEFGT5^X&qVSYNyDvDS$a&L3-PW|Fv2ky_9 zQbK6-rZY3St)YGKtER|e(3>c+Ox%F&MtkwHd-|7gTNZ!NoH+4;d-nn9(|8|jJRnQO zi|M2z(`>BSCP1WPE?Zl|LxD{X#x#n`ndQ{Dz({8**U?s*KjFY@Sz>l{N#HycMd+bA z@^C{{2hb@S`5IYqvZS&90ISnlFtG{rk0iBihxd3hmVd0Vw??z!tx#qW%-710&lm+k zVU<|)DMeNk7&j?);My%lw8SXPi@Ti<8BPBx0$ILqZnLN?w+zsZ=4KrL-kFT<n4^VuKsF*^}G6P>Pw*s z9~+d|(F|p4nEQG=QyXN;R@`+h&6}XdQ=APuyw?dwv&D(rJ?nYF@tl{gJ;kGO0ZB&V z0H_f%*Z$x9Ir|xkOyTi(z-**I=uz*P8=%Ce%9~cH0Q5i@Yjms%@m>N7l~V|0{>Of_ zM?GXLR)-OEZZqj)N(^k6_1p~cQP2=4G3JBQP<`r52b+H7xNF0rJNGjt(l>5Aa;0S9 zV5AFWZqPmit4hu+rV^v(M&hxx4z_n?{&6JU@wX;*(H<$^0tU!q9w{f$@6Y|Tg$u;A zvYTl=L#Ugw@K7uTPh2g<=$xE`tPaN+;xwyg7d-~FHZGBVnahZ;f*{%HAB!}+3woW>67Xb}#=&WU#8 zkC|z?4R%jdSe{@7+`cN18g*&VhAZAJ(i2a(;|`!;Jo#lz)7=eH2JD4Z#C)=q(TEgN z%-(29g+b3e%8+|c+2hD@uC@`Om=;_b80YMR`Y_Ji*wi(PQ@6i;HL~s1UOO4>!?>Be zLjwp`qtLK{ZyF)@Bc^K#BdQ0z9XYgnob?$TY&@nXXXX8EZeu0#!9Ip~hxw9Y5c~$$ zeOx`AUEfdVUqeSWUf=5vFJat%)SY(j&(u-}1WxT#$WHzgErX2y<%FR7v_?~PW7S98 zodEE0@v?UzC{-G|Nt$+9CR3X?EG&Am)zpbpTcIeu7_kc{p4C(e^i5USPdl(sN^#dQ zu8GFPMnnv|X*xT)?jH7@8c@l3xR&~WdEb(f%PR4QqVz4Ngi(D_>u~EQ1BzT^=`{3d zMT&p-P0#1*H%oit4I3LyL6Iv#;X5OS?Z}MV`7UGQJu2z-#17Fo^(@jc5+@PbQ;EgJ zDi>8UJ)WUu^Nmm0>hka>kv7r6L zOjF06_jPB6Y`QdlEuXO<=!)y?hnuE{jB&e-SUN>DH(`9W_|EMR*m^IuaKqkQKpUrE z(H}TKT@Mn0r0rw|`mW%KXIMfprm(Gw?g3_L=+)C^ascO&e$PEvRzNsB%nTjz?GP;Z|*9$D4r>W5B+X zqsqxzppQ!4<%LDVcYsGM;EKr)j3kKmM9B|5z8+0h&r;1NMtS{BvX>GKLN~e$SJ|>Uz`R972fJ#Li~9sWoN8_+Z{K@C81c;bW-X#j`Hd zO#!N}#3P@3HMI4mS#d>ZtlmY3w<|jnn92i2lwstwM3<8^{8)bd1xRxzA@j&rhl|<)-^vXCdm_(2Z{6GN^hA=H#;Et*T{%x9WSFY z#4OVVy(5_T#C|7Dax;CyB~Nrk>hWtYHt@`CtlA&d$3l!LfnPg~!WP3mu2Nr=d$ca? 
zkF!?ExaV|^-~PDiHwy7QsJWpzPXRK*`F8LezYM)22dV*N1-_$1;_RoQp2w=NVM}%M zVJ?0#tCJD({FbaC89CA4h}gIBU)*3XUUI>TMz}p@8o69i%Hlsd8l2)!!{V0?Us(W; zA~hKb%$uvpzQ>P_R_OJ0>9&xd=;hb*Q@?#papP}dFc<2GJu*kRcpi39$rPqJH;YV# zw;i>MmozmXln`#UUWA=gQ#u@gAblM1xA59iB+;GJ@M!UKR-FyvbzK-b?KSJD8D1cY z@WofJXmxIH@7rMEVH2!+6y~o;gRmkg$X6ML%c`7+TSXL~X-P?1p2Z((*u{shT2# zrG*Pyw$1W&VTIZoNL3U>r~L1`=jU_CQW%`@>zPn|;9`xc`rWlUA{0V39%nw7@?Qn0 zi&s$f#Y48VGUfFiiBXlbZz?4An6n1-Qbh(NO2%4lP1SdDK^J18J`h8f1&fjkLTlo! zZo^tB*g=;n#)f1$FDR_oJK%?P(;*B|@iX){+)T8E!HZD%Wk9H;xgF+CP2^<9_^CfI z+C!7=$|J3-9`LjgDA}DDb|edzt?U27XlSfFSdsBwztXOgNcyYp6$<@{U;Y~7*4>A= z_m>=~Rw}4M16wm{6UVcn4R53~bS2z4@er_VZKIvw)BF)@G9Fh`7T~l3*KeL}x!zzgP5nSg+O<<@pYg^OU)Dd(F9;-#TogTOXdNRvKVePRb^5D1#bx7d1 z>-?u})5!&U$cAWEITbIHS0j*Q9&{m4EH~kpnZ`vy9P*Gw>;KTTBW-U=mCZ#a6nJ|&N*#=w|y-Biyt)Mu;ivn3#aQ9{ljZQq#$R%u@2%#v2~#N{!1dD;52K6GGdv{?`RnX=_It)bW>VY z3yra)yRGx>_W7~)#IEBo+cU|qA58{-*Pp*jSu!ymK*hj0gmKnEhrc(k4x3a!vJ+WT ztv-z?BP_^NXK_y*re91smO=4WApuuh;_>kP8LHjg6C$sEOOh@h(jz1%1i_M*Z`UIw zJAnCZuJ|U2%ubBRZ*Pyu#Yv|6 zR-fN~;Ala6qR#KMH@d!m`zIy*W%F%iZy~E=-t?;$oi%UX!%HD6iG0&NJ&G#oSyYaN z2FzMGBfu=}aTGw3Hwp-j`uLmSrQayk+}34!^az4c)QLG5A`pN9T)H)@d!Un7x&hKq zO}@t!-r;YH-Atasq92!SU8DXBxB7fQL)EVUX%_pIyxIRklKvm5?te5|nc>WgU5zV? zAEK=!n^}um$nEP!W92x}tCa?7y)s^KLP_o6E0d3bf7v!}))MExsR%*xkarj*A$@6! 
ze}`NDGLP4NDvUE@SEJ>xw877gZrdjtK0*F3eG@YF(<|L5WYX~9!7PX9AhXk9og z{m(O7E1nwkrsabQu#lhOskOqodSq$-XFf}Y|m1b2& zKPy=N`GHpCmrU&ZvC+1{#44owV9-mPQ##7;6&qQR9@?MDy*)6l6f>>B&?JXM z`E~4)6xm3a!^sxKtKYv_wf@v!S5+h3nxfBByj;rWK?Ky1s>?uZGpJBsa82nAlr0Dw zz(>G7cKXAd3PD8D4BTbeRF;R?RJ2$YH&UWjJM&+lGyW=|KrVILlYC|KBzBZz`@zwQ zD=ceDEsG1+-6?A>YkqLFTr15{0ZwG!7Lb#xBOg-ld!X)U%CI14c52l^+ASrygy ztZgMc{)mVMCBuhxPe~C1l zJT$hL44EGyO;-Gs8HT_LCp$Ivh+0}8)0wPP9qHqc;W(>rJ!lPYatcR!tdr!}(v?hb zhx`u^N2gz%skD{I`YM|C9P}=NaCFDEavixHK=$a;zYEeM8W;f|&}Thh%*BbtKCi~N$ktG1Wor1g zzFlwj@5ft1q;05?dosJXeHud?Jpc8-SP*vfS_N^iJq`)wfaMv7;8f$qoW?_T@@~;& zsBh8k!aRKO@S!8oj-Wm{gO6vYjyypymTx)X#u{N!QZaVS#wE!+gp<3I=;uX|rN38t z!q%!rk#8h~d*Ggb&~E0{_l#%c98*W-5vkqS(SExDqnRl@Sh7t8QX3*wx0)M6in>Vu&25r;WSIYZ4 zBH>Qy7cQcR!X-uW6&A&o$$F7Rqvz3sGn=Jb%qK;|OsF7B!HJ(hk}Tb*;4ErR5E2rp zFo)JgGcbOZ7bYkp$&Ca575TE+PN@;hfGAZ6Hyk-b*uDq!VgV1?IMUxq%>|}z~oY)2>m0V z{wHY_NN-{~(Bwx+OU$F&j>q#T81aPu;4Q>qtO;W17>$at#-JzV=Oi-ZF6|&e6(-vr zoR)ZSOXXqShRk2`%w>Q75oOHA_R%B;XQ<+#(ry-3lfpm?N0TYel|JYg%rruPc z!i{suOXpOmA46J*6w_rH$8dEuKPFd_L7HdYsXz5>WxZTy0=GaC z*K{2PyL}fvZ?%ttkM}s5JgSa~#0j{uq=S`XX8lnW3RdCw&YnOtfnKNU(-rj_s^alr z@;Ef{{-JCYwg7RP;j%wc{DZ;Zduc`{3#6yIEg~Nk)Qc)aQc2Q5W}-RWVWJA&-rH&- zj#wxkQsDZ>QkR*lQ%Ql}H*Frh=4%Bk&o$^p`Ua}2VH4HtP;=IuFE^Z%iaGT6-z77= zI4U@Qv|j)Y^z;}HApkegd9AqdUR00RPoLvTwrMesG2J!Zkc}^_F3NK=w)<;hX03@^ zB0a(IE;-Df@+Ljmd9ucmBV^{`2BgQn0%rwNJ!bgfF^k&SO{^V-Kq*_GJqnRQEixb! 
z_7cC2?HKit(?KN9tvTt^#0NK|TVknql>XRSSQN+5oABHfBZHQ@NW5fmP&}B`b8)&- z>f4m8bf4t$Z_yPn-2YH%TffnQA-h(@jMi8SN|=LmF+d;9A{Q!rqmA*93}k_CaJ z%h>O}cWu*8q@TTAdro?5QNkTkiY7H-dzA?$DNEd_@#V<&feF+@AlESKhFHI7-*|aW z-iMq20+m}Z3#moSw0Y)$|0ktw5QgjxM~hjFPm?oTB;Hv3f-84(quP$F_r}j1sSkf} z3g}PYCV{?zIkFjC1#430v0n-%!_0R-0Y$e z6{IriJ`phMUGF;>zm#&GCPM@qyJ|nq`}>{;tGp12mtN-ZZpwU()CAk7D!KDEd8gzKtcfP`iUa*+k~>-8`)|%MOBp?R%-#mdf*z6aNx5Fh5!m+Fk<%s# zDJpOx17pOr>JDMNdLV~uxC z(}1i%;!Ojol3KVU!f5AHe?+bPm{j^?7wiU^f-%6gMw$Wlq7?ofIw>X%%1fFOH5lRf zs35gn23+QN*VR2dwL+|j<8XGF=HSWV-WfB~2^`cCS~T(HzqK6OJ~rV~qGrST`(pV5 zo18BZTraR1r7^V_2G9AHMKu)@2?>_P;wL%PG<}3!bUuWM_`CQ`9|hVC_Ee=R^^&M; zaECNGe^9<%xN6^R4p&|cT37C;6QgygeH8xhl*pb8N@D^#ID+)K9yv3xVrY8U0Cfq7 zaH8kq8b-~ z^3XHA=}mTY6QbCvc7M{+nc7<>Wxnrkz*uzjq`+J@X`C-nCO^biCKuWAb6IQJC(Zf; zxE@lOImZcMh1p#dY4|g@qT;DuD6p8a{^Qb+KJ+b)h*$}GHT>dT5Fapsnr4GTPTmLL ziaW}u;A~u2;dG!U53CyB3}8l~;eB2g9)vHm-W*A7G|s4$-aeLx;RAZS)p0ZiNfybe z|8U~)6Jd#COP2{I4P;Zc!2O_DeYihfnw1fk3|#9b=?be><=9@G)b?=_r+%p}Tr!*9 z-eoo4CyS+BsVar0ZuB;q$c=jVWf27YpS;B1&%Igne8B6x*$GHuR;b1cy9W{7p;IoM zkddN5zl*j>V58>$wppR26G{|c=|@(T(bq$mkFt(|8#6YYv_V;{H7US&9uE@*wg}_3 zlHtB3Ln;$TW$#|;x{v=>>LOVd29+^dd|@$(wh`PU7k8>8*J4xN+OWk%)g zFaS1(VkMD3B`m?b*9c#z+(zV&Xv@q2S00}rUAe^qHXnIq7uhDyRMRTe;43u^98-ky+#!f}6 zUts8Gf7?C|#w^O&U~bMZ$iryJuu2`m1{3Byeh3i!0;+cD?~AtF&&~yhX4C9eG9Jbv z9GaFn+p3`Mcq^--&hr#=jNty{BpPeDnQGt+9joelq88xdC}8Li)SHr`YOsZ|dt6nZ z-aS&*_5CO6O!KP5ha`(f5Z6=a{s#@7p|PMbo*VHOBGWPD^yDsa`T3frUTBAlT8*abMi$=vX z!m{Kf7h0U@)Qc7@OQ2$82HZv-rpsee-vgFpx?KpBy69SdO-NV*#*)UWXuLq-3D`Er zFm&__fzb9EQI_n`^NXwmE)OxQ!JMP~jP5i@^XDdt3lLS!k%M@xmFUd#U2^C$wwDX8 zy;@|}`h!k{H4#OxJ7qtn!|_!g>E*ZZAthSUVb0(|rYGxOOu3?;5C8`s#E4r|_-IA@ z(M3=r!m}q&o>`LTpHe^Q(N5ln*MFY`+%Bs(Zez7&H`^cxVv>b?=YEYkOxWip1>>fb6I!v{$4QNks9ZRIFHH7c|DTu^%&eGd zkaP1RreXCMe>9CnDK-3vX-axMWEe5oAzl`ji5;b@24^-!jjV^z@D%jqF&-B97F#M` zt?CaGIP}27z(=Ocq?)mk~l&%N^FUaJN439Q8;bCZQ3eGQLa|q5hlhhZe>fs3K{}{I=VH>B)0vSAL_sY+W7iu1w6dB#@CB=nvvE<8Dj%NhXEfMcO_7 
z$WgPIbOY+3?945^xe`&L4Oa32y%MGgif*P%K~SVv9qM=qROr7=Cg^29Utbv8F!x`S zL@uCRuFJ>ftrG^~WSrBV2xD=KeH{!R+pXQl6(ZEwW~e09x%Ep-%jT6oWLh(_BySfw zqZJjNf^{WY|Io6u*je`qzg9+*iUmw_DAr_EwO(3AQwr>wp;g7sq-N#WXDUmMhL*}n zM$^*2JPoS~$f@;~3Z$v^@e#mWQ+E%k&l%S4nsgW^WGVK1DSFxl$pCcoh`D-B6L!et z+0xKBa`eIo4(71WJ|fAGc0OuRhA35O&lrIL&Jgq1N5$&yJTiem_Cc;nc(iDVn&>us zMl*0^!fk@Tw+!_IhQ1H5=t`A>%UV@RlwRLHwCG*I#|{=_&AWs1$p_&)2ItP z!Z+}Mx?CzgtBXW#wG?)@t;mh)!8OTjS*@hOGi{gDMHTV9nv%`Pd?C{*mo4h4Vo?<; zZ_}oDg_&~FQCzCTb#64vMGq16Q|O&zO8h%@O8r5`v8kMi#n_{B$%2~^>!Wey5iFM; zJ>ri923(8pNJ9�Uu+sqh8}8deYj0*(2D`h6|Cg8jpM~6D6b>*M+dhxVDx_6uJPT zF=Rz=(9S6EWeh`|`7SMV@s3tBtK|*$-?OR4XcsIltPH#z8M6ox3jJP=atE1B@0IIV zt!Q~WPHpTQ!-)vm^qc8YkSu0oSImm)UXH6};^L!==c>6gt1Z4?*3U!FmzCwIS_AJD zN6nT)OK&_pFgeSLv~3j{&KfHoQ#BjZED0u+J-Y$gh$qpuGE^61w@)0Dj1LF+;#|$T z*nFnipGDZONHEndJ-SxaAF$g$!>Z5!m3yqVe)mGky=Eb+?UYqU(Z$p9#tM7og zDa3c}dUu|jgDcgwI`M#_fG@>U$k2AhQO5lMHioV0K{nO{Z>1v-^Ico2E?&rdGm4bQ z!n)TPVrcN6E=V0mNyFp2a3<=u!=H^aH-V?rU(d3xCM zlMzLjtW2RUgx$!SHc8hK0T(GI_{K?lq@Q*;lA>zH$XRJRaadK}nmV;HzG_q3MTLAi zqP5c$nL;(ee#u9Wb9=e4SbK<$olZMq7EZcN%nR|b_N=yi0gj9lWfi6vLV(nAzZh|h=9J0>RKc`Y|^$l>AfLHd<8cjD2 z$$Q^cQW2c(6a*{332?dDSxYD(3c^MS9c{p6Gf}MAjh|T$nkfO3NQ`iwt-Ncy_V`=B z{wOlY6GiA^|0|svRX*Y_mso~%5_eI)*FB8#Q)e=fTA#n7)JN)oLCKg18X}N-DO8Ru$VkQm4tvTZQ6C{t@=DMt}E_vs7HfZH<6-<5IW?_ zF3tP$#S?$e>W_vZ`=XOtpG}VBVF`;8aUef;JUjI7Wz^i9cm!QX^%?mWTQ%cV^;PBP z+F*#{or?s7Yb$W7i8A%GUj@YpS4C&%MY)l>Spov^o>)}Zq`)yJpeElY>Tz>bMI5oX zpH&eu9LW%ZHb8qve=#Xh`2#hC)6$SD=Z|jxM3$Te!hF9)rN(Y8zV%U~jm_#|8B=gW z^GX;x6SSm3i2k)y40>^HFV#Qm(_{Z4(d}(HE(JV1X-$m@1Ly1sEa?HE_-nun)KkzT zkcT$FB05^=iCX1!Sx9H7=1FOBiYIBbx;$Fht5QG6F&M@tU{rBkgDAN-w7ej{=gX_< z%IT-Up{OW=%-NUb!|*O7qjLRL9OLm>lXV5&)~s74mG;<5n-YkGrR-wJ@El63{%~)v06VS|;h_!LL2dA$%l+^SfRB&UmFdQtmOE`i_V%fZ zCVg{5x1DXWe3`7opw)AqjqZVbbj&38>U9Z*{;MkFhO_=);*QrVm0+?pVPT3wgpEWi zC|A2<5BxC~iK4XX73=RKe!A&Rf$bAdRzf+NLk=o<`+#smYnHBYz4&mFzUV1#82RQI zG=a_Gb&7PvAnjXOY33hC^Sg9NYF1*)!I(C-08QSXKPD9rnV&JlGn{73o5w3j%Ut%J 
z-H8T$Q*Wj<-v3T?FL;fE{*oS&Z+PAAH#-!5z7oeahCFP)-`9(i?@E%LH@Begon3yG zRkQkgB1d>Wp~xv``+H&$&!~oMtnMPBya;&hVbD1NS7qr@>lEmb*`5>1+BH=lD>9?CDx`jhy(26>FQRfo(f#RBP##_D-?PMF@ z1(NC_7MOCyMtUeRzxRX{Q=y#{U1^3)Ij_PlOkhHR>4)-i@I98QzUZSiUD@LMeb8T7n*IIfvR(tVod@z~rb7WpP9%M~t9Uj0Txf zSHZ$jLbp*@h|nf8_+nJ`DT5Z?$LTgcjK9T=JnXM{+Ji3Y#%)y<+x>9n7} zl&D?$-Wcm$p$-i=zW`GZQO8>Q1kfi4PzUC(E4gHxo7K;kl{=7ZbpITJOBuxBN&U-P zP{`&$0%GMdoe=O&rAq~U5EvAn+L@JWt-PVd! zkJz;Pm2l®30FP4BidzT3Hq7W6|HJiBy%j;BE1 z8y8QJfGc>s-{}pLZt)U zrta~!KQHC2ZSE*=8!JhmX4!Od<9h(0;d38e=p&nE@!jXA{-lln`C7H@%gL8VSgZ@Dc>zX#+=-`H|CIui$&u(q{<8c~%_)YeR4R5Iq7XD)N1(^F<_IvHqjPi-&mOmK$LHaQnUg0m*aWhj#i%bxDuo*wE8 zzaW0@-OZWLzP#7IfAxJ=`W(mU;y!;A3B|#m#y{)AhYF29hjj%7eP0|5%uxZ{Z!H&Z zUVdlF6p=vH2={iaLAU)+dC<0~mR4|`9A)Xr9*^}VI$^>sZeAeD{l-Z(4SCo({6k`T zf#s~Ciz}@Cu)Ij@0%v$49dbOB|0%)u_BFbz>37**JMo8St^*28Ty^t z@GHs`sAx?cO?z`%-b2e&9_0Ud`IC@)oB>r5Nr9;HE|__OO76ercV*o9hlB8=E0?A> zio#EBRG{`HHfzX;b+;e;2xHrUCzAv8m6>)adnJl$(=&ln#0AdP%A?3AJm5@~&qYx8 zMfZhzk>9#4uy#w#$wwIIOnR_iSNF-YmeO+!Z`)IUAmW#soPCY-%ml*H>C!C=53jGw z;aeA;Ni8CT^C*HIe!VZio*oNVVVw^T=jA01qSkZZ`!65&{TCtb+hZLcr>6^l&#+Ka zEK?&+3#7>=9`*2*zz}TshMbFF&oGnHrI@R>a?2JD&ZXL8qMtA9TTtWWq4B4fCM`P6 z2u1Fzvcl&c=!bBbLa*%T&Fzbu6c(@YvV7~5$LXhEUU!G5m+bVmp0D5Cz|2Zn3&ssy z6e7))#agzsT7CcyM1RLm49p@^`=|o4=dcc)8Q3~YEdmO-`JjKsZh&asDp~4S=Zxb` zrkV{ig(~g~a=5lK3M*+omsftHazbv3H`@(S7z#Gax7bvX2PMJe$vN>ku7faR3DP-s zkJQRI2{H0>js8jl%1^zsobcxFiJ{ThEP?UGLqs2REO#%eKFVEkGxVWYpcJ z#MC?~n(OobByYLs?L#LPgHeAkbYk0DF7NHJI}v=vY8QhVr@{^Q0iPG~?B9-x5gFdk zc{khX^^pcGH1O#*&WUv~pl!Q(isn4tI{@SvjF!Ra+Ocou!Y8`2`B!#=66f%j8yHz$I;dNYcxJa0}28hLYf2{^cNGnaTxQw|GiY20Jx|h_c3>cMvCwy5KP;J z!ZSmG7aXWb3F5tONC2^K;Ag76$;_b6w=Pk?ODwmRO<46xpA=;U{#g_6s)lV-n?!Gg29oZOw>eNR0O0R z`5?On3ct<#?Agtq__EASEH%{p(c;dE<`$`YEDOu z_^?g{*C;#=HqFxlr7E!CnH6kvM8MhNMIb9uxry3vWWG7jN_aAvax=$hd$q z3up^Xt5ZtlG)66tqQWX>fmAHb$8$($E9XS$dhyyQDcOmp;)S*1CIb9FD1 znU?D2_zI3_g93i02WnM;okA~D!(wAy%jkP&^;tVw%M?xb7~sIYN_Ptg`=|ztm}&-O zP+ORGlxsFyMWzr3ICYA?Yl)IH%h~??lv6dpZbvtGQ6&hSFI2@iX1FPYQ4HO6Geq?} zHh 
zeaD`S!(i_}^{1oC_l78e@zLtV511_3FHCac@XBow$nBOZzbCW1ko{NHJr2R4 zc@Qk4_bi^PJ|mg=CVtrW5$@5`@Sr;}nX^s#fPY3va9^=cH1R=af_wD)nj`3l-Q=rm z%XWX+G%aHS8TO`8L!&G$OV7@BX2++M+sDn<$;H$4TDZ&K>+z*N{kX`px6pn{a;bUm zgQ|jz{H)tW30vPn`%(C(p6v^fPh0yN=l~-u^e5X)2A0$Ll0{Lf<#6@_q>O&{qh~u? z58(Lz6JCtb(!*=onrLRflz%gAS4%f-%iHMzxPIJkxD)4y+ux6!86dsDei5ghhwp+s zxsAIuVtb$@$>YnT_Eel>c}Q zp}g-v7$&({3jGtG+f`XeuC*+;eN??qGvY+!Re5@N?1^yv+}`=`Q2-MDoyRSpVVAnC zc)&w8)#;t?qmfHX{&TJ`&0h)}=NpjN&jDlNbGv`hA?dd{r3d;jopM2&(Uss-Xl=hO zIof7!{v-8n(l1jyl!rRw2sC17-^`X_yT^K+ahBbcU@kP<6tkoPD19oV<>}kmQiA(T z-T_}h2c4fSJ6z|uE%!TQnN)x_Q%m~NvdpjSMlB7js=fPWgn${xtK0;~>_P(Avfa7V z%qgpwnIFEyO}j^43Nm#a;0gXU^PRtA_r!;7@igt%Tn;bSBld7zT|=*ME8J(v)f-tA zr_4-%6zskWpW@Ye(fC0lh%7Ne9W&C$I1!I%9QBKKMs|TdWs)2>H|Ks^*|7+*wW&NQi;yBlDl{d2O1Q5gf=2mNrMs80N zD5eRCk*^R7ROR|fIJG>c8a5j)B*N_>_}#6OZ?^#$9YV>3v_2eurd?wdgO|$;KDp80 z4mKN+J`?*l3m+Hg6#Shm-2Hag=)YGMPH9)j$K4y|hiWF;MR7r!w;c=t3_D_7t@Jkk zd$pNv4Qm0=#y01Tz3cc^`y1fkym<^*mDY;-Y(W<_?XuRRZx2u)Ao-92eZyok5@nbk z+e(abKR&iyGhNx~(iO}%`P2iv=Jx_{Z}5GtzVl+BE7t;_sw!M3)&M?AAsnVg2y=%j z)Vp-dyS&L#^feD{%o$ETd}<=~EcQXB#>P-rShZ_BW{9R&vmRlaFH?S@(h6T|uENq_PLdQ&(Xx+?FFc@lU5bv>XjQW$&eR81jozW8kd{=;zfUBJ!%hAKv=U- z2opapaU|6yP#h@)mlKc7W>ra*nsRz9U;S|5B0qQb`g|tfXYmE+g@;M+4yCq zCqMwfYiqU!uPtT>!O1n>!t)9$gw>7|z3vdy4vjbo@!xceo7Pj!R1=Z)>R@y&C>iBVSX`%kSMy-FDSC8xJ;A z6Mjy%@~<`Vf4nok{buO~{jOiUMn0-PTOwG=zm*nNVCwDmN^1p_UP=n?My#mv{5qas ziF@j4xBw%NU4>tEfP5YRwgvn_PYSTVuGy0*)w#7=`pY5$HbKYzwXP# z7X$hr#|?tDjekMokUA36iR-PaM|XRS{` zBU)q$+U@L#YFkv;KN=fHyhUEG?$qCHOI>NXw`5U&TE}^Uz5T-*24MX~3Pq&yF>}{;ua2 z|E}krnWgg0xrvXU>!Ew|bg{>PeTk2U|NOFcQ557;%jV95^XO^q&g^}J+qkE1|M~u; zu)}3KQX3{VGV+Lq3l~=~qbU;E%y_W&c69dR6Zy4r@OAL^eAzp^eSKWGovh$@_qcm` z`T97#4TSZ4zwcdszCRDlVA$ycSw#h93UAC5FDq#ASD6CWKdJ1G(|4M}*Q|7HSNgEx zbef7ev%AZ@AVL=Ho&I%WX6JrB{k|}Ao!#)0=`!%6=Y008eGdcOxo8a9wsJkKAJFxA zw6(HtVrk7afv&ZZtJFc|-hW#k*d}-%^aQ!gy z4NL(&-x|R!=<_S|jRlnqr%OA@AivTik$)BW)6Z+6ON@iU67f^a@(ZhUsXd%V3_OhbY8=B@@CLJh z;<+z9v7BUmNU6`HwP?5IfZ@SFIxh5`e$blo+NO)*g*i9$Ok-X#Sd4T*3$7z3>@&br 
z5W)}us)pk8$AVqzW3KMjT-yCr?zo_VW!EkGGuZ225jo`BZx3=*Tpp)iH+rtnZF>bH zP#tD>(m||OiD~}XTI~8LD)dJ>f>)(3_6wJd7Iyymgi>Rmm;Mw-YVIp*w}ehm`bk1E zyn=c;m*N9E_!S7Q>o!Y5$Jtq!zJEP?uk^p2qQV1oXZtm(_>u49XT(9d6Codw`{R*D zIlzbz&pnKZUKXL(YCgNsQ$|^vIRBMiaK@i~w;x*r^mUnCXpa>t<}Yk(VA7Kx2E9*Y zvaOL2FJv*dspMLhoi4Qc&|5b5-7K1rFHa2m4MUYhqJA^xJq~P%(i|V{>W$f@Dn%XI zq7gS9Zk^jZlJxi-kG=9fJzU2}*aycUti4UdPViu4^RcXC`=m&RQ7?OYzN?_Zl5!(u z$K%`CHEr(N3RE{8+3!!(UaI(guS@RPm6WJRDT3!|s0Csg7hxj(`RYg0)z{V2RC}js zE_nxtsrU{y4}Q1!X+Hw6;ohsi?3iqp-s9F}=2d;QosPu7Y_uNkv?|}iKi)eld9YX; zd~-%N3n{6%_fdBEZNw&mOpQ!b#@Vn)%GFxym8td} zNU6PG zl3{W*E+-}48|cO=e`SG3rA0m?mLyR_JT`LQMk{$UXWTsD==Iwvd8yl~<}q(lDPttn zr;Y}&cnoa8K0nV*kR>}br<$>@oKo(;(-<$|ffhyR6qi0$?8X(5ksaR4M<_O3i&9dE zpFW;928D3&)5Qej*v{3Xj#x#Q)P`ToW`NbFxDf7Roy;mZ0y0geN4{5ly`2&RK-{Xre4ti>s1mgows zlvkpul_SdB1y;@nQ9(fuN;O>nKRH6Dg#$I|9L02$Ls(4#|Oppe{j_1 zf7wi{JpVa2!cCn1D!;|2Jo~xvp7!JyhFZh9U%Xv5EsWW=&!4wColdpcW`3HVdA^C& zmE6i+r3Ec7`=kZ4DGL=1GHmg=q{D#O?mJr8>!_H9(nh##t2hDu;HukS$^f(gU|BMt z4I)idf}aI*T%7A?mHS}@`fp2ip=y6l%{R9#wf`QL^1mMqTKd0{_N4XSDy>45XjC8= zg>V6Izj31BS0@Y=h2b#tynLG#16@1hp2sSofjNv4zB9xN|L~bqJOs$WKxvUSe3U8p zZ@?vfKoSifu~M7qBw*$v)M|rIP^|4Kg!2aHKNgA78|IemtCbjJ+4(;x<^MW3-tV{P ze-o`){?AGjSe-A(b<^=w9GsACJz^&cXvjKdIJ6KhsdBUD6mRS#+&>}Px$ak?7GHXE zHqZ*Ch0K<%qv}`ImdStpK{5aD!Ql97_y2D|Siel=FKnBy|5Xdc9wq#3q~2HFTQvK1 zt(Cs&!fIXhy(}+Q{cu~^>)UJ1$y7t{o3iuQfXh>Mws})OSct9%=46 zdg}wGI^elhpc)2Uip9A|mI5JP(JSxlcH{iQL#{Xt-mrkqQlGa$Z@xcVzu=Ad4OKQ< zqetSi+26Ul*A{YX{TN$6#@3H<4Q&Pazr<@Tvji=({|rk0e@BN$U%USID{0N^zg2Ag zqqMbO8Ulapw!-<37>heJQ4LHKRoUi&wuZzjsM+9bI-qJ2j@BTT`?A) z=Jve~iCBvtpXQw3vU?W1Q&#zf61!y&rov|@znoec$cUq-XE>oM-8`+wfTFTe~MxzWu`dkkUKUzndeYjDn}tA7E>s+a{h@+ zknCFTj&HdwB~y>8{EKa={8#k;zYug{U{r>>~0RR7- K9ZdBA{09Kkwm+u; literal 0 HcmV?d00001 diff --git a/knative/helm/knative-serving/crds/certificate-crd.yaml b/knative/helm/knative-serving/crds/certificate-crd.yaml new file mode 100644 index 000000000..2ebb632e5 --- /dev/null +++ b/knative/helm/knative-serving/crds/certificate-crd.yaml 
@@ -0,0 +1,132 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: certificates.networking.internal.knative.dev
+ labels:
+ app.kubernetes.io/name: knative-serving
+ app.kubernetes.io/component: networking
+ app.kubernetes.io/version: "1.12.2"
+ knative.dev/crd-install: "true"
+spec:
+ group: networking.internal.knative.dev
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ schema:
+ openAPIV3Schema:
+ description: Certificate is responsible for provisioning a SSL certificate for the given hosts. It is a Knative abstraction for various SSL certificate provisioning solutions (such as cert-manager or self-signed SSL certificate).
+ type: object
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: 'Spec is the desired state of the Certificate. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
+ type: object
+ required:
+ - dnsNames
+ - secretName
+ properties:
+ dnsNames:
+ description: DNSNames is a list of DNS names the Certificate could support. The wildcard format of DNSNames (e.g. *.default.example.com) is supported.
+ type: array
+ items:
+ type: string
+ domain:
+ description: Domain is the top level domain of the values for DNSNames.
+ type: string
+ secretName:
+ description: SecretName is the name of the secret resource to store the SSL certificate in.
+ type: string
+ status:
+ description: 'Status is the current state of the Certificate. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
+ type: object
+ properties:
+ annotations:
+ description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards.
+ type: object
+ additionalProperties:
+ type: string
+ conditions:
+ description: Conditions the latest available observations of a resource's current state.
+ type: array
+ items:
+ description: 'Condition defines a readiness condition for a Knative resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties'
+ type: object
+ required:
+ - status
+ - type
+ properties:
+ lastTransitionTime:
+ description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant).
+ type: string
+ message:
+ description: A human readable message indicating details about the transition.
+ type: string
+ reason:
+ description: The reason for the condition's last transition.
+ type: string
+ severity:
+ description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error.
+ type: string
+ status:
+ description: Status of the condition, one of True, False, Unknown.
+ type: string
+ type:
+ description: Type of condition.
+ type: string
+ http01Challenges:
+ description: HTTP01Challenges is a list of HTTP01 challenges that need to be fulfilled in order to get the TLS certificate..
+ type: array
+ items:
+ description: HTTP01Challenge defines the status of a HTTP01 challenge that a certificate needs to fulfill.
+ type: object
+ properties:
+ serviceName:
+ description: ServiceName is the name of the service to serve HTTP01 challenge requests.
+ type: string
+ serviceNamespace:
+ description: ServiceNamespace is the namespace of the service to serve HTTP01 challenge requests.
+ type: string
+ servicePort:
+ description: ServicePort is the port of the service to serve HTTP01 challenge requests.
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ url:
+ description: URL is the URL that the HTTP01 challenge is expected to serve on.
+ type: string
+ notAfter:
+ description: The expiration time of the TLS certificate stored in the secret named by this resource in spec.secretName.
+ type: string
+ format: date-time
+ observedGeneration:
+ description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller.
+ type: integer
+ format: int64
+ additionalPrinterColumns:
+ - name: Ready
+ type: string
+ jsonPath: ".status.conditions[?(@.type==\"Ready\")].status"
+ - name: Reason
+ type: string
+ jsonPath: ".status.conditions[?(@.type==\"Ready\")].reason"
+ names:
+ kind: Certificate
+ plural: certificates
+ singular: certificate
+ categories:
+ - knative-internal
+ - networking
+ shortNames:
+ - kcert
+ scope: Namespaced
diff --git a/knative/helm/knative-serving/crds/clusterdomainclaim-crd.yaml b/knative/helm/knative-serving/crds/clusterdomainclaim-crd.yaml
new file mode 100644
index 000000000..053cf32f4
--- /dev/null
+++ b/knative/helm/knative-serving/crds/clusterdomainclaim-crd.yaml
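Review bot: The new `crds/certificate-crd.yaml` carries no note on how it is kept current, and Helm installs files under a chart's `crds/` directory only on first install; it never upgrades or deletes them on `helm upgrade`. The schema added here, labelled `app.kubernetes.io/version: "1.12.2"`, will therefore stay in the cluster unchanged when the chart later moves to a newer Knative Serving release, and any upstream schema or validation fixes will not arrive with it. The same applies to the `clusterdomainclaim-crd.yaml` hunk that follows. I would add a header comment to each file such as `# Copied from the upstream Knative Serving release (presumably 1.12.2); Helm does not upgrade crds/, re-apply with kubectl on version bumps.` and describe the CRD upgrade step in the chart's README.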
@@ -0,0 +1,49 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clusterdomainclaims.networking.internal.knative.dev
+ labels:
+ app.kubernetes.io/name: knative-serving
+ app.kubernetes.io/component: networking
+ app.kubernetes.io/version: "1.12.2"
+ knative.dev/crd-install: "true"
+spec:
+ group: networking.internal.knative.dev
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ schema:
+ openAPIV3Schema:
+ description: ClusterDomainClaim is a cluster-wide reservation for a particular domain name.
+ type: object
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: 'Spec is the desired state of the ClusterDomainClaim. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status'
+ type: object
+ required:
+ - namespace
+ properties:
+ namespace:
+ description: Namespace is the namespace which is allowed to create a DomainMapping using this ClusterDomainClaim's name.
+ type: string
+ names:
+ kind: ClusterDomainClaim
+ plural: clusterdomainclaims
+ singular: clusterdomainclaim
+ categories:
+ - knative-internal
+ - networking
+ shortNames:
+ - cdc
+ scope: Cluster
diff --git a/knative/helm/knative-serving/crds/configuration-crd.yaml b/knative/helm/knative-serving/crds/configuration-crd.yaml
new file mode 100644
index 000000000..fd9dd1be4
--- /dev/null
+++ b/knative/helm/knative-serving/crds/configuration-crd.yaml
@@ -0,0 +1,919 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: configurations.serving.knative.dev + labels: + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.12.2" + knative.dev/crd-install: "true" + duck.knative.dev/podspecable: "true" +spec: + group: serving.knative.dev + names: + kind: Configuration + plural: configurations + singular: configuration + categories: + - all + - knative + - serving + shortNames: + - config + - cfg + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: LatestCreated + type: string + jsonPath: .status.latestCreatedRevisionName + - name: LatestReady + type: string + jsonPath: .status.latestReadyRevisionName + - name: Ready + type: string + jsonPath: ".status.conditions[?(@.type=='Ready')].status" + - name: Reason + type: string + jsonPath: ".status.conditions[?(@.type=='Ready')].reason" + schema: + openAPIV3Schema: + description: 'Configuration represents the "floating HEAD" of a linear history of Revisions. Users create new Revisions by updating the Configuration''s spec. The "latest created" revision''s name is available under status, as is the "latest ready" revision''s name. See also: https://github.com/knative/serving/blob/main/docs/spec/overview.md#configuration' + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ConfigurationSpec holds the desired state of the Configuration (from the client). + type: object + properties: + template: + description: Template holds the latest specification for the Revision to be stamped out. + type: object + properties: + metadata: + type: object + properties: + annotations: + type: object + additionalProperties: + type: string + finalizers: + type: array + items: + type: string + labels: + type: object + additionalProperties: + type: string + name: + type: string + namespace: + type: string + x-kubernetes-preserve-unknown-fields: true + spec: + description: RevisionSpec holds the desired state of the Revision (from the client). + type: object + required: + - containers + properties: + affinity: + description: This is accessible behind a feature flag - kubernetes.podspec-affinity + type: object + x-kubernetes-preserve-unknown-fields: true + automountServiceAccountToken: + description: AutomountServiceAccountToken indicates whether a service account token should be automatically mounted. + type: boolean + containerConcurrency: + description: ContainerConcurrency specifies the maximum allowed in-flight (concurrent) requests per container of the Revision. Defaults to `0` which means concurrency to the application is not limited, and the system decides the target concurrency for the autoscaler. + type: integer + format: int64 + containers: + description: List of containers belonging to the pod. Containers cannot currently be added or removed. There must be at least one container in a Pod. Cannot be updated. + type: array + items: + description: A single application container that you want to run within a pod. + type: object + properties: + args: + description: 'Arguments to the entrypoint. The container image''s CMD is used if this is not provided. 
Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + type: array + items: + type: string + command: + description: 'Entrypoint array. Not executed within a shell. The container image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + type: array + items: + type: string + env: + description: List of environment variables to set in the container. Cannot be updated. + type: array + items: + description: EnvVar represents an environment variable present in a Container. + type: object + required: + - name + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. 
Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. Cannot be used if value is not empty. + type: object + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + type: object + required: + - key + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + fieldRef: + description: This is accessible behind a feature flag - kubernetes.podspec-fieldref + type: object + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-map-type: atomic + resourceFieldRef: + description: This is accessible behind a feature flag - kubernetes.podspec-fieldref + type: object + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + type: object + required: + - key + properties: + key: + description: The key of the secret to select from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + envFrom: + description: List of sources to populate environment variables in the container. 
The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. + type: array + items: + description: EnvFromSource represents the source of a set of ConfigMaps + type: object + properties: + configMapRef: + description: The ConfigMap to select from + type: object + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap must be defined + type: boolean + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + type: object + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret must be defined + type: boolean + x-kubernetes-map-type: atomic + image: + description: 'Container image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. 
More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + livenessProbe: + description: 'Periodic probe of container liveness. Container will be restarted if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + failureThreshold: + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: "Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). \n If this is not specified, the default behavior is defined by gRPC." + type: string + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + properties: + host: + description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. 
+ type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + path: + description: Path to access on the HTTP server. + type: string + port: + description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. Defaults to HTTP. + type: string + initialDelaySeconds: + description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + type: integer + format: int32 + periodSeconds: + description: How often (in seconds) to perform the probe. + type: integer + format: int32 + successThreshold: + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. + type: object + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + timeoutSeconds: + description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + type: integer + format: int32 + name: + description: Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated. + type: string + ports: + description: List of ports to expose from the container. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Modifying this array with strategic merge patch may corrupt the data. For more information See https://github.com/kubernetes/kubernetes/issues/108255. Cannot be updated. + type: array + items: + description: ContainerPort represents a network port in a single container. + type: object + required: + - containerPort + properties: + containerPort: + description: Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536. + type: integer + format: int32 + name: + description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services. + type: string + protocol: + description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". + type: string + default: TCP + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + type: object + properties: + exec: + description: Exec specifies the action to take. 
+ type: object + properties: + command: + description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + failureThreshold: + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: "Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). \n If this is not specified, the default behavior is defined by gRPC." + type: string + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + properties: + host: + description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + path: + description: Path to access on the HTTP server. 
+ type: string + port: + description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. Defaults to HTTP. + type: string + initialDelaySeconds: + description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + type: integer + format: int32 + periodSeconds: + description: How often (in seconds) to perform the probe. + type: integer + format: int32 + successThreshold: + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. + type: object + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + timeoutSeconds: + description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + type: integer + format: int32 + resources: + description: 'Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + properties: + claims: + description: "Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. 
\n This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. \n This field is immutable. It can only be set for containers." + type: array + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + type: object + required: + - name + properties: + name: + description: Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container. + type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + requests: + description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + securityContext: + description: 'SecurityContext defines the security options the container should be run with. If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. 
More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + type: object + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. Note that this field cannot be set when spec.os.name is windows. + type: object + properties: + add: + description: This is accessible behind a feature flag - kubernetes.containerspec-addcapabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + drop: + description: Removed capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + readOnlyRootFilesystem: + description: Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + runAsNonRoot: + description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. 
May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + seccompProfile: + description: The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options. Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must only be set if type is "Localhost". + type: string + type: + description: "type indicates which kind of seccomp profile will be applied. Valid options are: \n Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied." + type: string + terminationMessagePath: + description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' 
+ type: string + terminationMessagePolicy: + description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated. + type: string + volumeMounts: + description: Pod volumes to mount into the container's filesystem. Cannot be updated. + type: array + items: + description: VolumeMount describes a mounting of a Volume within a container. + type: object + required: + - mountPath + - name + properties: + mountPath: + description: Path within the container at which the volume should be mounted. Must not contain ':'. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false. + type: boolean + subPath: + description: Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root). + type: string + workingDir: + description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. + type: string + dnsConfig: + description: This is accessible behind a feature flag - kubernetes.podspec-dnsconfig + type: object + x-kubernetes-preserve-unknown-fields: true + dnsPolicy: + description: This is accessible behind a feature flag - kubernetes.podspec-dnspolicy + type: string + enableServiceLinks: + description: 'EnableServiceLinks indicates whether information about services should be injected into pod''s environment variables, matching the syntax of Docker links. Optional: Knative defaults this to false.' 
+ type: boolean + hostAliases: + description: This is accessible behind a feature flag - kubernetes.podspec-hostaliases + type: array + items: + description: This is accessible behind a feature flag - kubernetes.podspec-hostaliases + type: object + x-kubernetes-preserve-unknown-fields: true + idleTimeoutSeconds: + description: IdleTimeoutSeconds is the maximum duration in seconds a request will be allowed to stay open while not receiving any bytes from the user's application. If unspecified, a system default will be provided. + type: integer + format: int64 + imagePullSecrets: + description: 'ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' + type: array + items: + description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. + type: object + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + x-kubernetes-map-type: atomic + initContainers: + description: 'List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique among all containers. Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. 
The resourceRequirements of an init container are taken into account during scheduling by finding the highest request/limit for each resource type, and then using the max of of that value or the sum of the normal containers. Limits are applied to init containers in a similar fashion. Init containers cannot currently be added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/' + type: array + items: + description: This is accessible behind a feature flag - kubernetes.podspec-init-containers + type: object + x-kubernetes-preserve-unknown-fields: true + nodeSelector: + description: This is accessible behind a feature flag - kubernetes.podspec-nodeselector + type: object + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-map-type: atomic + priorityClassName: + description: This is accessible behind a feature flag - kubernetes.podspec-priorityclassname + type: string + x-kubernetes-preserve-unknown-fields: true + responseStartTimeoutSeconds: + description: ResponseStartTimeoutSeconds is the maximum duration in seconds that the request routing layer will wait for a request delivered to a container to begin sending any network traffic. + type: integer + format: int64 + runtimeClassName: + description: This is accessible behind a feature flag - kubernetes.podspec-runtimeclassname + type: string + x-kubernetes-preserve-unknown-fields: true + schedulerName: + description: This is accessible behind a feature flag - kubernetes.podspec-schedulername + type: string + x-kubernetes-preserve-unknown-fields: true + securityContext: + description: This is accessible behind a feature flag - kubernetes.podspec-securitycontext + type: object + x-kubernetes-preserve-unknown-fields: true + serviceAccountName: + description: 'ServiceAccountName is the name of the ServiceAccount to use to run this pod. 
More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' + type: string + shareProcessNamespace: + description: This is accessible behind a feature flag - kubernetes.podspec-shareproccessnamespace + type: boolean + x-kubernetes-preserve-unknown-fields: true + timeoutSeconds: + description: TimeoutSeconds is the maximum duration in seconds that the request instance is allowed to respond to a request. If unspecified, a system default will be provided. + type: integer + format: int64 + tolerations: + description: This is accessible behind a feature flag - kubernetes.podspec-tolerations + type: array + items: + description: This is accessible behind a feature flag - kubernetes.podspec-tolerations + type: object + x-kubernetes-preserve-unknown-fields: true + topologySpreadConstraints: + description: This is accessible behind a feature flag - kubernetes.podspec-topologyspreadconstraints + type: array + items: + description: This is accessible behind a feature flag - kubernetes.podspec-topologyspreadconstraints + type: object + x-kubernetes-preserve-unknown-fields: true + volumes: + description: 'List of volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes' + type: array + items: + description: Volume represents a named volume in a pod that may be accessed by any container in the pod. + type: object + required: + - name + properties: + configMap: + description: configMap represents a configMap that should populate this volume + type: object + properties: + defaultMode: + description: 'defaultMode is optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. 
This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + type: integer + format: int32 + items: + description: items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + type: integer + format: int32 + path: + description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + optional: + description: optional specify whether the ConfigMap or its keys must be defined + type: boolean + x-kubernetes-map-type: atomic + emptyDir: + description: This is accessible behind a feature flag - kubernetes.podspec-emptydir + type: object + x-kubernetes-preserve-unknown-fields: true + name: + description: 'name of the volume. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + persistentVolumeClaim: + description: This is accessible behind a feature flag - kubernetes.podspec-persistent-volume-claim + type: object + x-kubernetes-preserve-unknown-fields: true + projected: + description: projected items for all in one resources secrets, configmaps, and downward API + type: object + properties: + defaultMode: + description: defaultMode are the mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + sources: + description: sources is the list of volume projections + type: array + items: + description: Projection that may be projected along with other supported volume types + type: object + properties: + configMap: + description: configMap information about the configMap data to project + type: object + properties: + items: + description: items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. 
If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + type: integer + format: int32 + path: + description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: optional specify whether the ConfigMap or its keys must be defined + type: boolean + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about the downwardAPI data to project + type: object + properties: + items: + description: Items is a list of DownwardAPIVolume file + type: array + items: + description: DownwardAPIVolumeFile represents information to create the file containing the pod field + type: object + required: + - path + properties: + fieldRef: + description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.' 
+ type: object + required: + - fieldPath + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. + type: string + x-kubernetes-map-type: atomic + mode: + description: 'Optional: mode bits used to set permissions on this file, must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + type: integer + format: int32 + path: + description: 'Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.' 
+ type: object + required: + - resource + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + x-kubernetes-map-type: atomic + secret: + description: secret information about the secret data to project + type: object + properties: + items: + description: items if unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + type: integer + format: int32 + path: + description: path is the relative path of the file to map the key to. May not be an absolute path. 
May not contain the path element '..'. May not start with the string '..'. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: optional field specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information about the serviceAccountToken data to project + type: object + required: + - path + properties: + audience: + description: audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. The audience defaults to the identifier of the apiserver. + type: string + expirationSeconds: + description: expirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, the kubelet volume plugin will proactively rotate the service account token. The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours.Defaults to 1 hour and must be at least 10 minutes. + type: integer + format: int64 + path: + description: path is the path relative to the mount point of the file to project the token into. + type: string + secret: + description: 'secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + type: object + properties: + defaultMode: + description: 'defaultMode is Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. 
Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + type: integer + format: int32 + items: + description: items If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + type: integer + format: int32 + path: + description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. + type: string + optional: + description: optional field specify whether the Secret or its keys must be defined + type: boolean + secretName: + description: 'secretName is the name of the secret in the pod''s namespace to use. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + type: string + status: + description: ConfigurationStatus communicates the observed state of the Configuration (from the controller). + type: object + properties: + annotations: + description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. + type: object + additionalProperties: + type: string + conditions: + description: Conditions the latest available observations of a resource's current state. + type: array + items: + description: 'Condition defines a readiness condition for a Knative resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). + type: string + message: + description: A human readable message indicating details about the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + severity: + description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + latestCreatedRevisionName: + description: LatestCreatedRevisionName is the last revision that was created from this Configuration. It might not be ready yet, for that use LatestReadyRevisionName. 
+ type: string + latestReadyRevisionName: + description: LatestReadyRevisionName holds the name of the latest Revision stamped out from this Configuration that has had its "Ready" condition become "True". + type: string + observedGeneration: + description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. + type: integer + format: int64
diff --git a/knative/helm/knative-serving/crds/crds.yaml b/knative/helm/knative-serving/crds/crds.yaml
deleted file mode 100644
index bab174417..000000000
--- a/knative/helm/knative-serving/crds/crds.yaml
+++ /dev/null
@@ -1,3179 +0,0 @@ -# Copyright 2020 The Knative Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: certificates.networking.internal.knative.dev - labels: - serving.knative.dev/release: "v0.26.0" - knative.dev/crd-install: "true" -spec: - group: networking.internal.knative.dev - versions: - - name: v1alpha1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - # this is a work around so we don't need to flush out the - # schema for each version at this time - # - # see issue: https://github.com/knative/serving/issues/912 - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - name: Ready - type: string - jsonPath: ".status.conditions[?(@.type==\"Ready\")].status" - - name: Reason - type: string - jsonPath: ".status.conditions[?(@.type==\"Ready\")].reason" - names: - kind: Certificate - plural: certificates - singular: certificate - categories: - - knative-internal - - networking - shortNames: - - kcert - scope: Namespaced - ---- -# Copyright 2019 The Knative Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. 
-# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Note: The schema part of the spec is auto-generated by hack/update-schemas.sh. - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: configurations.serving.knative.dev - labels: - serving.knative.dev/release: "v0.26.0" - knative.dev/crd-install: "true" - duck.knative.dev/podspecable: "true" -spec: - group: serving.knative.dev - names: - kind: Configuration - plural: configurations - singular: configuration - categories: - - all - - knative - - serving - shortNames: - - config - - cfg - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: LatestCreated - type: string - jsonPath: .status.latestCreatedRevisionName - - name: LatestReady - type: string - jsonPath: .status.latestReadyRevisionName - - name: Ready - type: string - jsonPath: ".status.conditions[?(@.type=='Ready')].status" - - name: Reason - type: string - jsonPath: ".status.conditions[?(@.type=='Ready')].reason" - schema: - openAPIV3Schema: - description: 'Configuration represents the "floating HEAD" of a linear history of Revisions. Users create new Revisions by updating the Configuration''s spec. The "latest created" revision''s name is available under status, as is the "latest ready" revision''s name. See also: https://github.com/knative/serving/blob/main/docs/spec/overview.md#configuration' - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ConfigurationSpec holds the desired state of the Configuration (from the client). - type: object - properties: - template: - description: Template holds the latest specification for the Revision to be stamped out. - type: object - properties: - metadata: - type: object - properties: - annotations: - type: object - additionalProperties: - type: string - finalizers: - type: array - items: - type: string - labels: - type: object - additionalProperties: - type: string - name: - type: string - namespace: - type: string - x-kubernetes-preserve-unknown-fields: true - spec: - description: RevisionSpec holds the desired state of the Revision (from the client). - type: object - required: - - containers - properties: - automountServiceAccountToken: - description: AutomountServiceAccountToken indicates whether a service account token should be automatically mounted. - type: boolean - containerConcurrency: - description: ContainerConcurrency specifies the maximum allowed in-flight (concurrent) requests per container of the Revision. Defaults to `0` which means concurrency to the application is not limited, and the system decides the target concurrency for the autoscaler. - type: integer - format: int64 - containers: - description: List of containers belonging to the pod. Containers cannot currently be added or removed. There must be at least one container in a Pod. 
Cannot be updated. - type: array - items: - description: A single application container that you want to run within a pod. - type: object - properties: - args: - description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - type: array - items: - type: string - command: - description: 'Entrypoint array. Not executed within a shell. The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - type: array - items: - type: string - env: - description: List of environment variables to set in the container. Cannot be updated. - type: array - items: - description: EnvVar represents an environment variable present in a Container. - type: object - required: - - name - properties: - name: - description: Name of the environment variable. Must be a C_IDENTIFIER. - type: string - value: - description: 'Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. 
If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' - type: string - valueFrom: - description: Source for the environment variable's value. Cannot be used if value is not empty. - type: object - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - type: object - required: - - key - properties: - key: - description: The key to select. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap or its key must be defined - type: boolean - secretKeyRef: - description: Selects a key of a secret in the pod's namespace - type: object - required: - - key - properties: - key: - description: The key of the secret to select from. Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - x-kubernetes-preserve-unknown-fields: true - envFrom: - description: List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. 
- type: array - items: - description: EnvFromSource represents the source of a set of ConfigMaps - type: object - properties: - configMapRef: - description: The ConfigMap to select from - type: object - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap must be defined - type: boolean - prefix: - description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. - type: string - secretRef: - description: The Secret to select from - type: object - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the Secret must be defined - type: boolean - image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.' - type: string - imagePullPolicy: - description: 'Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' - type: string - livenessProbe: - description: 'Periodic probe of container liveness. Container will be restarted if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - type: object - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. 
- type: object - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - type: array - items: - type: string - failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - type: integer - format: int32 - httpGet: - description: HTTPGet specifies the http request to perform. - type: object - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - type: array - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - type: object - required: - - name - - value - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - path: - description: Path to access on the HTTP server. - type: string - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - x-kubernetes-preserve-unknown-fields: true - initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - type: integer - format: int32 - periodSeconds: - description: How often (in seconds) to perform the probe. 
- type: integer - format: int32 - successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - type: integer - format: int32 - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - type: object - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - x-kubernetes-preserve-unknown-fields: true - timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - type: integer - format: int32 - name: - description: Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated. - type: string - ports: - description: List of ports to expose from the container. Exposing a port here gives the system additional information about the network connections a container uses, but is primarily informational. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Cannot be updated. - type: array - items: - description: ContainerPort represents a network port in a single container. - type: object - required: - - containerPort - properties: - containerPort: - description: Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536. - type: integer - format: int32 - name: - description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services. 
- type: string - protocol: - description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". - type: string - default: TCP - x-kubernetes-preserve-unknown-fields: true - x-kubernetes-list-map-keys: - - containerPort - - protocol - x-kubernetes-list-type: map - readinessProbe: - description: 'Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - type: object - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - type: object - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - type: array - items: - type: string - failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - type: integer - format: int32 - httpGet: - description: HTTPGet specifies the http request to perform. - type: object - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. 
- type: array - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - type: object - required: - - name - - value - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - path: - description: Path to access on the HTTP server. - type: string - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - x-kubernetes-preserve-unknown-fields: true - initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - type: integer - format: int32 - periodSeconds: - description: How often (in seconds) to perform the probe. - type: integer - format: int32 - successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - type: integer - format: int32 - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - type: object - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - x-kubernetes-preserve-unknown-fields: true - timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - type: integer - format: int32 - resources: - description: 'Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - properties: - limits: - description: 'Limits describes the maximum amount of compute resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - additionalProperties: - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - requests: - description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - additionalProperties: - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - securityContext: - description: 'Security options the pod should run with. More info: https://kubernetes.io/docs/concepts/policy/security-context/ More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' - type: object - properties: - capabilities: - description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. - type: object - properties: - drop: - description: Removed capabilities - type: array - items: - description: Capability represent POSIX capabilities type - type: string - x-kubernetes-preserve-unknown-fields: true - readOnlyRootFilesystem: - description: Whether this container has a read-only root filesystem. Default is false. - type: boolean - runAsUser: - description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. 
- type: integer - format: int64 - x-kubernetes-preserve-unknown-fields: true - terminationMessagePath: - description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' - type: string - terminationMessagePolicy: - description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated. - type: string - volumeMounts: - description: Pod volumes to mount into the container's filesystem. Cannot be updated. - type: array - items: - description: VolumeMount describes a mounting of a Volume within a container. - type: object - required: - - mountPath - - name - properties: - mountPath: - description: Path within the container at which the volume should be mounted. Must not contain ':'. - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false. - type: boolean - subPath: - description: Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root). - type: string - workingDir: - description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. 
Cannot be updated. - type: string - x-kubernetes-preserve-unknown-fields: true - enableServiceLinks: - description: 'EnableServiceLinks indicates whether information about services should be injected into pod''s environment variables, matching the syntax of Docker links. Optional: Defaults to true.' - type: boolean - imagePullSecrets: - description: 'ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. For example, in the case of docker, only DockerConfig type secrets are honored. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' - type: array - items: - description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. - type: object - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - serviceAccountName: - description: 'ServiceAccountName is the name of the ServiceAccount to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' - type: string - timeoutSeconds: - description: TimeoutSeconds is the maximum duration in seconds that the request routing layer will wait for a request delivered to a container to begin replying (send network traffic). If unspecified, a system default will be provided. - type: integer - format: int64 - volumes: - description: 'List of volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes' - type: array - items: - description: Volume represents a named volume in a pod that may be accessed by any container in the pod. 
- type: object - required: - - name - properties: - configMap: - description: ConfigMap represents a configMap that should populate this volume - type: object - properties: - defaultMode: - description: 'Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' - type: integer - format: int32 - items: - description: If unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. - type: array - items: - description: Maps a string key to a path within a volume. - type: object - required: - - key - - path - properties: - key: - description: The key to project. - type: string - mode: - description: 'Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' - type: integer - format: int32 - path: - description: The relative path of the file to map the key to. May not be an absolute path. 
May not contain the path element '..'. May not start with the string '..'. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap or its keys must be defined - type: boolean - name: - description: 'Volume''s name. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - projected: - description: Items for all in one resources secrets, configmaps, and downward API - type: object - properties: - defaultMode: - description: Mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set. - type: integer - format: int32 - sources: - description: list of volume projections - type: array - items: - description: Projection that may be projected along with other supported volume types - type: object - properties: - configMap: - description: information about the configMap data to project - type: object - properties: - items: - description: If unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' 
path or start with '..'. - type: array - items: - description: Maps a string key to a path within a volume. - type: object - required: - - key - - path - properties: - key: - description: The key to project. - type: string - mode: - description: 'Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' - type: integer - format: int32 - path: - description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap or its keys must be defined - type: boolean - secret: - description: information about the secret data to project - type: object - properties: - items: - description: If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. - type: array - items: - description: Maps a string key to a path within a volume. - type: object - required: - - key - - path - properties: - key: - description: The key to project. 
- type: string - mode: - description: 'Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' - type: integer - format: int32 - path: - description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - serviceAccountToken: - description: information about the serviceAccountToken data to project - type: object - required: - - path - properties: - audience: - description: Audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. The audience defaults to the identifier of the apiserver. - type: string - expirationSeconds: - description: ExpirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, the kubelet volume plugin will proactively rotate the service account token. The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours.Defaults to 1 hour and must be at least 10 minutes. - type: integer - format: int64 - path: - description: Path is the path relative to the mount point of the file to project the token into. 
- type: string - secret: - description: 'Secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' - type: object - properties: - defaultMode: - description: 'Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' - type: integer - format: int32 - items: - description: If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. - type: array - items: - description: Maps a string key to a path within a volume. - type: object - required: - - key - - path - properties: - key: - description: The key to project. - type: string - mode: - description: 'Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' - type: integer - format: int32 - path: - description: The relative path of the file to map the key to. May not be an absolute path. 
May not contain the path element '..'. May not start with the string '..'. - type: string - optional: - description: Specify whether the Secret or its keys must be defined - type: boolean - secretName: - description: 'Name of the secret in the pod''s namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' - type: string - x-kubernetes-preserve-unknown-fields: true - x-kubernetes-preserve-unknown-fields: true - status: - description: ConfigurationStatus communicates the observed state of the Configuration (from the controller). - type: object - properties: - annotations: - description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. - type: object - additionalProperties: - type: string - conditions: - description: Conditions the latest available observations of a resource's current state. - type: array - items: - description: 'Condition defines a readiness condition for a Knative resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). - type: string - format: date-time - message: - description: A human readable message indicating details about the transition. - type: string - reason: - description: The reason for the condition's last transition. - type: string - severity: - description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error. 
- type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: Type of condition. - type: string - latestCreatedRevisionName: - description: LatestCreatedRevisionName is the last revision that was created from this Configuration. It might not be ready yet, for that use LatestReadyRevisionName. - type: string - latestReadyRevisionName: - description: LatestReadyRevisionName holds the name of the latest Revision stamped out from this Configuration that has had its "Ready" condition become "True". - type: string - observedGeneration: - description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. - type: integer - format: int64 - ---- -# Copyright 2020 The Knative Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: clusterdomainclaims.networking.internal.knative.dev - labels: - serving.knative.dev/release: "v0.26.0" - knative.dev/crd-install: "true" -spec: - group: networking.internal.knative.dev - versions: - - name: v1alpha1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - # this is a work around so we don't need to flush out the - # schema for each version at this time - # - # see issue: https://github.com/knative/serving/issues/912 - x-kubernetes-preserve-unknown-fields: true - names: - kind: ClusterDomainClaim - plural: clusterdomainclaims - singular: clusterdomainclaim - categories: - - knative-internal - - networking - shortNames: - - cdc - scope: Cluster - ---- -# Copyright 2020 The Knative Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: domainmappings.serving.knative.dev - labels: - serving.knative.dev/release: "v0.26.0" - knative.dev/crd-install: "true" -spec: - group: serving.knative.dev - versions: - - name: v1beta1 - served: true - storage: false - subresources: - status: {} - additionalPrinterColumns: - - name: URL - type: string - jsonPath: .status.url - - name: Ready - type: string - jsonPath: ".status.conditions[?(@.type=='Ready')].status" - - name: Reason - type: string - jsonPath: ".status.conditions[?(@.type=='Ready')].reason" - "schema": - "openAPIV3Schema": - description: DomainMapping is a mapping from a custom hostname to an Addressable. - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: 'Spec is the desired state of the DomainMapping. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - type: object - required: - - ref - properties: - ref: - description: "Ref specifies the target of the Domain Mapping. 
\n The object identified by the Ref must be an Addressable with a URL of the form `{name}.{namespace}.{domain}` where `{domain}` is the cluster domain, and `{name}` and `{namespace}` are the name and namespace of a Kubernetes Service. \n This contract is satisfied by Knative types such as Knative Services and Knative Routes, and by Kubernetes Services." - type: object - required: - - kind - - name - properties: - apiVersion: - description: API version of the referent. - type: string - group: - description: 'Group of the API, without the version of the group. This can be used as an alternative to the APIVersion, and then resolved using ResolveGroup. Note: This API is EXPERIMENTAL and might break anytime. For more details: https://github.com/knative/eventing/issues/5086' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ This is optional field, it gets defaulted to the object holding it if left out.' - type: string - tls: - description: TLS allows the DomainMapping to terminate TLS traffic with an existing secret. - type: object - required: - - secretName - properties: - secretName: - description: SecretName is the name of the existing secret used to terminate TLS traffic. - type: string - status: - description: 'Status is the current state of the DomainMapping. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - type: object - properties: - address: - description: Address holds the information needed for a DomainMapping to be the target of an event. 
- type: object - properties: - url: - type: string - annotations: - description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. - type: object - additionalProperties: - type: string - conditions: - description: Conditions the latest available observations of a resource's current state. - type: array - items: - description: 'Condition defines a readiness condition for a Knative resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). - type: string - format: date-time - message: - description: A human readable message indicating details about the transition. - type: string - reason: - description: The reason for the condition's last transition. - type: string - severity: - description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error. - type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: Type of condition. - type: string - observedGeneration: - description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. - type: integer - format: int64 - url: - description: URL is the URL of this DomainMapping. 
- type: string - - name: v1alpha1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - description: DomainMapping is a mapping from a custom hostname to an Addressable. - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: 'Spec is the desired state of the DomainMapping. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - type: object - required: - - ref - properties: - ref: - description: "Ref specifies the target of the Domain Mapping. \n The object identified by the Ref must be an Addressable with a URL of the form `{name}.{namespace}.{domain}` where `{domain}` is the cluster domain, and `{name}` and `{namespace}` are the name and namespace of a Kubernetes Service. \n This contract is satisfied by Knative types such as Knative Services and Knative Routes, and by Kubernetes Services." - type: object - required: - - kind - - name - properties: - apiVersion: - description: API version of the referent. - type: string - group: - description: 'Group of the API, without the version of the group. This can be used as an alternative to the APIVersion, and then resolved using ResolveGroup. Note: This API is EXPERIMENTAL and might break anytime. 
For more details: https://github.com/knative/eventing/issues/5086' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ This is optional field, it gets defaulted to the object holding it if left out.' - type: string - tls: - description: TLS allows the DomainMapping to terminate TLS traffic with an existing secret. - type: object - required: - - secretName - properties: - secretName: - description: SecretName is the name of the existing secret used to terminate TLS traffic. - type: string - status: - description: 'Status is the current state of the DomainMapping. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' - type: object - properties: - address: - description: Address holds the information needed for a DomainMapping to be the target of an event. - type: object - properties: - url: - type: string - annotations: - description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. - type: object - additionalProperties: - type: string - conditions: - description: Conditions the latest available observations of a resource's current state. - type: array - items: - description: 'Condition defines a readiness condition for a Knative resource. 
See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). - type: string - format: date-time - message: - description: A human readable message indicating details about the transition. - type: string - reason: - description: The reason for the condition's last transition. - type: string - severity: - description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error. - type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: Type of condition. - type: string - observedGeneration: - description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. - type: integer - format: int64 - url: - description: URL is the URL of this DomainMapping. - type: string - additionalPrinterColumns: - - name: URL - type: string - jsonPath: .status.url - - name: Ready - type: string - jsonPath: ".status.conditions[?(@.type=='Ready')].status" - - name: Reason - type: string - jsonPath: ".status.conditions[?(@.type=='Ready')].reason" - names: - kind: DomainMapping - plural: domainmappings - singular: domainmapping - categories: - - all - - knative - - serving - shortNames: - - dm - scope: Namespaced - ---- -# Copyright 2020 The Knative Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. 
-# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: ingresses.networking.internal.knative.dev - labels: - serving.knative.dev/release: "v0.26.0" - knative.dev/crd-install: "true" -spec: - group: networking.internal.knative.dev - versions: - - name: v1alpha1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - # this is a work around so we don't need to flush out the - # schema for each version at this time - # - # see issue: https://github.com/knative/serving/issues/912 - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - name: Ready - type: string - jsonPath: ".status.conditions[?(@.type=='Ready')].status" - - name: Reason - type: string - jsonPath: ".status.conditions[?(@.type=='Ready')].reason" - names: - kind: Ingress - plural: ingresses - singular: ingress - categories: - - knative-internal - - networking - shortNames: - - kingress - - king - scope: Namespaced - ---- -# Copyright 2019 The Knative Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
-# See the License for the specific language governing permissions and -# limitations under the License. - -# Note: The schema part of the spec is auto-generated by hack/update-schemas.sh. - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: metrics.autoscaling.internal.knative.dev - labels: - serving.knative.dev/release: "v0.26.0" - knative.dev/crd-install: "true" -spec: - group: autoscaling.internal.knative.dev - names: - kind: Metric - plural: metrics - singular: metric - categories: - - knative-internal - - autoscaling - scope: Namespaced - versions: - - name: v1alpha1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Ready - type: string - jsonPath: ".status.conditions[?(@.type=='Ready')].status" - - name: Reason - type: string - jsonPath: ".status.conditions[?(@.type=='Ready')].reason" - schema: - openAPIV3Schema: - description: Metric represents a resource to configure the metric collector with. - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec holds the desired state of the Metric (from the client). 
- type: object - required: - - panicWindow - - scrapeTarget - - stableWindow - properties: - panicWindow: - description: PanicWindow is the aggregation window for metrics where quick reactions are needed. - type: integer - format: int64 - scrapeTarget: - description: ScrapeTarget is the K8s service that publishes the metric endpoint. - type: string - stableWindow: - description: StableWindow is the aggregation window for metrics in a stable state. - type: integer - format: int64 - status: - description: Status communicates the observed state of the Metric (from the controller). - type: object - properties: - annotations: - description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. - type: object - additionalProperties: - type: string - conditions: - description: Conditions the latest available observations of a resource's current state. - type: array - items: - description: 'Condition defines a readiness condition for a Knative resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). - type: string - format: date-time - message: - description: A human readable message indicating details about the transition. - type: string - reason: - description: The reason for the condition's last transition. - type: string - severity: - description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error. 
- type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: Type of condition. - type: string - observedGeneration: - description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. - type: integer - format: int64 - ---- -# Copyright 2018 The Knative Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Note: The schema part of the spec is auto-generated by hack/update-schemas.sh. 
- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: podautoscalers.autoscaling.internal.knative.dev - labels: - serving.knative.dev/release: "v0.26.0" - knative.dev/crd-install: "true" -spec: - group: autoscaling.internal.knative.dev - names: - kind: PodAutoscaler - plural: podautoscalers - singular: podautoscaler - categories: - - knative-internal - - autoscaling - shortNames: - - kpa - - pa - scope: Namespaced - versions: - - name: v1alpha1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: DesiredScale - type: integer - jsonPath: ".status.desiredScale" - - name: ActualScale - type: integer - jsonPath: ".status.actualScale" - - name: Ready - type: string - jsonPath: ".status.conditions[?(@.type=='Ready')].status" - - name: Reason - type: string - jsonPath: ".status.conditions[?(@.type=='Ready')].reason" - schema: - openAPIV3Schema: - description: 'PodAutoscaler is a Knative abstraction that encapsulates the interface by which Knative components instantiate autoscalers. This definition is an abstraction that may be backed by multiple definitions. For more information, see the Knative Pluggability presentation: https://docs.google.com/presentation/d/10KWynvAJYuOEWy69VBa6bHJVCqIsz1TNdEKosNvcpPY/edit' - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec holds the desired state of the PodAutoscaler (from the client). - type: object - required: - - protocolType - - scaleTargetRef - properties: - containerConcurrency: - description: ContainerConcurrency specifies the maximum allowed in-flight (concurrent) requests per container of the Revision. Defaults to `0` which means unlimited concurrency. - type: integer - format: int64 - protocolType: - description: The application-layer protocol. Matches `ProtocolType` inferred from the revision spec. - type: string - reachability: - description: Reachability specifies whether or not the `ScaleTargetRef` can be reached (ie. has a route). Defaults to `ReachabilityUnknown` - type: string - scaleTargetRef: - description: ScaleTargetRef defines the /scale-able resource that this PodAutoscaler is responsible for quickly right-sizing. - type: object - properties: - apiVersion: - description: API version of the referent. - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - status: - description: Status communicates the observed state of the PodAutoscaler (from the controller). - type: object - required: - - metricsServiceName - - serviceName - properties: - actualScale: - description: ActualScale shows the actual number of replicas for the revision. - type: integer - format: int32 - annotations: - description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. 
This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. - type: object - additionalProperties: - type: string - conditions: - description: Conditions the latest available observations of a resource's current state. - type: array - items: - description: 'Condition defines a readiness condition for a Knative resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). - type: string - format: date-time - message: - description: A human readable message indicating details about the transition. - type: string - reason: - description: The reason for the condition's last transition. - type: string - severity: - description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error. - type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: Type of condition. - type: string - desiredScale: - description: DesiredScale shows the current desired number of replicas for the revision. - type: integer - format: int32 - metricsServiceName: - description: MetricsServiceName is the K8s Service name that provides revision metrics. The service is managed by the PA object. - type: string - observedGeneration: - description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. - type: integer - format: int64 - serviceName: - description: ServiceName is the K8s Service name that serves the revision, scaled by this PA. 
The service is created and owned by the ServerlessService object owned by this PA. - type: string - ---- -# Copyright 2019 The Knative Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Note: The schema part of the spec is auto-generated by hack/update-schemas.sh. - -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: revisions.serving.knative.dev - labels: - serving.knative.dev/release: "v0.26.0" - knative.dev/crd-install: "true" -spec: - group: serving.knative.dev - names: - kind: Revision - plural: revisions - singular: revision - categories: - - all - - knative - - serving - shortNames: - - rev - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: Config Name - type: string - jsonPath: ".metadata.labels['serving\\.knative\\.dev/configuration']" - - name: K8s Service Name - type: string - jsonPath: ".status.serviceName" - - name: Generation - type: string # int in string form :( - jsonPath: ".metadata.labels['serving\\.knative\\.dev/configurationGeneration']" - - name: Ready - type: string - jsonPath: ".status.conditions[?(@.type=='Ready')].status" - - name: Reason - type: string - jsonPath: ".status.conditions[?(@.type=='Ready')].reason" - - name: Actual Replicas - type: integer - jsonPath: ".status.actualReplicas" - - name: Desired Replicas - type: integer - jsonPath: ".status.desiredReplicas" - schema: - openAPIV3Schema: - 
description: "Revision is an immutable snapshot of code and configuration. A revision references a container image. Revisions are created by updates to a Configuration. \n See also: https://github.com/knative/serving/blob/main/docs/spec/overview.md#revision" - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: RevisionSpec holds the desired state of the Revision (from the client). - type: object - required: - - containers - properties: - automountServiceAccountToken: - description: AutomountServiceAccountToken indicates whether a service account token should be automatically mounted. - type: boolean - containerConcurrency: - description: ContainerConcurrency specifies the maximum allowed in-flight (concurrent) requests per container of the Revision. Defaults to `0` which means concurrency to the application is not limited, and the system decides the target concurrency for the autoscaler. - type: integer - format: int64 - containers: - description: List of containers belonging to the pod. Containers cannot currently be added or removed. There must be at least one container in a Pod. Cannot be updated. - type: array - items: - description: A single application container that you want to run within a pod. - type: object - properties: - args: - description: 'Arguments to the entrypoint. 
The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - type: array - items: - type: string - command: - description: 'Entrypoint array. Not executed within a shell. The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - type: array - items: - type: string - env: - description: List of environment variables to set in the container. Cannot be updated. - type: array - items: - description: EnvVar represents an environment variable present in a Container. - type: object - required: - - name - properties: - name: - description: Name of the environment variable. Must be a C_IDENTIFIER. - type: string - value: - description: 'Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). 
Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' - type: string - valueFrom: - description: Source for the environment variable's value. Cannot be used if value is not empty. - type: object - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - type: object - required: - - key - properties: - key: - description: The key to select. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap or its key must be defined - type: boolean - secretKeyRef: - description: Selects a key of a secret in the pod's namespace - type: object - required: - - key - properties: - key: - description: The key of the secret to select from. Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - x-kubernetes-preserve-unknown-fields: true - envFrom: - description: List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. - type: array - items: - description: EnvFromSource represents the source of a set of ConfigMaps - type: object - properties: - configMapRef: - description: The ConfigMap to select from - type: object - properties: - name: - description: 'Name of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap must be defined - type: boolean - prefix: - description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. - type: string - secretRef: - description: The Secret to select from - type: object - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the Secret must be defined - type: boolean - image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.' - type: string - imagePullPolicy: - description: 'Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' - type: string - livenessProbe: - description: 'Periodic probe of container liveness. Container will be restarted if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - type: object - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - type: object - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. 
The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - type: array - items: - type: string - failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - type: integer - format: int32 - httpGet: - description: HTTPGet specifies the http request to perform. - type: object - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - type: array - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - type: object - required: - - name - - value - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - path: - description: Path to access on the HTTP server. - type: string - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - x-kubernetes-preserve-unknown-fields: true - initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - type: integer - format: int32 - periodSeconds: - description: How often (in seconds) to perform the probe. - type: integer - format: int32 - successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - type: integer - format: int32 - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. 
TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - type: object - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - x-kubernetes-preserve-unknown-fields: true - timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - type: integer - format: int32 - name: - description: Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated. - type: string - ports: - description: List of ports to expose from the container. Exposing a port here gives the system additional information about the network connections a container uses, but is primarily informational. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Cannot be updated. - type: array - items: - description: ContainerPort represents a network port in a single container. - type: object - required: - - containerPort - properties: - containerPort: - description: Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536. - type: integer - format: int32 - name: - description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services. - type: string - protocol: - description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". - type: string - default: TCP - x-kubernetes-preserve-unknown-fields: true - x-kubernetes-list-map-keys: - - containerPort - - protocol - x-kubernetes-list-type: map - readinessProbe: - description: 'Periodic probe of container service readiness. 
Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - type: object - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - type: object - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - type: array - items: - type: string - failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - type: integer - format: int32 - httpGet: - description: HTTPGet specifies the http request to perform. - type: object - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - type: array - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - type: object - required: - - name - - value - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - path: - description: Path to access on the HTTP server. - type: string - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - x-kubernetes-preserve-unknown-fields: true - initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - type: integer - format: int32 - periodSeconds: - description: How often (in seconds) to perform the probe. - type: integer - format: int32 - successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - type: integer - format: int32 - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - type: object - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - x-kubernetes-preserve-unknown-fields: true - timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - type: integer - format: int32 - resources: - description: 'Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - properties: - limits: - description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - additionalProperties: - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - requests: - description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - additionalProperties: - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - securityContext: - description: 'Security options the pod should run with. More info: https://kubernetes.io/docs/concepts/policy/security-context/ More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' - type: object - properties: - capabilities: - description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. - type: object - properties: - drop: - description: Removed capabilities - type: array - items: - description: Capability represent POSIX capabilities type - type: string - x-kubernetes-preserve-unknown-fields: true - readOnlyRootFilesystem: - description: Whether this container has a read-only root filesystem. Default is false. - type: boolean - runAsUser: - description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - type: integer - format: int64 - x-kubernetes-preserve-unknown-fields: true - terminationMessagePath: - description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' 
- type: string - terminationMessagePolicy: - description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated. - type: string - volumeMounts: - description: Pod volumes to mount into the container's filesystem. Cannot be updated. - type: array - items: - description: VolumeMount describes a mounting of a Volume within a container. - type: object - required: - - mountPath - - name - properties: - mountPath: - description: Path within the container at which the volume should be mounted. Must not contain ':'. - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false. - type: boolean - subPath: - description: Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root). - type: string - workingDir: - description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. - type: string - x-kubernetes-preserve-unknown-fields: true - enableServiceLinks: - description: 'EnableServiceLinks indicates whether information about services should be injected into pod''s environment variables, matching the syntax of Docker links. Optional: Defaults to true.' - type: boolean - imagePullSecrets: - description: 'ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. 
If specified, these secrets will be passed to individual puller implementations for them to use. For example, in the case of docker, only DockerConfig type secrets are honored. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' - type: array - items: - description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. - type: object - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - serviceAccountName: - description: 'ServiceAccountName is the name of the ServiceAccount to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' - type: string - timeoutSeconds: - description: TimeoutSeconds is the maximum duration in seconds that the request routing layer will wait for a request delivered to a container to begin replying (send network traffic). If unspecified, a system default will be provided. - type: integer - format: int64 - volumes: - description: 'List of volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes' - type: array - items: - description: Volume represents a named volume in a pod that may be accessed by any container in the pod. - type: object - required: - - name - properties: - configMap: - description: ConfigMap represents a configMap that should populate this volume - type: object - properties: - defaultMode: - description: 'Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. 
Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' - type: integer - format: int32 - items: - description: If unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. - type: array - items: - description: Maps a string key to a path within a volume. - type: object - required: - - key - - path - properties: - key: - description: The key to project. - type: string - mode: - description: 'Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' - type: integer - format: int32 - path: - description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap or its keys must be defined - type: boolean - name: - description: 'Volume''s name. Must be a DNS_LABEL and unique within the pod. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - projected: - description: Items for all in one resources secrets, configmaps, and downward API - type: object - properties: - defaultMode: - description: Mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set. - type: integer - format: int32 - sources: - description: list of volume projections - type: array - items: - description: Projection that may be projected along with other supported volume types - type: object - properties: - configMap: - description: information about the configMap data to project - type: object - properties: - items: - description: If unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. - type: array - items: - description: Maps a string key to a path within a volume. - type: object - required: - - key - - path - properties: - key: - description: The key to project. - type: string - mode: - description: 'Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. 
If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' - type: integer - format: int32 - path: - description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap or its keys must be defined - type: boolean - secret: - description: information about the secret data to project - type: object - properties: - items: - description: If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. - type: array - items: - description: Maps a string key to a path within a volume. - type: object - required: - - key - - path - properties: - key: - description: The key to project. - type: string - mode: - description: 'Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' 
- type: integer - format: int32 - path: - description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - serviceAccountToken: - description: information about the serviceAccountToken data to project - type: object - required: - - path - properties: - audience: - description: Audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. The audience defaults to the identifier of the apiserver. - type: string - expirationSeconds: - description: ExpirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, the kubelet volume plugin will proactively rotate the service account token. The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours.Defaults to 1 hour and must be at least 10 minutes. - type: integer - format: int64 - path: - description: Path is the path relative to the mount point of the file to project the token into. - type: string - secret: - description: 'Secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' - type: object - properties: - defaultMode: - description: 'Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. 
YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' - type: integer - format: int32 - items: - description: If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. - type: array - items: - description: Maps a string key to a path within a volume. - type: object - required: - - key - - path - properties: - key: - description: The key to project. - type: string - mode: - description: 'Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' - type: integer - format: int32 - path: - description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. - type: string - optional: - description: Specify whether the Secret or its keys must be defined - type: boolean - secretName: - description: 'Name of the secret in the pod''s namespace to use. 
More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' - type: string - x-kubernetes-preserve-unknown-fields: true - x-kubernetes-preserve-unknown-fields: true - status: - description: RevisionStatus communicates the observed state of the Revision (from the controller). - type: object - properties: - actualReplicas: - description: ActualReplicas reflects the amount of ready pods running this revision. - type: integer - format: int32 - annotations: - description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. - type: object - additionalProperties: - type: string - conditions: - description: Conditions the latest available observations of a resource's current state. - type: array - items: - description: 'Condition defines a readiness condition for a Knative resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). - type: string - format: date-time - message: - description: A human readable message indicating details about the transition. - type: string - reason: - description: The reason for the condition's last transition. - type: string - severity: - description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error. - type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: Type of condition. 
- type: string - containerStatuses: - description: 'ContainerStatuses is a slice of images present in .Spec.Container[*].Image to their respective digests and their container name. The digests are resolved during the creation of Revision. ContainerStatuses holds the container name and image digests for both serving and non serving containers. ref: http://bit.ly/image-digests' - type: array - items: - description: ContainerStatus holds the information of container name and image digest value - type: object - properties: - imageDigest: - type: string - name: - type: string - desiredReplicas: - description: DesiredReplicas reflects the desired amount of pods running this revision. - type: integer - format: int32 - logUrl: - description: LogURL specifies the generated logging url for this particular revision based on the revision url template specified in the controller's config. - type: string - observedGeneration: - description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. - type: integer - format: int64 - ---- -# Copyright 2019 The Knative Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Note: The schema part of the spec is auto-generated by hack/update-schemas.sh. 
- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: routes.serving.knative.dev - labels: - serving.knative.dev/release: "v0.26.0" - knative.dev/crd-install: "true" - duck.knative.dev/addressable: "true" -spec: - group: serving.knative.dev - names: - kind: Route - plural: routes - singular: route - categories: - - all - - knative - - serving - shortNames: - - rt - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: URL - type: string - jsonPath: .status.url - - name: Ready - type: string - jsonPath: ".status.conditions[?(@.type=='Ready')].status" - - name: Reason - type: string - jsonPath: ".status.conditions[?(@.type=='Ready')].reason" - schema: - openAPIV3Schema: - description: 'Route is responsible for configuring ingress over a collection of Revisions. Some of the Revisions a Route distributes traffic over may be specified by referencing the Configuration responsible for creating them; in these cases the Route is additionally responsible for monitoring the Configuration for "latest ready revision" changes, and smoothly rolling out latest revisions. See also: https://github.com/knative/serving/blob/main/docs/spec/overview.md#route' - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec holds the desired state of the Route (from the client). - type: object - properties: - traffic: - description: Traffic specifies how to distribute traffic over a collection of revisions and configurations. - type: array - items: - description: TrafficTarget holds a single entry of the routing table for a Route. - type: object - properties: - configurationName: - description: ConfigurationName of a configuration to whose latest revision we will send this portion of traffic. When the "status.latestReadyRevisionName" of the referenced configuration changes, we will automatically migrate traffic from the prior "latest ready" revision to the new one. This field is never set in Route's status, only its spec. This is mutually exclusive with RevisionName. - type: string - latestRevision: - description: LatestRevision may be optionally provided to indicate that the latest ready Revision of the Configuration should be used for this traffic target. When provided LatestRevision must be true if RevisionName is empty; it must be false when RevisionName is non-empty. - type: boolean - percent: - description: 'Percent indicates that percentage based routing should be used and the value indicates the percent of traffic that is be routed to this Revision or Configuration. `0` (zero) mean no traffic, `100` means all traffic. When percentage based routing is being used the follow rules apply: - the sum of all percent values must equal 100 - when not specified, the implied value for `percent` is zero for that particular Revision or Configuration' - type: integer - format: int64 - revisionName: - description: RevisionName of a specific revision to which to send this portion of traffic. This is mutually exclusive with ConfigurationName. 
- type: string - tag: - description: Tag is optionally used to expose a dedicated url for referencing this target exclusively. - type: string - url: - description: URL displays the URL for accessing named traffic targets. URL is displayed in status, and is disallowed on spec. URL must contain a scheme (e.g. http://) and a hostname, but may not contain anything else (e.g. basic auth, url path, etc.) - type: string - status: - description: Status communicates the observed state of the Route (from the controller). - type: object - properties: - address: - description: Address holds the information needed for a Route to be the target of an event. - type: object - properties: - url: - type: string - annotations: - description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. - type: object - additionalProperties: - type: string - conditions: - description: Conditions the latest available observations of a resource's current state. - type: array - items: - description: 'Condition defines a readiness condition for a Knative resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). - type: string - format: date-time - message: - description: A human readable message indicating details about the transition. - type: string - reason: - description: The reason for the condition's last transition. 
- type: string - severity: - description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error. - type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: Type of condition. - type: string - observedGeneration: - description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. - type: integer - format: int64 - traffic: - description: Traffic holds the configured traffic distribution. These entries will always contain RevisionName references. When ConfigurationName appears in the spec, this will hold the LatestReadyRevisionName that we last observed. - type: array - items: - description: TrafficTarget holds a single entry of the routing table for a Route. - type: object - properties: - configurationName: - description: ConfigurationName of a configuration to whose latest revision we will send this portion of traffic. When the "status.latestReadyRevisionName" of the referenced configuration changes, we will automatically migrate traffic from the prior "latest ready" revision to the new one. This field is never set in Route's status, only its spec. This is mutually exclusive with RevisionName. - type: string - latestRevision: - description: LatestRevision may be optionally provided to indicate that the latest ready Revision of the Configuration should be used for this traffic target. When provided LatestRevision must be true if RevisionName is empty; it must be false when RevisionName is non-empty. - type: boolean - percent: - description: 'Percent indicates that percentage based routing should be used and the value indicates the percent of traffic that is be routed to this Revision or Configuration. `0` (zero) mean no traffic, `100` means all traffic. 
When percentage based routing is being used the follow rules apply: - the sum of all percent values must equal 100 - when not specified, the implied value for `percent` is zero for that particular Revision or Configuration' - type: integer - format: int64 - revisionName: - description: RevisionName of a specific revision to which to send this portion of traffic. This is mutually exclusive with ConfigurationName. - type: string - tag: - description: Tag is optionally used to expose a dedicated url for referencing this target exclusively. - type: string - url: - description: URL displays the URL for accessing named traffic targets. URL is displayed in status, and is disallowed on spec. URL must contain a scheme (e.g. http://) and a hostname, but may not contain anything else (e.g. basic auth, url path, etc.) - type: string - url: - description: URL holds the url that will distribute traffic over the provided traffic targets. It generally has the form http[s]://{route-name}.{route-namespace}.{cluster-level-suffix} - type: string - ---- -# Copyright 2019 The Knative Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: serverlessservices.networking.internal.knative.dev - labels: - serving.knative.dev/release: "v0.26.0" - knative.dev/crd-install: "true" -spec: - group: networking.internal.knative.dev - versions: - - name: v1alpha1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - # this is a work around so we don't need to flush out the - # schema for each version at this time - # - # see issue: https://github.com/knative/serving/issues/912 - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - name: Mode - type: string - jsonPath: ".spec.mode" - - name: Activators - type: integer - jsonPath: ".spec.numActivators" - - name: ServiceName - type: string - jsonPath: ".status.serviceName" - - name: PrivateServiceName - type: string - jsonPath: ".status.privateServiceName" - - name: Ready - type: string - jsonPath: ".status.conditions[?(@.type=='Ready')].status" - - name: Reason - type: string - jsonPath: ".status.conditions[?(@.type=='Ready')].reason" - names: - kind: ServerlessService - plural: serverlessservices - singular: serverlessservice - categories: - - knative-internal - - networking - shortNames: - - sks - scope: Namespaced - ---- -# Copyright 2019 The Knative Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Note: The schema part of the spec is auto-generated by hack/update-schemas.sh. 
- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: services.serving.knative.dev - labels: - serving.knative.dev/release: "v0.26.0" - knative.dev/crd-install: "true" - duck.knative.dev/addressable: "true" - duck.knative.dev/podspecable: "true" -spec: - group: serving.knative.dev - names: - kind: Service - plural: services - singular: service - categories: - - all - - knative - - serving - shortNames: - - kservice - - ksvc - scope: Namespaced - versions: - - name: v1 - served: true - storage: true - subresources: - status: {} - additionalPrinterColumns: - - name: URL - type: string - jsonPath: .status.url - - name: LatestCreated - type: string - jsonPath: .status.latestCreatedRevisionName - - name: LatestReady - type: string - jsonPath: .status.latestReadyRevisionName - - name: Ready - type: string - jsonPath: ".status.conditions[?(@.type=='Ready')].status" - - name: Reason - type: string - jsonPath: ".status.conditions[?(@.type=='Ready')].reason" - schema: - openAPIV3Schema: - description: "Service acts as a top-level container that manages a Route and Configuration which implement a network service. Service exists to provide a singular abstraction which can be access controlled, reasoned about, and which encapsulates software lifecycle decisions such as rollout policy and team resource ownership. Service acts only as an orchestrator of the underlying Routes and Configurations (much as a kubernetes Deployment orchestrates ReplicaSets), and its usage is optional but recommended. \n The Service's controller will track the statuses of its owned Configuration and Route, reflecting their statuses and conditions as its own. \n See also: https://github.com/knative/serving/blob/main/docs/spec/overview.md#service" - type: object - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ServiceSpec represents the configuration for the Service object. A Service's specification is the union of the specifications for a Route and Configuration. The Service restricts what can be expressed in these fields, e.g. the Route must reference the provided Configuration; however, these limitations also enable friendlier defaulting, e.g. Route never needs a Configuration name, and may be defaulted to the appropriate "run latest" spec. - type: object - properties: - template: - description: Template holds the latest specification for the Revision to be stamped out. - type: object - properties: - metadata: - type: object - properties: - annotations: - type: object - additionalProperties: - type: string - finalizers: - type: array - items: - type: string - labels: - type: object - additionalProperties: - type: string - name: - type: string - namespace: - type: string - x-kubernetes-preserve-unknown-fields: true - spec: - description: RevisionSpec holds the desired state of the Revision (from the client). - type: object - required: - - containers - properties: - automountServiceAccountToken: - description: AutomountServiceAccountToken indicates whether a service account token should be automatically mounted. 
- type: boolean - containerConcurrency: - description: ContainerConcurrency specifies the maximum allowed in-flight (concurrent) requests per container of the Revision. Defaults to `0` which means concurrency to the application is not limited, and the system decides the target concurrency for the autoscaler. - type: integer - format: int64 - containers: - description: List of containers belonging to the pod. Containers cannot currently be added or removed. There must be at least one container in a Pod. Cannot be updated. - type: array - items: - description: A single application container that you want to run within a pod. - type: object - properties: - args: - description: 'Arguments to the entrypoint. The docker image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - type: array - items: - type: string - command: - description: 'Entrypoint array. Not executed within a shell. The docker image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. 
More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' - type: array - items: - type: string - env: - description: List of environment variables to set in the container. Cannot be updated. - type: array - items: - description: EnvVar represents an environment variable present in a Container. - type: object - required: - - name - properties: - name: - description: Name of the environment variable. Must be a C_IDENTIFIER. - type: string - value: - description: 'Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' - type: string - valueFrom: - description: Source for the environment variable's value. Cannot be used if value is not empty. - type: object - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - type: object - required: - - key - properties: - key: - description: The key to select. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap or its key must be defined - type: boolean - secretKeyRef: - description: Selects a key of a secret in the pod's namespace - type: object - required: - - key - properties: - key: - description: The key of the secret to select from. Must be a valid secret key. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. 
apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - x-kubernetes-preserve-unknown-fields: true - envFrom: - description: List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. - type: array - items: - description: EnvFromSource represents the source of a set of ConfigMaps - type: object - properties: - configMapRef: - description: The ConfigMap to select from - type: object - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap must be defined - type: boolean - prefix: - description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. - type: string - secretRef: - description: The Secret to select from - type: object - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the Secret must be defined - type: boolean - image: - description: 'Docker image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.' - type: string - imagePullPolicy: - description: 'Image pull policy. One of Always, Never, IfNotPresent. 
Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' - type: string - livenessProbe: - description: 'Periodic probe of container liveness. Container will be restarted if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - type: object - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - type: object - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - type: array - items: - type: string - failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - type: integer - format: int32 - httpGet: - description: HTTPGet specifies the http request to perform. - type: object - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - type: array - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - type: object - required: - - name - - value - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - path: - description: Path to access on the HTTP server. 
- type: string - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - x-kubernetes-preserve-unknown-fields: true - initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - type: integer - format: int32 - periodSeconds: - description: How often (in seconds) to perform the probe. - type: integer - format: int32 - successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - type: integer - format: int32 - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - type: object - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - x-kubernetes-preserve-unknown-fields: true - timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - type: integer - format: int32 - name: - description: Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated. - type: string - ports: - description: List of ports to expose from the container. Exposing a port here gives the system additional information about the network connections a container uses, but is primarily informational. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Cannot be updated. 
- type: array - items: - description: ContainerPort represents a network port in a single container. - type: object - required: - - containerPort - properties: - containerPort: - description: Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536. - type: integer - format: int32 - name: - description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services. - type: string - protocol: - description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". - type: string - default: TCP - x-kubernetes-preserve-unknown-fields: true - x-kubernetes-list-map-keys: - - containerPort - - protocol - x-kubernetes-list-type: map - readinessProbe: - description: 'Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - type: object - properties: - exec: - description: One and only one of the following should be specified. Exec specifies the action to take. - type: object - properties: - command: - description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. - type: array - items: - type: string - failureThreshold: - description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. - type: integer - format: int32 - httpGet: - description: HTTPGet specifies the http request to perform. 
- type: object - properties: - host: - description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. - type: string - httpHeaders: - description: Custom headers to set in the request. HTTP allows repeated headers. - type: array - items: - description: HTTPHeader describes a custom header to be used in HTTP probes - type: object - required: - - name - - value - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - path: - description: Path to access on the HTTP server. - type: string - scheme: - description: Scheme to use for connecting to the host. Defaults to HTTP. - type: string - x-kubernetes-preserve-unknown-fields: true - initialDelaySeconds: - description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - type: integer - format: int32 - periodSeconds: - description: How often (in seconds) to perform the probe. - type: integer - format: int32 - successThreshold: - description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - type: integer - format: int32 - tcpSocket: - description: 'TCPSocket specifies an action involving a TCP port. TCP hooks not yet supported TODO: implement a realistic TCP lifecycle hook' - type: object - properties: - host: - description: 'Optional: Host name to connect to, defaults to the pod IP.' - type: string - x-kubernetes-preserve-unknown-fields: true - timeoutSeconds: - description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' - type: integer - format: int32 - resources: - description: 'Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - properties: - limits: - description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - additionalProperties: - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - requests: - description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - additionalProperties: - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - securityContext: - description: 'Security options the pod should run with. More info: https://kubernetes.io/docs/concepts/policy/security-context/ More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' - type: object - properties: - capabilities: - description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. 
- type: object - properties: - drop: - description: Removed capabilities - type: array - items: - description: Capability represent POSIX capabilities type - type: string - x-kubernetes-preserve-unknown-fields: true - readOnlyRootFilesystem: - description: Whether this container has a read-only root filesystem. Default is false. - type: boolean - runAsUser: - description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. - type: integer - format: int64 - x-kubernetes-preserve-unknown-fields: true - terminationMessagePath: - description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' - type: string - terminationMessagePolicy: - description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated. - type: string - volumeMounts: - description: Pod volumes to mount into the container's filesystem. Cannot be updated. - type: array - items: - description: VolumeMount describes a mounting of a Volume within a container. 
- type: object - required: - - mountPath - - name - properties: - mountPath: - description: Path within the container at which the volume should be mounted. Must not contain ':'. - type: string - name: - description: This must match the Name of a Volume. - type: string - readOnly: - description: Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false. - type: boolean - subPath: - description: Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root). - type: string - workingDir: - description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. - type: string - x-kubernetes-preserve-unknown-fields: true - enableServiceLinks: - description: 'EnableServiceLinks indicates whether information about services should be injected into pod''s environment variables, matching the syntax of Docker links. Optional: Defaults to true.' - type: boolean - imagePullSecrets: - description: 'ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. For example, in the case of docker, only DockerConfig type secrets are honored. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' - type: array - items: - description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. - type: object - properties: - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
- type: string - serviceAccountName: - description: 'ServiceAccountName is the name of the ServiceAccount to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' - type: string - timeoutSeconds: - description: TimeoutSeconds is the maximum duration in seconds that the request routing layer will wait for a request delivered to a container to begin replying (send network traffic). If unspecified, a system default will be provided. - type: integer - format: int64 - volumes: - description: 'List of volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes' - type: array - items: - description: Volume represents a named volume in a pod that may be accessed by any container in the pod. - type: object - required: - - name - properties: - configMap: - description: ConfigMap represents a configMap that should populate this volume - type: object - properties: - defaultMode: - description: 'Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' - type: integer - format: int32 - items: - description: If unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' 
path or start with '..'. - type: array - items: - description: Maps a string key to a path within a volume. - type: object - required: - - key - - path - properties: - key: - description: The key to project. - type: string - mode: - description: 'Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' - type: integer - format: int32 - path: - description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' - type: string - optional: - description: Specify whether the ConfigMap or its keys must be defined - type: boolean - name: - description: 'Volume''s name. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - projected: - description: Items for all in one resources secrets, configmaps, and downward API - type: object - properties: - defaultMode: - description: Mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set. 
- type: integer - format: int32 - sources: - description: list of volume projections - type: array - items: - description: Projection that may be projected along with other supported volume types - type: object - properties: - configMap: - description: information about the configMap data to project - type: object - properties: - items: - description: If unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. - type: array - items: - description: Maps a string key to a path within a volume. - type: object - required: - - key - - path - properties: - key: - description: The key to project. - type: string - mode: - description: 'Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' - type: integer - format: int32 - path: - description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
- type: string - optional: - description: Specify whether the ConfigMap or its keys must be defined - type: boolean - secret: - description: information about the secret data to project - type: object - properties: - items: - description: If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. - type: array - items: - description: Maps a string key to a path within a volume. - type: object - required: - - key - - path - properties: - key: - description: The key to project. - type: string - mode: - description: 'Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' - type: integer - format: int32 - path: - description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
- type: string - optional: - description: Specify whether the Secret or its key must be defined - type: boolean - serviceAccountToken: - description: information about the serviceAccountToken data to project - type: object - required: - - path - properties: - audience: - description: Audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. The audience defaults to the identifier of the apiserver. - type: string - expirationSeconds: - description: ExpirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, the kubelet volume plugin will proactively rotate the service account token. The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours.Defaults to 1 hour and must be at least 10 minutes. - type: integer - format: int64 - path: - description: Path is the path relative to the mount point of the file to project the token into. - type: string - secret: - description: 'Secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' - type: object - properties: - defaultMode: - description: 'Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' 
- type: integer - format: int32 - items: - description: If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. - type: array - items: - description: Maps a string key to a path within a volume. - type: object - required: - - key - - path - properties: - key: - description: The key to project. - type: string - mode: - description: 'Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' - type: integer - format: int32 - path: - description: The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. - type: string - optional: - description: Specify whether the Secret or its keys must be defined - type: boolean - secretName: - description: 'Name of the secret in the pod''s namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' - type: string - x-kubernetes-preserve-unknown-fields: true - x-kubernetes-preserve-unknown-fields: true - traffic: - description: Traffic specifies how to distribute traffic over a collection of revisions and configurations. - type: array - items: - description: TrafficTarget holds a single entry of the routing table for a Route. 
- type: object - properties: - configurationName: - description: ConfigurationName of a configuration to whose latest revision we will send this portion of traffic. When the "status.latestReadyRevisionName" of the referenced configuration changes, we will automatically migrate traffic from the prior "latest ready" revision to the new one. This field is never set in Route's status, only its spec. This is mutually exclusive with RevisionName. - type: string - latestRevision: - description: LatestRevision may be optionally provided to indicate that the latest ready Revision of the Configuration should be used for this traffic target. When provided LatestRevision must be true if RevisionName is empty; it must be false when RevisionName is non-empty. - type: boolean - percent: - description: 'Percent indicates that percentage based routing should be used and the value indicates the percent of traffic that is be routed to this Revision or Configuration. `0` (zero) mean no traffic, `100` means all traffic. When percentage based routing is being used the follow rules apply: - the sum of all percent values must equal 100 - when not specified, the implied value for `percent` is zero for that particular Revision or Configuration' - type: integer - format: int64 - revisionName: - description: RevisionName of a specific revision to which to send this portion of traffic. This is mutually exclusive with ConfigurationName. - type: string - tag: - description: Tag is optionally used to expose a dedicated url for referencing this target exclusively. - type: string - url: - description: URL displays the URL for accessing named traffic targets. URL is displayed in status, and is disallowed on spec. URL must contain a scheme (e.g. http://) and a hostname, but may not contain anything else (e.g. basic auth, url path, etc.) - type: string - status: - description: ServiceStatus represents the Status stanza of the Service resource. 
- type: object - properties: - address: - description: Address holds the information needed for a Route to be the target of an event. - type: object - properties: - url: - type: string - annotations: - description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. - type: object - additionalProperties: - type: string - conditions: - description: Conditions the latest available observations of a resource's current state. - type: array - items: - description: 'Condition defines a readiness condition for a Knative resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' - type: object - required: - - status - - type - properties: - lastTransitionTime: - description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). - type: string - format: date-time - message: - description: A human readable message indicating details about the transition. - type: string - reason: - description: The reason for the condition's last transition. - type: string - severity: - description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error. - type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: Type of condition. - type: string - latestCreatedRevisionName: - description: LatestCreatedRevisionName is the last revision that was created from this Configuration. It might not be ready yet, for that use LatestReadyRevisionName. 
- type: string - latestReadyRevisionName: - description: LatestReadyRevisionName holds the name of the latest Revision stamped out from this Configuration that has had its "Ready" condition become "True". - type: string - observedGeneration: - description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. - type: integer - format: int64 - traffic: - description: Traffic holds the configured traffic distribution. These entries will always contain RevisionName references. When ConfigurationName appears in the spec, this will hold the LatestReadyRevisionName that we last observed. - type: array - items: - description: TrafficTarget holds a single entry of the routing table for a Route. - type: object - properties: - configurationName: - description: ConfigurationName of a configuration to whose latest revision we will send this portion of traffic. When the "status.latestReadyRevisionName" of the referenced configuration changes, we will automatically migrate traffic from the prior "latest ready" revision to the new one. This field is never set in Route's status, only its spec. This is mutually exclusive with RevisionName. - type: string - latestRevision: - description: LatestRevision may be optionally provided to indicate that the latest ready Revision of the Configuration should be used for this traffic target. When provided LatestRevision must be true if RevisionName is empty; it must be false when RevisionName is non-empty. - type: boolean - percent: - description: 'Percent indicates that percentage based routing should be used and the value indicates the percent of traffic that is be routed to this Revision or Configuration. `0` (zero) mean no traffic, `100` means all traffic. 
When percentage based routing is being used the follow rules apply: - the sum of all percent values must equal 100 - when not specified, the implied value for `percent` is zero for that particular Revision or Configuration' - type: integer - format: int64 - revisionName: - description: RevisionName of a specific revision to which to send this portion of traffic. This is mutually exclusive with ConfigurationName. - type: string - tag: - description: Tag is optionally used to expose a dedicated url for referencing this target exclusively. - type: string - url: - description: URL displays the URL for accessing named traffic targets. URL is displayed in status, and is disallowed on spec. URL must contain a scheme (e.g. http://) and a hostname, but may not contain anything else (e.g. basic auth, url path, etc.) - type: string - url: - description: URL holds the url that will distribute traffic over the provided traffic targets. It generally has the form http[s]://{route-name}.{route-namespace}.{cluster-level-suffix} - type: string - ---- -# Copyright 2018 The Knative Authors -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# https://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. 
- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - name: images.caching.internal.knative.dev - labels: - knative.dev/crd-install: "true" -spec: - group: caching.internal.knative.dev - names: - kind: Image - plural: images - singular: image - categories: - - knative-internal - - caching - shortNames: - - img - scope: Namespaced - versions: - - name: v1alpha1 - served: true - storage: true - subresources: - status: {} - schema: - openAPIV3Schema: - type: object - # this is a work around so we don't need to flush out the - # schema for each version at this time - # - # see issue: https://github.com/knative/serving/issues/912 - x-kubernetes-preserve-unknown-fields: true - additionalPrinterColumns: - - name: Image - type: string - jsonPath: .spec.image - ---- diff --git a/knative/helm/knative-serving/crds/domainmapping-crd.yaml b/knative/helm/knative-serving/crds/domainmapping-crd.yaml new file mode 100644 index 000000000..e715109ff --- /dev/null +++ b/knative/helm/knative-serving/crds/domainmapping-crd.yaml 
@@ -0,0 +1,149 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: domainmappings.serving.knative.dev + labels: + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.12.2" + knative.dev/crd-install: "true" +spec: + group: serving.knative.dev + versions: + - name: v1beta1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: URL + type: string + jsonPath: .status.url + - name: Ready + type: string + jsonPath: ".status.conditions[?(@.type=='Ready')].status" + - name: Reason + type: string + jsonPath: ".status.conditions[?(@.type=='Ready')].reason" + "schema": + "openAPIV3Schema": + description: DomainMapping is a mapping from a custom hostname to an Addressable. + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: 'Spec is the desired state of the DomainMapping. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + type: object + required: + - ref + properties: + ref: + description: "Ref specifies the target of the Domain Mapping. 
\n The object identified by the Ref must be an Addressable with a URL of the form `{name}.{namespace}.{domain}` where `{domain}` is the cluster domain, and `{name}` and `{namespace}` are the name and namespace of a Kubernetes Service. \n This contract is satisfied by Knative types such as Knative Services and Knative Routes, and by Kubernetes Services." + type: object + required: + - kind + - name + properties: + address: + description: Address points to a specific Address Name. + type: string + apiVersion: + description: API version of the referent. + type: string + group: + description: 'Group of the API, without the version of the group. This can be used as an alternative to the APIVersion, and then resolved using ResolveGroup. Note: This API is EXPERIMENTAL and might break anytime. For more details: https://github.com/knative/eventing/issues/5086' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ This is optional field, it gets defaulted to the object holding it if left out.' + type: string + tls: + description: TLS allows the DomainMapping to terminate TLS traffic with an existing secret. + type: object + required: + - secretName + properties: + secretName: + description: SecretName is the name of the existing secret used to terminate TLS traffic. + type: string + status: + description: 'Status is the current state of the DomainMapping. 
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + type: object + properties: + address: + description: Address holds the information needed for a DomainMapping to be the target of an event. + type: object + properties: + CACerts: + description: CACerts is the Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468. + type: string + audience: + description: Audience is the OIDC audience for this address. + type: string + name: + description: Name is the name of the address. + type: string + url: + type: string + annotations: + description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. + type: object + additionalProperties: + type: string + conditions: + description: Conditions the latest available observations of a resource's current state. + type: array + items: + description: 'Condition defines a readiness condition for a Knative resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). + type: string + message: + description: A human readable message indicating details about the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + severity: + description: Severity with which to treat failures of this type of condition. 
When this is not specified, it defaults to Error. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + observedGeneration: + description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. + type: integer + format: int64 + url: + description: URL is the URL of this DomainMapping. + type: string + names: + kind: DomainMapping + plural: domainmappings + singular: domainmapping + categories: + - all + - knative + - serving + shortNames: + - dm + scope: Namespaced diff --git a/knative/helm/knative-serving/crds/image-crd.yaml b/knative/helm/knative-serving/crds/image-crd.yaml new file mode 100644 index 000000000..a4fb14f7c --- /dev/null +++ b/knative/helm/knative-serving/crds/image-crd.yaml 
@@ -0,0 +1,105 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: images.caching.internal.knative.dev + labels: + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.12.2" + knative.dev/crd-install: "true" +spec: + group: caching.internal.knative.dev + names: + kind: Image + plural: images + singular: image + categories: + - knative-internal + - caching + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + description: Image is a Knative abstraction that encapsulates the interface by which Knative components express a desire to have a particular image cached. + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec holds the desired state of the Image (from the client). + type: object + required: + - image + properties: + image: + description: Image is the name of the container image url to cache across the cluster. + type: string + imagePullSecrets: + description: ImagePullSecrets contains the names of the Kubernetes Secrets containing login information used by the Pods which will run this container. 
+ type: array + items: + description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. + type: object + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + x-kubernetes-map-type: atomic + serviceAccountName: + description: 'ServiceAccountName is the name of the Kubernetes ServiceAccount as which the Pods will run this container. This is potentially used to authenticate the image pull if the service account has attached pull secrets. For more information: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account' + type: string + status: + description: Status communicates the observed state of the Image (from the controller). + type: object + properties: + annotations: + description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. + type: object + additionalProperties: + type: string + conditions: + description: Conditions the latest available observations of a resource's current state. + type: array + items: + description: 'Condition defines a readiness condition for a Knative resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). 
+ type: string + message: + description: A human readable message indicating details about the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + severity: + description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + observedGeneration: + description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. + type: integer + format: int64 + additionalPrinterColumns: + - name: Image + type: string + jsonPath: .spec.image diff --git a/knative/helm/knative-serving/crds/ingress-crd.yaml b/knative/helm/knative-serving/crds/ingress-crd.yaml new file mode 100644 index 000000000..6db63d671 --- /dev/null +++ b/knative/helm/knative-serving/crds/ingress-crd.yaml 
@@ -0,0 +1,243 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ingresses.networking.internal.knative.dev + labels: + app.kubernetes.io/name: knative-serving + app.kubernetes.io/component: networking + app.kubernetes.io/version: "1.12.2" + knative.dev/crd-install: "true" +spec: + group: networking.internal.knative.dev + versions: + - name: v1alpha1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + description: "Ingress is a collection of rules that allow inbound connections to reach the endpoints defined by a backend. An Ingress can be configured to give services externally-reachable URLs, load balance traffic, offer name based virtual hosting, etc. \n This is heavily based on K8s Ingress https://godoc.org/k8s.io/api/networking/v1beta1#Ingress which some highlighted modifications." + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: 'Spec is the desired state of the Ingress. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + type: object + properties: + httpOption: + description: 'HTTPOption is the option of HTTP. 
It has the following two values: `HTTPOptionEnabled`, `HTTPOptionRedirected`' + type: string + rules: + description: A list of host rules used to configure the Ingress. + type: array + items: + description: IngressRule represents the rules mapping the paths under a specified host to the related backend services. Incoming requests are first evaluated for a host match, then routed to the backend associated with the matching IngressRuleValue. + type: object + properties: + hosts: + description: 'Host is the fully qualified domain name of a network host, as defined by RFC 3986. Note the following deviations from the "host" part of the URI as defined in the RFC: 1. IPs are not allowed. Currently a rule value can only apply to the IP in the Spec of the parent . 2. The `:` delimiter is not respected because ports are not allowed. Currently the port of an Ingress is implicitly :80 for http and :443 for https. Both these may change in the future. If the host is unspecified, the Ingress routes all traffic based on the specified IngressRuleValue. If multiple matching Hosts were provided, the first rule will take precedent.' + type: array + items: + type: string + http: + description: HTTP represents a rule to apply against incoming requests. If the rule is satisfied, the request is routed to the specified backend. + type: object + required: + - paths + properties: + paths: + description: "A collection of paths that map requests to backends. \n If they are multiple matching paths, the first match takes precedence." + type: array + items: + description: HTTPIngressPath associates a path regex with a backend. Incoming URLs matching the path are forwarded to the backend. + type: object + required: + - splits + properties: + appendHeaders: + description: "AppendHeaders allow specifying additional HTTP headers to add before forwarding a request to the destination service. \n NOTE: This differs from K8s Ingress which doesn't allow header appending." 
+ type: object + additionalProperties: + type: string + headers: + description: Headers defines header matching rules which is a map from a header name to HeaderMatch which specify a matching condition. When a request matched with all the header matching rules, the request is routed by the corresponding ingress rule. If it is empty, the headers are not used for matching + type: object + additionalProperties: + description: HeaderMatch represents a matching value of Headers in HTTPIngressPath. Currently, only the exact matching is supported. + type: object + required: + - exact + properties: + exact: + type: string + path: + description: Path represents a literal prefix to which this rule should apply. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986. Paths must begin with a '/'. If unspecified, the path defaults to a catch all sending traffic to the backend. + type: string + rewriteHost: + description: "RewriteHost rewrites the incoming request's host header. \n This field is currently experimental and not supported by all Ingress implementations." + type: string + splits: + description: Splits defines the referenced service endpoints to which the traffic will be forwarded to. + type: array + items: + description: IngressBackendSplit describes all endpoints for a given service and port. + type: object + required: + - serviceName + - serviceNamespace + - servicePort + properties: + appendHeaders: + description: "AppendHeaders allow specifying additional HTTP headers to add before forwarding a request to the destination service. \n NOTE: This differs from K8s Ingress which doesn't allow header appending." + type: object + additionalProperties: + type: string + percent: + description: "Specifies the split percentage, a number between 0 and 100. If only one split is specified, we default to 100. \n NOTE: This differs from K8s Ingress to allow percentage split." 
+ type: integer + serviceName: + description: Specifies the name of the referenced service. + type: string + serviceNamespace: + description: "Specifies the namespace of the referenced service. \n NOTE: This differs from K8s Ingress to allow routing to different namespaces." + type: string + servicePort: + description: Specifies the port of the referenced service. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + visibility: + description: Visibility signifies whether this rule should `ClusterLocal`. If it's not specified then it defaults to `ExternalIP`. + type: string + tls: + description: 'TLS configuration. Currently Ingress only supports a single TLS port: 443. If multiple members of this list specify different hosts, they will be multiplexed on the same port according to the hostname specified through the SNI TLS extension, if the ingress controller fulfilling the ingress supports SNI.' + type: array + items: + description: IngressTLS describes the transport layer security associated with an Ingress. + type: object + properties: + hosts: + description: Hosts is a list of hosts included in the TLS certificate. The values in this list must match the name/s used in the tlsSecret. Defaults to the wildcard host setting for the loadbalancer controller fulfilling this Ingress, if left unspecified. + type: array + items: + type: string + secretName: + description: SecretName is the name of the secret used to terminate SSL traffic. + type: string + secretNamespace: + description: SecretNamespace is the namespace of the secret used to terminate SSL traffic. If not set the namespace should be assumed to be the same as the Ingress. If set the secret should have the same namespace as the Ingress otherwise the behaviour is undefined and not supported. + type: string + status: + description: 'Status is the current state of the Ingress. 
More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + type: object + properties: + annotations: + description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. + type: object + additionalProperties: + type: string + conditions: + description: Conditions the latest available observations of a resource's current state. + type: array + items: + description: 'Condition defines a readiness condition for a Knative resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). + type: string + message: + description: A human readable message indicating details about the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + severity: + description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + observedGeneration: + description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. + type: integer + format: int64 + privateLoadBalancer: + description: PrivateLoadBalancer contains the current status of the load-balancer. 
+ type: object + properties: + ingress: + description: Ingress is a list containing ingress points for the load-balancer. Traffic intended for the service should be sent to these ingress points. + type: array + items: + description: 'LoadBalancerIngressStatus represents the status of a load-balancer ingress point: traffic intended for the service should be sent to an ingress point.' + type: object + properties: + domain: + description: Domain is set for load-balancer ingress points that are DNS based (typically AWS load-balancers) + type: string + domainInternal: + description: "DomainInternal is set if there is a cluster-local DNS name to access the Ingress. \n NOTE: This differs from K8s Ingress, since we also desire to have a cluster-local DNS name to allow routing in case of not having a mesh." + type: string + ip: + description: IP is set for load-balancer ingress points that are IP based (typically GCE or OpenStack load-balancers) + type: string + meshOnly: + description: MeshOnly is set if the Ingress is only load-balanced through a Service mesh. + type: boolean + publicLoadBalancer: + description: PublicLoadBalancer contains the current status of the load-balancer. + type: object + properties: + ingress: + description: Ingress is a list containing ingress points for the load-balancer. Traffic intended for the service should be sent to these ingress points. + type: array + items: + description: 'LoadBalancerIngressStatus represents the status of a load-balancer ingress point: traffic intended for the service should be sent to an ingress point.' + type: object + properties: + domain: + description: Domain is set for load-balancer ingress points that are DNS based (typically AWS load-balancers) + type: string + domainInternal: + description: "DomainInternal is set if there is a cluster-local DNS name to access the Ingress. 
\n NOTE: This differs from K8s Ingress, since we also desire to have a cluster-local DNS name to allow routing in case of not having a mesh." + type: string + ip: + description: IP is set for load-balancer ingress points that are IP based (typically GCE or OpenStack load-balancers) + type: string + meshOnly: + description: MeshOnly is set if the Ingress is only load-balanced through a Service mesh. + type: boolean + additionalPrinterColumns: + - name: Ready + type: string + jsonPath: ".status.conditions[?(@.type=='Ready')].status" + - name: Reason + type: string + jsonPath: ".status.conditions[?(@.type=='Ready')].reason" + names: + kind: Ingress + plural: ingresses + singular: ingress + categories: + - knative-internal + - networking + shortNames: + - kingress + - king + scope: Namespaced diff --git a/knative/helm/knative-serving/crds/metric-crd.yaml b/knative/helm/knative-serving/crds/metric-crd.yaml new file mode 100644 index 000000000..8792389a3 --- /dev/null +++ b/knative/helm/knative-serving/crds/metric-crd.yaml 
@@ -0,0 +1,104 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: metrics.autoscaling.internal.knative.dev + labels: + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.12.2" + knative.dev/crd-install: "true" +spec: + group: autoscaling.internal.knative.dev + names: + kind: Metric + plural: metrics + singular: metric + categories: + - knative-internal + - autoscaling + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Ready + type: string + jsonPath: ".status.conditions[?(@.type=='Ready')].status" + - name: Reason + type: string + jsonPath: ".status.conditions[?(@.type=='Ready')].reason" + schema: + openAPIV3Schema: + description: Metric represents a resource to configure the metric collector with. + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec holds the desired state of the Metric (from the client). + type: object + required: + - panicWindow + - scrapeTarget + - stableWindow + properties: + panicWindow: + description: PanicWindow is the aggregation window for metrics where quick reactions are needed. 
+ type: integer + format: int64 + scrapeTarget: + description: ScrapeTarget is the K8s service that publishes the metric endpoint. + type: string + stableWindow: + description: StableWindow is the aggregation window for metrics in a stable state. + type: integer + format: int64 + status: + description: Status communicates the observed state of the Metric (from the controller). + type: object + properties: + annotations: + description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. + type: object + additionalProperties: + type: string + conditions: + description: Conditions the latest available observations of a resource's current state. + type: array + items: + description: 'Condition defines a readiness condition for a Knative resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). + type: string + message: + description: A human readable message indicating details about the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + severity: + description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. 
+ type: string + observedGeneration: + description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. + type: integer + format: int64 diff --git a/knative/helm/knative-serving/crds/podautoscaler-crd.yaml b/knative/helm/knative-serving/crds/podautoscaler-crd.yaml new file mode 100644 index 000000000..6a5eead3a --- /dev/null +++ b/knative/helm/knative-serving/crds/podautoscaler-crd.yaml 
@@ -0,0 +1,142 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: podautoscalers.autoscaling.internal.knative.dev + labels: + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.12.2" + knative.dev/crd-install: "true" +spec: + group: autoscaling.internal.knative.dev + names: + kind: PodAutoscaler + plural: podautoscalers + singular: podautoscaler + categories: + - knative-internal + - autoscaling + shortNames: + - kpa + - pa + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: DesiredScale + type: integer + jsonPath: ".status.desiredScale" + - name: ActualScale + type: integer + jsonPath: ".status.actualScale" + - name: Ready + type: string + jsonPath: ".status.conditions[?(@.type=='Ready')].status" + - name: Reason + type: string + jsonPath: ".status.conditions[?(@.type=='Ready')].reason" + schema: + openAPIV3Schema: + description: 'PodAutoscaler is a Knative abstraction that encapsulates the interface by which Knative components instantiate autoscalers. This definition is an abstraction that may be backed by multiple definitions. For more information, see the Knative Pluggability presentation: https://docs.google.com/presentation/d/19vW9HFZ6Puxt31biNZF3uLRejDmu82rxJIk1cWmxF7w/edit' + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec holds the desired state of the PodAutoscaler (from the client). + type: object + required: + - protocolType + - scaleTargetRef + properties: + containerConcurrency: + description: ContainerConcurrency specifies the maximum allowed in-flight (concurrent) requests per container of the Revision. Defaults to `0` which means unlimited concurrency. + type: integer + format: int64 + protocolType: + description: The application-layer protocol. Matches `ProtocolType` inferred from the revision spec. + type: string + reachability: + description: Reachability specifies whether or not the `ScaleTargetRef` can be reached (ie. has a route). Defaults to `ReachabilityUnknown` + type: string + scaleTargetRef: + description: ScaleTargetRef defines the /scale-able resource that this PodAutoscaler is responsible for quickly right-sizing. + type: object + properties: + apiVersion: + description: API version of the referent. + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + x-kubernetes-map-type: atomic + status: + description: Status communicates the observed state of the PodAutoscaler (from the controller). + type: object + required: + - metricsServiceName + - serviceName + properties: + actualScale: + description: ActualScale shows the actual number of replicas for the revision. + type: integer + format: int32 + annotations: + description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. 
This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. + type: object + additionalProperties: + type: string + conditions: + description: Conditions the latest available observations of a resource's current state. + type: array + items: + description: 'Condition defines a readiness condition for a Knative resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). + type: string + message: + description: A human readable message indicating details about the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + severity: + description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + desiredScale: + description: DesiredScale shows the current desired number of replicas for the revision. + type: integer + format: int32 + metricsServiceName: + description: MetricsServiceName is the K8s Service name that provides revision metrics. The service is managed by the PA object. + type: string + observedGeneration: + description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. + type: integer + format: int64 + serviceName: + description: ServiceName is the K8s Service name that serves the revision, scaled by this PA. 
The service is created and owned by the ServerlessService object owned by this PA. + type: string diff --git a/knative/helm/knative-serving/crds/revision-crd.yaml b/knative/helm/knative-serving/crds/revision-crd.yaml new file mode 100644 index 000000000..42b7542ff --- /dev/null +++ b/knative/helm/knative-serving/crds/revision-crd.yaml 
@@ -0,0 +1,925 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: revisions.serving.knative.dev + labels: + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.12.2" + knative.dev/crd-install: "true" +spec: + group: serving.knative.dev + names: + kind: Revision + plural: revisions + singular: revision + categories: + - all + - knative + - serving + shortNames: + - rev + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Config Name + type: string + jsonPath: ".metadata.labels['serving\\.knative\\.dev/configuration']" + - name: K8s Service Name + type: string + jsonPath: ".status.serviceName" + - name: Generation + type: string # int in string form :( + jsonPath: ".metadata.labels['serving\\.knative\\.dev/configurationGeneration']" + - name: Ready + type: string + jsonPath: ".status.conditions[?(@.type=='Ready')].status" + - name: Reason + type: string + jsonPath: ".status.conditions[?(@.type=='Ready')].reason" + - name: Actual Replicas + type: integer + jsonPath: ".status.actualReplicas" + - name: Desired Replicas + type: integer + jsonPath: ".status.desiredReplicas" + schema: + openAPIV3Schema: + description: "Revision is an immutable snapshot of code and configuration. A revision references a container image. Revisions are created by updates to a Configuration. \n See also: https://github.com/knative/serving/blob/main/docs/spec/overview.md#revision" + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: RevisionSpec holds the desired state of the Revision (from the client). + type: object + required: + - containers + properties: + affinity: + description: This is accessible behind a feature flag - kubernetes.podspec-affinity + type: object + x-kubernetes-preserve-unknown-fields: true + automountServiceAccountToken: + description: AutomountServiceAccountToken indicates whether a service account token should be automatically mounted. + type: boolean + containerConcurrency: + description: ContainerConcurrency specifies the maximum allowed in-flight (concurrent) requests per container of the Revision. Defaults to `0` which means concurrency to the application is not limited, and the system decides the target concurrency for the autoscaler. + type: integer + format: int64 + containers: + description: List of containers belonging to the pod. Containers cannot currently be added or removed. There must be at least one container in a Pod. Cannot be updated. + type: array + items: + description: A single application container that you want to run within a pod. + type: object + properties: + args: + description: 'Arguments to the entrypoint. The container image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. 
More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + type: array + items: + type: string + command: + description: 'Entrypoint array. Not executed within a shell. The container image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + type: array + items: + type: string + env: + description: List of environment variables to set in the container. Cannot be updated. + type: array + items: + description: EnvVar represents an environment variable present in a Container. + type: object + required: + - name + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. Cannot be used if value is not empty. 
+ type: object + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + type: object + required: + - key + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + fieldRef: + description: This is accessible behind a feature flag - kubernetes.podspec-fieldref + type: object + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-map-type: atomic + resourceFieldRef: + description: This is accessible behind a feature flag - kubernetes.podspec-fieldref + type: object + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + type: object + required: + - key + properties: + key: + description: The key of the secret to select from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + envFrom: + description: List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. 
+ type: array + items: + description: EnvFromSource represents the source of a set of ConfigMaps + type: object + properties: + configMapRef: + description: The ConfigMap to select from + type: object + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the ConfigMap must be defined + type: boolean + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + type: object + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret must be defined + type: boolean + x-kubernetes-map-type: atomic + image: + description: 'Container image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + livenessProbe: + description: 'Periodic probe of container liveness. Container will be restarted if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + type: object + properties: + exec: + description: Exec specifies the action to take. 
+ type: object + properties: + command: + description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + failureThreshold: + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: "Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). \n If this is not specified, the default behavior is defined by gRPC." + type: string + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + properties: + host: + description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + path: + description: Path to access on the HTTP server. 
+ type: string + port: + description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. Defaults to HTTP. + type: string + initialDelaySeconds: + description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + type: integer + format: int32 + periodSeconds: + description: How often (in seconds) to perform the probe. + type: integer + format: int32 + successThreshold: + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. + type: object + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + timeoutSeconds: + description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + type: integer + format: int32 + name: + description: Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated. + type: string + ports: + description: List of ports to expose from the container. Not specifying a port here DOES NOT prevent that port from being exposed. 
Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Modifying this array with strategic merge patch may corrupt the data. For more information See https://github.com/kubernetes/kubernetes/issues/108255. Cannot be updated. + type: array + items: + description: ContainerPort represents a network port in a single container. + type: object + required: + - containerPort + properties: + containerPort: + description: Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536. + type: integer + format: int32 + name: + description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services. + type: string + protocol: + description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". + type: string + default: TCP + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. 
+ type: array + items: + type: string + failureThreshold: + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: "Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). \n If this is not specified, the default behavior is defined by gRPC." + type: string + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + properties: + host: + description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + path: + description: Path to access on the HTTP server. + type: string + port: + description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. Defaults to HTTP. + type: string + initialDelaySeconds: + description: 'Number of seconds after the container has started before liveness probes are initiated. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + type: integer + format: int32 + periodSeconds: + description: How often (in seconds) to perform the probe. + type: integer + format: int32 + successThreshold: + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. + type: object + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + timeoutSeconds: + description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + type: integer + format: int32 + resources: + description: 'Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + properties: + claims: + description: "Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. \n This field is immutable. It can only be set for containers." + type: array + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + type: object + required: + - name + properties: + name: + description: Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container. 
+ type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + description: 'Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + requests: + description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + securityContext: + description: 'SecurityContext defines the security options the container should be run with. If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + type: object + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop when running containers. 
Defaults to the default set of capabilities granted by the container runtime. Note that this field cannot be set when spec.os.name is windows. + type: object + properties: + add: + description: This is accessible behind a feature flag - kubernetes.containerspec-addcapabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + drop: + description: Removed capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + readOnlyRootFilesystem: + description: Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + runAsNonRoot: + description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. 
+ type: integer + format: int64 + seccompProfile: + description: The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options. Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must only be set if type is "Localhost". + type: string + type: + description: "type indicates which kind of seccomp profile will be applied. Valid options are: \n Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied." + type: string + terminationMessagePath: + description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated. 
+ type: string + volumeMounts: + description: Pod volumes to mount into the container's filesystem. Cannot be updated. + type: array + items: + description: VolumeMount describes a mounting of a Volume within a container. + type: object + required: + - mountPath + - name + properties: + mountPath: + description: Path within the container at which the volume should be mounted. Must not contain ':'. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false. + type: boolean + subPath: + description: Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root). + type: string + workingDir: + description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. + type: string + dnsConfig: + description: This is accessible behind a feature flag - kubernetes.podspec-dnsconfig + type: object + x-kubernetes-preserve-unknown-fields: true + dnsPolicy: + description: This is accessible behind a feature flag - kubernetes.podspec-dnspolicy + type: string + enableServiceLinks: + description: 'EnableServiceLinks indicates whether information about services should be injected into pod''s environment variables, matching the syntax of Docker links. Optional: Knative defaults this to false.' + type: boolean + hostAliases: + description: This is accessible behind a feature flag - kubernetes.podspec-hostaliases + type: array + items: + description: This is accessible behind a feature flag - kubernetes.podspec-hostaliases + type: object + x-kubernetes-preserve-unknown-fields: true + idleTimeoutSeconds: + description: IdleTimeoutSeconds is the maximum duration in seconds a request will be allowed to stay open while not receiving any bytes from the user's application. 
If unspecified, a system default will be provided. + type: integer + format: int64 + imagePullSecrets: + description: 'ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' + type: array + items: + description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. + type: object + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + x-kubernetes-map-type: atomic + initContainers: + description: 'List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique among all containers. Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. The resourceRequirements of an init container are taken into account during scheduling by finding the highest request/limit for each resource type, and then using the max of of that value or the sum of the normal containers. Limits are applied to init containers in a similar fashion. Init containers cannot currently be added or removed. Cannot be updated. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/' + type: array + items: + description: This is accessible behind a feature flag - kubernetes.podspec-init-containers + type: object + x-kubernetes-preserve-unknown-fields: true + nodeSelector: + description: This is accessible behind a feature flag - kubernetes.podspec-nodeselector + type: object + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-map-type: atomic + priorityClassName: + description: This is accessible behind a feature flag - kubernetes.podspec-priorityclassname + type: string + x-kubernetes-preserve-unknown-fields: true + responseStartTimeoutSeconds: + description: ResponseStartTimeoutSeconds is the maximum duration in seconds that the request routing layer will wait for a request delivered to a container to begin sending any network traffic. + type: integer + format: int64 + runtimeClassName: + description: This is accessible behind a feature flag - kubernetes.podspec-runtimeclassname + type: string + x-kubernetes-preserve-unknown-fields: true + schedulerName: + description: This is accessible behind a feature flag - kubernetes.podspec-schedulername + type: string + x-kubernetes-preserve-unknown-fields: true + securityContext: + description: This is accessible behind a feature flag - kubernetes.podspec-securitycontext + type: object + x-kubernetes-preserve-unknown-fields: true + serviceAccountName: + description: 'ServiceAccountName is the name of the ServiceAccount to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' + type: string + shareProcessNamespace: + description: This is accessible behind a feature flag - kubernetes.podspec-shareproccessnamespace + type: boolean + x-kubernetes-preserve-unknown-fields: true + timeoutSeconds: + description: TimeoutSeconds is the maximum duration in seconds that the request instance is allowed to respond to a request. 
If unspecified, a system default will be provided. + type: integer + format: int64 + tolerations: + description: This is accessible behind a feature flag - kubernetes.podspec-tolerations + type: array + items: + description: This is accessible behind a feature flag - kubernetes.podspec-tolerations + type: object + x-kubernetes-preserve-unknown-fields: true + topologySpreadConstraints: + description: This is accessible behind a feature flag - kubernetes.podspec-topologyspreadconstraints + type: array + items: + description: This is accessible behind a feature flag - kubernetes.podspec-topologyspreadconstraints + type: object + x-kubernetes-preserve-unknown-fields: true + volumes: + description: 'List of volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes' + type: array + items: + description: Volume represents a named volume in a pod that may be accessed by any container in the pod. + type: object + required: + - name + properties: + configMap: + description: configMap represents a configMap that should populate this volume + type: object + properties: + defaultMode: + description: 'defaultMode is optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + type: integer + format: int32 + items: + description: items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. 
If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + type: integer + format: int32 + path: + description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: optional specify whether the ConfigMap or its keys must be defined + type: boolean + x-kubernetes-map-type: atomic + emptyDir: + description: This is accessible behind a feature flag - kubernetes.podspec-emptydir + type: object + x-kubernetes-preserve-unknown-fields: true + name: + description: 'name of the volume. Must be a DNS_LABEL and unique within the pod. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + persistentVolumeClaim: + description: This is accessible behind a feature flag - kubernetes.podspec-persistent-volume-claim + type: object + x-kubernetes-preserve-unknown-fields: true + projected: + description: projected items for all in one resources secrets, configmaps, and downward API + type: object + properties: + defaultMode: + description: defaultMode are the mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + sources: + description: sources is the list of volume projections + type: array + items: + description: Projection that may be projected along with other supported volume types + type: object + properties: + configMap: + description: configMap information about the configMap data to project + type: object + properties: + items: + description: items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. 
+ type: string + mode: + description: 'mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + type: integer + format: int32 + path: + description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: optional specify whether the ConfigMap or its keys must be defined + type: boolean + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about the downwardAPI data to project + type: object + properties: + items: + description: Items is a list of DownwardAPIVolume file + type: array + items: + description: DownwardAPIVolumeFile represents information to create the file containing the pod field + type: object + required: + - path + properties: + fieldRef: + description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.' + type: object + required: + - fieldPath + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. 
+ type: string + x-kubernetes-map-type: atomic + mode: + description: 'Optional: mode bits used to set permissions on this file, must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + type: integer + format: int32 + path: + description: 'Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.' + type: object + required: + - resource + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + x-kubernetes-map-type: atomic + secret: + description: secret information about the secret data to project + type: object + properties: + items: + description: items if unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. 
If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + type: integer + format: int32 + path: + description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: optional field specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information about the serviceAccountToken data to project + type: object + required: + - path + properties: + audience: + description: audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. The audience defaults to the identifier of the apiserver. 
+ type: string + expirationSeconds: + description: expirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, the kubelet volume plugin will proactively rotate the service account token. The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours.Defaults to 1 hour and must be at least 10 minutes. + type: integer + format: int64 + path: + description: path is the path relative to the mount point of the file to project the token into. + type: string + secret: + description: 'secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + type: object + properties: + defaultMode: + description: 'defaultMode is Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + type: integer + format: int32 + items: + description: items If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. 
+ type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + type: integer + format: int32 + path: + description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. + type: string + optional: + description: optional field specify whether the Secret or its keys must be defined + type: boolean + secretName: + description: 'secretName is the name of the secret in the pod''s namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + type: string + status: + description: RevisionStatus communicates the observed state of the Revision (from the controller). + type: object + properties: + actualReplicas: + description: ActualReplicas reflects the amount of ready pods running this revision. + type: integer + format: int32 + annotations: + description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. + type: object + additionalProperties: + type: string + conditions: + description: Conditions the latest available observations of a resource's current state. + type: array + items: + description: 'Condition defines a readiness condition for a Knative resource. 
See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). + type: string + message: + description: A human readable message indicating details about the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + severity: + description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + containerStatuses: + description: 'ContainerStatuses is a slice of images present in .Spec.Container[*].Image to their respective digests and their container name. The digests are resolved during the creation of Revision. ContainerStatuses holds the container name and image digests for both serving and non serving containers. ref: http://bit.ly/image-digests' + type: array + items: + description: ContainerStatus holds the information of container name and image digest value + type: object + properties: + imageDigest: + type: string + name: + type: string + desiredReplicas: + description: DesiredReplicas reflects the desired amount of pods running this revision. + type: integer + format: int32 + initContainerStatuses: + description: 'InitContainerStatuses is a slice of images present in .Spec.InitContainer[*].Image to their respective digests and their container name. The digests are resolved during the creation of Revision. 
ContainerStatuses holds the container name and image digests for both serving and non serving containers. ref: http://bit.ly/image-digests' + type: array + items: + description: ContainerStatus holds the information of container name and image digest value + type: object + properties: + imageDigest: + type: string + name: + type: string + logUrl: + description: LogURL specifies the generated logging url for this particular revision based on the revision url template specified in the controller's config. + type: string + observedGeneration: + description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. + type: integer + format: int64 diff --git a/knative/helm/knative-serving/crds/route-crd.yaml b/knative/helm/knative-serving/crds/route-crd.yaml new file mode 100644 index 000000000..e7dfc51f1 --- /dev/null +++ b/knative/helm/knative-serving/crds/route-crd.yaml 
@@ -0,0 +1,166 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: routes.serving.knative.dev + labels: + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.12.2" + knative.dev/crd-install: "true" + duck.knative.dev/addressable: "true" +spec: + group: serving.knative.dev + names: + kind: Route + plural: routes + singular: route + categories: + - all + - knative + - serving + shortNames: + - rt + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: URL + type: string + jsonPath: .status.url + - name: Ready + type: string + jsonPath: ".status.conditions[?(@.type=='Ready')].status" + - name: Reason + type: string + jsonPath: ".status.conditions[?(@.type=='Ready')].reason" + schema: + openAPIV3Schema: + description: 'Route is responsible for configuring ingress over a collection of Revisions. Some of the Revisions a Route distributes traffic over may be specified by referencing the Configuration responsible for creating them; in these cases the Route is additionally responsible for monitoring the Configuration for "latest ready revision" changes, and smoothly rolling out latest revisions. See also: https://github.com/knative/serving/blob/main/docs/spec/overview.md#route' + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec holds the desired state of the Route (from the client). + type: object + properties: + traffic: + description: Traffic specifies how to distribute traffic over a collection of revisions and configurations. + type: array + items: + description: TrafficTarget holds a single entry of the routing table for a Route. + type: object + properties: + configurationName: + description: ConfigurationName of a configuration to whose latest revision we will send this portion of traffic. When the "status.latestReadyRevisionName" of the referenced configuration changes, we will automatically migrate traffic from the prior "latest ready" revision to the new one. This field is never set in Route's status, only its spec. This is mutually exclusive with RevisionName. + type: string + latestRevision: + description: LatestRevision may be optionally provided to indicate that the latest ready Revision of the Configuration should be used for this traffic target. When provided LatestRevision must be true if RevisionName is empty; it must be false when RevisionName is non-empty. + type: boolean + percent: + description: 'Percent indicates that percentage based routing should be used and the value indicates the percent of traffic that is be routed to this Revision or Configuration. `0` (zero) mean no traffic, `100` means all traffic. When percentage based routing is being used the follow rules apply: - the sum of all percent values must equal 100 - when not specified, the implied value for `percent` is zero for that particular Revision or Configuration' + type: integer + format: int64 + revisionName: + description: RevisionName of a specific revision to which to send this portion of traffic. This is mutually exclusive with ConfigurationName. 
+ type: string + tag: + description: Tag is optionally used to expose a dedicated url for referencing this target exclusively. + type: string + url: + description: URL displays the URL for accessing named traffic targets. URL is displayed in status, and is disallowed on spec. URL must contain a scheme (e.g. http://) and a hostname, but may not contain anything else (e.g. basic auth, url path, etc.) + type: string + status: + description: Status communicates the observed state of the Route (from the controller). + type: object + properties: + address: + description: Address holds the information needed for a Route to be the target of an event. + type: object + properties: + CACerts: + description: CACerts is the Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468. + type: string + audience: + description: Audience is the OIDC audience for this address. + type: string + name: + description: Name is the name of the address. + type: string + url: + type: string + annotations: + description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. + type: object + additionalProperties: + type: string + conditions: + description: Conditions the latest available observations of a resource's current state. + type: array + items: + description: 'Condition defines a readiness condition for a Knative resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition transitioned from one status to another. 
We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). + type: string + message: + description: A human readable message indicating details about the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + severity: + description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + observedGeneration: + description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. + type: integer + format: int64 + traffic: + description: Traffic holds the configured traffic distribution. These entries will always contain RevisionName references. When ConfigurationName appears in the spec, this will hold the LatestReadyRevisionName that we last observed. + type: array + items: + description: TrafficTarget holds a single entry of the routing table for a Route. + type: object + properties: + configurationName: + description: ConfigurationName of a configuration to whose latest revision we will send this portion of traffic. When the "status.latestReadyRevisionName" of the referenced configuration changes, we will automatically migrate traffic from the prior "latest ready" revision to the new one. This field is never set in Route's status, only its spec. This is mutually exclusive with RevisionName. + type: string + latestRevision: + description: LatestRevision may be optionally provided to indicate that the latest ready Revision of the Configuration should be used for this traffic target. When provided LatestRevision must be true if RevisionName is empty; it must be false when RevisionName is non-empty. 
+ type: boolean + percent: + description: 'Percent indicates that percentage based routing should be used and the value indicates the percent of traffic that is be routed to this Revision or Configuration. `0` (zero) mean no traffic, `100` means all traffic. When percentage based routing is being used the follow rules apply: - the sum of all percent values must equal 100 - when not specified, the implied value for `percent` is zero for that particular Revision or Configuration' + type: integer + format: int64 + revisionName: + description: RevisionName of a specific revision to which to send this portion of traffic. This is mutually exclusive with ConfigurationName. + type: string + tag: + description: Tag is optionally used to expose a dedicated url for referencing this target exclusively. + type: string + url: + description: URL displays the URL for accessing named traffic targets. URL is displayed in status, and is disallowed on spec. URL must contain a scheme (e.g. http://) and a hostname, but may not contain anything else (e.g. basic auth, url path, etc.) + type: string + url: + description: URL holds the url that will distribute traffic over the provided traffic targets. It generally has the form http[s]://{route-name}.{route-namespace}.{cluster-level-suffix} + type: string diff --git a/knative/helm/knative-serving/crds/serverlessservice-crd.yaml b/knative/helm/knative-serving/crds/serverlessservice-crd.yaml new file mode 100644 index 000000000..912457627 --- /dev/null +++ b/knative/helm/knative-serving/crds/serverlessservice-crd.yaml 
@@ -0,0 +1,149 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: serverlessservices.networking.internal.knative.dev + labels: + app.kubernetes.io/name: knative-serving + app.kubernetes.io/component: networking + app.kubernetes.io/version: "1.12.2" + knative.dev/crd-install: "true" +spec: + group: networking.internal.knative.dev + versions: + - name: v1alpha1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + description: 'ServerlessService is a proxy for the K8s service objects containing the endpoints for the revision, whether those are endpoints of the activator or revision pods. See: https://knative.page.link/naxz for details.' + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: 'Spec is the desired state of the ServerlessService. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + type: object + required: + - objectRef + - protocolType + properties: + mode: + description: Mode describes the mode of operation of the ServerlessService. + type: string + numActivators: + description: NumActivators contains number of Activators that this revision should be assigned. O means — assign all. 
+ type: integer + format: int32 + objectRef: + description: ObjectRef defines the resource that this ServerlessService is responsible for making "serverless". + type: object + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' + type: string + kind: + description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + namespace: + description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + type: string + resourceVersion: + description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + type: string + uid: + description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + type: string + x-kubernetes-map-type: atomic + protocolType: + description: The application-layer protocol. Matches `RevisionProtocolType` set on the owning pa/revision. 
serving imports networking, so just use string. + type: string + status: + description: 'Status is the current state of the ServerlessService. More info: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#spec-and-status' + type: object + properties: + annotations: + description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. + type: object + additionalProperties: + type: string + conditions: + description: Conditions the latest available observations of a resource's current state. + type: array + items: + description: 'Condition defines a readiness condition for a Knative resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). + type: string + message: + description: A human readable message indicating details about the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + severity: + description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + observedGeneration: + description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. 
+ type: integer + format: int64 + privateServiceName: + description: PrivateServiceName holds the name of a core K8s Service resource that load balances over the user service pods backing this Revision. + type: string + serviceName: + description: ServiceName holds the name of a core K8s Service resource that load balances over the pods backing this Revision (activator or revision). + type: string + additionalPrinterColumns: + - name: Mode + type: string + jsonPath: ".spec.mode" + - name: Activators + type: integer + jsonPath: ".spec.numActivators" + - name: ServiceName + type: string + jsonPath: ".status.serviceName" + - name: PrivateServiceName + type: string + jsonPath: ".status.privateServiceName" + - name: Ready + type: string + jsonPath: ".status.conditions[?(@.type=='Ready')].status" + - name: Reason + type: string + jsonPath: ".status.conditions[?(@.type=='Ready')].reason" + names: + kind: ServerlessService + plural: serverlessservices + singular: serverlessservice + categories: + - knative-internal + - networking + shortNames: + - sks + scope: Namespaced diff --git a/knative/helm/knative-serving/crds/service-crd.yaml b/knative/helm/knative-serving/crds/service-crd.yaml new file mode 100644 index 000000000..73e0d4943 --- /dev/null +++ b/knative/helm/knative-serving/crds/service-crd.yaml 
@@ -0,0 +1,993 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: services.serving.knative.dev + labels: + app.kubernetes.io/name: knative-serving + app.kubernetes.io/version: "1.12.2" + knative.dev/crd-install: "true" + duck.knative.dev/addressable: "true" + duck.knative.dev/podspecable: "true" +spec: + group: serving.knative.dev + names: + kind: Service + plural: services + singular: service + categories: + - all + - knative + - serving + shortNames: + - kservice + - ksvc + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: URL + type: string + jsonPath: .status.url + - name: LatestCreated + type: string + jsonPath: .status.latestCreatedRevisionName + - name: LatestReady + type: string + jsonPath: .status.latestReadyRevisionName + - name: Ready + type: string + jsonPath: ".status.conditions[?(@.type=='Ready')].status" + - name: Reason + type: string + jsonPath: ".status.conditions[?(@.type=='Ready')].reason" + schema: + openAPIV3Schema: + description: "Service acts as a top-level container that manages a Route and Configuration which implement a network service. Service exists to provide a singular abstraction which can be access controlled, reasoned about, and which encapsulates software lifecycle decisions such as rollout policy and team resource ownership. Service acts only as an orchestrator of the underlying Routes and Configurations (much as a kubernetes Deployment orchestrates ReplicaSets), and its usage is optional but recommended. \n The Service's controller will track the statuses of its owned Configuration and Route, reflecting their statuses and conditions as its own. \n See also: https://github.com/knative/serving/blob/main/docs/spec/overview.md#service" + type: object + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. 
Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ServiceSpec represents the configuration for the Service object. A Service's specification is the union of the specifications for a Route and Configuration. The Service restricts what can be expressed in these fields, e.g. the Route must reference the provided Configuration; however, these limitations also enable friendlier defaulting, e.g. Route never needs a Configuration name, and may be defaulted to the appropriate "run latest" spec. + type: object + properties: + template: + description: Template holds the latest specification for the Revision to be stamped out. + type: object + properties: + metadata: + type: object + properties: + annotations: + type: object + additionalProperties: + type: string + finalizers: + type: array + items: + type: string + labels: + type: object + additionalProperties: + type: string + name: + type: string + namespace: + type: string + x-kubernetes-preserve-unknown-fields: true + spec: + description: RevisionSpec holds the desired state of the Revision (from the client). + type: object + required: + - containers + properties: + affinity: + description: This is accessible behind a feature flag - kubernetes.podspec-affinity + type: object + x-kubernetes-preserve-unknown-fields: true + automountServiceAccountToken: + description: AutomountServiceAccountToken indicates whether a service account token should be automatically mounted. 
+ type: boolean + containerConcurrency: + description: ContainerConcurrency specifies the maximum allowed in-flight (concurrent) requests per container of the Revision. Defaults to `0` which means concurrency to the application is not limited, and the system decides the target concurrency for the autoscaler. + type: integer + format: int64 + containers: + description: List of containers belonging to the pod. Containers cannot currently be added or removed. There must be at least one container in a Pod. Cannot be updated. + type: array + items: + description: A single application container that you want to run within a pod. + type: object + properties: + args: + description: 'Arguments to the entrypoint. The container image''s CMD is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + type: array + items: + type: string + command: + description: 'Entrypoint array. Not executed within a shell. The container image''s ENTRYPOINT is used if this is not provided. Variable references $(VAR_NAME) are expanded using the container''s environment. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Cannot be updated. 
More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell' + type: array + items: + type: string + env: + description: List of environment variables to set in the container. Cannot be updated. + type: array + items: + description: EnvVar represents an environment variable present in a Container. + type: object + required: + - name + properties: + name: + description: Name of the environment variable. Must be a C_IDENTIFIER. + type: string + value: + description: 'Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to "".' + type: string + valueFrom: + description: Source for the environment variable's value. Cannot be used if value is not empty. + type: object + properties: + configMapKeyRef: + description: Selects a key of a ConfigMap. + type: object + required: + - key + properties: + key: + description: The key to select. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + fieldRef: + description: This is accessible behind a feature flag - kubernetes.podspec-fieldref + type: object + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-map-type: atomic + resourceFieldRef: + description: This is accessible behind a feature flag - kubernetes.podspec-fieldref + type: object + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-map-type: atomic + secretKeyRef: + description: Selects a key of a secret in the pod's namespace + type: object + required: + - key + properties: + key: + description: The key of the secret to select from. Must be a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + envFrom: + description: List of sources to populate environment variables in the container. The keys defined within a source must be a C_IDENTIFIER. All invalid keys will be reported as an event when the container is starting. When a key exists in multiple sources, the value associated with the last source will take precedence. Values defined by an Env with a duplicate key will take precedence. Cannot be updated. + type: array + items: + description: EnvFromSource represents the source of a set of ConfigMaps + type: object + properties: + configMapRef: + description: The ConfigMap to select from + type: object + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' 
+ type: string + optional: + description: Specify whether the ConfigMap must be defined + type: boolean + x-kubernetes-map-type: atomic + prefix: + description: An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER. + type: string + secretRef: + description: The Secret to select from + type: object + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret must be defined + type: boolean + x-kubernetes-map-type: atomic + image: + description: 'Container image name. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.' + type: string + imagePullPolicy: + description: 'Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images' + type: string + livenessProbe: + description: 'Periodic probe of container liveness. Container will be restarted if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. 
Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + failureThreshold: + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. + type: integer + format: int32 + service: + description: "Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). \n If this is not specified, the default behavior is defined by gRPC." + type: string + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + properties: + host: + description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + path: + description: Path to access on the HTTP server. + type: string + port: + description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. Defaults to HTTP. 
+ type: string + initialDelaySeconds: + description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + type: integer + format: int32 + periodSeconds: + description: How often (in seconds) to perform the probe. + type: integer + format: int32 + successThreshold: + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. + type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. + type: object + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + timeoutSeconds: + description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + type: integer + format: int32 + name: + description: Name of the container specified as a DNS_LABEL. Each container in a pod must have a unique name (DNS_LABEL). Cannot be updated. + type: string + ports: + description: List of ports to expose from the container. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Modifying this array with strategic merge patch may corrupt the data. For more information See https://github.com/kubernetes/kubernetes/issues/108255. Cannot be updated. + type: array + items: + description: ContainerPort represents a network port in a single container. 
+ type: object + required: + - containerPort + properties: + containerPort: + description: Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536. + type: integer + format: int32 + name: + description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services. + type: string + protocol: + description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP". + type: string + default: TCP + x-kubernetes-list-map-keys: + - containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + description: 'Periodic probe of container service readiness. Container will be removed from service endpoints if the probe fails. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + type: object + properties: + exec: + description: Exec specifies the action to take. + type: object + properties: + command: + description: Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. + type: array + items: + type: string + failureThreshold: + description: Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. + type: integer + format: int32 + grpc: + description: GRPC specifies an action involving a GRPC port. + type: object + required: + - port + properties: + port: + description: Port number of the gRPC service. Number must be in the range 1 to 65535. 
+ type: integer + format: int32 + service: + description: "Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). \n If this is not specified, the default behavior is defined by gRPC." + type: string + httpGet: + description: HTTPGet specifies the http request to perform. + type: object + properties: + host: + description: Host name to connect to, defaults to the pod IP. You probably want to set "Host" in httpHeaders instead. + type: string + httpHeaders: + description: Custom headers to set in the request. HTTP allows repeated headers. + type: array + items: + description: HTTPHeader describes a custom header to be used in HTTP probes + type: object + required: + - name + - value + properties: + name: + description: The header field name. This will be canonicalized upon output, so case-variant names will be understood as the same header. + type: string + value: + description: The header field value + type: string + path: + description: Path to access on the HTTP server. + type: string + port: + description: Name or number of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + description: Scheme to use for connecting to the host. Defaults to HTTP. + type: string + initialDelaySeconds: + description: 'Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + type: integer + format: int32 + periodSeconds: + description: How often (in seconds) to perform the probe. + type: integer + format: int32 + successThreshold: + description: Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. 
+ type: integer + format: int32 + tcpSocket: + description: TCPSocket specifies an action involving a TCP port. + type: object + properties: + host: + description: 'Optional: Host name to connect to, defaults to the pod IP.' + type: string + port: + description: Number or name of the port to access on the container. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + timeoutSeconds: + description: 'Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes' + type: integer + format: int32 + resources: + description: 'Compute Resources required by this container. Cannot be updated. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + properties: + claims: + description: "Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container. \n This is an alpha field and requires enabling the DynamicResourceAllocation feature gate. \n This field is immutable. It can only be set for containers." + type: array + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + type: object + required: + - name + properties: + name: + description: Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container. + type: string + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + description: 'Limits describes the maximum amount of compute resources allowed. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + requests: + description: 'Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + additionalProperties: + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + securityContext: + description: 'SecurityContext defines the security options the container should be run with. If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext. More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/' + type: object + properties: + allowPrivilegeEscalation: + description: 'AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.' + type: boolean + capabilities: + description: The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime. Note that this field cannot be set when spec.os.name is windows. 
+ type: object + properties: + add: + description: This is accessible behind a feature flag - kubernetes.containerspec-addcapabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + drop: + description: Removed capabilities + type: array + items: + description: Capability represent POSIX capabilities type + type: string + readOnlyRootFilesystem: + description: Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows. + type: boolean + runAsGroup: + description: The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + runAsNonRoot: + description: Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. + type: boolean + runAsUser: + description: The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. + type: integer + format: int64 + seccompProfile: + description: The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options. 
Note that this field cannot be set when spec.os.name is windows. + type: object + required: + - type + properties: + localhostProfile: + description: localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must only be set if type is "Localhost". + type: string + type: + description: "type indicates which kind of seccomp profile will be applied. Valid options are: \n Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied." + type: string + terminationMessagePath: + description: 'Optional: Path at which the file to which the container''s termination message will be written is mounted into the container''s filesystem. Message written is intended to be brief final status, such as an assertion failure message. Will be truncated by the node if greater than 4096 bytes. The total message length across all containers will be limited to 12kb. Defaults to /dev/termination-log. Cannot be updated.' + type: string + terminationMessagePolicy: + description: Indicate how the termination message should be populated. File will use the contents of terminationMessagePath to populate the container status message on both success and failure. FallbackToLogsOnError will use the last chunk of container log output if the termination message file is empty and the container exited with an error. The log output is limited to 2048 bytes or 80 lines, whichever is smaller. Defaults to File. Cannot be updated. + type: string + volumeMounts: + description: Pod volumes to mount into the container's filesystem. Cannot be updated. + type: array + items: + description: VolumeMount describes a mounting of a Volume within a container. 
+ type: object + required: + - mountPath + - name + properties: + mountPath: + description: Path within the container at which the volume should be mounted. Must not contain ':'. + type: string + name: + description: This must match the Name of a Volume. + type: string + readOnly: + description: Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false. + type: boolean + subPath: + description: Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root). + type: string + workingDir: + description: Container's working directory. If not specified, the container runtime's default will be used, which might be configured in the container image. Cannot be updated. + type: string + dnsConfig: + description: This is accessible behind a feature flag - kubernetes.podspec-dnsconfig + type: object + x-kubernetes-preserve-unknown-fields: true + dnsPolicy: + description: This is accessible behind a feature flag - kubernetes.podspec-dnspolicy + type: string + enableServiceLinks: + description: 'EnableServiceLinks indicates whether information about services should be injected into pod''s environment variables, matching the syntax of Docker links. Optional: Knative defaults this to false.' + type: boolean + hostAliases: + description: This is accessible behind a feature flag - kubernetes.podspec-hostaliases + type: array + items: + description: This is accessible behind a feature flag - kubernetes.podspec-hostaliases + type: object + x-kubernetes-preserve-unknown-fields: true + idleTimeoutSeconds: + description: IdleTimeoutSeconds is the maximum duration in seconds a request will be allowed to stay open while not receiving any bytes from the user's application. If unspecified, a system default will be provided. 
+ type: integer + format: int64 + imagePullSecrets: + description: 'ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use. More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod' + type: array + items: + description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. + type: object + properties: + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + x-kubernetes-map-type: atomic + initContainers: + description: 'List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique among all containers. Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. The resourceRequirements of an init container are taken into account during scheduling by finding the highest request/limit for each resource type, and then using the max of of that value or the sum of the normal containers. Limits are applied to init containers in a similar fashion. Init containers cannot currently be added or removed. Cannot be updated. 
More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/' + type: array + items: + description: This is accessible behind a feature flag - kubernetes.podspec-init-containers + type: object + x-kubernetes-preserve-unknown-fields: true + nodeSelector: + description: This is accessible behind a feature flag - kubernetes.podspec-nodeselector + type: object + x-kubernetes-preserve-unknown-fields: true + x-kubernetes-map-type: atomic + priorityClassName: + description: This is accessible behind a feature flag - kubernetes.podspec-priorityclassname + type: string + x-kubernetes-preserve-unknown-fields: true + responseStartTimeoutSeconds: + description: ResponseStartTimeoutSeconds is the maximum duration in seconds that the request routing layer will wait for a request delivered to a container to begin sending any network traffic. + type: integer + format: int64 + runtimeClassName: + description: This is accessible behind a feature flag - kubernetes.podspec-runtimeclassname + type: string + x-kubernetes-preserve-unknown-fields: true + schedulerName: + description: This is accessible behind a feature flag - kubernetes.podspec-schedulername + type: string + x-kubernetes-preserve-unknown-fields: true + securityContext: + description: This is accessible behind a feature flag - kubernetes.podspec-securitycontext + type: object + x-kubernetes-preserve-unknown-fields: true + serviceAccountName: + description: 'ServiceAccountName is the name of the ServiceAccount to use to run this pod. More info: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/' + type: string + shareProcessNamespace: + description: This is accessible behind a feature flag - kubernetes.podspec-shareproccessnamespace + type: boolean + x-kubernetes-preserve-unknown-fields: true + timeoutSeconds: + description: TimeoutSeconds is the maximum duration in seconds that the request instance is allowed to respond to a request. 
If unspecified, a system default will be provided. + type: integer + format: int64 + tolerations: + description: This is accessible behind a feature flag - kubernetes.podspec-tolerations + type: array + items: + description: This is accessible behind a feature flag - kubernetes.podspec-tolerations + type: object + x-kubernetes-preserve-unknown-fields: true + topologySpreadConstraints: + description: This is accessible behind a feature flag - kubernetes.podspec-topologyspreadconstraints + type: array + items: + description: This is accessible behind a feature flag - kubernetes.podspec-topologyspreadconstraints + type: object + x-kubernetes-preserve-unknown-fields: true + volumes: + description: 'List of volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes' + type: array + items: + description: Volume represents a named volume in a pod that may be accessed by any container in the pod. + type: object + required: + - name + properties: + configMap: + description: configMap represents a configMap that should populate this volume + type: object + properties: + defaultMode: + description: 'defaultMode is optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + type: integer + format: int32 + items: + description: items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. 
If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + type: integer + format: int32 + path: + description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: optional specify whether the ConfigMap or its keys must be defined + type: boolean + x-kubernetes-map-type: atomic + emptyDir: + description: This is accessible behind a feature flag - kubernetes.podspec-emptydir + type: object + x-kubernetes-preserve-unknown-fields: true + name: + description: 'name of the volume. Must be a DNS_LABEL and unique within the pod. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + type: string + persistentVolumeClaim: + description: This is accessible behind a feature flag - kubernetes.podspec-persistent-volume-claim + type: object + x-kubernetes-preserve-unknown-fields: true + projected: + description: projected items for all in one resources secrets, configmaps, and downward API + type: object + properties: + defaultMode: + description: defaultMode are the mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set. + type: integer + format: int32 + sources: + description: sources is the list of volume projections + type: array + items: + description: Projection that may be projected along with other supported volume types + type: object + properties: + configMap: + description: configMap information about the configMap data to project + type: object + properties: + items: + description: items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. 
+ type: string + mode: + description: 'mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + type: integer + format: int32 + path: + description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: optional specify whether the ConfigMap or its keys must be defined + type: boolean + x-kubernetes-map-type: atomic + downwardAPI: + description: downwardAPI information about the downwardAPI data to project + type: object + properties: + items: + description: Items is a list of DownwardAPIVolume file + type: array + items: + description: DownwardAPIVolumeFile represents information to create the file containing the pod field + type: object + required: + - path + properties: + fieldRef: + description: 'Required: Selects a field of the pod: only annotations, labels, name and namespace are supported.' + type: object + required: + - fieldPath + properties: + apiVersion: + description: Version of the schema the FieldPath is written in terms of, defaults to "v1". + type: string + fieldPath: + description: Path of the field to select in the specified API version. 
+ type: string + x-kubernetes-map-type: atomic + mode: + description: 'Optional: mode bits used to set permissions on this file, must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + type: integer + format: int32 + path: + description: 'Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..''' + type: string + resourceFieldRef: + description: 'Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported.' + type: object + required: + - resource + properties: + containerName: + description: 'Container name: required for volumes, optional for env vars' + type: string + divisor: + description: Specifies the output format of the exposed resources, defaults to "1" + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + resource: + description: 'Required: resource to select' + type: string + x-kubernetes-map-type: atomic + secret: + description: secret information about the secret data to project + type: object + properties: + items: + description: items if unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. 
If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. + type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + type: integer + format: int32 + path: + description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: optional field specify whether the Secret or its key must be defined + type: boolean + x-kubernetes-map-type: atomic + serviceAccountToken: + description: serviceAccountToken is information about the serviceAccountToken data to project + type: object + required: + - path + properties: + audience: + description: audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. The audience defaults to the identifier of the apiserver. 
+ type: string + expirationSeconds: + description: expirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, the kubelet volume plugin will proactively rotate the service account token. The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours.Defaults to 1 hour and must be at least 10 minutes. + type: integer + format: int64 + path: + description: path is the path relative to the mount point of the file to project the token into. + type: string + secret: + description: 'secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + type: object + properties: + defaultMode: + description: 'defaultMode is Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + type: integer + format: int32 + items: + description: items If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. + type: array + items: + description: Maps a string key to a path within a volume. 
+ type: object + required: + - key + - path + properties: + key: + description: key is the key to project. + type: string + mode: + description: 'mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.' + type: integer + format: int32 + path: + description: path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'. + type: string + optional: + description: optional field specify whether the Secret or its keys must be defined + type: boolean + secretName: + description: 'secretName is the name of the secret in the pod''s namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret' + type: string + traffic: + description: Traffic specifies how to distribute traffic over a collection of revisions and configurations. + type: array + items: + description: TrafficTarget holds a single entry of the routing table for a Route. + type: object + properties: + configurationName: + description: ConfigurationName of a configuration to whose latest revision we will send this portion of traffic. When the "status.latestReadyRevisionName" of the referenced configuration changes, we will automatically migrate traffic from the prior "latest ready" revision to the new one. This field is never set in Route's status, only its spec. This is mutually exclusive with RevisionName. + type: string + latestRevision: + description: LatestRevision may be optionally provided to indicate that the latest ready Revision of the Configuration should be used for this traffic target. 
When provided LatestRevision must be true if RevisionName is empty; it must be false when RevisionName is non-empty. + type: boolean + percent: + description: 'Percent indicates that percentage based routing should be used and the value indicates the percent of traffic that is be routed to this Revision or Configuration. `0` (zero) mean no traffic, `100` means all traffic. When percentage based routing is being used the follow rules apply: - the sum of all percent values must equal 100 - when not specified, the implied value for `percent` is zero for that particular Revision or Configuration' + type: integer + format: int64 + revisionName: + description: RevisionName of a specific revision to which to send this portion of traffic. This is mutually exclusive with ConfigurationName. + type: string + tag: + description: Tag is optionally used to expose a dedicated url for referencing this target exclusively. + type: string + url: + description: URL displays the URL for accessing named traffic targets. URL is displayed in status, and is disallowed on spec. URL must contain a scheme (e.g. http://) and a hostname, but may not contain anything else (e.g. basic auth, url path, etc.) + type: string + status: + description: ServiceStatus represents the Status stanza of the Service resource. + type: object + properties: + address: + description: Address holds the information needed for a Route to be the target of an event. + type: object + properties: + CACerts: + description: CACerts is the Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468. + type: string + audience: + description: Audience is the OIDC audience for this address. + type: string + name: + description: Name is the name of the address. + type: string + url: + type: string + annotations: + description: Annotations is additional Status fields for the Resource to save some additional State as well as convey more information to the user. 
This is roughly akin to Annotations on any k8s resource, just the reconciler conveying richer information outwards. + type: object + additionalProperties: + type: string + conditions: + description: Conditions the latest available observations of a resource's current state. + type: array + items: + description: 'Condition defines a readiness condition for a Knative resource. See: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#typical-status-properties' + type: object + required: + - status + - type + properties: + lastTransitionTime: + description: LastTransitionTime is the last time the condition transitioned from one status to another. We use VolatileTime in place of metav1.Time to exclude this from creating equality.Semantic differences (all other things held constant). + type: string + message: + description: A human readable message indicating details about the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + severity: + description: Severity with which to treat failures of this type of condition. When this is not specified, it defaults to Error. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of condition. + type: string + latestCreatedRevisionName: + description: LatestCreatedRevisionName is the last revision that was created from this Configuration. It might not be ready yet, for that use LatestReadyRevisionName. + type: string + latestReadyRevisionName: + description: LatestReadyRevisionName holds the name of the latest Revision stamped out from this Configuration that has had its "Ready" condition become "True". + type: string + observedGeneration: + description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller. 
+ type: integer + format: int64 + traffic: + description: Traffic holds the configured traffic distribution. These entries will always contain RevisionName references. When ConfigurationName appears in the spec, this will hold the LatestReadyRevisionName that we last observed. + type: array + items: + description: TrafficTarget holds a single entry of the routing table for a Route. + type: object + properties: + configurationName: + description: ConfigurationName of a configuration to whose latest revision we will send this portion of traffic. When the "status.latestReadyRevisionName" of the referenced configuration changes, we will automatically migrate traffic from the prior "latest ready" revision to the new one. This field is never set in Route's status, only its spec. This is mutually exclusive with RevisionName. + type: string + latestRevision: + description: LatestRevision may be optionally provided to indicate that the latest ready Revision of the Configuration should be used for this traffic target. When provided LatestRevision must be true if RevisionName is empty; it must be false when RevisionName is non-empty. + type: boolean + percent: + description: 'Percent indicates that percentage based routing should be used and the value indicates the percent of traffic that is be routed to this Revision or Configuration. `0` (zero) mean no traffic, `100` means all traffic. When percentage based routing is being used the follow rules apply: - the sum of all percent values must equal 100 - when not specified, the implied value for `percent` is zero for that particular Revision or Configuration' + type: integer + format: int64 + revisionName: + description: RevisionName of a specific revision to which to send this portion of traffic. This is mutually exclusive with ConfigurationName. + type: string + tag: + description: Tag is optionally used to expose a dedicated url for referencing this target exclusively. 
+ type: string + url: + description: URL displays the URL for accessing named traffic targets. URL is displayed in status, and is disallowed on spec. URL must contain a scheme (e.g. http://) and a hostname, but may not contain anything else (e.g. basic auth, url path, etc.) + type: string + url: + description: URL holds the url that will distribute traffic over the provided traffic targets. It generally has the form http[s]://{route-name}.{route-namespace}.{cluster-level-suffix} + type: string
diff --git a/knative/helm/knative-serving/templates/_helpers.tpl b/knative/helm/knative-serving/templates/_helpers.tpl
index f7c1ecbd8..ae47bf4ac 100644
--- a/knative/helm/knative-serving/templates/_helpers.tpl
+++ b/knative/helm/knative-serving/templates/_helpers.tpl
@@ -1,7 +1,7 @@
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "knative-serving.name" -}}
+{{- define "knative-serving-plural.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
@@ -10,7 +10,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "knative-serving.fullname" -}}
+{{- define "knative-serving-plural.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
@@ -26,16 +26,16 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "knative-serving.chart" -}}
+{{- define "knative-serving-plural.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
 {{/*
 Common labels
 */}}
-{{- define "knative-serving.labels" -}}
-helm.sh/chart: {{ include "knative-serving.chart" . }}
-{{ include "knative-serving.selectorLabels" . }}
+{{- define "knative-serving-plural.labels" -}}
+helm.sh/chart: {{ include "knative-serving-plural.chart" . }}
+{{ include "knative-serving-plural.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
@@ -45,17 +45,17 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{/*
 Selector labels
 */}}
-{{- define "knative-serving.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "knative-serving.name" . }}
+{{- define "knative-serving-plural.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "knative-serving-plural.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
 {{/*
 Create the name of the service account to use
 */}}
-{{- define "knative-serving.serviceAccountName" -}}
+{{- define "knative-serving-plural.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create }}
-{{- default (include "knative-serving.fullname" .) .Values.serviceAccount.name }}
+{{- default (include "knative-serving-plural.fullname" .) .Values.serviceAccount.name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
diff --git a/knative/helm/knative-serving/templates/authorizationpolicy.yaml b/knative/helm/knative-serving/templates/authorizationpolicy.yaml
index ca44309cb..1b9a1a935 100644
--- a/knative/helm/knative-serving/templates/authorizationpolicy.yaml
+++ b/knative/helm/knative-serving/templates/authorizationpolicy.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.kubeflow.enabled }}
 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
@@ -10,3 +11,4 @@ spec:
 action: ALLOW
 rules:
 - {}
+{{- end }}
diff --git a/knative/helm/knative-serving/templates/clusterrole.yaml b/knative/helm/knative-serving/templates/clusterrole.yaml
deleted file mode 100644
index d430381ff..000000000
--- a/knative/helm/knative-serving/templates/clusterrole.yaml
+++ /dev/null
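Review bot: In templates/authorizationpolicy.yaml the new guard `{{- if not .Values.kubeflow.enabled }}` reads `.Values.kubeflow` without a fallback, so rendering will fail on any install whose values do not define a `kubeflow` map. No default is visible in this diff section, so confirm that the chart's values file carries `kubeflow:` with `enabled: false`. When the flag is true the `action: ALLOW` policy with the empty rule `- {}` is no longer rendered, and the effective access then depends on which other AuthorizationPolicy objects select the same workloads: Istio allows all traffic when no ALLOW policy applies and denies unmatched requests once one does. The selector and metadata lie between the two hunks and are not shown, so the affected workloads cannot be checked from here. I would record the intent above the guard, for example `{{- /* allow-all policy; skipped when kubeflow.enabled, which must supply its own policy for these workloads */ -}}`.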
@@ -1,187 +0,0 @@ -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: knative-serving-addressable-resolver - labels: - serving.knative.dev/release: "v0.26.0" - # Labeled to facilitate aggregated cluster roles that act on Addressables. - duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "0.26.0" - app.kubernetes.io/part-of: knative-serving -# Do not use this role directly. These rules will be added to the "addressable-resolver" role. -rules: - - apiGroups: - - serving.knative.dev - resources: - - routes - - routes/status - - services - - services/status - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - # Named like this to avoid clashing with eventing's existing `addressable-resolver` role - # (which should be identical, but isn't guaranteed to be installed alongside serving). - name: knative-serving-aggregated-addressable-resolver - labels: - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/version: "0.26.0" - app.kubernetes.io/part-of: knative-serving -aggregationRule: - clusterRoleSelectors: - - matchLabels: - duck.knative.dev/addressable: "true" ---- -aggregationRule: - clusterRoleSelectors: - - matchLabels: - serving.knative.dev/controller: "true" -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - serving.knative.dev/release: v0.26.0 - name: knative-serving-admin -rules: [] ---- -aggregationRule: - clusterRoleSelectors: - - matchLabels: - duck.knative.dev/addressable: "true" -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - serving.knative.dev/release: v0.26.0 - name: knative-serving-aggregated-addressable-resolver -rules: [] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: knative-serving-core - labels: - serving.knative.dev/release: "v0.26.0" - serving.knative.dev/controller: "true" - app.kubernetes.io/version: "0.26.0" - 
app.kubernetes.io/part-of: knative-serving -rules: - - apiGroups: [""] - resources: ["pods", "namespaces", "secrets", "configmaps", "endpoints", "services", "events", "serviceaccounts"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] - - apiGroups: [""] - resources: ["endpoints/restricted"] # Permission for RestrictedEndpointsAdmission - verbs: ["create"] - - apiGroups: [""] - resources: ["namespaces/finalizers"] # finalizers are needed for the owner reference of the webhook - verbs: ["update"] - - apiGroups: ["apps"] - resources: ["deployments", "deployments/finalizers"] # finalizers are needed for the owner reference of the webhook - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions", "customresourcedefinitions/status"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] - - apiGroups: ["autoscaling"] - resources: ["horizontalpodautoscalers"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] - - apiGroups: ["serving.knative.dev", "autoscaling.internal.knative.dev", "networking.internal.knative.dev"] - resources: ["*", "*/status", "*/finalizers"] - verbs: ["get", "list", "create", "update", "delete", "deletecollection", "patch", "watch"] - - apiGroups: ["caching.internal.knative.dev"] - resources: ["images"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - # These are the permissions needed by the Istio Ingress implementation. 
- name: knative-serving-istio - labels: - serving.knative.dev/release: "v0.26.0" - serving.knative.dev/controller: "true" - networking.knative.dev/ingress-provider: istio -rules: - - apiGroups: ["networking.istio.io"] - resources: ["virtualservices", "gateways", "destinationrules"] - verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: knative-serving-namespaced-admin - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/version: "0.26.0" - app.kubernetes.io/part-of: knative-serving -rules: - - apiGroups: ["serving.knative.dev"] - resources: ["*"] - verbs: ["*"] - - apiGroups: ["networking.internal.knative.dev", "autoscaling.internal.knative.dev", "caching.internal.knative.dev"] - resources: ["*"] - verbs: ["get", "list", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: knative-serving-namespaced-edit - labels: - rbac.authorization.k8s.io/aggregate-to-edit: "true" - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/version: "0.26.0" - app.kubernetes.io/part-of: knative-serving -rules: - - apiGroups: ["serving.knative.dev"] - resources: ["*"] - verbs: ["create", "update", "patch", "delete"] - - apiGroups: ["networking.internal.knative.dev", "autoscaling.internal.knative.dev", "caching.internal.knative.dev"] - resources: ["*"] - verbs: ["get", "list", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: knative-serving-namespaced-view - labels: - rbac.authorization.k8s.io/aggregate-to-view: "true" - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/version: "0.26.0" - app.kubernetes.io/part-of: knative-serving -rules: - - apiGroups: ["serving.knative.dev", "networking.internal.knative.dev", "autoscaling.internal.knative.dev", "caching.internal.knative.dev"] - resources: ["*"] - verbs: ["get", 
"list", "watch"] ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: knative-serving-podspecable-binding - labels: - serving.knative.dev/release: "v0.26.0" - # Labeled to facilitate aggregated cluster roles that act on PodSpecables. - duck.knative.dev/podspecable: "true" - app.kubernetes.io/version: "0.26.0" - app.kubernetes.io/part-of: knative-serving -# Do not use this role directly. These rules will be added to the "podspecable-binder" role. -rules: - - apiGroups: - - serving.knative.dev - resources: - - configurations - - services - verbs: - - list - - watch - - patch diff --git a/knative/helm/knative-serving/templates/clusterrolebinding.yaml b/knative/helm/knative-serving/templates/clusterrolebinding.yaml deleted file mode 100644 index 9ef990e86..000000000 --- a/knative/helm/knative-serving/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/name: controller - app.kubernetes.io/version: "0.26.0" - app.kubernetes.io/part-of: knative-serving - name: knative-serving-controller-addressable-resolver -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: knative-serving-aggregated-addressable-resolver -subjects: - - kind: ServiceAccount - name: controller - namespace: {{ .Release.Namespace }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/name: controller - app.kubernetes.io/version: "0.26.0" - app.kubernetes.io/part-of: knative-serving - name: knative-serving-controller-admin -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: knative-serving-admin -subjects: - - kind: ServiceAccount - name: controller - namespace: {{ .Release.Namespace }} 
diff --git a/knative/helm/knative-serving/templates/configmap.yaml b/knative/helm/knative-serving/templates/configmap.yaml
deleted file mode 100644
index 330566142..000000000
--- a/knative/helm/knative-serving/templates/configmap.yaml
+++ /dev/null
@@ -1,167 +0,0 @@ -apiVersion: v1 -{{ with .Values.autoscalerConfig }} -data: -{{ toYaml . | nindent 2 }} -{{ end }} -kind: ConfigMap -metadata: - annotations: - knative.dev/example-checksum: 604cb513 - labels: - serving.knative.dev/release: v0.26.0 - name: config-autoscaler - namespace: {{ .Release.Namespace }} ---- -apiVersion: v1 -{{ with .Values.defaultsConfig }} -data: -{{ toYaml . | nindent 2}} -{{ end }} -kind: ConfigMap -metadata: - annotations: - knative.dev/example-checksum: cdabec96 - labels: - serving.knative.dev/release: v0.26.0 - name: config-defaults - namespace: {{ .Release.Namespace }} ---- -apiVersion: v1 -{{ with .Values.deploymentConfig }} -data: - {{ toYaml . | nindent 2 }} -{{ end }} - queueSidecarImage: gcr.io/knative-releases/knative.dev/serving/cmd/queue@sha256:6cd0c234bfbf88ac75df5243c2f9213dcc9def610414c506d418f9388187b771 -kind: ConfigMap -metadata: - annotations: - knative.dev/example-checksum: fa67b403 - labels: - serving.knative.dev/release: v0.26.0 - name: config-deployment - namespace: {{ .Release.Namespace }} ---- -apiVersion: v1 -kind: ConfigMap -{{ with .Values.domainConfig }} -data: -{{ toYaml . | nindent 2 }} -{{ end }} -metadata: - annotations: - knative.dev/example-checksum: 74c3fc6a - labels: - serving.knative.dev/release: v0.26.0 - name: config-domain - namespace: {{ .Release.Namespace }} ---- -apiVersion: v1 -kind: ConfigMap -{{ with .Values.featuresConfig }} -data: -{{ toYaml . | nindent 2 }} -{{ end }} -metadata: - annotations: - knative.dev/example-checksum: 2cf73688 - labels: - serving.knative.dev/release: v0.26.0 - name: config-features - namespace: {{ .Release.Namespace }} ---- -apiVersion: v1 -{{ with .Values.gcConfig }} -data: -{{ toYaml . 
| nindent 2 }} -{{ end }} -kind: ConfigMap -metadata: - annotations: - knative.dev/example-checksum: e6149382 - labels: - serving.knative.dev/release: v0.26.0 - name: config-gc - namespace: {{ .Release.Namespace }} ---- -apiVersion: v1 -{{ with .Values.leaderElectionConfig }} -data: -{{ toYaml . | nindent 2 }} -{{ end }} -kind: ConfigMap -metadata: - annotations: - knative.dev/example-checksum: 96896b00 - labels: - serving.knative.dev/release: v0.26.0 - name: config-leader-election - namespace: {{ .Release.Namespace }} ---- -apiVersion: v1 -{{ with .Values.loggingConfig }} -data: -{{ toYaml . | nindent 2 }} -{{ end }} -kind: ConfigMap -metadata: - annotations: - knative.dev/example-checksum: d9570453 - labels: - serving.knative.dev/release: v0.26.0 - name: config-logging - namespace: {{ .Release.Namespace }} ---- -apiVersion: v1 -{{ with .Values.networkConfig }} -data: -{{ toYaml . | nindent 2 }} -{{ end }} -kind: ConfigMap -metadata: - annotations: - knative.dev/example-checksum: 15954d34 - labels: - serving.knative.dev/release: v0.26.0 - name: config-network - namespace: {{ .Release.Namespace }} ---- -apiVersion: v1 -{{ with .Values.observabilityConfig }} -data: -{{ toYaml . | nindent 2 }} -{{ end }} -kind: ConfigMap -metadata: - annotations: - knative.dev/example-checksum: 97c1d10b - labels: - serving.knative.dev/release: v0.26.0 - name: config-observability - namespace: {{ .Release.Namespace }} ---- -apiVersion: v1 -{{ with .Values.tracingConfig }} -data: -{{ toYaml . | nindent 2 }} -{{ end }} -kind: ConfigMap -metadata: - annotations: - knative.dev/example-checksum: 4002b4c2 - labels: - serving.knative.dev/release: v0.26.0 - name: config-tracing - namespace: {{ .Release.Namespace }} ---- -apiVersion: v1 -{{ with .Values.istioConfig }} -data: -{{ toYaml . 
| nindent 2 }} -{{ end }} -kind: ConfigMap -metadata: - labels: - networking.knative.dev/ingress-provider: istio - serving.knative.dev/release: v0.26.0 - name: config-istio - namespace: {{ .Release.Namespace }} diff --git a/knative/helm/knative-serving/templates/deployment.yaml b/knative/helm/knative-serving/templates/deployment.yaml deleted file mode 100644 index d6040db57..000000000 --- a/knative/helm/knative-serving/templates/deployment.yaml +++ /dev/null 
@@ -1,682 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: activator - namespace: {{ .Release.Namespace }} - labels: - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/name: activator - app.kubernetes.io/version: "0.26.0" - app.kubernetes.io/part-of: knative-serving -spec: - selector: - matchLabels: - app: activator - role: activator - template: - metadata: - annotations: - cluster-autoscaler.kubernetes.io/safe-to-evict: "false" - labels: - app: activator - role: activator - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/name: activator - app.kubernetes.io/part-of: knative-serving - app.kubernetes.io/version: "0.26.0" - spec: - serviceAccountName: controller - containers: - - name: activator - # This is the Go import path for the binary that is containerized - # and substituted here. - image: gcr.io/knative-releases/knative.dev/serving/cmd/activator@sha256:8619f871364463cd821a7324636686b6d835ca65c3d671fb8c141b8437fd2a0b - # The numbers are based on performance test results from - # https://github.com/knative/serving/issues/1625#issuecomment-511930023 - resources: - requests: - cpu: 300m - memory: 60Mi - limits: - cpu: 1000m - memory: 600Mi - env: - # Run Activator with GC collection when newly generated memory is 500%. 
- - name: GOGC - value: "500" - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: CONFIG_LOGGING_NAME - value: config-logging - - name: CONFIG_OBSERVABILITY_NAME - value: config-observability - # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config - - name: METRICS_DOMAIN - value: knative.dev/internal/serving - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - all - ports: - - name: metrics - containerPort: 9090 - - name: profiling - containerPort: 8008 - - name: http1 - containerPort: 8012 - - name: h2c - containerPort: 8013 - readinessProbe: - httpGet: - port: 8012 - httpHeaders: - - name: k-kubelet-probe - value: "activator" - failureThreshold: 12 - livenessProbe: - httpGet: - port: 8012 - httpHeaders: - - name: k-kubelet-probe - value: "activator" - failureThreshold: 12 - initialDelaySeconds: 15 - # The activator (often) sits on the dataplane, and may proxy long (e.g. - # streaming, websockets) requests. We give a long grace period for the - # activator to "lame duck" and drain outstanding requests before we - # forcibly terminate the pod (and outstanding connections). This value - # should be at least as large as the upper bound on the Revision's - # timeoutSeconds property to avoid servicing events disrupting - # connections. 
- terminationGracePeriodSeconds: 600 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: autoscaler - namespace: {{ .Release.Namespace }} - labels: - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/name: autoscaler - app.kubernetes.io/part-of: knative-serving - app.kubernetes.io/version: "0.26.0" -spec: - replicas: 1 - selector: - matchLabels: - app: autoscaler - template: - metadata: - annotations: - cluster-autoscaler.kubernetes.io/safe-to-evict: "false" - labels: - app: autoscaler - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/name: autoscaler - app.kubernetes.io/part-of: knative-serving - app.kubernetes.io/version: "0.26.0" - spec: - # To avoid node becoming SPOF, spread our replicas to different nodes. - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app: autoscaler - topologyKey: kubernetes.io/hostname - weight: 100 - serviceAccountName: controller - containers: - - name: autoscaler - # This is the Go import path for the binary that is containerized - # and substituted here. 
- image: gcr.io/knative-releases/knative.dev/serving/cmd/autoscaler@sha256:d083394e718a3cc157ecac6dae4812db56e700603ca72ec5f7ac19f5d9283d05 - resources: - requests: - cpu: 100m - memory: 100Mi - limits: - cpu: 1000m - memory: 1000Mi - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: CONFIG_LOGGING_NAME - value: config-logging - - name: CONFIG_OBSERVABILITY_NAME - value: config-observability - # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config - - name: METRICS_DOMAIN - value: knative.dev/serving - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - all - ports: - - name: metrics - containerPort: 9090 - - name: profiling - containerPort: 8008 - - name: websocket - containerPort: 8080 - readinessProbe: - httpGet: - port: 8080 - httpHeaders: - - name: k-kubelet-probe - value: "autoscaler" - livenessProbe: - httpGet: - port: 8080 - httpHeaders: - - name: k-kubelet-probe - value: "autoscaler" - failureThreshold: 6 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller - namespace: {{ .Release.Namespace }} - labels: - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/name: controller - app.kubernetes.io/version: "0.26.0" - app.kubernetes.io/part-of: knative-serving -spec: - selector: - matchLabels: - app: controller - template: - metadata: - annotations: - cluster-autoscaler.kubernetes.io/safe-to-evict: "true" - labels: - app: controller - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/name: controller - app.kubernetes.io/version: "0.26.0" - app.kubernetes.io/part-of: knative-serving - spec: - # To avoid node becoming SPOF, spread our replicas to different nodes. 
- affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app: controller - topologyKey: kubernetes.io/hostname - weight: 100 - serviceAccountName: controller - containers: - - name: controller - # This is the Go import path for the binary that is containerized - # and substituted here. - image: gcr.io/knative-releases/knative.dev/serving/cmd/controller@sha256:cb49a3e48804f52b5a55a7e0fd7c8662bae092bfbb9e6dd9134c8962d0799e65 - resources: - requests: - cpu: 100m - memory: 100Mi - limits: - cpu: 1000m - memory: 1000Mi - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: CONFIG_LOGGING_NAME - value: config-logging - - name: CONFIG_OBSERVABILITY_NAME - value: config-observability - # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config - - name: METRICS_DOMAIN - value: knative.dev/internal/serving - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - all - ports: - - name: metrics - containerPort: 9090 - - name: profiling - containerPort: 8008 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: domain-mapping - namespace: {{ .Release.Namespace }} - labels: - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/name: domain-mapping - app.kubernetes.io/version: "0.26.0" - app.kubernetes.io/part-of: knative-serving -spec: - selector: - matchLabels: - app: domain-mapping - template: - metadata: - annotations: - cluster-autoscaler.kubernetes.io/safe-to-evict: "true" - labels: - app: domain-mapping - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/name: domain-mapping - app.kubernetes.io/part-of: knative-serving - app.kubernetes.io/version: "0.26.0" - spec: - # To avoid node becoming SPOF, spread our replicas to different nodes. 
- affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app: domain-mapping - topologyKey: kubernetes.io/hostname - weight: 100 - serviceAccountName: controller - containers: - - name: domain-mapping - # This is the Go import path for the binary that is containerized - # and substituted here. - image: gcr.io/knative-releases/knative.dev/serving/cmd/domain-mapping@sha256:c746bb5ce65b28655a54b601cbf2d489db30e8673f3c8b9c269b4ee50eb4502c - resources: - requests: - cpu: 30m - memory: 40Mi - limits: - cpu: 300m - memory: 400Mi - env: - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: CONFIG_LOGGING_NAME - value: config-logging - - name: CONFIG_OBSERVABILITY_NAME - value: config-observability - # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config - - name: METRICS_DOMAIN - value: knative.dev/serving - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - all - ports: - - name: metrics - containerPort: 9090 - - name: profiling - containerPort: 8008 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: domainmapping-webhook - namespace: {{ .Release.Namespace }} - labels: - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/name: domainmapping-webhook - app.kubernetes.io/version: "0.26.0" - app.kubernetes.io/part-of: knative-serving -spec: - selector: - matchLabels: - app: domainmapping-webhook - role: domainmapping-webhook - template: - metadata: - annotations: - cluster-autoscaler.kubernetes.io/safe-to-evict: "false" - labels: - app: domainmapping-webhook - app.kubernetes.io/name: domainmapping-webhook - app.kubernetes.io/part-of: knative-serving - app.kubernetes.io/version: "0.26.0" - role: domainmapping-webhook - serving.knative.dev/release: "v0.26.0" - spec: - # To avoid node becoming SPOF, spread our replicas to different 
nodes. - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app: domainmapping-webhook - topologyKey: kubernetes.io/hostname - weight: 100 - serviceAccountName: controller - containers: - - name: domainmapping-webhook - # This is the Go import path for the binary that is containerized - # and substituted here. - image: gcr.io/knative-releases/knative.dev/serving/cmd/domain-mapping-webhook@sha256:687d5a14aa94e17872d05df845d4b8c779daac401feee6d90b0f0a6fa7b594d8 - resources: - requests: - cpu: 100m - memory: 100Mi - limits: - cpu: 500m - memory: 500Mi - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: CONFIG_LOGGING_NAME - value: config-logging - - name: CONFIG_OBSERVABILITY_NAME - value: config-observability - - name: WEBHOOK_PORT - value: "8443" - # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config - - name: METRICS_DOMAIN - value: knative.dev/serving - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - all - ports: - - name: metrics - containerPort: 9090 - - name: profiling - containerPort: 8008 - - name: https-webhook - containerPort: 8443 - readinessProbe: - periodSeconds: 1 - httpGet: - scheme: HTTPS - port: 8443 - httpHeaders: - - name: k-kubelet-probe - value: "webhook" - livenessProbe: - periodSeconds: 1 - httpGet: - scheme: HTTPS - port: 8443 - httpHeaders: - - name: k-kubelet-probe - value: "webhook" - failureThreshold: 6 - initialDelaySeconds: 20 - # Our webhook should gracefully terminate by lame ducking first, set this to a sufficiently - # high value that we respect whatever value it has configured for the lame duck grace period. 
- terminationGracePeriodSeconds: 300 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: net-istio-controller - namespace: {{ .Release.Namespace }} - labels: - serving.knative.dev/release: "v0.26.0" - networking.knative.dev/ingress-provider: istio -spec: - selector: - matchLabels: - app: net-istio-controller - template: - metadata: - annotations: - cluster-autoscaler.kubernetes.io/safe-to-evict: "true" - # This must be outside of the mesh to probe the gateways. - # NOTE: this is allowed here and not elsewhere because - # this is the Istio controller, and so it may be Istio-aware. - sidecar.istio.io/inject: "false" - labels: - app: net-istio-controller - serving.knative.dev/release: "v0.26.0" - spec: - serviceAccountName: controller - containers: - - name: controller - # This is the Go import path for the binary that is containerized - # and substituted here. - image: gcr.io/knative-releases/knative.dev/net-istio/cmd/controller@sha256:f7ee8b0170fba628b396c6fd6ac7a6644c4b06880913a4505ef227dbbc352091 - resources: - requests: - cpu: 30m - memory: 40Mi - limits: - cpu: 300m - memory: 400Mi - env: - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: CONFIG_LOGGING_NAME - value: config-logging - - name: CONFIG_OBSERVABILITY_NAME - value: config-observability - # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config - - name: METRICS_DOMAIN - value: knative.dev/net-istio - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - all - ports: - - name: metrics - containerPort: 9090 - - name: profiling - containerPort: 8008 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: net-istio-webhook - namespace: {{ .Release.Namespace }} - labels: - serving.knative.dev/release: "v0.26.0" - networking.knative.dev/ingress-provider: istio -spec: - selector: - matchLabels: - app: net-istio-webhook - role: net-istio-webhook - 
template: - metadata: - annotations: - cluster-autoscaler.kubernetes.io/safe-to-evict: "false" - labels: - app: net-istio-webhook - role: net-istio-webhook - serving.knative.dev/release: "v0.26.0" - spec: - serviceAccountName: controller - containers: - - name: webhook - # This is the Go import path for the binary that is containerized - # and substituted here. - image: gcr.io/knative-releases/knative.dev/net-istio/cmd/webhook@sha256:43293c73a6d49cf8af20f0a8822f74c6b6a23484757fecbd00b97e7aedbb2fc0 - resources: - requests: - cpu: 20m - memory: 20Mi - limits: - cpu: 200m - memory: 200Mi - env: - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: CONFIG_LOGGING_NAME - value: config-logging - - name: CONFIG_OBSERVABILITY_NAME - value: config-observability - # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config - - name: METRICS_DOMAIN - value: knative.dev/net-istio - - name: WEBHOOK_NAME - value: net-istio-webhook - securityContext: - allowPrivilegeEscalation: false - ports: - - name: metrics - containerPort: 9090 - - name: profiling - containerPort: 8008 - - name: https-webhook - containerPort: 8443 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: webhook - namespace: {{ .Release.Namespace }} - labels: - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/name: webhook - app.kubernetes.io/version: "0.26.0" - app.kubernetes.io/part-of: knative-serving -spec: - selector: - matchLabels: - app: webhook - role: webhook - template: - metadata: - annotations: - cluster-autoscaler.kubernetes.io/safe-to-evict: "false" - labels: - app: webhook - role: webhook - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/name: webhook - app.kubernetes.io/version: "0.26.0" - app.kubernetes.io/part-of: knative-serving - spec: - # To avoid node becoming SPOF, spread our replicas to different nodes. 
- affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app: webhook - topologyKey: kubernetes.io/hostname - weight: 100 - serviceAccountName: controller - containers: - - name: webhook - # This is the Go import path for the binary that is containerized - # and substituted here. - image: gcr.io/knative-releases/knative.dev/serving/cmd/webhook@sha256:d512342e1a1ec454ceade96923e21c24ec0f2cb780e86ced8e66eb62033c74b5 - resources: - requests: - cpu: 100m - memory: 100Mi - limits: - cpu: 500m - memory: 500Mi - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: SYSTEM_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: CONFIG_LOGGING_NAME - value: config-logging - - name: CONFIG_OBSERVABILITY_NAME - value: config-observability - - name: WEBHOOK_NAME - value: webhook - - name: WEBHOOK_PORT - value: "8443" - # TODO(https://github.com/knative/pkg/pull/953): Remove stackdriver specific config - - name: METRICS_DOMAIN - value: knative.dev/internal/serving - securityContext: - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - runAsNonRoot: true - capabilities: - drop: - - all - ports: - - name: metrics - containerPort: 9090 - - name: profiling - containerPort: 8008 - - name: https-webhook - containerPort: 8443 - readinessProbe: - periodSeconds: 1 - httpGet: - scheme: HTTPS - port: 8443 - httpHeaders: - - name: k-kubelet-probe - value: "webhook" - livenessProbe: - periodSeconds: 1 - httpGet: - scheme: HTTPS - port: 8443 - httpHeaders: - - name: k-kubelet-probe - value: "webhook" - failureThreshold: 6 - initialDelaySeconds: 20 - # Our webhook should gracefully terminate by lame ducking first, set this to a sufficiently - # high value that we respect whatever value it has configured for the lame duck grace period. - terminationGracePeriodSeconds: 300 
diff --git a/knative/helm/knative-serving/templates/horizontalpodautoscaler.yaml b/knative/helm/knative-serving/templates/horizontalpodautoscaler.yaml deleted file mode 100644 index 8e7e7fd6e..000000000 --- a/knative/helm/knative-serving/templates/horizontalpodautoscaler.yaml +++ /dev/null @@ -1,49 +0,0 @@ -apiVersion: autoscaling/v2beta2 -kind: HorizontalPodAutoscaler -metadata: - labels: - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/name: activator - app.kubernetes.io/version: "0.26.0" - app.kubernetes.io/part-of: knative-serving - name: activator - namespace: {{ .Release.Namespace }} -spec: - maxReplicas: 20 - metrics: - - resource: - name: cpu - target: - averageUtilization: 100 - type: Utilization - type: Resource - minReplicas: 1 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: activator ---- -apiVersion: autoscaling/v2beta2 -kind: HorizontalPodAutoscaler -metadata: - labels: - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/name: webhook - app.kubernetes.io/version: "0.26.0" - app.kubernetes.io/part-of: knative-serving - name: webhook - namespace: {{ .Release.Namespace }} -spec: - maxReplicas: 5 - metrics: - - resource: - name: cpu - target: - averageUtilization: 100 - type: Utilization - type: Resource - minReplicas: 1 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: webhook diff --git a/knative/helm/knative-serving/templates/image.yaml b/knative/helm/knative-serving/templates/image.yaml deleted file mode 100644 index c263e7858..000000000 --- a/knative/helm/knative-serving/templates/image.yaml +++ /dev/null 
@@ -1,12 +0,0 @@ -apiVersion: caching.internal.knative.dev/v1alpha1 -kind: Image -metadata: - labels: - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/name: queue-proxy - app.kubernetes.io/version: "0.26.0" - app.kubernetes.io/part-of: knative-serving - name: queue-proxy - namespace: {{ .Release.Namespace }} -spec: - image: gcr.io/knative-releases/knative.dev/serving/cmd/queue:v0.26.0 diff --git a/knative/helm/knative-serving/templates/istio-resources.yaml b/knative/helm/knative-serving/templates/istio-resources.yaml deleted file mode 100644 index f7b2adfb7..000000000 --- a/knative/helm/knative-serving/templates/istio-resources.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: Gateway -metadata: - name: knative-local-gateway - namespace: {{ .Release.Namespace }} - labels: - serving.knative.dev/release: "v0.26.0" - networking.knative.dev/ingress-provider: istio -spec: - selector: - app: knative-local-gateway - istio: knative-local-gateway - servers: - - port: - number: 8080 - name: http - protocol: HTTP - hosts: - - "*" diff --git a/knative/helm/knative-serving/templates/mutatingwebhookconfiguration.yaml b/knative/helm/knative-serving/templates/mutatingwebhookconfiguration.yaml deleted file mode 100644 index 2318bcb50..000000000 --- a/knative/helm/knative-serving/templates/mutatingwebhookconfiguration.yaml +++ /dev/null 
@@ -1,91 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: webhook.domainmapping.serving.knative.dev - labels: - serving.knative.dev/release: "v0.26.0" -webhooks: - - admissionReviewVersions: ["v1", "v1beta1"] - clientConfig: - service: - name: domainmapping-webhook - namespace: {{ .Release.Namespace }} - failurePolicy: Fail - sideEffects: None - name: webhook.domainmapping.serving.knative.dev - timeoutSeconds: 10 - rules: - - apiGroups: - - serving.knative.dev - apiVersions: - - v1alpha1 - - v1beta1 - operations: - - CREATE - - UPDATE - scope: "*" - resources: - - domainmappings ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: webhook.istio.networking.internal.knative.dev - labels: - serving.knative.dev/release: "v0.26.0" - networking.knative.dev/ingress-provider: istio -webhooks: - - admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: net-istio-webhook - namespace: {{ .Release.Namespace }} - failurePolicy: Fail - sideEffects: None - objectSelector: - matchExpressions: - - {key: "serving.knative.dev/configuration", operator: Exists} - name: webhook.istio.networking.internal.knative.dev ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: webhook.serving.knative.dev - labels: - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/name: defaulting-webhook - app.kubernetes.io/version: "0.26.0" - app.kubernetes.io/part-of: knative-serving -webhooks: - - admissionReviewVersions: ["v1", "v1beta1"] - clientConfig: - service: - name: webhook - namespace: {{ .Release.Namespace }} - failurePolicy: Fail - sideEffects: None - name: webhook.serving.knative.dev - timeoutSeconds: 10 - rules: - - apiGroups: - - autoscaling.internal.knative.dev - - networking.internal.knative.dev - - serving.knative.dev - apiVersions: - - "*" - operations: - - CREATE - - UPDATE - scope: "*" - 
resources: - - metrics - - podautoscalers - - certificates - - ingresses - - serverlessservices - - configurations - - revisions - - routes - - services diff --git a/knative/helm/knative-serving/templates/peerauthentication.yaml b/knative/helm/knative-serving/templates/peerauthentication.yaml deleted file mode 100644 index a77449aac..000000000 --- a/knative/helm/knative-serving/templates/peerauthentication.yaml +++ /dev/null @@ -1,59 +0,0 @@ -apiVersion: security.istio.io/v1beta1 -kind: PeerAuthentication -metadata: - name: force-strict-mtls - namespace: {{ .Release.Namespace }} - labels: - serving.knative.dev/release: v0.26.0 - networking.knative.dev/ingress-provider: istio -spec: - mtls: - mode: STRICT ---- -apiVersion: security.istio.io/v1beta1 -kind: PeerAuthentication -metadata: - name: webhook - namespace: {{ .Release.Namespace }} - labels: - serving.knative.dev/release: "v0.26.0" - networking.knative.dev/ingress-provider: istio -spec: - selector: - matchLabels: - app: webhook - portLevelMtls: - 8443: - mode: PERMISSIVE ---- -apiVersion: security.istio.io/v1beta1 -kind: PeerAuthentication -metadata: - name: domainmapping-webhook - namespace: {{ .Release.Namespace }} - labels: - serving.knative.dev/release: "v0.26.0" - networking.knative.dev/ingress-provider: istio -spec: - selector: - matchLabels: - app: domainmapping-webhook - portLevelMtls: - 8443: - mode: PERMISSIVE ---- -apiVersion: security.istio.io/v1beta1 -kind: PeerAuthentication -metadata: - name: net-istio-webhook - namespace: {{ .Release.Namespace }} - labels: - serving.knative.dev/release: "v0.26.0" - networking.knative.dev/ingress-provider: istio -spec: - selector: - matchLabels: - app: net-istio-webhook - portLevelMtls: - 8443: - mode: PERMISSIVE diff --git a/knative/helm/knative-serving/templates/poddisruptionbudget.yaml b/knative/helm/knative-serving/templates/poddisruptionbudget.yaml deleted file mode 100644 index 8e892943f..000000000 
--- a/knative/helm/knative-serving/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,31 +0,0 @@ -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - labels: - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/name: activator - app.kubernetes.io/version: "0.26.0" - app.kubernetes.io/part-of: knative-serving - name: activator-pdb - namespace: {{ .Release.Namespace }} -spec: - minAvailable: 80% - selector: - matchLabels: - app: activator ---- -apiVersion: policy/v1beta1 -kind: PodDisruptionBudget -metadata: - labels: - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/name: webhook - app.kubernetes.io/version: "0.26.0" - app.kubernetes.io/part-of: knative-serving - name: webhook-pdb - namespace: {{ .Release.Namespace }} -spec: - minAvailable: 80% - selector: - matchLabels: - app: webhook diff --git a/knative/helm/knative-serving/templates/secret.yaml b/knative/helm/knative-serving/templates/secret.yaml deleted file mode 100644 index 35e04287b..000000000 --- a/knative/helm/knative-serving/templates/secret.yaml +++ /dev/null @@ -1,27 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - labels: - serving.knative.dev/release: v0.26.0 - name: domainmapping-webhook-certs - namespace: {{ .Release.Namespace }} ---- -apiVersion: v1 -kind: Secret -metadata: - labels: - networking.knative.dev/ingress-provider: istio - serving.knative.dev/release: v0.26.0 - name: net-istio-webhook-certs - namespace: {{ .Release.Namespace }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: webhook-certs - namespace: {{ .Release.Namespace }} - labels: - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/name: webhook - app.kubernetes.io/version: "0.26.0" - app.kubernetes.io/part-of: knative-serving diff --git a/knative/helm/knative-serving/templates/service.yaml b/knative/helm/knative-serving/templates/service.yaml deleted file mode 100644 index 3294c6f9c..000000000 --- a/knative/helm/knative-serving/templates/service.yaml +++ /dev/null 
@@ -1,154 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: activator-service - namespace: {{ .Release.Namespace }} - labels: - app: activator - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/name: activator - app.kubernetes.io/version: "0.26.0" - app.kubernetes.io/part-of: knative-serving -spec: - selector: - app: activator - ports: - # Define metrics and profiling for them to be accessible within service meshes. - - name: http-metrics - port: 9090 - targetPort: 9090 - - name: http-profiling - port: 8008 - targetPort: 8008 - - name: http - port: 80 - targetPort: 8012 - - name: http2 - port: 81 - targetPort: 8013 - type: ClusterIP ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: autoscaler - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/name: autoscaler - app.kubernetes.io/part-of: knative-serving - app.kubernetes.io/version: "0.26.0" - name: autoscaler - namespace: {{ .Release.Namespace }} -spec: - ports: - # Define metrics and profiling for them to be accessible within service meshes. - - name: http-metrics - port: 9090 - targetPort: 9090 - - name: http-profiling - port: 8008 - targetPort: 8008 - - name: http - port: 8080 - targetPort: 8080 - selector: - app: autoscaler ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app: controller - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/name: controller - app.kubernetes.io/version: "0.26.0" - app.kubernetes.io/part-of: knative-serving - name: controller - namespace: {{ .Release.Namespace }} -spec: - ports: - # Define metrics and profiling for them to be accessible within service meshes. 
- - name: http-metrics - port: 9090 - targetPort: 9090 - - name: http-profiling - port: 8008 - targetPort: 8008 - selector: - app: controller ---- -apiVersion: v1 -kind: Service -metadata: - labels: - role: domainmapping-webhook - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/name: domainmapping-webhook - app.kubernetes.io/version: "0.26.0" - app.kubernetes.io/part-of: knative-serving - name: domainmapping-webhook - namespace: {{ .Release.Namespace }} -spec: - ports: - # Define metrics and profiling for them to be accessible within service meshes. - - name: http-metrics - port: 9090 - targetPort: 9090 - - name: http-profiling - port: 8008 - targetPort: 8008 - - name: https-webhook - port: 443 - targetPort: 8443 - selector: - role: domainmapping-webhook ---- -apiVersion: v1 -kind: Service -metadata: - name: net-istio-webhook - namespace: {{ .Release.Namespace }} - labels: - role: net-istio-webhook - serving.knative.dev/release: "v0.26.0" - networking.knative.dev/ingress-provider: istio -spec: - ports: - # Define metrics and profiling for them to be accessible within service meshes. - - name: http-metrics - port: 9090 - targetPort: 9090 - - name: http-profiling - port: 8008 - targetPort: 8008 - - name: https-webhook - port: 443 - targetPort: 8443 - selector: - app: net-istio-webhook ---- -apiVersion: v1 -kind: Service -metadata: - labels: - role: webhook - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/name: webhook - app.kubernetes.io/version: "0.26.0" - app.kubernetes.io/part-of: knative-serving - name: webhook - namespace: {{ .Release.Namespace }} -spec: - ports: - # Define metrics and profiling for them to be accessible within service meshes. - - name: http-metrics - port: 9090 - targetPort: 9090 - - name: http-profiling - port: 8008 - targetPort: 8008 - - name: https-webhook - port: 443 - targetPort: 8443 - selector: - role: webhook 
diff --git a/knative/helm/knative-serving/templates/serviceaccount.yaml b/knative/helm/knative-serving/templates/serviceaccount.yaml deleted file mode 100644 index b2039cdae..000000000 --- a/knative/helm/knative-serving/templates/serviceaccount.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/name: controller - app.kubernetes.io/version: "0.26.0" - app.kubernetes.io/part-of: knative-serving - name: controller - namespace: {{ .Release.Namespace }} diff --git a/knative/helm/knative-serving/templates/validatingwebhookconfiguration.yaml b/knative/helm/knative-serving/templates/validatingwebhookconfiguration.yaml deleted file mode 100644 index e2c32e223..000000000 --- a/knative/helm/knative-serving/templates/validatingwebhookconfiguration.yaml +++ /dev/null 
@@ -1,121 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: config.webhook.istio.networking.internal.knative.dev - labels: - serving.knative.dev/release: "v0.26.0" - networking.knative.dev/ingress-provider: istio -webhooks: - - admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - name: net-istio-webhook - namespace: {{ .Release.Namespace }} - failurePolicy: Fail - sideEffects: None - name: config.webhook.istio.networking.internal.knative.dev - namespaceSelector: - matchExpressions: - - key: serving.knative.dev/release - operator: Exists ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: config.webhook.serving.knative.dev - labels: - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/name: configmap-validation-webhook - app.kubernetes.io/version: "0.26.0" - app.kubernetes.io/part-of: knative-serving -webhooks: - - admissionReviewVersions: ["v1", "v1beta1"] - clientConfig: - service: - name: webhook - namespace: {{ .Release.Namespace }} - failurePolicy: Fail - sideEffects: None - name: config.webhook.serving.knative.dev - namespaceSelector: - matchExpressions: - - key: serving.knative.dev/release - operator: Exists - timeoutSeconds: 10 ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: validation.webhook.domainmapping.serving.knative.dev - labels: - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/name: domainmapping-webhook - app.kubernetes.io/version: "0.26.0" - app.kubernetes.io/part-of: knative-serving -webhooks: - - admissionReviewVersions: ["v1", "v1beta1"] - clientConfig: - service: - name: domainmapping-webhook - namespace: {{ .Release.Namespace }} - failurePolicy: Fail - sideEffects: None - name: validation.webhook.domainmapping.serving.knative.dev - timeoutSeconds: 10 - rules: - - apiGroups: - - serving.knative.dev - apiVersions: - - v1alpha1 - - 
v1beta1 - operations: - - CREATE - - UPDATE - - DELETE - scope: "*" - resources: - - domainmappings ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: validation.webhook.serving.knative.dev - labels: - serving.knative.dev/release: "v0.26.0" - app.kubernetes.io/name: validating-webhook - app.kubernetes.io/version: "0.26.0" - app.kubernetes.io/part-of: knative-serving -webhooks: - - admissionReviewVersions: ["v1", "v1beta1"] - clientConfig: - service: - name: webhook - namespace: {{ .Release.Namespace }} - failurePolicy: Fail - sideEffects: None - name: validation.webhook.serving.knative.dev - timeoutSeconds: 10 - rules: - - apiGroups: - - autoscaling.internal.knative.dev - - networking.internal.knative.dev - - serving.knative.dev - apiVersions: - - "*" - operations: - - CREATE - - UPDATE - - DELETE - scope: "*" - resources: - - metrics - - podautoscalers - - certificates - - ingresses - - serverlessservices - - configurations - - revisions - - routes - - services diff --git a/knative/helm/knative-serving/values.yaml b/knative/helm/knative-serving/values.yaml index 75a4af8b7..f595d4b1e 100644 --- a/knative/helm/knative-serving/values.yaml +++ b/knative/helm/knative-serving/values.yaml 
@@ -1,44 +1,38 @@
-# Default values for knative.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-replicaCount: 1
-
-observabilityConfig:
- metrics.backend-destination: opencensus
- request-metrics-backend-destination: opencensus
- logging.request-log-template: '{"httpRequest": {"requestMethod": "{{.Request.Method}}", "requestUrl": "{{js .Request.RequestURI}}", "requestSize": "{{.Request.ContentLength}}", "status": {{.Response.Code}}, "responseSize": "{{.Response.Size}}", "userAgent": "{{js .Request.UserAgent}}", "remoteIp": "{{js .Request.RemoteAddr}}", "serverIp": "{{.Revision.PodIP}}", "referer": "{{js .Request.Referer}}", "latency": "{{.Response.Latency}}s", "protocol": "{{.Request.Proto}}"}, "traceId": "{{index .Request.Header "X-B3-Traceid"}}"}'
- logging.enable-request-log: "true"
- logging.enable-probe-request-log: "true"
- profiling.enable: "true"
- metrics.opencensus-address: plural-otel-collector.monitoring.svc.cluster.local:55678
-networkConfig:
- ingress.class: "istio.ingress.networking.knative.dev"
- domainTemplate: "{{.Name}}-{{.Namespace}}.{{.Domain}}"
- httpProtocol: "Redirected"
- defaultExternalScheme: "https"
-loggingConfig:
- loglevel.controller: info
- loglevel.autoscaler: info
- loglevel.queueproxy: debug
- loglevel.webhook: info
- loglevel.activator: debug
- loglevel.hpaautoscaler: info
- loglevel.net-certmanager-controller: info
- loglevel.net-istio-controller: debug
- loglevel.net-nscert-controller: info
-leaderElectionConfig: {}
-gcConfig: {}
-featuresConfig: {}
-domainConfig: {}
-deploymentConfig:
- progressDeadline: 600s
-defaultsConfig: {}
-autoscalerConfig: {}
-tracingConfig: {}
-istioConfig:
- gateway.kubeflow.kubeflow-gateway: istio-ingressgateway.istio.svc.cluster.local
- local-gateway.knative.knative-local-gateway: "knative-local-gateway.istio.svc.cluster.local"
- enable-virtualservice-status: 'true'
+knative-serving:
+ configObservability:
+ data:
+ metrics.backend-destination: prometheus
+ metrics.request-metrics-backend-destination: prometheus
+ logging.request-log-template: '{{ `{"httpRequest": {"requestMethod": "{{.Request.Method}}", "requestUrl": "{{js .Request.RequestURI}}", "requestSize": "{{.Request.ContentLength}}", "status": {{.Response.Code}}, "responseSize": "{{.Response.Size}}", "userAgent": "{{js .Request.UserAgent}}", "remoteIp": "{{js .Request.RemoteAddr}}", "serverIp": "{{.Revision.PodIP}}", "referer": "{{js .Request.Referer}}", "latency": "{{.Response.Latency}}s", "protocol": "{{.Request.Proto}}"}, "traceId": "{{index .Request.Header "X-B3-Traceid"}}"}` }}'
+ logging.enable-request-log: "true"
+ logging.enable-probe-request-log: "true"
+ profiling.enable: "true"
+ # metrics.opencensus-address: plural-otel-collector.monitoring.svc.cluster.local:55678
+ configNetwork:
+ data:
+ domain-template: '{{ `{{.Name}}-{{.Namespace}}.{{.Domain}}` }}'
+ http-protocol: "Redirected"
+ default-external-scheme: "https"
+ configLogging:
+ data:
+ loglevel.controller: info
+ loglevel.autoscaler: info
+ loglevel.queueproxy: debug
+ loglevel.webhook: info
+ loglevel.activator: debug
+ loglevel.hpaautoscaler: info
+ loglevel.net-certmanager-controller: info
+ loglevel.net-istio-controller: debug
+ loglevel.net-nscert-controller: info
+ configDeployment:
+ data:
+ progress-deadline: 600s
+ net-istio:
+ configIstio:
+ data:
+ gateway.kubeflow.kubeflow-gateway: istio-ingressgateway.istio.svc.cluster.local
+ local-gateway.knative.knative-local-gateway: "knative-local-gateway.istio.svc.cluster.local"
+ enable-virtualservice-status: 'true'

 kubeflow:
- enabled: false
\ No newline at end of file
+ enabled: false
diff --git a/knative/helm/knative-serving/values.yaml.tpl b/knative/helm/knative-serving/values.yaml.tpl
index 2adde2ff0..0c2ce495a 100644
--- a/knative/helm/knative-serving/values.yaml.tpl
+++ b/knative/helm/knative-serving/values.yaml.tpl
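Review bot: `profiling.enable: "true"` is carried over into the new `knative-serving.configObservability.data` defaults, so every install of this chart turns on the Knative components' profiling endpoint unless the operator overrides it. The templates this series deletes exposed that endpoint as the `http-profiling` port 8008 on each Service; whether the new subchart does the same is not visible here, but a profiling endpoint reachable inside the mesh exposes runtime internals and is safer off by default: `profiling.enable: "false"`. The same block keeps `loglevel.queueproxy`, `loglevel.activator` and `loglevel.net-istio-controller` at `debug` and logs `requestUrl`, `remoteIp` and `referer` for every request, so a comment saying this is deliberate would help, e.g. `# debug levels and request logs record URLs and client IPs; lower for production`.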
@@ -1,17 +1,22 @@
-{{ $monitoringNamespace := namespace "monitoring" }}
-observabilityConfig:
- metrics.opencensus-address: plural-otel-collector.{{ $monitoringNamespace }}.svc.cluster.local:55678
-tracingConfig:
- backend: zipkin
- zipkin-endpoint: "http://plural-otel-collector.{{ $monitoringNamespace }}.svc.cluster.local:9411/api/v2/spans"
- sample-rate: "1.0"
+
 {{- if .Configuration.kubeflow }}
-domainConfig:
- {{ .Configuration.kubeflow.hostname }}: ""
-istioConfig:
- gateway.kubeflow.kubeflow-gateway: istio-ingressgateway.istio.svc.cluster.local
- local-gateway.knative.knative-local-gateway: "knative-local-gateway.istio.svc.cluster.local"
- enable-virtualservice-status: 'true'
+knative-serving:
+ configDomain:
+ data:
+ {{ .Configuration.kubeflow.hostname }}: ""
+ net-istio:
+ configIstio:
+ data:
+ gateway.kubeflow.kubeflow-gateway: kubeflow-gateway.kubeflow.svc.cluster.local
+ local-gateway.knative.knative-local-gateway: "knative-local-gateway.kubeflow.svc.cluster.local"
+ enable-virtualservice-status: 'true'
+ istio:
+ namespace: kubeflow
+ ingressGateway:
+ create: false
+ localGateway:
+ selector:
+ istio: kubeflow-gateway
 kubeflow:
 enabled: true
 {{- end }}
diff --git a/kserve/helm/kserve/Chart.lock b/kserve/helm/kserve/Chart.lock
index 5f019ab7e..85f2f6331 100644
--- a/kserve/helm/kserve/Chart.lock
+++ b/kserve/helm/kserve/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: kserve
- repository: https://pluralsh.github.io/plural-helm-charts
- version: v0.8.0
-digest: sha256:816a20761d629f7c1989c4b8c372ecbaca9e9218bd5de4c816716eab033c14ce
-generated: "2022-04-13T11:43:22.951658224+02:00"
+ repository: oci://ghcr.io/davidspek/charts
+ version: v0.11.2
+digest: sha256:be918af86166c5c17e1844be46f09931fe3375d26e8c728784770d43b28914d1
+generated: "2023-12-19T15:51:49.797619+01:00"
diff --git a/kserve/helm/kserve/Chart.yaml b/kserve/helm/kserve/Chart.yaml
index 60f70b32a..9b5291f77 100644
--- a/kserve/helm/kserve/Chart.yaml
+++ b/kserve/helm/kserve/Chart.yaml
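Review bot: The new `configIstio.data` entries and `istio.namespace` hard-code the namespace `kubeflow` (`kubeflow-gateway.kubeflow.svc.cluster.local`, `knative-local-gateway.kubeflow.svc.cluster.local`), while the same hunk removes the file's only use of the `namespace` helper. Resolving it the way the removed line did for monitoring, presumably `{{ $kubeflowNamespace := namespace "kubeflow" }}` and then `kubeflow-gateway.{{ $kubeflowNamespace }}.svc.cluster.local`, would keep the gateway references correct if that namespace is ever named differently. When `.Configuration.kubeflow` is unset none of this block is rendered and the `values.yaml` default `istio-ingressgateway.istio.svc.cluster.local` applies, which points at a different Service and namespace than the override here; please confirm that default still matches a deployed ingress gateway. Quoting the templated key, `"{{ .Configuration.kubeflow.hostname }}": ""`, would also keep an empty or unusual hostname from changing the rendered YAML structure.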
@@ -3,8 +3,8 @@ name: kserve
 description: helm chart for kserve
 type: application
 version: 0.1.4
-appVersion: "v0.8.0"
+appVersion: v0.11.2
 dependencies:
 - name: kserve
- version: 0.8.0
- repository: https://pluralsh.github.io/plural-helm-charts
+ version: v0.11.2
+ repository: oci://ghcr.io/davidspek/charts
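Review bot: The `kserve` dependency now resolves from `oci://ghcr.io/davidspek/charts`, a personal registry namespace, instead of the project's own `https://pluralsh.github.io/plural-helm-charts`. Whoever controls that namespace decides what a later `helm dependency update` pulls, and an OCI tag such as `v0.11.2` can be re-pushed; the `Chart.lock` digest covers the dependency list rather than the archive contents, so only the vendored `charts/kserve-v0.11.2.tgz` already in the tree is fixed. Publishing the chart under the organisation's registry, or at least marking the line with `# temporary: move to the org chart registry before release`, would make the trust decision explicit. The wrapper chart's own `version: 0.1.4` is also left unchanged although the dependency moves from 0.8.0 to v0.11.2.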
diff --git a/kserve/helm/kserve/charts/kserve-v0.11.2.tgz b/kserve/helm/kserve/charts/kserve-v0.11.2.tgz new file mode 100644 index 0000000000000000000000000000000000000000..9d6eaa89176b158f4672c0033a7845f7a3cb3884 GIT binary patch literal 11964 zcmV;tE<@2DiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMYObK|(ND4fs!6?imHot)ge)T=$7RqmWqUXOOxmGO+r_D)W2 zD&>VpNJ2~!3;@dZZsxz=!W#*aAVpcS?3opl+L1}1(P(rx8jVKdmLa-Cz0(Dxy!!y7 z@DJO6`u%?Y_2HrXx8LuV|LqTtUjJcmcy!nw4PPG(kN?mg43GMwKY;!d;8J-~#v%Pf zf8(~wo%>22nBdQdGECwzSPl*X#C(bqF8}@sg%R)tXMh=@AV5h-9&kJdifI5vjHJ{@ z?BEtX+z}eE@qwp59(W)k0SY6;76&nm(Aa#?bwtqx=gGL&n`6F6r(K^!J{2z~w_wv7sM~(mZ0Dw%`{v$v$n1)>I zg-rNBF43RMWzWTz^ZbjhG&leN&QZ)o0|4L%&ND^OlON=J4(DU=zlzNs06lVmX%YrM+#j4pzkBb{(>IP0@c>ZU$1UXPERLSS2ur|{O#uKoi3;#oS5Qy z;j78%<>cC`qbr~|NC=Mk7<4-NRm#v$oF~kBMbTWMoV{2gif0d3S09S?K4Z#L82*s@ zx2Od2Bqs4gL{fH2QGjAWX{*5L$q#89gh;=N5U1E@a6YGK4mr_-j$$|s(YgG1qQ5D; zW-w%^V->ofBtm?FQg-E2nBaJBm-0!>DG5WvO=>EOP%IgD3_4e0NN9){Q$Xny`WKYk zKb$Gnnfp`>*ljvR(-emRqVl&V%6W+>I2If~k{l1f9CCCAAIxwDB!V~|19T6gBt&AS zD}1>|Q4&Hf5c%yl&=sQyzI^e_ZLX4|9$yu%qWE{F5==#Y<(c#7i7t*t1I(C_L)+kG$kzBwr>`4V^V& z`S(?rB`^p=)CkKeu?kw)Os}vty$JOe*>cAMlsw2!y}W>TJ7YGue)mnrLQI($lX!_j zl2kcg^HHgoVI~;jDRy^6e)77i7D-hQ6 z5#@M>eaO+a+(9e+KZAb%sO0}SIv(u(zdLzs|F0N&FM=_gt66n9IJm`eFb1bNPaH&u z!vJz96pr%i>Z#ik)%8ocVjTmqUcE#if(#WFvIi_d{#dTdqlm;GE%&f@ho%ccZat;b zJ*`H&b)dvD?f`%wmJ2p%y?UF0!i=SeUZR;&sfq$;@}*h`>Q09iSM5}ka>#K!*Yl3@hNRlFCQB?~h=ay5 ziUP8*qJjJwpb+VwbHwGpA!h1F0=d7CztSWy74GEAYJZZ1Rq@Up@;ksF<%Ib#RPKfn zB63Vg%wd?2z?4Mv>9LagASGnf&_pn)Z@$vz<61(?osizubY{1dny)mp2F!#6TZE?U zy62&eHd>+Yle98In{`S8e)?X;h~E)q zq|$g(lXbI;-cH-W_+)$KYTK_Hpye~N@LJgHl11X^1?5Zm4$uWORiNV345$c-oZ4XqxS4H#Q5)VmtBPfwjgko9yx z;E7s4m#gLhM#dS}awBC!)wYsuwrlX|C|7Vm?u>TN&GP%ldg}Cl$?(}|4rtc@!~XGb zP}Kj!{-}Sn*Z;eCY#mlTps*akFj>Ho2D?(_baY_763ZjA%)T?sjzefOEy=?6tyU94 z`5651P5({*j}4_DUyMPgr_T;_4gg?jBI=?*hBf|3Xar3_v!_uD@qEGO(b0=|41uTh7?xpi&;(zzA$>jBS`rv8n<^zBNht^iP> 
zAlZuK^;=8cuob+)BjMf8r-U%RHF#T4HAR3?I19<$2KY5aC=&iRL{$>rzC<<0r0cask{XXh6mCg+on*C*F!pFY~MEYCQsg|RbY+(O8O#ZTAQ z7dIE5F0Wlp3)yO_{QmOdw6^m1{l2rZ==RmkyR%DIB}?sgekW?Q5MTastPh1&MS_Q4 zk?mnqb`5bZRQpOSkZ)c{qSe;M?nNYu!VQh{6~GR^CTWWvF?Cv%_LBA@B&~Qp?BxjC z<|g#>i%5aCYe-44-d<2%grMXnLe0tl7bGn?a$8#?Hh^qz6b{?S;G8DDC;xgXLCpKI zh7?+riX!NfD1w56{@zO&?M-pq%gf#<@lmq-kDUpvlt!@xE4-zM@f(=n8V{C2VhS0$ z5o}j0?->|@4oUe9j&CCN_H{pR@0*wY>;UegrGB`5gH)Xk-caP*&5=72)QrsQ2x?xb zd9Jhu(PnSPA>~!U@E9i)*+S8?-WSSqrc*5yN~>4;pKd})f+)v`HTsLLuWqg;m!Hp0 zCpVLipC=zaT}&S3C9;UZYLA6mwEE@+*iJO?ND=ODUxd}fL94FaH;-IbZp9L44RSsA zP!5vB@%`5DTcHNCZb%N;unUbo>Rd-Y<*LHw*_2&Cf&%Y?Yf5Z;;{eFjf3nH^-{6}s4Pw5QA zCILVz<3C47<@le&{_B1G&n_NYxpwNcYp0}M6?dFw>Y=J&b?kwa>O+@Ryc`!&sFqW) zHs~2uqfxEsBDNN(2xV0yjSvm2q=?ldh-G=qYP~PjQ4*S|`=2Q;Df@(?8NMHbIUDzS zrFU#peYXf^j*@q1TKquK9NmvWXCYI%_Im%>{onunr|vW))2>e_>fYfvAa|@ABQC!E zsnb|*hGn|aw)Os7Rs54K@!ZV4e^x$K{cp~kZ!Z~mv;IFCRr7xw9S-*Te`pfyT!wH2I&C^NSA?aQf-vk7w_H zzLdd0X}3AP6A1MHS2O&PeMoU_4iZD&WyI!}7M( z11A4-@!{m`&7OkQ}VAY>mtk88-U*|o4q5`J$A;0m-2%&Z8~5KI_|`f zo$tyuw5=u6yJ|`9j6p{#bZ##czI<1}fbw?j+gT(xY5ld@M9OWK6aT2xh2in|rKZ3fzbjBJ?~>0QKa z6;4@Lu*6L}7##Su9@r9N$q}G@P5L{TaTWCot!zg75|clU@{RaB1>FzwUk4h^mOAh1 z`qSmf`w2Mvcy@hu^5N|NPA(s>{7Tx-EbPwmb)7A*g;A~!g=1AX)}1e~Sw}6tF4a;_ zkVvlGoP|D!b(<{mzFfdh(jthcS|G1p`lfQ;zrz&y{9@^UCSe+(bCSlQw7h@fpg2@( zP^OXfH5_0OsfOX#BybUf0*QqkA#gB@=dSuHreucHB~jwD6SWxg+y~HYH;g5nVvVH1 zL@md+ibsi4isZ<7r9uloNjF8n$%z#NTm;xo;{`4+wp-8V<_ZD^?iPqI5Y=X-4`UF? 
z0?E<`OId+|Ktc!~x+O-RS*1kZ5=xdhK!Gp=bx%@?MaPs`SS)Rzss@z_X}NNZEh!MI z>HaG~p+uf9U<}wp6yo?6U@px~z!s3AKsVS0KN1QeLIrJSg6IesuSwliW<8mvmGy?l zqvJ>Gk2Mwi>E-0z5QyYD8ifj z%w^8bed`LMA908bZgW2*Y2d*m33V1q&+2RUpNz!ywlf>K+G3;ZDyFk{rk%>&O;r<` zjjpN}IhneZtDIc*C;DC|QOWiFXMM?2-SJCG47l#A}!YtFeVMa-$R*-@njI!w($bTcL zRApp|D8&J?m&OMC^Z~F0`FJL8N0iI0Xr*rebBI*lJ76fp7G*SQ6=){Gv}Os~}m zCcQf}WtgL01Q|zE>ot8hl1915M&kbllu%L-{42%&Es)pVpjcoq6^rqczg~gK$IoC1 zDHi(2IJ95MFQ*|MXP5-UXI*&5x-f#jl31!XKg2y{FZ6^;ou@cJ;-zQEf;<#2myojV zf}05ZSKtT2Ne*~QI2mcE0=@ve9Q2GELlUnCldL7(N@1BVpub8Pj_0C5Oi3)NdRe!0 z%Q=@I@JmHTf00YjUz{@d3z%UP1`I%o0Exo~%}R=AGDe7CB4)qXjH;zaz<-{doP(dm z%%dQKzn}-8n);JLOhA`_p_e@Y`!WtnnS<%8)!ox9`625Q) z)VN)e5J}iN-viJIAHaWr2Gqrr4M9v|4@C)oP%%^X%-wB0eY|qtuvfHum7qumBe+{& ze*qSnST?cCGA_PLS?Lzqlj=hGsszfCRBHT+Vr*eAZ7Zuv%qMj)>s}VU$MOyq-^jpf1>F&?U&;o=8h#JmH zDDnlJeKE-6nkKE5{>xoN>)Vn-T!E0F>{c*xvKfwZDSkrxYR{ySekiO zn>4S0)27K-hiO$1B1sHQuDQ=FQF%fuX+@vm9RqBX&9h1tVGw99E~SViL}t7JmQIIZ zK3NH2Sbv4{s${l{X?c`OxMjp|Jo#$=ahZs(KxO_ZjT;+jUp=@*4*&;}qaST(I+}M( zb5#_yG+CIq(OA=Nb)aJ`*D4O?uF{p(t^=yEcdM&YweKN1m{L9F!X8Uw>y0R6rV(u? zmi=_Ez=_buVpS-k59FNNm!`y^T()X|J1|xjc!>(?B32{9Q)yc}pckxn2kgv#calS0 z?kZd0A?q;~0{a%A)yn}l{R<0%%wk4))5?nhO&(+2Juw(DarLrhk>PILvCMGcpt%8> z(gkb6=7P+UXvD96apS>|<0};DPuJHMSA{Yrw|~{E+-@Wq^;d22Nv6m2pSM6_s1WGA-ws zKt?Nsp9rgSxUXWWSEb8{OVX%6nhS=Nmz6FNK=&Nc7>0mTIGbU=r-v0P4${iMbw6(2l*WvYULp5 zm+M5i_|!?@K?onp{^5;e&q;8z-YgP)K^V8~Rx<#4$kw!{u+wK(O2N4~V zsiut+B&A`ASZA{mY|Mc20?GXuYf{OeTG_}{)0@zr!aIxbPRXpF!D zEim)7ZU#_3Y2{~vpVK1w+2X)b48 zeyvAOH`05hTg~*eyzu^M$HQ$$6x%FX5~Yza5vs~>f?|1Hd_32cdMOR%7X$?>oA|`c z&oq4iK8dC{7FCQRLAs*GrG6J?o-!ElpWwIOyn=<(0p6D{;7?U3%HpX7Rf1&fBPY1r z@ze@lUYvEs%Do1vyr{SpKz*fg1FWJ&XH~73dd}K2qmQytwlzv7CE3^NFtju@RqHi! 
zwKbmKj!9fZE;EWtav>O>sSgFsR31*Le6qLlYK*E@&l@Rf^yx!32GTv^qMy@jFA2EY zaIf{zNHx(sgT4YkEHvy4!%ay(AF3S&~h%q$x8x)%vCe)HRnk8A;BI~ZTYAm*&K)zUWCX#-eDHN>NJR3PyiZc?1y(mPL^~xH&k71O#!;%etwSeEv@16Am|#iW z{wAT3>qkbmX>^Nmkj>3)HR^F?Qw=eWIp>uZ%SB!h+E!RghIQ0=pMq;oQAC|NRg<@v z5}an!di=houKD5Q`t+x5Dw`?f{^IGhO+}Tgt7{q+O-XI6>Pw^E(3PK0aTo+zYYvAP zud6p&wYf#bv7)`|*gsZntZvB3Mr%sr$@|I2>+Q*+VyUlp-YD<`R)-%`lcb7ni2U| zg6?_ma&q$SeA11A^?GMcS5~@b2P`UJ09s#jdCH@x*=k8sjd=>7X9MH}pe3RYHflz; z^TP(2pJPf$h@d%C0M2G|V?uYvi7}4BzfzRyJ6q+sDZRmg;w4x@n(ctgVn7uuXCah$ zaVyFKFg?QZ`ZGIJw+-V|2cpV4U*$-AXJw@+1j2fpur-~UeSXx(9koIowQmf<_bM^veDMN18FP+pqm zqHCF@)jV{vQd6QjRY0ey%gMNU1<-8%H{1R$%S&j%vNLS=oqYfJF1F}jX=&23d#YAb z|8$8LGK#L#c3D^J531ECQFI@fvU|GfoYZRAj*7(=9LJ!xb71L<)r-n$9rq!dhVG2I zFe@Ka=mZ)M%rt^!juSf$(DtdAMtJ66jSGl<8bRpOEe-&M6DEx? zmf6u3cV{XmMpkvIcx=TDwC0${D$uSoDUJs0lNya6vjZfB?P&Ag(z4U=cKs5e+EyO+ z*e$NlvKB={j-*_cdUYq(YSg-=6wVStrh`j~0_w6QwS=l`n`}<@y`EOW2WNJwwYot0 z_B%j%Bl_9+lutm|b6+*6zmW^FNaR92^SU$xI)dak0B&Nvi)~bb%3HNy*Q!CjE;9Sk z@ZI=3!($&qB|nQ`b~a$gL$?ASI1cC31U9yWm4#CkVHUy$TY<}?6m2b33Ih3-jC6Yh z+C~cqk~HKRYe}B<(``Su1zhiR$tJ)CpFp*H8XnBxb?clpR_B`+nC%;JI3jYE-%9@9 zO8#dnNN!sRpjYJoKk8TWKffLh_xYc9@s#sF!z5w7ED3aOBi3J`k}GI0f-#&+H(i@N z&;W$;T!A`)p}}}b2;&vNfpr|m?mKCWaKsi1%Jlozkw1c*t1uJkD7x477E^F9c0ocs+&A?SjC1D#(Q zyvgf{5-1LeFIHdxXEPjQ{*YHPZ=SkkPC`Vr2REx{y?pxi6B3g7!&O2N3{FYRIE6Uo z1#D`HY=m3+k|OJxqI8NpI)%R4P{bL!_{NMP^;o+!LtdJ&*Qv{>8+DID=k7eP(_)Y&!zgH?9k~t@g2Z&O6|5oYq z^6j9XzmmHgHhvj}F66yb0vl_Msc0qlvkvka>UvcRNUy9uT2ZmVGPHT8aHEq3eUXOY z1qreLFa~F{kAz=P#E_NmMIl~B%P~0Gev-rTwn*qQoe>NW^`x@MKNW6?%-QSW)4Q9G zC+Cx^i<8qyVbLx(T7E1a9|S<1(YZvk@_YT|Lf!~w6n!_FCLN9I^f{vaYSWoAy+hLl zA-A5|x%PZyU9xFidLv{C&zgk6loew4+i#hOwy5xLz$uQvzkwFz!BD{{N%3m7{ocj4 z#SU7Z%>`#;aD95wAPe?=T^UO$epv}^nWtkdATHC)sh|{(`se~tOoA)qlQ>{wFfiTHsddY`vCxF_Alpo-=kjwB zpfNZc+B9OBL%xyCp4)WYKU;Vz>%Tmz#LfY=(Nb{L{cru@acTW`{QCHCzy90B(FNnX7|x#&IkgGuSnASDU3{eyLm(k@#aXTyyHO4qBHj{R04k zSh`Q89`!bcwjqRKW{(2^N*sbImgh^6zMB$im82dFaYAUIzD)6QcYgMbq^?;_KnJ-|1-&2w%mKoluxq8&g 
z(+#VI!4lD_{Z*!y$o>pah^#;7h-be;%;mR^)tlj1?QpG!%To|dO}H<8Xib8s%8M1G+<6yZqQ%6~ ziF~t)x!%3Bu0$lpoKPIk<(;}jUV5-%fOMUg(Sb^Qa2@jH8$!Q!^w-cYHRx>{A;uw3 zp9h(Qq5%6}A5-RdKlgB2m^|Y+7URiS-TRlOMIYP0=OndWOVv@_{rRgUd`)+@Pk)$l z!h9IwcwUE#T%C}Z!!RL%DQ_s+RG=lgPSdu{0O_7Rv(u&B`hSY$g&dD`1FZD_j!ORD z;b1fv?AQOhcy_k_|3R@(!42?LEb>=+E3|MNh~L^lYgAPOkq(R#*Y=UD_KdJ}`cLF@ zHa_rl{i{NxO(Tew-u1m7`1kXy*8inh{1J0Nv;H59M#p9SKO7#9_WFMp&j$LxdRTZl zfMK$LCGCHu%3Uf3`Wh#Is!lc09Z{$^&<5Rm@9HwwzSjF}w{n`|ke|gT0Zcg3fr_fw z^+RG+Ql_jT*SYLYgko;OS^5L{JwnkB>1>AR4-Xu%F&K;vhlAte;T!c;VERE_f_RN1 zL{ff^!w|DE_+GH*K{cw*D@H+?Fp~2RSCh-nlgpd)Pwyrlu5R9)U1nvnU?hDdTJOem z;YPox2lxK+;`HX?)8%y)T1RxUQ(yI`>+6e#s>6n=A3mMDGd(%EzPY+SxxD`Q!U3mv z2)u?G<=`w`IY^`E!IKp5X87K^Hm%x~Pgjm!WD#sD$ajA7KR4%-tE-dulba8dkMFO4 za`eQ@NU7ub7zzUt3sKR7H6Czz8{F$RP8 zID4y-232Zyjykm!=QQ!(K@QCs*RhNy8*6b8Un^hU9321M!%7xgWkS8QBForc z0P&WB4p|BvS@B1CO;1)#@3h~B2+~;NyEHnnlZREOoT!*&E2zuVzMoGC$<~c|?Ln*B zA)YVzd>U1%k7}#$mA6BAlV!xpirc(vRN5Qs-g@=^=FOYRydZFLD(rG3tmg@~eVfe@ z<}F2x->6RpzWJoKB5xAN7jKOgm;c=8FCk`J9-1#yo8b`MsEcTB5)y_tcM$U%reYJ{ z_6uc&T-}I8(v69lcIh{bWn($5z(|7PC60+kR4cJze>f~@F-^D{4OXLtj#enI$0@#@ z>90XM{bgu)gK1ffkc1&VXrqWo9N)Wi*i&em$}yD)-fJN{C9$7Uiemp^3_5c9|LS!U zrx9C0zv2UlV1D?k? z#XirA&+zFq6h&gVgifp$k@tdo3(k|bR`j_2jfpXYw}=*MYi$}YeHp$PFL8ij z&!)wAIO_Hfz2w1!<%f8Q1Qr*ROi?~;f`|omSRQrF3@HsuuRL!CarGs`Au8SbD_<|j zorfqTwDKu}_ny=l#SfkDJEb@JG>(j`To5KzaKE=4_7(_+e9;qK%&O>{rQe|tK4gLS z`2>*^Bl1W2yvLPXRfF|yIbM5eYBG=wtQS2wwKT485rwQWu?$-o$8~d3i>k>3Cp6o? 
zS+_PvF(Y&qlDq8#XxDWGfL50k$2(mY{N842!87WVOusZ+7rx}Dj8_YQ=0q=o73-{V zh3OE;qV#q$@$ER}UVT6AAIny%^Le>r#i>N2-OIm^``zR2!1I&TIp4nm+HTQ%r7CBl znhb$hWBeJ2g@wA(jLWQu_n2`oMKeMXU>s6z_I?$DcMBXM@OSY40S|%B|9^dTqmq^0 z{CM_Z(gFYYGYAMk{(^vxfQ;k0y6`e@vfJ%;{tQ@%Pyz;`c#QsRH6Z3X>(2@)^h_l% zE3TLbMRQ8hSSJT{d)tcmS_-@DXv^C*uC^#ro#-Z%B#3g18rD8L_TH@We3qzKV|*U> zkGJCc-0yGYPt*R7iBjG)5y*=D|55*_UylDD9qspjcJgen|C8_XOGY_|$=B!}v_582 zy5f9KACYATrc0&wQZB~e-?G_+1ndG)Z4jy5^*W*&MNNXdhB+v`KrjgNtZ9~+7nwZa zGGD>Cu%KwsTK2-EJJ0|)oIj%ewLH*Y#Oty=&s1j_HB*fG{V1O-%v8}iJbZJGI|uGr zM%QevMiJvOrNcOzWF`9+&Q&MIlkuity<~t}Q#5O>MA7y%Ekdwpy56MSIkM?#k>>l? zIYH|u?t!!J(O_sQ>l9xu_KtH;(4jr{@Iy;i)=o1_|V?jM%YZL1#v#P9k#e%!RD{t<3wx7IU(e4eU zZ~kep|F)J1ZiW4KbbM6K|91Skzd!%ElV=0_uT`qJufz(hBv)HI6m-qZ1r*8j2&|V*?oq?B!H_&^SlV~Kn18M=pIO0_c;>8fPF!}JU(Sicvt*j9!Q=(yoU4Xg z=-W~3q+-~LlxUM=&FKcrl8)V6oqoD-_yOzU(@e&)a*b-LvbscNb!o~fO--&(-`%*A zlxZZ3i)zIEASDlw3_& zUtDYE%+(z^L5O8s_Ccn7#Qfou#2nohh~vWqPH~7iMkVk8B}sYn`{cui>`j}ra)|rA zf&giMtVzOJVSuvJ%BF!MyIi@wN2Re_mCLCS1J`P|!4B9o9bOH2eB->d2dp7EUK@X5 zvE_C|dUS@q&2l<5tp8%f?+Cq3WQNX7mVm4L|403!()kbZYrp>6#k0ZsPxFV27AT$j z`=~yt^N)tR5r181r` z)rgSa(=cZT^PPh{%ZzBRI)pXDxItfBJk=l7@swRC%XnKZPlT>>$GWm#sd)G;R6OqOUS zOB_>aOzsqyU>7n?TJS4C^Ta<^(^m4GB>S$@*tBXMEp=+XYS;Gcq>_3db;1J$9`pTL zMlx=wE=f?#7I?;stYl@b&LLLE!+`OXH_OkR<;5{d*?#l?_wlTl|2Iqgq@NY@|KND= zx|08Su#f-T$@BE{|F@a=$z=v?mn`hO?SCh`A4gyn`UMRUwJbuSh_!w?6M z<9Pm8#ZRX;KQ-En#muu^SNi!%u8H!cgg6!}E6<0X+`X^0F?-EnRQjEEk7hl;L`#hB zin&fifu)Lx^h1ndt~#7W^1~m}I0(@goX+3AEr!CC&mguipY!6YuiMvVvWoXxs&PSi zD$}enOgxkHqcjGE5LL_go6FL%&mllajffA*N$w=uGUfnt>pd(4L1^~ zNfDQa#SD#3XJTHdK!R$))62=p^`!9X=ZkmtD`&)N<6RF72WT>z$+bTCNaE-BvRCx~ z)^>gKXQlmLx&QTWbi9xM+sX3^B#3Hl#sDWEAV9epfpIf-H{Pa;?W?5s8>nk+pytiz z*O54|sI;@`?(B23<^I{xgOK3Ej$(Z-`cKE{;ab929^9zNB!gBUjBFSJYrKvOU+a5=;RwZ zj?Eh{%Usg9hf^=ukJ-hlg|=p=i!S2UC|iZaYfebWv~C=O&Y;`xBx%qtmxSu-xzxl3T{;ahB2Ic+#*N2CD`)?=DQ*LxME1c%tu666S zGw7O1JoiXE&r^~At?l~cPqX|FhDS%0_|MnJ`}m)oJdfMdIZydITRP?2%b$2F$Ie+$ 
z+PT?uM`o4n`{?bMNKiE2jM44LotP=&aNw0`*ka$MLUt$iX4}OiQL1cFNQGOo;|2cS z(Fp2%ich$2Bb#};ZJWv!`(FjaBqU(lV}*nSo&-#`!VE`1gfs9Vr3&(oG zp@T(i61I?x0>!^>sd(y`5}Q=J5DB>rj7fZrBg8n2k}-(WFs#lda|)BiUR)j}E=3}) zGnFW+??t9bWQxRM&o491xUjwGJW6z&v}_?k?lIU4Qj;Ln#4|p-JnaQ(3xc$^1nos< z4bdsf%yWBttB>~oUrtWmolm+^@Dy#V-2WSvEu^*IeN_vw`kPe;Bybk{@FkKXaDTr`F{Zb O0RR7D=QgkaasdDxk(<>3 literal 0 HcmV?d00001 
diff --git a/kserve/helm/kserve/charts/kserve-v0.8.0.tgz b/kserve/helm/kserve/charts/kserve-v0.8.0.tgz deleted file mode 100644 index 033f3aafc35a7c9ce517085d0a29da33a00cba42..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 39464 zcmYhi1yCJL6R?X03&Gt21lQp1?(VL^-Q{4xHMkSp-CcsaySvN5IdCrT_y70S-KyE` z>D`){+TEI&e!80^3LX>UzXMDIL1!$b!fYxf&mrf<&2GY~!EC0=Zl$Bj&7r8F!6C0{ zYi(?A=B1|Wz%ONPYX@=h?&q@6ddn1f?9hXl0_Z9KalDam80HslZ|7G-zDlsXWW0z(qk6lx{&T-xNn8x`fO-2f+R* zeI$~31Y=PodQQomf!TcNT!EAm!!hj~%l?B>CsdY!r^FarF@nTwPXIsd^Km_dL4GHqnbv+0_C;%2eCdA4tau zFelSCVe>KAqo%vyr3a~e2z;WASw}N1cT1xD!@{;bD~YL`VF@K%#IKlrbEc z*%Gx^(QkPj+tbPG;0vUWG)c#!m`|!G&l%&H^t2Ed4IvSqo<^imA8YbAz)oWsa9Dj8 zDHoec8;K?JAGYusLn=@O{~1dw60A-&@FUi@oCqfnpz#(qo5zU)q~^+>nOsgI8jDS6 z8rCEWpsvAl&pxf)tOj;RpzOI;BWuE$*JY%S6i3>`q*i{+(CAW#>*JHIwHv5`Ijy1< zMd?yxheSYX6Ctw|L;qet)ZSj6T)H3TLzXI=B;qwFD1s5MHIZPKDfX+5Ls~Vzg{53~ z)|5dX9rW=F6*-)3Mp?j##hms zr;yy)VOUf64E(|Lv88R_cYN44{`#ax`I=PGK2>m{Zp=?BUO8C#TAoy$wpKzD^^z=y zQ5~Bv`0=(4H%I~izsH%=46rgRn$tSy7Bsx>icfZZY+|B!@jO57sH@BCG#BuTbpmG(D$5EnQ83-_3?tII5NgGE=9k#Zw5y zhv~9CIrc*-CTjax)O?=2XR|SLmjMghbe+QhFfY$@zv>hlQ|jH_^z3zy;5>I+oJ^b_ zN8;-75L)j+ilLsg7k?T3VoL?m(7^sa&kcsZKPTxNI!+ugFRf{B#oQOl69Now2L{>Xr$@JJhi |Wt6OjanjwZ zV47y>p28DFf^*8ebcl}Y^+2Tue9Mxvf;l*DHxrmhW95I2djxEVzQ~c0*LW2_$LzHH z-u4?<6d(Prk%jjGT4o%w+wFKhdl>`(SJZ};G(H$~iOQp_UAEVyi<0Qm5%d=-p4EO8 zWIWh4TXAqsgxl&caW5MG>wJ|;rLfncMYl;WhaT%!$4LUG-y|)Axeq@lKedxHL1&A- zio2d8ulnbmX3)Nc&z+vbSQk&xdLWDox!c6tS#%zS6n8NTEB&N-J@x3~W0CiVuWFk0 zFAMtX8vg=?o{Z;7h4$`>v!dy_a{mG{nCUTubwwX*l*GZhEQkBkT8ZT7mhJNBOx?0- zagHhlFJ6Yp7$u9TIc21WJr%P>A;U~@@A=exAaHIF;~y$Bi=Tu z-BliHsTMK1MefzI53Mncae*~miX7vWa<2M%TMo)AKyUq4T-hcXv7Em* zHtKe%I`1d_Lk&`L*+-jN=2`AyuR2)2Lh&JPP)Y-=Q?C3ly?)4C0CTAQM^^czm%#Z^ zW>0%{jRVSHonx(Q%`e)^6`yYTm1ODi_9Ig%7uS`;Z`WD2^ou^xAgGxq)&a1#lDOF7)Jq*{ zOrUSs!d~;GW!cFFCmyBsoOn2}7kj7;d;`h1meSn%#e3T#242eV954>RKY-@i19W>m z6gPeJ@c8;YGgN^)@`~BF9IFjCI?b&72X&gCD`_=*&QA8nX={V!Mzttn?Oz*ZM(VlnT2Ch+-{l_Mf_vl}YZ#^wd6&D}=mHV4L 
zfDVB}x!5(82Jh4<0K1-3XaAK)Op)`WJ8eV}_VXuhf()-`->Q|(dy%n2dk^)CLzlGt z9s?#$SteDl^m&fbZ#R>CduU!5HcG$9tro$`#iVbwO;I0cjjIx%}~N2X%D&6PA61udK->c?^tyw_r4cbcO9=k8q@9Iu= z{-$jwt0@{Hdd!o6@$|N{Y#~{W-(1f2{urwctnULYVHK~$Z>~D|n0cVYx4RBy+$VJ; zW>uqygw0CM*OD@>HD+@Tb^H7nwazkoCVYS)ox^=$ zZpWQNIvfC>}^wd*h z*zLVI1onF0lx+uZ!Zz7`OpaTQYjPD)%2^xL(8BCczbbNzuFv>qezC#hbFOs^G_QX( zF|MfQl2xgGKzDR*!%x`;==4)9x&N)-4_I3=#?maV3$YUg01Ps&+}gSu8B9>14uQ*I zVGYUpx>`-g4qLupY5I??2(LCCs;dv%h#t?z4Yk^+B&rw#dI_2If|Iv_f$L?B4hmDp zxatCa4jh7Cx%NBa)oFPtsSX+Mt0x&fz8z;u2lzlxW@-&K$ue~_VBe~{clCa$`&;KE zWcy0YR+~vH&x6;8$k7q(I1uNBPrl9jq2*EGaT%1Ne;;v(!bj`q1jA#cy@_1XX`DxAbaWz^Sbqgz;(hbt9?X@@X0&^m zodfuN0IIsnhfZXRV5XzeojsqWZBw4LzPi7>#o6=>z4*TGYo9MKh9yH`TKn|L`3^2} z=-w6p2q2Kdu@pTmU}PUG$a54;-$A9brLPXd<8fP2NjT+(j@d(HSyUJ)$5zNOY*vnf z&khU?htaQoG^;M}-UW#7-U#XMyJmgermD*6!O-uodA~=xw#u-^8|3Njsn)-Nt}JE- zugC2x4X*6&cYxl+S(U zM@hvUIdlAeD}!!Crfv-0hfkr!EKZ!22z!ja(Eo_Ee9c26YIqn1m~WHoB74+o@ZE~$ zbE*QHo*Ik({*!HeXu8G**r#{3D_u&Wm>V=$EzXMdg)Ps3$|avI&|Hz)pFPG6TOJBS zUI4^_Hl=q^mD&kv3MK3MP0cNj9R8*1uN5*;xo1gq4XdAdW8xicg&b2nabH8Th(#wyE=^*IG?Vx?F*J({+E$||a z=;cT7NHgeBJ5H}PT}glVYa`}ZW6F~oLH(^RcP8h@+AMP?V&%h~ZHjkGC5S6)P#Y%Q zXS~4-RiT)+d9f#~d>U@7L2vPFax6?@jO?Jid*$lFN8gZRlse^9w#*_kGi$qQm~zoe zjKCpZ;7>poDC(sANO*SWecJk*@B(VY3GDKGw%Bs{mg``M{_&(x>eV=Mr&mL4kc(&W ze8|VYUksMnexmSP;3=$nk-JMW|8_OWr;kByUVeT&^BawiI(M;_KCu|8se0vDW~#Mq z4|pf1F&udaqJA~43jx=qV+G=@XPzbEvED8YhlWd$LYgc+Hu1b{nKejhDQn$(doSg) zOBCd}%F8rnK}Z+;nw3_b?&B|H%^<~#$%}r0%`HX3t~tckl`xm9s8ka#i)xd?s5WTq z=4$8W^K_|2H2fv0!Ivw?7Iz$}sPY$invz}`bNMxFAova-x!vOhe0_O^1L_eBu3m(B zD}wG8Jt?U1xt&Z`s-Y^mjrpUOHRw=#C-vnUGkp>Agyg-cl|H*rP;%W zP5IST!Ag(q^5!P$kz|>y58u1>cpD=tBf;Q zg{y6I#8qHFR|fN;c&A~HX;G`2xdAlz@YK$Z&g4o?kg$bnWS140U@|(b?cLLy$*MOg zrol)eNQ(_rtqzf!@}zGNBN1o9nJf?4sI|0FS9>CnFRD~rE{`sBFkpWhVFk>*)_1kj zc!hK36GY+QE5fEDO5fhqSK(@+;N(d{Y&c)C6GDgnv(eg#sVUKgRT3OMH!no=JUoO1 zg^KnuGKo{lkq6pQVtlyo*QkdFDe-Zq(z0Eeq!>J8AT>la_cZqZKp=A-eUFD`Q;p|STVl3uEODS_?H-7WD 
zFPY@fFAp-2w=r~uRkin~s#?jlP;}*@U4kf=FSxi|{uebMl1BoKU{lZOyIn%27{)OL z7NPv882t@?xjY|Odf6t31aG0egAp?gO48>O5|qgb#xldPxBfw5*U#p>Rv%WZsO}i6 z6g>P`iCjvwV!KJyq@lOoF)@2s0^t%oe3c(M3e0Z%iHc%|^Gmo^%u12INal>9hEq|a zjr*VFstu;`|F7GI?ApJy}cfkAIp~T0NrYpDwVXG5@^nzFT3tIrpA^e^*-tZ zyL`9XGH6uwxK~;6EI*WD7_!1Em?JD!j~;t1`sh~A8WHh(?3pqqF~f6Q1utKMP?$c^ z8*(=ID#Z5Dao2<2_j<|dl|)h1t|KG9s+o!AvDmcdx7~&v#UuZugzV;{pweD$2H_)k z{S(!_Y`1LtOCAGwNinx_VNb3DamVFd+TfM6@)i}pp8Z z;)`PLSv5RPP1SpU*mCs4?DBm-S{%Rb_EFzuOvdt0qDNc3?+l{;_%Ww;QgFf)hNLv= zJ?BSDAh4gV9WqC(Va${KLf}V3aoB2F;`?N3%$dxjy`%l&lgvuc?Qj^+N;v zH*=DuWt1oN_;=oPhoJV6$|~qUeVU2{;O|o(|9tu4VEG9%vjF^deue_)=f+Cr30D7- z7D*_8s~6p0J~}ZyShvXUrY#w)QjISTbI(^;C+Ed1es?eVdANGsO!ie2*B8ZnKZ}tn zv%e^G;HXP9V1&f<3CQT?wuKR|0G zV&hZ(1Kqs@cgqS@qJH*F7~^AI7fhfSXK_)T^Ek{Bbu4pB-)$IR%I{gB-L;?7sne2P z(Gxpr!gw3I{^*RQ!5cy8^iBfE(x(y;PxLh>r2Eoj1?nkywx&!x>A3DbXXv~3-1yB0 z@`dEB^ki&eR@ns4OzyvwU+hVhJTIew7!}3oQ-mO=sS?lV{nVdT$P0vSh4`s^a&7SDV++VCWn%7t?I2YHeE+l>gb^UVxH(QYk7q(5@ znRW2AD6C@n!+sVpX=z8$H*u?16a!G8OqHty3r8hco$`QZk! 
z(w%m&Ub5RZ{L+@tgNd2OJ+hFMvx}|*-AC-lY z0o_cj$!f$mp5`s^Ag#8+dv(T#t{%lRz9*IK_9xo7>ln}g9am@$=Kcb=K%WUEqJgGv zDi?sr4c>gq5>wdeq6(f7GqW6}nJLa#@jnk&g`vkQ%(}lSYVUX^J1m4uOd;8^+NO|* zuky*KHn&SMaF$%{JsRu4R(VWbMl)=;um4#SKjg095PV2|p+1wX;LD~M?UA<#=aI#GJVLse&uNE=k=te*PLa$3)@X?Z@4J+ZO7 zqK;EsjD+%3Ir;JGr`Gzrv^{%Gww^ynPNxV7upFQe*wyYvF(etayd1^_3R=WZoC&ayj6DfX;pk*l z^ZVJGQiENhD>HZfojFDolOiLDxN3jZNUZ&8Gu*bI@I#gL3pr7CNXI7mS+v4`k_o$l zC0BcQ1Eb~q6FzT`KjohR;nJAO+cr`TW#O|hE$LuODq+}OFy6NF&n}i~`&Rm{+5#!F zqX#;r#oxnRhs_27U;7H{D0QOLCu=bw-NHKnVR_IT2o`*VoDU zhIhcbdF1F{+Zb5}J+Ev*CL7y19+-x~jfAxfqpeX&Qg;yU+PQ?ZOeaW=^Umz+FYql4 zPb0+re9$Ql7)(u_Fw4&qqqJ`IHOn6n`zx<@!tkR$JI#reCABPT3k<``2rr%IVlv)2bSM8rA37ZkDFKg^wZ4$b zN+OF4x(RKT@+9p$pO?`kvnKXY7u>BfB-KYcn(LWj$%jxrc~i!TR7~swK2+?rRE!*E z(uf#xYMdNqIyKM3Q$mQsyHA9|`{@E8=A_kLmSxsylahaQpNECqj*L~rqOgN2J%MAk z3_ucdys&*|iX-8fc#+clo67hBc;iFnR$>l9gu#Ya)x|=tB+JWaTZuj_?(qINjQQnks^&n$kRKLq`^pHwyylK5qvrkV^oi-zPZVS6Mx)V8@tL9++ zTP~zsbU7@(=dZRGWD}nxR@2t8*nIGlBKR2aVR?59ex1+#aN>FyuK@!;b$OsT@a?A( z2*3tE=K?-}xgYm&xdQK={;yY>pEp3{nbXx3fcIlX@XobAEXxZp7kmyzLBF=Imyu#c zOHY?#FVk5baWN|S9eL^XO8*a@+lMU`JP&nK}mQf*pA~|lV6B|QLs_w%JhAO z<GX=TB^&sa|=i}_>e4D6%%MM*0;I6&0aPfn6=Wtz394J4cR7IjYxdwpTCJ0 z4)K7;#KU^$ z{3~7<$CfPJ#D9wb2S67Oj4?-c3~hu~P=U!$!H1b!hwZP+jSsewymOA0D6816C6x3H z9)Ff)4IHAdyt)n^pd$Y)cL*Ome4aNmM$a#4aDnIR|!&?g)c z4QSr{bLXv)iO9aebvd5?iNA0q1)`_OT2%C-Y`w|69ma`>zQU7U+?nBMS991jZ9*xi z6X!AyY?(_liZ9iD*C}KWczms0G4opH$t;mb!fSSvx69{t@JGn@>^2UJJT42@hErVM zSdgIQIQ#@tv2lo(%i$wloVHfdmiUeFb+Inw6;Abv-`ATS^9qUye6kYveKNNfJD?x4 zfD*;}s~mK9#1IBYcn?9*%XgCn+*@B^p2^hsSWeyU6etAMbmWDlyt=89 z519GA*Y5Z%jU;!;Jg$ zdK^eHpI*wQ{zcS!w-KpoR4q`|?9&qF-z( zwg1cITaN!p@`{h^1K&a2c)3}#eJ>n>FmMcGK}Vx4P8 zGGj@-Ah1?<20keecZdoxf)Uq_9N{}3-Om&kF(F+nv>A=zFqpPR z35S%aa58L8JOYIg7>!WWHd>MtpmxAHDD8>BGMGjgx#B#cJAvcJTzc|E! 
zhBtjy#eDaY9mvRl%feg$Nuq8MeQoSJCwZ926Q2DPrCxbEl@+$q$~ zWE|_chggfC>zn9sE_VL@wEt(J;E&l?WC0+P0WC>c0Go#KFAa#i_CU!NLG1kXT=vf* z@L7aR)Wsw#*k@;HiK;kY2)Acx)2XQwBJdeW(y3XLUElV}M+bV|oiL5|sypoLf%fCy zzRi4{p>FNyO-C{J2r^4GSu;dilKK9x{_GD$6nCCWUIpKeKzPrsz(1iot!*wD`+WGW z1}>cgA&$v2Ht>AgQE)DL%`4)tGrn~z`xI%iK|18St5dfHv6G%xKLtiAk97q;f{z6x zW6=e`-2RPx&UrpxacNO_XffIi8C`2^PYT4Z43z_-Pgb%{baV7}CQe4$evij0*yI)j z!8JTWM)lW2aNpIFI-=P6b5Gk}Oc^qhc%EWFQNmh?2w`CtRpN>dQqyRqI}b9wapc;$ z2XLrkM|f|o0t1Va)9T8K93c2roVorF?XsOtYL`)aeQTonYb$H8{??EqRVkRh31J$$uq)Tt{F+XAXq7?s-_G)?tqdrBnpT|OcX>No7!xicu2{BJP}Qm{ z?1*gw$a6B<`|B&3-;P#?uD-KD zBeecA&Sm$^KyCx2qz?)e(f!RvZsz%1Pnz8HG+IgOnIf~~=s)g^>9EEF7F^bV{;D0r|(q?&O@W7-P!wP5x(DdylH92#&6P07M{kf&$o+f0(eol*_ z5VSmf$Dx_@NpSY7LH5`o7ot!HUQ~T3kG7do5AbrEPv)9yG}0RBc3WS0dJ}ciWB@Q% zL089jWm?SS@plB@Jl#XnIAzvy^t_nqqe9KNJYtC>NgZEph=-k1a%sJ2^!P(?1@Rgh zJ1qllVjkCkGkPbm1E~D|boF9eXT7WzJo6V?w;`4iwfFR4FiqsIzKQ%_C81oPbjxHX z*o`Jb)&@(h2%w_~$9xt-X;`OEp$aRQ^#kr}3y@ITA*^I&alYr>q1;2koRxA7%%4*J zwpY>Ho3*u{t1cndAFWJwZk>*B%xPQmK%|JuWhKDGkB(8Z9qXa}c>>@1^EtP5$#(1# zHQb**Omr1jH%LMXu*!J{fnaaOlY5KdPhQFC+-D-3SWgN6onnOz_G?(k?;q7`Mhwja zBMsINn)~L|1QRLMwE{c`&x_}QgB7t zuWX36Tl!fQI*RkX6cy`6k8O|1;mP3qPsy`e>T?qXuhb|_4mnOPG+VVO5|Hobi!hb| zAx;t><2$FrZ>$&)+SkPKvmZfni% z=ytk9U#-@8LU`?TM@ciu?E}GsvOtZe%BvTLN}(Akb-Wqe&uay39hq{0(;U=G5*AOr}T;2HY7h5J49*0 zjsi6?S80J< z5AU~-3Zfaqko<3&9-jjw7g2UV`&&BS+?4oh{me*eeTj6#YF&mH$n(Ex1Uui3&Q6zi zJjQ2ThWhM^!X-h(aH1%1R81)&pe@MOp^;!0($U%nb_Sq!H-%{Nd z^hoc_6R5(t6R3ZE@r**DjwMK_JU*YCPT50Rh?B-Ou|EIjw1tQ=$#wGAzokBPKQJG# zK3|i>PZ4D*OgE%YF;ol%THMdxZ1sq>8j<&gBQ^?LfTM@S4IH&Mlk>|Hkp# zI2u$*T-cMa=-Hdmzwdd!`M-(Q!Lt!#8IguME%RXQ&RFIN4U9mm6V7zUG4Av|c1e6i zZoO7Ua{tF%`*z|44BUFc6J&b!t05H=xgi&R_A`Fw4}6v+^lZ)lZUpk=`XG|yhoKhq zJ~9q`v4Ry>yW7!Fax^}X?gWNnd84BMJM`@>l(q?=x8t%o9Frx=Srw9`gy>aJx;R&jG?6Wr zOQYEA{&y*;uPXdYajE-TDa<3*r1u}Jqj<=(0dA4RvtGCxVHwwr8x&u3D^-H7Xv=Re zuQbSDo$m{%-@AB1D0jNrstoza_*<*C#e%yyqK8B8mzZ<#7i2}<2wg9sYkZ#BQM$H} z4bFFRa79>dMhdot?8jxu3`Fc@VK#h5?4%*x^`E+p`1(!}+0VbHV)`dufOXJ;2Ixga 
z;hc%<=`?v;E-z@`FP+Rx;7LGG)58JhIuj704J>)KU)Wd&I5M&LYDqE*Ad`!Xk!lfU z^pJ(gH9;&KM*m>V>~2QaA*MHk-rUz(=DWMd)>@u$iu~Tl*WhQmyC~OMm}KU<{W|B9 zA1|Z+pqOrdlM;o@m5Nux^w&lj3VLVXlMI2TVm#YS;$??L1_l#bDE)K{MQDY+9cKyj z(uSF43v~G|v`RVT#0N3S^Yfb(T3t&m2m{v+@+eP;h-?q2Wb`BSD1Rko8+uwQ&_0=$ zZm=2u_o#dzD?u*^bL0hfTshE82m9M3W=e$#uda{W5aK~;euKsZfPROUbAQY*5EokR z8`1{u^Ff_ZY>)#Z(nT99WiISvGCNDjAcqCn#45~Ta~>U8J6S$me&k7HX%DqN8h<|P zF@rwZ^#GXdu3Ztwgln*;hW+FIT=_(uklb zXvjo|uq}{(C=OLqA^$M^Qc94)WBN#hZE`W@;iBJ))5s>x zMXB&yh)at$H}AzsNRmv*{yVJ4Q{j=^pk{Er4lJIkq{|<Xa`7hN|)D+GEIXX3wkXXo#dW&x*reL(U33=oGcf2fr zu3K>Hb^uqqJpzW0#@>g$>^>CVBmq}%S(XCa5BEP2;{G|446_)C;YIJ$$&^t>95x8q z<8n`LWC2&1bmLe(Kp)BD>6J~KoDwn%jm+g9KyHLBZm=9>C-`w@wtH`%HRo>Sz9^#? z2L0QmoY%l2mL>l;LJ9P9Jc0{7WY-jqb|vu|X#U~agGiwEDcZLiG-rxJbiWd+D~zAZ z@eI!-C2}^`FSWj3U&vW?T|`XM)iZpr!pRZpkF_i8cF5NL z!r{))ajvN2>`WXQ3{(2em1x#hj>f7Qc;qSMiL(5{rM1&?x?_L*uy%j-Ls=jFoVuCOL;?;#$m{v_*RGn7|*k_nyL z^b@kjK6?HW`KpL&CtpPr&?VPqg00K!2{**V?<8k4qd{3Wdp;_Q&n+F4n4LCz@07Mv(=T|7D;{h@ohXT0XA-`yDB6Pw)J`PAiEZSrEbiEw3CWj_48n{lj?J_t&>Ar)s3d z?VIMmV`4;VfN|)k077HacI)u26_M7z`=4=GXDlP5SO0~KKJlvTghE|*x9i)FybX5A zzx@8zafB-)eN{aGI}Xlm#xf4u4xJGw9CEfCxr4`{9P<_6nA)+mFSgFzh~({~ z&yQ!Uz{XH|_&Xh%AqW?W!ak_#U*B@093{xrKLOFt?QsRWz%IL@lU*Vr%FE&FapaIQ zA@atL)C?ZiwI6pJ9pltU^{ug44PTiaAP%6)bFzC z+e2V57op!Z%FCnLDXE+p+;-5GPNj*?`|ghAbz((k9};RnF1fNW+dW#qKQ9?~^DsgQ zJKEo^GKjXC`deyu63HU0mSmgcU;MPQ%e7}Rih#mlL~R$QZ6qu=0w#EmWKfRlHbn?X z!g;Rj;@8OP+uIpRqv$_qskizRtaMrC`?{YLvC5r$NW&_88)Ugr8-n*`8wL_N@Js)e zNvfU(R0Gxrhi8lgtbkY5WZF(iP$aRSC%aaiBknE}gtrjM<99cD#=a?3<|IVQ>w8l8 zVUcDu3MKtE(Dc--8`Svjjq{DV+J!hc7Gr=9roEB);DTn2AzLux7&Wwvh7$mOJ4Tb- z*xEwmY<}zh7i{G;cI{77^0tqX>148^!Ituj5~)w59zJ1CyMNA1I)%V02j@Sf3x;!O#(mGY3HzQtk&`e zwHE5sL+;;7d;T?&`hLvEAaAeQ&2-}Oplk-+1Jt}yH=|&k9!e|Ry#e^Bk3{@h&w&$7+_z=7 z8r#S3M-ekI)U&PV4oYb&b#&a8F}E*5^u*G>f|AZ~$cnPQ*%;w=T#T}0eTR%pj4G7vB zBv`KCRKfEfJc+fFUIZZQzu0<<2OoWXrFn?t6X~YIM}O{`>T8%qp@i?u5BR%-wVP{P z^NYzH{Xxn{JjY^gT9mM0IIOaehY4V9fPOjB9`0_|NWMN7Ys()t-`085+Z6=oILC*^ 
zw@$kwg?Zbd7od7oiNOY`m>S)x9g{hIV$j=P9bic=(}MaNI#d*3p&qeF^>V%%ApZ7&TH@yrEzoG!8G=JVu>$>9vu*Hw%T1KBvSaRS zhDuTPuKt5qBz7ambFHIDvn^_MgaTU6g;DVcXSM+4=^Na%sf-r#V9Da?iSSD7d-hm^}wFw+Chh zrOVpBgNa_W^`~K0l&JuJkKz5cH*KDgl7W?L8J-h$_{aP~oOEQb;d76HsP65D&Y^oz zV_@Y3oZlpp*W_C{0RZRB1tYox?omh^*a|n)+?mC1eu5{TRi!C`QIa1f=%j?T@#)xw z`pscHO~hRC%~7vo(fg8Khn-=;0*T{GRA|VJ+s;s#9Hl#6uP@GAg!;Q0%S_U^7onGvy<_(DjpkX|0_tD(6`S^?X^=HNBEL8F& z*cXGXLOVg2!FK3%SF(8SlPU=?Bk~1?ZKcmTv1hj_^j?v%RvL_&#ACRu=Vd5bscdNH}uWaupx11tc=Gg`h}Shrl=+mzMY&hXD=@9A;a6}Qc|pj(&{x}(#Ed5YiLKU~-` z@IGS={ud`Z-8P5uxRnB5ShPqU#6P8}blnDmkAK7ztK?75Y(I-(Siz+NB18+D&vlvic=hrhKRw{Ri%GB_=eLqSKnGTW5Htj za*(mDYYC;dG3pGVB%;UZrZnbUCAoKPp*@%|s=Of?fV3<_s z_vTqbce##3K{C|scgsBfX=G(em8BuPeG#~m;D?+-yZ9W9KGy}3P`)Wmpx+Tn#rAyj@WE?f`= z%8}>yNc6*4WumCY@RfBPyDVtP$*}$C-2K z1(3?zhsI2ll{OdKJhzctf?VGhQ6N`J14wODcK3>Dq4YBY_mJpovVbcm|o zI|FIGE6LV>>H;^6StF(n^smW6^(u$~*2)uZo!LlfC?yPM?SvqG$`TZ^4L`hSI1|2J zScwvf7{yE;2rd8DIHzKX3-JnFxE6oqZp7PTU*`xCUZ4_7lfs1qb`$ba)l%d5RjIfZ zh{xXpzg5FN?cu?_bHM&wseLvUPB~enwoI0p18)-s(cZs^uw=naVCEq6=X4)^s-eUA z$(9kL)zQtAzr%42c?JK75c8A=)g2Lv-4In4A_q2)9PK-2d{Bpvic9exoi5Xbg&fhO zG>e@}JR#Xlw0>cyf;dpwY?=SkX?4p)_mKlj?&)E9XM$WD`B09am8T$S1k&5Oi}s5e z+l;gNb#CmteP)||u{;9%-@JWiR^8*-cZT2+E#cT@1i0OAYSV~c+-9IdC#qOAKy_%t(wdks z{V17=mKBLe3DR)vEw$RNzb+dzZj6=$jFiKZrbIi0sPL!gx%+&LII{P!}%+V9jjpB@n# zlK6E|`{`zD(w34qCI+s9N51d>bBrF?qvWA7%YKzx-7rA=5|4j^9Js8P~qHW{#Y1u=~?%@^~~$K=7LCuc*r~LA7%kH zi?t-&0C}G5*VNMhsW+WUMPlRsj#9$M7C;m)$G(sYSkMVsMyhBfjz-_%EHIj)(G$TU zo&@5mhpDBS1+T-^5>CY6_g0RUSW84V|8k{T>lMfm6S z?BAeGNMnbjZ=^$sFuu7dM+n z2O^Qr^5N_C=9K7>%GcJmt)J7x=+9zEvgxb3Dk+>9S=R;8Kz^pujaBwcO=Q)!Gw~^i zk5}N}J?SQ=4MVZSN^LemlgyGql9+gi6mJrX9G)fm#~zE$2@T)Is-v*Hnj0Nri4ETd z$qL3klIcIATy+P@+7*;U$H>1M6^3sKUq}PYZDu}gLBr;MwQ58Wvm(+58zK)|fHon^ zX~2rc&rgay9ytpiJ_AK-<&Q-kKC|!@wT-ECar7k2!HQlx1H~XU@z6H(NLuKR)+?GW zZ)j?`rA1VI^Y4-_7&5s{9j73a>!X~;W7awId!q#}+0^)rbgQ;*#jmJhOS~OLtaq-q zR_g-p5nJ=R4Ha1P`W#mCsx7wk<{UPqk&1*0U}Yp=1f&f`MWPUj?mS|j$#}$aMT3w$ 
zAQEDcQ2*kPHGuf>fQzUOwaHh(0(U`i>8+omFOkUa8azr)+TM?TA9|^=K-ggvP=n<4!&@W{;k56$F*?>kig_{5L2rZaV2|zq4;7VV>JH_%|K-w!aZH>)2 z7J-WgJu5{YK|4Mx`+&gvGr;dd=e~gG0(PkDLSU!Pgk}4+pc=e(iDp+Q6DE zvQ5Nz9buwaK%XR>h~fi8aJMi7^coGg@OEgaf9@qoB{B8ObWl1&Snee(oGWY--@ z-xpZ8O$h~p*sOPBPVOcDgLn|^YGK?K0UG7$f+dOUl0a9`pj2uN^00(}1p_`eCB5)= z!YX>)Dmb~LCo#}*&Ax@K5o(_SeU<wVVzq=4*!Ww(uO%lp z_2gayy#m<^7+?(~>?JQ`V6Jiz@x9^AzzLro1xP6iwU)`Bbey@)xD^I-ET1OZ?q~Fd#&CDL9zbb_^CYp|=Q>g)Z8Z9Nc zqpn6NlcxMbJ3%_p7(uaPu&rJISFKS6N`w(v37jNFR7-exzaYF)3xy;F-SP1s=E9Fq zG{;tex!}X`ZsaCOd1o&4)k~52myp3s0?Y-JY=F7I7e~zZZ{`Awf(YaPz+8wO1DFf* z$^dhrQLH){s7B=!@5}|ua6-IkW3qpk3wA+&dyLpIfVnWd?=3dG&p^88xB_;MS6Vd{f(N#W5+7JU|T!noIz(Kok4dDK4BA!w#-7pWOY`dlccnh=VoBE zNoh`}nz53k#N11V#Ex}-28t!PCpq}N7&{_iTD^#Y*S-*A)X1D14HV6Ib(xE&BS|`9 z-8jcwYjk9K2arzQSUFP??p zs)@MIf-3XQf1K!XB{VFABGUzr|7(N&yV0f3;(iMo)xaV_0&GyyuSmN*7)0jz0Zo-0 zG+E$ZQy;&gpjmla1u&ArDn}-JbzcZulhE=#(yh=isTZzaG z^TwhgPOW!N&NnRn%KQ>F#w&9)j&MD(ZA<7|?CpmB`7HaD=P>&fZ85GhV8%fwtGz|& z^0&;jwN}6aM`y9zzL~=V*1w&7Q_tVF!FBdda+s`vDfvrs*lqww4qRuQz%2lh!>l~l zSr)L%LHhnicIev;0Lek#^S>oI^jZ98l0%=xJIP_Y0U$YKy1aMr@5ShejVk{vlpQp? 
zK{3Xnbth^1WE%OkO}JRAc02`p?l3w~UD2)D`vcWUfGiJZ{f+)hrI|2mrX zYZ*tSi@cCHktzI|!UknO>L}6wnj*LqSP5$hKgLVkimHDm#8aiw_5XdO$Pbr9g5M;<%Qw+8#!SR_p>sG*U-T zKcLF(fjfGxY{sq{muIbI50wOyxq5;GQ|rf9G8|G}Mw*1eqH4N!w2?)u8zq z%c4L-I2bTJnNX74_Ql7-rWXNcCvE+be~f<$yQXLa7GTC(&1~cExipQH+SFrXVF8ao ztDwEbp3eYSd5=(KMOMIe-|OnWj3ZOpu2+coW4wp-Y>jePp*%N@zA}?i7dgD(Xo}cl zJP%L~%fKy_x(Yb}E1mvm%G`h3vtCoQ{-=h&FM|uzx_y~zBdN!DdWa_azh(9n6|fH{ zTvL1nYoGj!lAdG*c5bI7|6)mMUe7^);#Nix5v01kK_rD(lE;C0}%#)HbD3!2Bs8`erwrxoO^dmmQ>A$R~FmD>x4oiB7)7B#VHEFc)gF_ z>18P+!;~YmPjoa!N_5`#C_d{N@AF?sP*V)tj@DC{6 zj41Ts)`9fp10u8iSJBpYQ;uq(C?)h;Y)-;oevm-?9M&M4(9Y=xO-By^r8C zvx*++jKBlI-IakI&F`?ymE`!R>fJJF9Hehn0Eo#-mZTP*cXOwl10HR?4Z0_b1DaO3 z3LAnfh*z%kYF{^7R$uCT^uypU{D1ou=HJ+VT98VL*pb!n2vfxNA`?--6+9n*Rq*q; zi=7Pe)JR$AxaQGG3bOF+edlg8-1lzn&t)=u)45OO0Q&-zyKm5W9>udZ*j{vq{orx_ z3vn|mxp1{yg097`E$`|Sjz zgIHDeura+-Xw=&dxCmk7#tvquT!xZ!7}4Axay3a@59!GxK{*pl%6ZijgsVmkl}<^` zgVYWmIdi9OlnQ4cY~y9*2zYGJ+%wi$k~;Vs3C*W?ev!*=a1cFcdYyB`pwPs;*bp{u zZJ9Y}uEo|WD)cE_$!HuF6zb8OblhU3H6f+7OmKe9GP`a=6|B)#iiL1_z;NNMVG0v- z`E(NyP`Vy@fowEv*4o;Tb%<9Z@CwC1SFr z?gBb*Mdk5!hz7mhNnlLHG&2OEKH_JKAuKCG7i_>m14QTW)$oz_U@6vLG`~pdQY&K{ z^Z*l+-zP*1!>f+7Mh8UCvnpXx3#rwgKxYKWQE97Q41)n0TcR*gsO?tn8yIhUp=zP3 z3z%PbMM8{-u%F?=$i^71aRDt{e}D6Z@VT%#^ChbE z598SaSdqwLd@%!%+scK-UzV}U!8VQRYL&3(5op~H`}vr2pZ;Po6gW(N7kb*6o1 z-xotxw17so?Eewlr}h8;0oyOC5rJS62mg73+U*+fZN5(BG+~ku4Geb-O=Ei6a4HXB z<%%-13_86Iq?5)uSLo&;V&CrY;Fs9Z=MDSPGyew<_yx0h91E^N|CB>GgYi#_HN=@G zg8jX2i3P7Dbh0E)&{R>r^+3k4)aO%M-)GB}hZd*Flp(T`{ZHp}UJ<@49v;f(jlb`U zw?u!|Sb+#3PWC-;7Tifhz~=T5{Djanr)rcHO(NDm7xdK>hlJA1fR~6dxM;E-+RE;V zmoVMkyrAOs8PieaYOyO~X;y~hiz0XxeS&^H=hLWrSl3$*bZ3H&GG85yN6Z2CRu@>8qu%sxEqjaENdHMBUk+`xxnfkx(9J$E`}089HW6p_Fzacg zdJy5YC+RwhOHa_17e{BluoKj4qK7yk$tETu?2F#v*76ZFI)t85kK$#-~5R*&wG-S5wy9cao*flkDTgzcH3}V}U+jD<1$09v> zu^?5QN@DN#Jo!2`yl5L>KhT@G4eC7hp`L=AB4+|MpQgRQEcKv?dlk;5d$jRy6zDDK9LV$Ufg@8Qq2}|YK@u8 z7W*yvy{KgtI8vNh2uFG1%2`*O_D}0oWcdl-&02+3VCVT1L{~HbVFfaDD70@c-W=(C 
z{j`>8S<{{J7hi-X?Fp3%X!JbcG*Cj~o%7uh1QgtHUwE2I1FXEdb(T-V7e{2Lgjta& zUb^H;4@^n}R2xoG=x zcE&2-bII63nppCXKeC#00peT$h&2@*UP~h8YsVpmaPETsxu}xw7QBC_Cv}(&Rewt_ z8tl7s-?M~&Dvr7X_raSrpmkf6b!g+<@Zyenk!OldbM6}wWf1DOoNq{KVll`(EIyeb`V8WjUzpklW)G9YuY(-P=z2cd{x`uA62H|4n5ML9R$b%BjAyh!-iNUTm2LvUc^>`NMFl-_{{xZlWt&Eou|5X8D-`DeQ#iEmZDh$LPM*D z6GG2P=@)3@RS#&p327Fck55rcSA1E4<|VVv5gVwx-es@9Cc0Q?0UyIJd=p)n+Cn5B2uYl1VRN^T zntQd_8ZR+;&RO(ZPR${C&lbRAc87 zs`{|}#_pSJRhm4a;h?+uTrv>brhQ3d3sj=KpKKhYBbAq@1^QP8 zWNAByt1Lbf&DV%j^zqT1s)xPS99-$ZI{DJG_FvGSV2qE~uq8E@NUwz@Dm?NM)F-y8 z{17Dy`9W`nO^WGP5oa%_Akn=aoiElJfOF3TL^kWyktCZ%zmjUOypbO=25Dc$=>}uo zic8<<72*dFK_{vHtZ#mj}t)a(_CxOsle{s?LUjXbck{=Hv005f>8D!V6m>o)>tG1yWM%az1 zNox0X3x_q!!llBkkCp7RN3tl`9;$cO2w{knKevD79K``{6d9stTU*07e{rOJe#`#E zv_l{$rIyMl1Vq;%VRZd~=sG+K5G?Zm1^cR+nRotoVhe<8I5;g9Rbr}47Noh?4u2$f zgVm`}Yra^^r9&C3?7aG@8BL+u8(#`KR4&hf-kuCOa?wYBoVYl9RqKV#xx_Q5~m6q7^3#et2K*J1_Ydt*N9mwO!6dn^sS=rDY=MQH$C0@+dy# zQ}Ni@KIWQ%Yx!TKQfgRZF%q@1*pYUNICb7Wwg16d(r|CK+t!+2-v3ftd8G8EnPk|c zZ&S;?=Ru5Jf>Fx{FO3Z$h|aEx_tn}+QLQax~EX`u?lu`_=AZNmL&OF>c6@TbBS z1CyCT_=_C6*-6s$kFuj}1$^$7^Le(|9E3qqhi|?4 zBqUx0Ee^D6jqil=PhTf60paDDWw;Ju-P$@){Jsl%D<7K!$G^42M>cbV?|i0^P}cuK zXVOI=ao%|NpsasLeO=Gz(k<4i06A*C6WZ?;H-l<;okiv@#Dn?ANvna%3{ZmYxRe_ zKpb5R^it%H>z(G~OY8dZNM<|w@^hTecUFVv0xbQkoaumw39+6t=)aJm^piujg#^cL z3;*Uv`hBm^)8-+uYROOh2C1S_{u?xvD)*z`xHt&o{eKXl@(d6CbEiH>UnD`S!R}_R zel|@pdJ5kcyn1HB2PuoFChdEgAhd;q+FdONOVhALYeM_X;~!zKN4I7y{-guYo=330 z`tSFp&3~68Bva=A5BS8Di**{t@MUGNh2a{eYxDYnAw}Zzc_gGef+4_k9<&bfubG1H z>l1D67CkqW%(%1_2fsSTZcrRRmFo=tw3_M;ByY#l60W>8c~?0xAB51=L)S>;Zk{=^ z20m@b{6S~?Y7a;-WWInJ6(e}lWi{54n0Xw{KHA#V z-)v&}$=K>O#Q~<26Qz#jCM?|mcjg&Lt#5FMP&zau3Jp__kanAa?ZTrG9%d^h|*38I`X>;OR&%cY$R zgbv}`e-cDRxIdjbOKo$GylFmtbbnIPiWr{n&PoIO#h*e1I+JZg9U8J<5TO74)2PbS zZ6E*b(0Fy9sTUU_u9R}knrnRk^xb>nLK&eNslVygC8r;+EVy8EQH`x4zT~WJlWJ&T zabm8>n$qX!+<2bI`bF|;B7sPUNk8C>d3GyjQUu(c)$BCb{Ut(Gid$^Hg>is2*j0zW z>!lj(h%TG~F;)Iv|57s(p((e0yCFIaCad9QkK{%vRS$PS7Rm7A$A4?6Fc#UyV?0uY 
z2Y>{V(y7nJX*fP+y2rU#K}BU9{AxQAgAIr)Gq(#M7*^UPlw|heTMbU}0ShrT}F+h6;)+I^mAr8)1nnU{j$16RS6YJ&cq2|&W^!5^Nk zFTJt}=kbvNKGc*4I*KNqX34<(-xB7v*I-<=cL{T#|5daEGZxH`wr9RnPWQhOW`^;K zW7&G+0rYH~-kEy*y9h9LxC}KRVNLtPi6qhioxla77PW8b$zS2~p}%q7q_!qUxe*M$TYPlkqrh02`m^y5lYjapz4jC*Q<`#PbY~G4AyTvCj%lhV3cwKPS@& zc2Neue@y->TGp*8B1XJ0z=J{ z&g_87VVBXxnJ#Qi`lV$ui*9&^BBas6)4M`%7I-Qr#p12g=kB6$p8fL+7#>dEfa9(=+)Vev(!5N7k7<^O#x0~!sWIRe0i{*->vgvFPnh>X zG4u8tg1lhngYTN15Wa46P&hxGgKu+@18DXEBK{VToE997cjO1D;N(H_QMlBPnYTmf z1aan!#-NEW#n0ZTLiazD_9HeQI}2{iPS4>dRZv;Wf1Yf1Pl|Cw2~(nP_tEIK zmr+p0+MAn=;#E~~oj7bU$A6w&GB~u%t#6nPru85=;trtz06OUyd%u|2cX*DM-ytWg zHN?924-hNyoDAJJ9wtg#PDe)@tC-nylEjya<)75DS=BVeVA=(TG7n8RlNf)f>77+m zcG6}Jjszz!Uf};l_MNVEZ2e$cyN9n` zLsj#5$lR(X^JSQ~?NwgiuEEpy+&UWulm9)is}_r`m$LG;jli(@>qH`IELX#sSf1$a z*w*xy`O>>}uV!wjl}jdC0!ysrZh)=}v+i`PkE*I-gry&D{WRh+y@r95%NRbj7)zBz z9irdu1vAKWdE0_@J`@vX&{s2xH2ZTPmK)w1P<@5Hb-8Aqi2Ua4uqkCxf}Y>J?ja?X zTuQCNHDYQ)u{~-T5XhHWHxhxuQNqk7GS9{0v+&1tq;L;h#tP}#J7!V>j+CK@2OARL}b!XWVk+1AHhD* z&^ce-Ypc(Efg__1(-kN5NDsry%Uc{q<@nlQcWpj-J5A=rUneD8S5vL(Aa?hKMA_{o zV437}=pOpxUj5n{uik!O3=jymW`fKx5|#%W=zfs=h%VnjG4(R^(_>DD=nR2~x!Q0v zLH`OzQxsH|eg77i!9VMs5hu#jl3e@*ieMM_eSb#OPLUV)Oo zf}RyC6Wy8ZoXd9R`T?9tc(dPz*48cIGf>Q zhdVuuSB_I&hE2>blM;Y~lv$r6?=~)HM{225Vl(i>c(jYl|H!L!f?-~c@n~)l^a*jE zT$xO{z%a+W2QQ5BF;(((HH?ykKwlq~4ottCV?;Zz_JS5nEyCSynmi`1)ZDM)!Db|& zhEYbmhHmpWQ_lrQ`d*{R!*8e^8_9$aCWh?YF7$Gte~!}}U$+k;))4%!Bnw#PykHJK z*1Qd0{;HG!cQohR`x~rs%O3_ds0Z+qUt+n*RozEHPN5Zt4wNH%=6M#F(1mXFD5h} z1-mVt@(265OPAc8l~InKXYAge*94uY*=_2ro)s5jjPK@N#d3-R3x^ft^lC<3t{rn1 zTEQILnX5-=ecz-xS;R8#?b6)s&2HnhMsqQ`8#n7n?rJG8AZWwSPt&mSv>!bS%?-PIpBsvOw$_*#oZyqI^c8 z9pFS;ldI}MzDEmKb5z;zZx5Bacx~EVq&ziO_&w14bk`BPJ(3PvMqd0pAD&*ibz$jI zt#07$^+ENytBgTcDY23J{Y`a9n8OFO1k*iM%He zay_#Y|F2QsC*@xE8hDtZj+XCB4j=UAyZu(9^0dks1J;a!qT$nPEqc6QUb@yOgLm#h zwzi58FmXgsxs89=GEs#!icvee0?{Df2lpTeqfvzJFWXpoI#T_+eg3?)gB-8IrATe!iE6Npi!4GVv_EHm>N%KMv=>}l_N9pbp$`L=koEg z^c@By@vd8)ot05Hp(AIluh#nvM8E`_P*i_~ZGe;p@#a)PE=`SWnx1$Ho?}^{?MG0N 
z+6H3$u9*ftlOyB${572-e5Xxx{%qEu%0r#%L{Z!0+m|%93TRfa2()c&cY3qdakoQH zP4jie`svl_nn^P45>7nxtS|D7a%tNu_;eEp3SC@!s=Ra+E#BMot;hp1#WV_gYX}D^ zbUtKzI-$Gf80{Sxou9;`U%{-G%XXR%=NnU2)4>rhj53LlkMfX|Ce+4tH4rX6xsE7} z{lQQw>=2wXjlmzeD4AlB4RoE(Sm*<|#A?)S*{e0bi1MnoyQ;Swh>kXJYtYY996C)4 zu1!Q|IaD$%5=~rSntAxGPrZcD8G1C6+CmY~3G6r-I~WrXt$LM8F=!krK(j8ziGBU-2uL~rslR}$pYl3H3Vfk zAeC#OO=J4r#m)Er;V?t9h%Cv@Y^#3LN2SD{v$vYH8`Z@2n%P7ZQ5L;YCMz}c2a@|z zt~|R>mUZ9T4-0U{mJ+EFB0cBK_S1AWq32`9!V8c&Oy}#x_0nmNs8{F}9W?7lO01|r z%BBuVes}v~tW>0(CBe+s5!W5_efed6#w@N|KUlw@1a)PM1xKv(h?#%P5UQK?yj?k zBF~bU5l)Vs;*Mt7Nd#7cQw>P3y|+J0&kF~`Hdeh}+4}y+vsb?Fnmc`*GIg zr_-h6?mC+Kc8uv_u4JU3P$1f~;WwMj_8^zjasdW1xG~0Cf&7;7(A9xAgWQyeq0n!- zuYK~DbleXvDtmR8<=7Jbu9BW@U+J4Q%xgPuE%?=LW`1Fq4WQ-l)RJq)cPQP5V+UpF z>UX{Fx$J_9(8Pu3Zed#x^XH?LQ3xM+Gwk%{u>UHkKN*8c6v)c|bFEXq$$(?8fV|)p zsw{^RjuXu^&Yk%;4q~&0N2;fw3;qhZMdSpQ8Dl<~RZ-7((hH zVA@x8ib5H`ja}=dDWqtUzCUdQ-#3U^Mk#vn6UsU=ttNQB6r-Scbt`dL9k*|IvNY!P z{?%0g?GQRz_8~=qr8h!h%!G93!VryS-0A0;0f5vPtv-YCD*Mu&{G5iDTF!*2 z?{(^R^84lZvzJIp0(N!dgXVY8=t%D{AO8b({)(WwWbkZ+Rc45 z*zb0Efq@Sgg5G7vxP|=CaCg7;vh#GXGrzn(@JP}&s{>wML{?OjZZ6MCIt{KSGrDC~ zZWFVPr^GUEoO3pN}*MMpjW=G!%h! 
zgs-+UxBWbjcDUr!5C5DQx6NzE-L&yUwe)zGlp&DeY~`$BcRr=hcs_M@zqn{;d(PMv zfB5j+K$%ByH;3*$hg+c6pgoKDlx&V`*N3t>yxdAcCKs z1ePc@pIGYPnmt6o2&)*Sp+i))GEA*le|M*wcq#~J8pNf zk>f|xrb-P;QiQG3N3}+qNf0w9+ixaG?qRx z0Diu|#SjX2pXd_T<<{R6NZ1T9^7#F}03}CX(WoQ$@mJIRsJ~NN0%cRKdqYZ3Wes+^ zC?aA2Hy&6Ylzp#?sx+CYibX$1)C&(t1I=oa921Q~VX`&4GPS#P?XMPzZ{f${Z(VOA zFJR>@6w@5qvCj;P#C>{7HMtD zG$6SINlVEtd???w=rr+IrNc-q_D9RSJChhb&Pf{S6fEU|u|qU_TOiWG2cd!Z_`S5Zv@Iyk=3qW?mxF7`79YUD-_+9PJTz-;*N(><||6w=ZdqoF60D zG!cdz+!Uh#a_!Ymq!_)7OED${8N z9EHp{76d;%tW^zCWoz=&QS>0tSc)7vF!q#XYTIT1WKzqrE_os%akOFV4M(AIs24y^ z?O66?#nMOE`Jst^<=spab!;cMmD4)73BG8|(-rji=58n3RQw8WUF)g*;D!UvWW2Rs&2(Ak zy%1W!#Ji-l-tm^o4TGG8G}44=eJ-m@&hO|C`HVJUpk<1ifi^+D6v%s~ALwt*M`4yd zZ5>^@Nbiiq^fL@1b{-*v4D*XbVL@7_AKV*tjsvEshn{6rYh_!v4zu2?*Htw6zGAG1 zJ$-)`VwTKU6pXO}XFrHak#{Z?<+Bb})p6tOa0q7nXC-cZJmVm3xodfJa1;^CA42?4 zc#8<%a>-?4rYcm!Xo-nO;+>>WIPjpntEf5E%_m@1u9=&(t7yP#KFr`RV5k>B!N%Du zyBm9+m@b!}cfsXo2?;=z#nL;iZ-eJW7R5`3$&X-6g>U`H`Tm_yUOp@y#w-ob16}YN zEZJfM76C+(Z;jY(DT}YQk?!Hb*JnOmGTJmkLjUeuRS)0W4l^q;Oq~lzC{njp=5kRM zUW0QPr$sR^g8?n)FYpa!SWeY&APi1oKl^&p_dipNA(hMEu?WLr2Mh-U+Dv>sz&CsE>vNa!gPN|P=7>?a#Iq%#n4wd!hNkvWm2hdB$dA$$AG z`88)d?!efk^oUEBaScvotYSatp|dps0WtKojpxBRkfcD+`K1D!5H+_VHRWg&iF*^9 z+q52O%;C}uFb$!sdJUCEPon_SN;C`@hmAhU@i}9R z%eVwpwaol!cato_YM$VZ)6nV7QMqjlU}c6oas`EG_*kjSF+KjL(|Q|+_4xB`9cPj^ zw|I(=rggpl@Cgh=lGg8oJ_f;57m)LoKycA98CWg;U28CwC_?S>ZY80zhNax0#UG&u z%#ul@EI$$JJ;T~otLI|{>Xy4sJ|rHShiee4t27-U1f1BZFA3CL@iKP7S?dN9+bhUL z8^RB3jbe$(l0=V1&wf5*$&AG)%2kdsFo5y;21Zwx3p*PASt!cB4&UiXLPKQrswadB zs%rINMR%9hRc)$ivOg zjWf9DfT`P8-Wp`IRA_iX2z=EqdUF-6X_4e;_ORYVLZPf^HA$sn-_eSPtzDEf{pV91 zg#VZQ+*wo0!*@)j47+~x9mfY zhC~|4ncq|4tDsDm;4HebN?K@6>#Ktf`01F;>{UG{V~{TjOu=X;B))8#sKr|XXry%M zrI!38dqK3jXZKlsitHvg4aknkN*KQe^Pd_tCe_*|4IT5@vE4A4FMfX8L=Nv;-g8sX zNc-Z!`OV7Flf_>^3c~6FKXA}S-!$Z^!8!mbv_aFD>GcW0wv20~A_1e^*T_c4Iqe-j1sb(qVzX z(gl<~HAzSluryPXNWj*1i^E=}+>HeLBWibzG?92u$zUid&ZhWglqh)l*KCy?zU4YN zlY4x*K}^%YNIb{tw=40@`vlle5Ir8L3mwa?#M<7MVWK1)I^=QvG)Ucr|qOC 
zNR`}WWl894VqqzyC=4}Wc0)0=DqkP0}?jUj&F zsWAc-UwJ3=qd&e(;h#lqVzfjn9nBsrB-i~;l*7^J5l>*zjfb>9x!f$~uYVo>i6qyC zY*rRXfe%_aTe`R%LSzQV9R0L~EK!cwUcQMn)K<)|UN>(d_`o^#LXn(YL@aniVad z05RCSqZWnVl+MOi-qdmxNmA5u1=qEKD1W_idHpo(sCG;vFKvm1K00KcP3#U2+m$ds z4xtGls$ep}mLX&Bd1dR0L*jPntWknq?t4>3G%wf*TRl5N3@<^4jg|J;6Bn-O&<9WY zSOrcUtKd_)kPEBVgZ342PTZqtO1_2+9Ay3j>r5m4Sv(myZ{DSqq>) zdM|KWxkXo6cD%j&@mptO;#_}1e49(!6`8H|wcLh_-sv9v#E}YDhRJL^Y$xK7+$IrP z5TbdsZ4srjJ-(pXGmb-@8`cxDClK<)N8idelk?F?G5qd)#N)y|Vdk4(tLw;Jl!8a( zceOftvt`_~-uljuCWSKoAIh;#&54oUa=)kF%ak@rY_Uya+T!PBXt)oNOtq0zs$Xr} zD{tK^UJYyYNK0@#VP$z3eB)^bbtU_yuDw>Fs}fKwO(7ER})LW+}(-T>d0ydadGMKBEPk`0EhFlUkIv|G^{?|vyxRGgJs z-C{A2hJ{#ROK1>Dp%s#8f<_zq$+_C$$y(DTer~4Un%KhY(pdKYULWqPc z11^vi53AJIAusu^1FA1%Nkr?XYXsv~7zb2Y&ad?W%|Rj&_r6kA7732bD6MXN0kgS& z*1f2eFyfc_;wW6qR-7A&fes~wL{2yXHr3@Ep;7pHc}C21AvoZ7ygASsNPDbav#2x- z|C(}Q{V|>@ad3wu%C$dL@MFaBW=dG!UQ!lpvF7THYfKi5nn~77;bRK*(Q_0sApIGm zou#;}1!sUV!Hr`>cVTk@nQL-3JT0Kx5j%y{MOBad0DW!$iMj6DCpET_K>$(c0<9_< z3^E;bDyapXc=)BPH~bGD2&Yhxf6@1#5A4qKMl#M;yD*6?r;94 zFrGYA$1u>xAD#!Fhmof*enr8O=5|&?pmy4h_Wbbv>RA|h-9L%G?I7i|1xp5E=K7Vv z=ctt^dpzj@-}VOxcK(?ir|PYl|I!x%Pu3F%e&zT>L?5 z@*E}_cNxqp3_nhs9qohk1YZ4Ijc)o_wOX}gYB%Qya@o~#uo1QolG>Gekd>cQutR`( zQR;?#kB)iakR?9g*&;r$+ED5yIk38!|Ie{MyfhmM`mq*V5=}+!p(0+_<%8ghQSJG9 z;J2GVzz8?i0$74F?jePb}iMS6WH}d*ZSIopB%e(`$WY5r5o};WkHpX-h%n7VB6yJrH zc^g^g+(~|HR44#U)PUtNE`#AfGWs#jCh{?^0Ck|jT+9Jz+!BrEV&M{r=3-Z_IR9$f z-~QdmftG$lHuN$KJX!&`$oT!y%dAnUM6Cq_FT+IEK6~n7PImDoe?-_?9>d5-^inDP zukGXaHnu(U?Dl;L<7k%QTav`xRf|oSmUtqsOJzsE>449J#{5h?gmEXdcbS zXQl8o7?d5U#A2n$02X8y40MixAh}frN^3ZakA^B5k+2y?eZ{FYWy^mzG!-$aH8hmg zD`)$uG~A}r5+79@RXhH=Ki4OJhrg;Gs0GcXZW&nb_2F6jU&nl@26#=SqtoJzi}y?; z|87!g+&{$LUsV*QwV9aFFk&3fxn-1~>B4sb=pTJLTCfErYW9^fju86j?Hx@zdJy6; zQkZCRWagfJ@(nktewCWwCVW1Y{id2j2fwb@ubX5nJOf#2cb%EoYSj|LlO|r`A z>J&F|+_FIjJ1vJkX@y@a;RJDqkeuol>38w!Oq$;h=E5%m>0Yxi^{kl9C0Hh~I6M|u zu4z2fx?>Fn-8jK0ico^etSj%w$O)hVbtg2)A#1S$yuLYr(kqzr3KaB>f7H8f_%f{!8QqNakn8ZlH)y5t)g?-$!#6oS#_H$v%+{{^YtIbgHO 
zIP0y_i&MHlM^Byo1!5VyV+ur{HWA2$n>PU}M;Jn$u4MF>M9IUr?>)pywv@D^bstqAZeKdtgCT} z7^B%oM@|jVYJ!m@h)i(dmcFrjgMj6lDg5rGDYdZoQRCA+SL}l8AsU_>reJ4K!yrR@ zO=weep~pzlCZ0hLjP!Hiy3J}VJVJsjut+l^;R4FTl0bzKV^gymO27p$2-fJ%Q*=(| zxXhH)E4{Zj-G9;p`<38>Y4%4Q+FOXuhn?>uRr}WCJA4ot+*@je+&bNyG8&XuWsEyF z;cQM9uW|7$S>KR(h_R%l9vD-E^)tc^4$V~z$Pl%Atm}D%+qtdASm(Ib*I>w@4xQ09 z{SZFbHN;>S%U+W)+ViWX=rxBcTXP-`X{l5pUmhRdmop+5QAAEDKTdffj}y)kQYd+> zHQf~@562H&+*7ugJW#cq7+G5$gT3ka_wc{qZtvclzj=wy($p3sDkYhhnXSe#MYy1E ziI9}DBXmz$8t%|6Y5GOj75^Rfl^4b>^sIY(3zocfi;7m~Da>wc8dVbT-Ki3m?T=cV z8Rr=Z3QHO1RSfkgj&g(m_Uu5xf=0YolR4vivZt@$=}RQbqTnKcy&*99D4b%2r~1eo zwf_Xe?GgH)>PN7g${+Xt^zFr8{=EOw|Ad`{`g`Cd#zfNq0_Nf=<0;XEBn&2eVr9Iu zB;h4f@G-b}N;zF}sV=XpKMS5-UI#*Md?BYHr*|yNsOibG9$niekn(Zp`BY z+4Ut_nZ0p(5?@5vfqIR=b1P#5zs$u$c5f`DCT+pbXr}tzG30Ksu(WDBmfF-D9w7KB< z6oDB&80L(Cr8lFggLhAYGX+OuOf<$o`^Ahgw+3gq7);;PY`-B(OyH|w_*BcQQ@((M9+ zmITdtmhlJ57Im!a0Hn&aGDR2fNYaS#h6I0!3tUt9e!#&MF5e6Wcepl^u)i{J-Hk%q z4az73>Dgok3=!2RlP-9%LIdNZwyYVYR6vmK+Ia>8pt|uu>?-F99qb?PA3CA45mJce zG$ST2Vc2!(dahI=N%JCG!)*7{BSe*RFN%`cnFRpFNG?g19U;k)64+gvF~4dsN|cF- z4?NiadH)Czm4sMH9yr@qu#8i5$F)FGceUmvV#HjvC+~`kCRAl194vvN@ue~$TUZ%@ z8l$PQHfVi9P5?6m39N{YB@n6OCBd0m8WR!YZ1N8xxQ0|R`(${Ne%bK)K(4KcXer3u zQV_Z1*}(Z6aW-F5M)NY)C@vv6=Zd(_WaU{0Dmx^8a1*=_NDLMzOf!-qJXb`ZC0+sL zE0ctf6e2*ZePS5wC(~+_l}rBAzpvq0bwiCrnrD4Y1`-pu>;&K3-Cci8)CSeoaGWs{ zBnTq(V4sS7FS&gBg=z#Z(l(a=rDjsIyoQ$B7j1ST=!c5tJgtm23j_>vOwcP zhL%4<7N{9$s*k}ha>-Al%u@*Glu<=-c1|+9zBL!Io=iU9yQ;9<-tn>$bvqh-iHG>1 zv(3!NoC{K!cq}uuY3KDkl$Oqe&FJsZmV=%}urI(4_SD<<4Szs{H#K)C&2q zzc9+5t~riuVy>e6xzXOg{AI4~L%8+V0w?79Sy;L|ekd)??R!*n_Ub4xLIw-#>62$i zOwd9PcwT1N8kGfS4WC&lh{?7CuM8bIn6mS(bd9i<8VkVI zMMsh@^ui2Xcem50IYAG$xKceBfIa6Tp|fm_mN=`5v|)5VR1*u?AxzONv2}ioT$FLP zfN5jX9eG!nL?uZ^Fe`^LGQwCjb6@jPxUt&2d{rM*B1W^L;P50by4IH^rIttDs3j2( zR1V%2XpD!ih!8Zj250kIVRC-h{KjT8;cCGE*thU?Gc_S23sZ~9l4FCTrWfOVVJS_p z8bmLtc!6l1lT_;**&3~=iQ3n@?NI7~am0bumr%z{@gbF8EP`%IZ#H$s`$2up2Vs=bt`}jA$~Eyf@Xh z&KhE%e7%wnoQnjLRT4{b1O9<4fv>1P~-D3Pnj6aF- 
zCo%pc#-GIalNf&z<4;1qi18;e{v^hq#Q2jKe-h(QV*JTgi}5G__WErA2d#3}Jvwsa z#zMMj)_|<7|JLtcl!}BTNNbf&?|m;!C^y+L{d>Jj{nJ1hcB}+DN`C!dQwBatiX1~n zzBBn$+nAQ)cW~-)&P!$s83FDMNj+7XR#*RSZ0a0SS-^^5$EL2nR=kX~Bqu zQbb1V{&&Uh8TAbJ^_$O{v7Q ztXr|)D2-yGy+jGSX1@ck5x1I?t-RMeg1)?e3sEHJSm6tn7M!w9GgE6UUyC9^#J+9P z$1zj*$5&CWX90EZp*?r5e%EL;dBd5h!Z@j`FrtGB)%*4`&xu@4U+WKVY&;-US^8IfOcA*AF6zlR6>BT9spp zu+$PJ=*mo{6ILnlg1Ev;qw$RKw5l)NHP&!;I&dNf*JSUiF%+ZCO81vhl$>@B=gk-L zs+E4l(VVKfvhft%c0hyj#P*GSX$l#4YhaZ(hF55oEJ<2sBsF0USlNCaB}HK=>4HtP zYNerdQd}=-6GZbKyjv;ES9UBW?6{6Qa6p}j?3@%CU&HBL5Jp6AFe_MLwsHJ&-e8R8 zjkYmI>zCI=+;|ReYu$S75PpfxX7>MvWW{hjWABQYQ5Ynt$^O2qnE`RVp(S+J3GToU zt)k2_A`a1|5hob1BUCad!Pby29H;7lHKZ^4m>dd7OY23#%4-EA@+;8w2Qd=C%hobr zyo<=((?Rqo4c5?zl1Mq59tD$m0ft$Ed z@~1UE^u3MMgk0yiS9-C7)(irpLXea?4%b3!T&+BMWr{uT<@j%0?D;eY^U5@*jEg-j z1T=q`7MiGU52k1k0SM>x! zi&9w21#tAu6Nn1vE$)uBfDFh1vWVq>O3)%B=uh`#eFUuSh|K3CQGaffe1-S>kGSTn*=u?G+PIkY5IdTv1pm?a4lBghNy}umebSWq|%$ z376RgS-_b!XYmmyc4twrU;LcZ*80tL>g~K_;;tDe*E!gpPhd4`KKqpJNfwJ^UweDcj)Blr@P%s zsj&Fn$)o$)oZPRZy_ifUFB%np5iTfsrw9Ygo!fvvaGblfd zrnW$IDV)e}*6jP6?_M^({uZF~}fa@vfaWgx0OkdJVcm*3Aq{btf>B z)X{anN6d3&ReA=Dryx*wcBmbR;v3FrQr?B - matches that of any node on which a pod of the set of - pods is running - properties: - labelSelector: - description: - A label query over a set of resources, - in this case pods. - properties: - matchExpressions: - description: - matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: - A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: - key is the label key that the - selector applies to. - type: string - operator: - description: - operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: - values is an array of string - values. 
If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: - matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - namespaceSelector: - description: - A label query over the set of namespaces - that the term applies to. The term is applied to the - union of the namespaces selected by this field and - the ones listed in the namespaces field. null selector - and null or empty namespaces list means "this pod's - namespace". An empty selector ({}) matches all namespaces. - This field is beta-level and is only honored when - PodAffinityNamespaceSelector feature is enabled. - properties: - matchExpressions: - description: - matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: - A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: - key is the label key that the - selector applies to. - type: string - operator: - description: - operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: - values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: - matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - namespaces: - description: - namespaces specifies a static list of namespace - names that the term applies to. The term is applied - to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. null or - empty namespaces list and null namespaceSelector means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where - co-located is defined as running on a node whose value - of the label with key topologyKey matches that of - any node on which any of the selected pods is running. - Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - type: array - type: object - podAntiAffinity: - description: - Describes pod anti-affinity scheduling rules (e.g. - avoid putting this pod in the same node, zone, etc. as some - other pod(s)). - properties: - preferredDuringSchedulingIgnoredDuringExecution: - description: - The scheduler will prefer to schedule pods to - nodes that satisfy the anti-affinity expressions specified - by this field, but it may choose a node that violates one - or more of the expressions. The node that is most preferred - is the one with the greatest sum of weights, i.e. 
for each - node that meets all of the scheduling requirements (resource - request, requiredDuringScheduling anti-affinity expressions, - etc.), compute a sum by iterating through the elements of - this field and adding "weight" to the sum if the node has - pods which matches the corresponding podAffinityTerm; the - node(s) with the highest sum are the most preferred. - items: - description: - The weights of all of the matched WeightedPodAffinityTerm - fields are added per-node to find the most preferred node(s) - properties: - podAffinityTerm: - description: - Required. A pod affinity term, associated - with the corresponding weight. - properties: - labelSelector: - description: - A label query over a set of resources, - in this case pods. - properties: - matchExpressions: - description: - matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: - A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: - key is the label key that - the selector applies to. - type: string - operator: - description: - operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: - values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: - matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". 
- The requirements are ANDed. - type: object - type: object - namespaceSelector: - description: - A label query over the set of namespaces - that the term applies to. The term is applied - to the union of the namespaces selected by this - field and the ones listed in the namespaces field. - null selector and null or empty namespaces list - means "this pod's namespace". An empty selector - ({}) matches all namespaces. This field is beta-level - and is only honored when PodAffinityNamespaceSelector - feature is enabled. - properties: - matchExpressions: - description: - matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: - A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: - key is the label key that - the selector applies to. - type: string - operator: - description: - operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: - values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: - matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - namespaces: - description: - namespaces specifies a static list - of namespace names that the term applies to. 
The - term is applied to the union of the namespaces - listed in this field and the ones selected by - namespaceSelector. null or empty namespaces list - and null namespaceSelector means "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods - matching the labelSelector in the specified namespaces, - where co-located is defined as running on a node - whose value of the label with key topologyKey - matches that of any node on which any of the selected - pods is running. Empty topologyKey is not allowed. - type: string - required: - - topologyKey - type: object - weight: - description: - weight associated with matching the corresponding - podAffinityTerm, in the range 1-100. - format: int32 - type: integer - required: - - podAffinityTerm - - weight - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - description: - If the anti-affinity requirements specified by - this field are not met at scheduling time, the pod will - not be scheduled onto the node. If the anti-affinity requirements - specified by this field cease to be met at some point during - pod execution (e.g. due to a pod label update), the system - may or may not try to eventually evict the pod from its - node. When there are multiple elements, the lists of nodes - corresponding to each podAffinityTerm are intersected, i.e. - all terms must be satisfied. - items: - description: - Defines a set of pods (namely those matching - the labelSelector relative to the given namespace(s)) - that this pod should be co-located (affinity) or not co-located - (anti-affinity) with, where co-located is defined as running - on a node whose value of the label with key - matches that of any node on which a pod of the set of - pods is running - properties: - labelSelector: - description: - A label query over a set of resources, - in this case pods. 
- properties: - matchExpressions: - description: - matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: - A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: - key is the label key that the - selector applies to. - type: string - operator: - description: - operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: - values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: - matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - namespaceSelector: - description: - A label query over the set of namespaces - that the term applies to. The term is applied to the - union of the namespaces selected by this field and - the ones listed in the namespaces field. null selector - and null or empty namespaces list means "this pod's - namespace". An empty selector ({}) matches all namespaces. - This field is beta-level and is only honored when - PodAffinityNamespaceSelector feature is enabled. - properties: - matchExpressions: - description: - matchExpressions is a list of label - selector requirements. The requirements are ANDed. 
- items: - description: - A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: - key is the label key that the - selector applies to. - type: string - operator: - description: - operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: - values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: - matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - namespaces: - description: - namespaces specifies a static list of namespace - names that the term applies to. The term is applied - to the union of the namespaces listed in this field - and the ones selected by namespaceSelector. null or - empty namespaces list and null namespaceSelector means - "this pod's namespace" - items: - type: string - type: array - topologyKey: - description: - This pod should be co-located (affinity) - or not co-located (anti-affinity) with the pods matching - the labelSelector in the specified namespaces, where - co-located is defined as running on a node whose value - of the label with key topologyKey matches that of - any node on which any of the selected pods is running. - Empty topologyKey is not allowed. 
- type: string - required: - - topologyKey - type: object - type: array - type: object - type: object - builtInAdapter: - description: Provide the details about built-in runtime adapter - properties: - memBufferBytes: - description: - Fixed memory overhead to subtract from runtime container's - memory allocation to determine model capacity - type: integer - modelLoadingTimeoutMillis: - description: Timeout for model loading operations in milliseconds - type: integer - runtimeManagementPort: - description: - Port which the runtime server listens for model management - requests - type: integer - serverType: - description: - ServerType can be one of triton/mlserver and the - runtime's container must have the same name - enum: - - triton - - mlserver - type: string - type: object - containers: - description: - List of containers belonging to the pod. Containers cannot - currently be added or removed. There must be at least one container - in a Pod. Cannot be updated. - items: - properties: - args: - items: - type: string - type: array - command: - items: - type: string - type: array - env: - items: - description: - EnvVar represents an environment variable present - in a Container. - properties: - name: - description: - Name of the environment variable. Must be - a C_IDENTIFIER. - type: string - value: - description: - 'Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in - the container and any service environment variables. - If a variable cannot be resolved, the reference in the - input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) - syntax: i.e. "$$(VAR_NAME)" will produce the string - literal "$(VAR_NAME)". Escaped references will never - be expanded, regardless of whether the variable exists - or not. Defaults to "".' - type: string - valueFrom: - description: - Source for the environment variable's value. - Cannot be used if value is not empty. 
- properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - description: - "Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?" - type: string - optional: - description: - Specify whether the ConfigMap or - its key must be defined - type: boolean - required: - - key - type: object - fieldRef: - description: - "Selects a field of the pod: supports - metadata.name, metadata.namespace, `metadata.labels['']`, - `metadata.annotations['']`, spec.nodeName, - spec.serviceAccountName, status.hostIP, status.podIP, - status.podIPs." - properties: - apiVersion: - description: - Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: - Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - resourceFieldRef: - description: - "Selects a resource of the container: - only resources limits and requests (limits.cpu, - limits.memory, limits.ephemeral-storage, requests.cpu, - requests.memory and requests.ephemeral-storage) - are currently supported." - properties: - containerName: - description: - "Container name: required for volumes, - optional for env vars" - type: string - divisor: - anyOf: - - type: integer - - type: string - description: - Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: "Required: resource to select" - type: string - required: - - resource - type: object - secretKeyRef: - description: - Selects a key of a secret in the pod's - namespace - properties: - key: - description: - The key of the secret to select from. 
Must - be a valid secret key. - type: string - name: - description: - "Name of the referent. More info: - https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?" - type: string - optional: - description: - Specify whether the Secret or its - key must be defined - type: boolean - required: - - key - type: object - type: object - required: - - name - type: object - type: array - image: - type: string - imagePullPolicy: - description: - PullPolicy describes a policy for if/when to pull - a container image - type: string - livenessProbe: - description: - "Periodic probe of container liveness. Container - will be restarted if the probe fails. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes" - properties: - exec: - description: - One and only one of the following should be - specified. Exec specifies the action to take. - properties: - command: - description: - Command is the command line to execute - inside the container, the working directory for the - command is root ('/') in the container's filesystem. - The command is simply exec'd, it is not run inside - a shell, so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is treated - as live/healthy and non-zero is unhealthy. - items: - type: string - type: array - type: object - failureThreshold: - description: - Minimum consecutive failures for the probe - to be considered failed after having succeeded. Defaults - to 3. Minimum value is 1. - format: int32 - type: integer - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: - Host name to connect to, defaults to the - pod IP. You probably want to set "Host" in httpHeaders - instead. - type: string - httpHeaders: - description: - Custom headers to set in the request. HTTP - allows repeated headers. 
- items: - description: - HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: - Name or number of the port to access on - the container. Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: - "Number of seconds after the container has - started before liveness probes are initiated. More info: - https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes" - format: int32 - type: integer - periodSeconds: - description: - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: - Minimum consecutive successes for the probe - to be considered successful after having failed. Defaults - to 1. Must be 1 for liveness and startup. Minimum value - is 1. - format: int32 - type: integer - tcpSocket: - description: - "TCPSocket specifies an action involving a - TCP port. TCP hooks not yet supported TODO: implement - a realistic TCP lifecycle hook" - properties: - host: - description: - "Optional: Host name to connect to, defaults - to the pod IP." - type: string - port: - anyOf: - - type: integer - - type: string - description: - Number or name of the port to access on - the container. Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. 
- x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: - Optional duration in seconds the pod needs - to terminate gracefully upon probe failure. The grace - period is the duration in seconds after the processes - running in the pod are sent a termination signal and the - time when the processes are forcibly halted with a kill - signal. Set this value longer than the expected cleanup - time for your process. If this value is nil, the pod's - terminationGracePeriodSeconds will be used. Otherwise, - this value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates - stop immediately via the kill signal (no opportunity to - shut down). This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. Minimum value - is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: - "Number of seconds after which the probe times - out. Defaults to 1 second. Minimum value is 1. More info: - https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes" - format: int32 - type: integer - type: object - name: - type: string - readinessProbe: - description: - Probe describes a health check to be performed - against a container to determine whether it is alive or ready - to receive traffic. - properties: - exec: - description: - One and only one of the following should be - specified. Exec specifies the action to take. - properties: - command: - description: - Command is the command line to execute - inside the container, the working directory for the - command is root ('/') in the container's filesystem. - The command is simply exec'd, it is not run inside - a shell, so traditional shell instructions ('|', etc) - won't work. To use a shell, you need to explicitly - call out to that shell. Exit status of 0 is treated - as live/healthy and non-zero is unhealthy. 
- items: - type: string - type: array - type: object - failureThreshold: - description: - Minimum consecutive failures for the probe - to be considered failed after having succeeded. Defaults - to 3. Minimum value is 1. - format: int32 - type: integer - httpGet: - description: HTTPGet specifies the http request to perform. - properties: - host: - description: - Host name to connect to, defaults to the - pod IP. You probably want to set "Host" in httpHeaders - instead. - type: string - httpHeaders: - description: - Custom headers to set in the request. HTTP - allows repeated headers. - items: - description: - HTTPHeader describes a custom header - to be used in HTTP probes - properties: - name: - description: The header field name - type: string - value: - description: The header field value - type: string - required: - - name - - value - type: object - type: array - path: - description: Path to access on the HTTP server. - type: string - port: - anyOf: - - type: integer - - type: string - description: - Name or number of the port to access on - the container. Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - scheme: - description: - Scheme to use for connecting to the host. - Defaults to HTTP. - type: string - required: - - port - type: object - initialDelaySeconds: - description: - "Number of seconds after the container has - started before liveness probes are initiated. More info: - https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes" - format: int32 - type: integer - periodSeconds: - description: - How often (in seconds) to perform the probe. - Default to 10 seconds. Minimum value is 1. - format: int32 - type: integer - successThreshold: - description: - Minimum consecutive successes for the probe - to be considered successful after having failed. Defaults - to 1. Must be 1 for liveness and startup. Minimum value - is 1. 
- format: int32 - type: integer - tcpSocket: - description: - "TCPSocket specifies an action involving a - TCP port. TCP hooks not yet supported TODO: implement - a realistic TCP lifecycle hook" - properties: - host: - description: - "Optional: Host name to connect to, defaults - to the pod IP." - type: string - port: - anyOf: - - type: integer - - type: string - description: - Number or name of the port to access on - the container. Number must be in the range 1 to 65535. - Name must be an IANA_SVC_NAME. - x-kubernetes-int-or-string: true - required: - - port - type: object - terminationGracePeriodSeconds: - description: - Optional duration in seconds the pod needs - to terminate gracefully upon probe failure. The grace - period is the duration in seconds after the processes - running in the pod are sent a termination signal and the - time when the processes are forcibly halted with a kill - signal. Set this value longer than the expected cleanup - time for your process. If this value is nil, the pod's - terminationGracePeriodSeconds will be used. Otherwise, - this value overrides the value provided by the pod spec. - Value must be non-negative integer. The value zero indicates - stop immediately via the kill signal (no opportunity to - shut down). This is a beta field and requires enabling - ProbeTerminationGracePeriod feature gate. Minimum value - is 1. spec.terminationGracePeriodSeconds is used if unset. - format: int64 - type: integer - timeoutSeconds: - description: - "Number of seconds after which the probe times - out. Defaults to 1 second. Minimum value is 1. More info: - https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes" - format: int32 - type: integer - type: object - resources: - description: - ResourceRequirements describes the compute resource - requirements. 
- properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: - "Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: - "Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. More info: - https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/" - type: object - type: object - workingDir: - type: string - type: object - type: array - disabled: - description: Set to true to disable use of this runtime - type: boolean - grpcDataEndpoint: - description: Grpc endpoint for inferencing - type: string - grpcEndpoint: - description: - Grpc endpoint for internal model-management (implementing - mmesh.ModelRuntime gRPC service) Assumed to be single-model runtime - if omitted - type: string - multiModel: - description: - Whether this ServingRuntime is intended for multi-model - usage or not. - type: boolean - nodeSelector: - additionalProperties: - type: string - description: - "NodeSelector is a selector which must be true for the - pod to fit on a node. Selector which must match a node's labels - for the pod to be scheduled on that node. 
More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/" - type: object - replicas: - description: - Configure the number of replicas in the Deployment generated - by this ServingRuntime If specified, this overrides the podsPerRuntime - configuration value - type: integer - storageHelper: - description: - Configuration for this runtime's use of the storage helper - (model puller) It is enabled unless explicitly disabled - properties: - disabled: - type: boolean - type: object - supportedModelFormats: - description: Model formats and version supported by this runtime - items: - properties: - autoSelect: - description: - Set to true to allow the ServingRuntime to be used - for automatic model placement if this model format is specified - with no explicit runtime. - type: boolean - name: - description: Name of the model format. - type: string - version: - description: - Version of the model format. Used in validating - that a predictor is supported by a runtime. Can be "major", - "major.minor" or "major.minor.patch". - type: string - required: - - name - type: object - type: array - tolerations: - description: If specified, the pod's tolerations. - items: - description: - The pod this Toleration is attached to tolerates any - taint that matches the triple using the matching - operator . - properties: - effect: - description: - Effect indicates the taint effect to match. Empty - means match all taint effects. When specified, allowed values - are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: - Key is the taint key that the toleration applies - to. Empty means match all taint keys. If the key is empty, - operator must be Exists; this combination means to match all - values and all keys. - type: string - operator: - description: - Operator represents a key's relationship to the - value. Valid operators are Exists and Equal. Defaults to Equal. 
- Exists is equivalent to wildcard for value, so that a pod - can tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: - TolerationSeconds represents the period of time - the toleration (which must be of effect NoExecute, otherwise - this field is ignored) tolerates the taint. By default, it - is not set, which means tolerate the taint forever (do not - evict). Zero and negative values will be treated as 0 (evict - immediately) by the system. - format: int64 - type: integer - value: - description: - Value is the taint value the toleration matches - to. If the operator is Exists, the value should be empty, - otherwise just a regular string. - type: string - type: object - type: array - required: - - containers - type: object - status: - description: ServingRuntimeStatus defines the observed state of ServingRuntime - type: object - type: object - served: true - storage: true - subresources: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/kserve/helm/kserve/crds/serving.kserve.io_servingruntimes.yaml b/kserve/helm/kserve/crds/serving.kserve.io_servingruntimes.yaml new file mode 100644 index 000000000..41e71bd24 --- /dev/null +++ b/kserve/helm/kserve/crds/serving.kserve.io_servingruntimes.yaml 
@@ -0,0 +1,1880 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.0 + name: servingruntimes.serving.kserve.io +spec: + group: serving.kserve.io + names: + kind: ServingRuntime + listKind: ServingRuntimeList + plural: servingruntimes + singular: servingruntime + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.disabled + name: Disabled + type: boolean + - jsonPath: .spec.supportedModelFormats[*].name + name: ModelType + type: string + - jsonPath: .spec.containers[*].name + name: Containers + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + affinity: + properties: + nodeAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + preference: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + properties: + nodeSelectorTerms: + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + 
type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + 
additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + properties: + preferredDuringSchedulingIgnoredDuringExecution: + items: + properties: + podAffinityTerm: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + weight: + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + items: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + 
matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + topologyKey: + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + annotations: + additionalProperties: + type: string + type: object + builtInAdapter: + properties: + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + memBufferBytes: + type: integer + modelLoadingTimeoutMillis: + type: integer + runtimeManagementPort: + type: integer + serverType: + type: string + type: object + containers: + items: + properties: + args: + items: + type: string + type: array + command: + items: + type: string + type: array + env: + items: + properties: + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: 
atomic + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + secretKeyRef: + properties: + key: + type: string + name: + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + required: + - name + type: object + type: array + envFrom: + items: + properties: + configMapRef: + properties: + name: + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + prefix: + type: string + secretRef: + properties: + name: + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + type: object + type: array + image: + type: string + imagePullPolicy: + type: string + lifecycle: + properties: + postStart: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + preStop: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + httpGet: + 
properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: object + type: object + livenessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + name: + type: string + ports: + items: + properties: + containerPort: + format: int32 + type: integer + hostIP: + type: string + hostPort: + format: int32 + type: integer + name: + type: string + protocol: + default: TCP + type: string + required: + - containerPort + type: object + type: array + x-kubernetes-list-map-keys: + 
- containerPort + - protocol + x-kubernetes-list-type: map + readinessProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + resources: + properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + securityContext: + properties: + allowPrivilegeEscalation: + type: boolean + capabilities: + 
properties: + add: + items: + type: string + type: array + drop: + items: + type: string + type: array + type: object + privileged: + type: boolean + procMount: + type: string + readOnlyRootFilesystem: + type: boolean + runAsGroup: + format: int64 + type: integer + runAsNonRoot: + type: boolean + runAsUser: + format: int64 + type: integer + seLinuxOptions: + properties: + level: + type: string + role: + type: string + type: + type: string + user: + type: string + type: object + seccompProfile: + properties: + localhostProfile: + type: string + type: + type: string + required: + - type + type: object + windowsOptions: + properties: + gmsaCredentialSpec: + type: string + gmsaCredentialSpecName: + type: string + hostProcess: + type: boolean + runAsUserName: + type: string + type: object + type: object + startupProbe: + properties: + exec: + properties: + command: + items: + type: string + type: array + type: object + failureThreshold: + format: int32 + type: integer + grpc: + properties: + port: + format: int32 + type: integer + service: + type: string + required: + - port + type: object + httpGet: + properties: + host: + type: string + httpHeaders: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + path: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + scheme: + type: string + required: + - port + type: object + initialDelaySeconds: + format: int32 + type: integer + periodSeconds: + format: int32 + type: integer + successThreshold: + format: int32 + type: integer + tcpSocket: + properties: + host: + type: string + port: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + terminationGracePeriodSeconds: + format: int64 + type: integer + timeoutSeconds: + format: int32 + type: integer + type: object + stdin: + type: boolean + stdinOnce: + type: boolean + 
terminationMessagePath: + type: string + terminationMessagePolicy: + type: string + tty: + type: boolean + volumeDevices: + items: + properties: + devicePath: + type: string + name: + type: string + required: + - devicePath + - name + type: object + type: array + volumeMounts: + items: + properties: + mountPath: + type: string + mountPropagation: + type: string + name: + type: string + readOnly: + type: boolean + subPath: + type: string + subPathExpr: + type: string + required: + - mountPath + - name + type: object + type: array + workingDir: + type: string + required: + - name + type: object + type: array + disabled: + type: boolean + grpcDataEndpoint: + type: string + grpcEndpoint: + type: string + httpDataEndpoint: + type: string + imagePullSecrets: + items: + properties: + name: + type: string + type: object + x-kubernetes-map-type: atomic + type: array + labels: + additionalProperties: + type: string + type: object + multiModel: + type: boolean + nodeSelector: + additionalProperties: + type: string + type: object + protocolVersions: + items: + type: string + type: array + replicas: + type: integer + storageHelper: + properties: + disabled: + type: boolean + type: object + supportedModelFormats: + items: + properties: + autoSelect: + type: boolean + name: + type: string + priority: + format: int32 + minimum: 1 + type: integer + version: + type: string + required: + - name + type: object + type: array + tolerations: + items: + properties: + effect: + type: string + key: + type: string + operator: + type: string + tolerationSeconds: + format: int64 + type: integer + value: + type: string + type: object + type: array + volumes: + items: + properties: + awsElasticBlockStore: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + azureDisk: + properties: + cachingMode: + type: string + diskName: + type: string + diskURI: + type: string + 
fsType: + type: string + kind: + type: string + readOnly: + type: boolean + required: + - diskName + - diskURI + type: object + azureFile: + properties: + readOnly: + type: boolean + secretName: + type: string + shareName: + type: string + required: + - secretName + - shareName + type: object + cephfs: + properties: + monitors: + items: + type: string + type: array + path: + type: string + readOnly: + type: boolean + secretFile: + type: string + secretRef: + properties: + name: + type: string + type: object + x-kubernetes-map-type: atomic + user: + type: string + required: + - monitors + type: object + cinder: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + x-kubernetes-map-type: atomic + volumeID: + type: string + required: + - volumeID + type: object + configMap: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + name: + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + csi: + properties: + driver: + type: string + fsType: + type: string + nodePublishSecretRef: + properties: + name: + type: string + type: object + x-kubernetes-map-type: atomic + readOnly: + type: boolean + volumeAttributes: + additionalProperties: + type: string + type: object + required: + - driver + type: object + downwardAPI: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: 
^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + emptyDir: + properties: + medium: + type: string + sizeLimit: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + ephemeral: + properties: + volumeClaimTemplate: + properties: + metadata: + type: object + spec: + properties: + accessModes: + items: + type: string + type: array + dataSource: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + dataSourceRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + required: + - kind + - name + type: object + resources: + properties: + claims: + items: + properties: + name: + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + selector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + 
type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + storageClassName: + type: string + volumeMode: + type: string + volumeName: + type: string + type: object + required: + - spec + type: object + type: object + fc: + properties: + fsType: + type: string + lun: + format: int32 + type: integer + readOnly: + type: boolean + targetWWNs: + items: + type: string + type: array + wwids: + items: + type: string + type: array + type: object + flexVolume: + properties: + driver: + type: string + fsType: + type: string + options: + additionalProperties: + type: string + type: object + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + x-kubernetes-map-type: atomic + required: + - driver + type: object + flocker: + properties: + datasetName: + type: string + datasetUUID: + type: string + type: object + gcePersistentDisk: + properties: + fsType: + type: string + partition: + format: int32 + type: integer + pdName: + type: string + readOnly: + type: boolean + required: + - pdName + type: object + gitRepo: + properties: + directory: + type: string + repository: + type: string + revision: + type: string + required: + - repository + type: object + glusterfs: + properties: + endpoints: + type: string + path: + type: string + readOnly: + type: boolean + required: + - endpoints + - path + type: object + hostPath: + properties: + path: + type: string + type: + type: string + required: + - path + type: object + iscsi: + properties: + chapAuthDiscovery: + type: boolean + chapAuthSession: + type: boolean + fsType: + type: string + initiatorName: + type: string + iqn: + type: string + iscsiInterface: + type: string + lun: + format: int32 + type: integer + portals: + items: + type: string + type: array + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + 
x-kubernetes-map-type: atomic + targetPortal: + type: string + required: + - iqn + - lun + - targetPortal + type: object + name: + type: string + nfs: + properties: + path: + type: string + readOnly: + type: boolean + server: + type: string + required: + - path + - server + type: object + persistentVolumeClaim: + properties: + claimName: + type: string + readOnly: + type: boolean + required: + - claimName + type: object + photonPersistentDisk: + properties: + fsType: + type: string + pdID: + type: string + required: + - pdID + type: object + portworxVolume: + properties: + fsType: + type: string + readOnly: + type: boolean + volumeID: + type: string + required: + - volumeID + type: object + projected: + properties: + defaultMode: + format: int32 + type: integer + sources: + items: + properties: + configMap: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + name: + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + downwardAPI: + properties: + items: + items: + properties: + fieldRef: + properties: + apiVersion: + type: string + fieldPath: + type: string + required: + - fieldPath + type: object + x-kubernetes-map-type: atomic + mode: + format: int32 + type: integer + path: + type: string + resourceFieldRef: + properties: + containerName: + type: string + divisor: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + resource: + type: string + required: + - resource + type: object + x-kubernetes-map-type: atomic + required: + - path + type: object + type: array + type: object + secret: + properties: + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - 
path + type: object + type: array + name: + type: string + optional: + type: boolean + type: object + x-kubernetes-map-type: atomic + serviceAccountToken: + properties: + audience: + type: string + expirationSeconds: + format: int64 + type: integer + path: + type: string + required: + - path + type: object + type: object + type: array + type: object + quobyte: + properties: + group: + type: string + readOnly: + type: boolean + registry: + type: string + tenant: + type: string + user: + type: string + volume: + type: string + required: + - registry + - volume + type: object + rbd: + properties: + fsType: + type: string + image: + type: string + keyring: + type: string + monitors: + items: + type: string + type: array + pool: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + x-kubernetes-map-type: atomic + user: + type: string + required: + - image + - monitors + type: object + scaleIO: + properties: + fsType: + type: string + gateway: + type: string + protectionDomain: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + x-kubernetes-map-type: atomic + sslEnabled: + type: boolean + storageMode: + type: string + storagePool: + type: string + system: + type: string + volumeName: + type: string + required: + - gateway + - secretRef + - system + type: object + secret: + properties: + defaultMode: + format: int32 + type: integer + items: + items: + properties: + key: + type: string + mode: + format: int32 + type: integer + path: + type: string + required: + - key + - path + type: object + type: array + optional: + type: boolean + secretName: + type: string + type: object + storageos: + properties: + fsType: + type: string + readOnly: + type: boolean + secretRef: + properties: + name: + type: string + type: object + x-kubernetes-map-type: atomic + volumeName: + type: string + volumeNamespace: + type: string + type: object + vsphereVolume: + properties: + 
fsType: + type: string + storagePolicyID: + type: string + storagePolicyName: + type: string + volumePath: + type: string + required: + - volumePath + type: object + required: + - name + type: object + type: array + required: + - containers + type: object + status: + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/kserve/helm/kserve/crds/serving.kserve.io_trainedmodels.yaml b/kserve/helm/kserve/crds/serving.kserve.io_trainedmodels.yaml index 9d88ba3eb..7c60f17b6 100644 --- a/kserve/helm/kserve/crds/serving.kserve.io_trainedmodels.yaml +++ b/kserve/helm/kserve/crds/serving.kserve.io_trainedmodels.yaml @@ -1,11 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.4.0 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.12.0 name: trainedmodels.serving.kserve.io spec: group: serving.kserve.io @@ -67,6 +65,10 @@ spec: properties: address: properties: + CACerts: + type: string + name: + type: string url: type: string type: object @@ -105,9 +107,3 @@ spec: storage: true subresources: status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] diff --git a/kserve/helm/kserve/templates/_helpers.tpl b/kserve/helm/kserve/templates/_helpers.tpl index 7381ebc21..4d15d4046 100644 --- a/kserve/helm/kserve/templates/_helpers.tpl +++ b/kserve/helm/kserve/templates/_helpers.tpl @@ -1,7 +1,7 @@ {{/* Expand the name of the chart. */}} -{{- define "kserve.name" -}} +{{- define "kserve-plural.name" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} {{- end }} 
@@ -10,7 +10,7 @@ Create a default fully qualified app name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). If release name contains chart name it will be used as a full name. */}} -{{- define "kserve.fullname" -}} +{{- define "kserve-plural.fullname" -}} {{- if .Values.fullnameOverride }} {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} {{- else }} @@ -26,16 +26,16 @@ If release name contains chart name it will be used as a full name. {{/* Create chart name and version as used by the chart label. */}} -{{- define "kserve.chart" -}} +{{- define "kserve-plural.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} {{- end }} {{/* Common labels */}} -{{- define "kserve.labels" -}} -helm.sh/chart: {{ include "kserve.chart" . }} -{{ include "kserve.selectorLabels" . }} +{{- define "kserve-plural.labels" -}} +helm.sh/chart: {{ include "kserve-plural.chart" . }} +{{ include "kserve-plural.selectorLabels" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} @@ -45,17 +45,17 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} {{/* Selector labels */}} -{{- define "kserve.selectorLabels" -}} -app.kubernetes.io/name: {{ include "kserve.name" . }} +{{- define "kserve-plural.selectorLabels" -}} +app.kubernetes.io/name: {{ include "kserve-plural.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} {{/* Create the name of the service account to use */}} -{{- define "kserve.serviceAccountName" -}} +{{- define "kserve-plural.serviceAccountName" -}} {{- if .Values.serviceAccount.create }} -{{- default (include "kserve.fullname" .) .Values.serviceAccount.name }} +{{- default (include "kserve-plural.fullname" .) .Values.serviceAccount.name }} {{- else }} {{- default "default" .Values.serviceAccount.name }} {{- end }} 
diff --git a/kserve/helm/kserve/values.yaml.tpl b/kserve/helm/kserve/values.yaml.tpl index 1fd08b6b8..c5bbe456f 100644 --- a/kserve/helm/kserve/values.yaml.tpl +++ b/kserve/helm/kserve/values.yaml.tpl @@ -10,11 +10,15 @@ kserve: {{- end }} localGateway: gateway: {{ $knativeNamespace }}/knative-local-gateway + {{- if .Configuration.kubeflow }} + gatewayService: knative-local-gateway.{{ $kubeflowNamespace }}.svc.cluster.local + {{- else }} gatewayService: knative-local-gateway.{{ $istioNamespace }}.svc.cluster.local + {{- end }} {{- if .Configuration.kubeflow }} ingressGateway: gateway: {{ $kubeflowNamespace }}/kubeflow-gateway - gatewayService: istio-ingressgateway.{{ $istioNamespace }}.svc.cluster.local + gatewayService: kubeflow-gateway.{{ $kubeflowNamespace }}.svc.cluster.local {{- else }} ingressGateway: gateway: {{ $knativeNamespace }}/knative-ingress-gateway diff --git a/kubeflow/helm/central-dashboard/templates/configmap.yaml b/kubeflow/helm/central-dashboard/templates/configmap.yaml index ba388d7c3..4cab46ae9 100644 --- a/kubeflow/helm/central-dashboard/templates/configmap.yaml +++ b/kubeflow/helm/central-dashboard/templates/configmap.yaml @@ -30,7 +30,7 @@ data: }, { "type": "item", - "link": "/models/", + "link": "/kserve-endpoints/", "text": "Endpoints", "icon": "kubeflow:models" {{ end }} diff --git a/kubeflow/helm/serving/Chart.yaml b/kubeflow/helm/serving/Chart.yaml index 05532bfa5..165abf3b9 100644 --- a/kubeflow/helm/serving/Chart.yaml +++ b/kubeflow/helm/serving/Chart.yaml @@ -3,4 +3,4 @@ name: serving description: A Helm chart for Kubernetes type: application version: 0.1.28 -appVersion: "v0.8.0" +appVersion: v0.10.0 diff --git a/kubeflow/helm/serving/templates/web-app/configmap.yaml b/kubeflow/helm/serving/templates/web-app/configmap.yaml index 3b9c09566..e229c7f2c 100644 --- a/kubeflow/helm/serving/templates/web-app/configmap.yaml +++ b/kubeflow/helm/serving/templates/web-app/configmap.yaml 
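Review bot: In the kubeflow branch of `localGateway`, `gateway: {{ $knativeNamespace }}/knative-local-gateway` is now paired with `gatewayService: knative-local-gateway.{{ $kubeflowNamespace }}.svc.cluster.local`, so the Gateway resource and the Service named for it sit in different namespaces, and nothing in the hunk says this is intended. A one-line comment above the added `{{- if .Configuration.kubeflow }}` would record the reason, for example `# with kubeflow enabled the local gateway Service is deployed in the kubeflow namespace`, if that is indeed the case. The new `gatewayService: kubeflow-gateway.{{ $kubeflowNamespace }}.svc.cluster.local` likewise assumes a Service of that name exists, which this hunk does not show. Because the local gateway is the cluster-internal path, it is worth confirming that the Service it now resolves to is not the externally exposed one. The `kserve:` mapping starts and continues outside the hunk.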
@@ -1,6 +1,7 @@ apiVersion: v1 data: USERID_HEADER: {{ .Values.global.userIDHeader }} + APP_PREFIX: {{ .Values.webApp.virtualService.prefix }} kind: ConfigMap metadata: labels: {{- include "serving.labels" . | nindent 4 }} diff --git a/kubeflow/helm/serving/values.yaml b/kubeflow/helm/serving/values.yaml index 273ec0bed..f928ba0be 100644 --- a/kubeflow/helm/serving/values.yaml +++ b/kubeflow/helm/serving/values.yaml @@ -30,10 +30,10 @@ serviceAccount: webApp: replicaCount: 1 image: - repository: davidspek/models-web-app + repository: kserve/models-web-app pullPolicy: IfNotPresent # Overrides the image tag whose default is the chart appVersion. - tag: v0.8.0 + tag: v0.10.0 podAnnotations: sidecar.istio.io/inject: "true" @@ -55,7 +55,7 @@ webApp: virtualService: annotations: {} - prefix: /models + prefix: /kserve-endpoints gateways: - kubeflow-gateway # hosts to add additional to the value of global.domain From bba1eb6cceb37e24ddaca6fe98c17496faf388ca Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Tue, 2 Jan 2024 12:34:00 +0100 Subject: [PATCH 29/32] init working knative 
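Review bot: The new `APP_PREFIX` entry in `serving/templates/web-app/configmap.yaml` renders its value unquoted. An empty or unset `webApp.virtualService.prefix` therefore renders as a null, and a value that YAML reads as a number or boolean renders as a non-string; a ConfigMap's `data` accepts only strings. Quote it at render time: `APP_PREFIX: {{ .Values.webApp.virtualService.prefix | quote }}`. The `USERID_HEADER` context line above it has the same form and could be quoted in the same pass.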
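Review bot: In `kubeflow/helm/serving/values.yaml` the web-app image is still selected by a mutable tag (`tag: v0.10.0`) together with `pullPolicy: IfNotPresent`, so what runs depends on whatever the tag pointed to when each node first pulled it. Moving from a personal repository to `kserve/models-web-app` helps provenance; pinning the reviewed image by digest would complete it, e.g. `tag: v0.10.0@sha256:<digest of the reviewed image>`, provided the deployment template renders `repository:tag` (the template is not part of this hunk, so that needs checking). The repository value also carries no registry host, so resolution falls to the container runtime's default registry; writing the host explicitly removes that dependency.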
Signed-off-by: David van der Spek --- knative/helm/knative-serving/Chart.lock | 6 ++-- knative/helm/knative-serving/Chart.yaml | 2 +- .../charts/knative-serving-0.1.12.tgz | Bin 67405 -> 0 bytes .../charts/knative-serving-0.1.17.tgz | Bin 0 -> 67443 bytes knative/helm/knative-serving/values.yaml | 22 ++++++++++++-- kserve/helm/kserve/values.yaml | 6 +++- .../envoy-filter-ingressgateway-settings.yaml | 28 ------------------ .../envoy-filter-proxy-protocol.yaml | 24 --------------- .../templates/oauth2-envoy-filter.yaml | 8 +++-- kubeflow/helm/gateway/values.yaml | 2 ++ kubeflow/helm/gateway/values.yaml.tpl | 2 -- 11 files changed, 37 insertions(+), 63 deletions(-) delete mode 100644 knative/helm/knative-serving/charts/knative-serving-0.1.12.tgz create mode 100644 knative/helm/knative-serving/charts/knative-serving-0.1.17.tgz delete mode 100644 kubeflow/helm/gateway/templates/envoy-filter-ingressgateway-settings.yaml delete mode 100644 kubeflow/helm/gateway/templates/envoy-filter-proxy-protocol.yaml diff --git a/knative/helm/knative-serving/Chart.lock b/knative/helm/knative-serving/Chart.lock index 1fd494dbe..641c4fbc9 100644 --- a/knative/helm/knative-serving/Chart.lock +++ b/knative/helm/knative-serving/Chart.lock @@ -1,6 +1,6 @@ dependencies: - name: knative-serving repository: oci://ghcr.io/davidspek/charts - version: 0.1.12 -digest: sha256:f2da0576ad6b394e030b8ea87de7a269abdf63db395460998a4110aaa2a39366 -generated: "2023-12-19T16:37:22.233074+01:00" + version: 0.1.17 +digest: sha256:7305a706142cd119f96f3a77ea47d426712c97a579172498ff672447a16d07f0 +generated: "2023-12-20T17:18:44.037453+01:00" diff --git a/knative/helm/knative-serving/Chart.yaml b/knative/helm/knative-serving/Chart.yaml index ff9c45a46..fcec908bb 100644 --- a/knative/helm/knative-serving/Chart.yaml +++ b/knative/helm/knative-serving/Chart.yaml @@ -7,4 +7,4 @@ appVersion: "1.12.2" dependencies: - name: knative-serving repository: oci://ghcr.io/davidspek/charts - version: 0.1.12 + version: 0.1.17 
diff --git a/knative/helm/knative-serving/charts/knative-serving-0.1.12.tgz b/knative/helm/knative-serving/charts/knative-serving-0.1.12.tgz deleted file mode 100644 index 08aae4304879d0cb26729ef1af14ebaa105e1b61..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 67405 zcmV)hK%>7OiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0POwQdLucqAPCoO>nZRv>UXf zr|YW(-9Zv5C*TFZB{3soZs&d;ah_y87#4>w+_W$hnZ!kAh>pczunh)-;hJGZZ%8DG zxS?#cb27$4wWoNJ{^`+5r_<>i?Crt-JDpDT|DA)~-9L5r_V+rwyL-L;gFkh;d%NBJ zKcUX!fiSz|Qep9@&V$FQPVO5iIHNxjAt`5lbkp0yS?2%jw!6J{Zz~}gVF_U|C9=O2 zp_sFTDyYGTil|hSw+X|8lq6dSF+3r`mo0<@$+)D7i)kP6nD%#eM&nqtDc?!(4NYW5 zu6JThc5(}$8#j8V-EAM%hl`0&6U^|4h{i#K?++S!Zz~}(7Bn+MAEO^gIzdnu4Y@#n z&j&;>qKMoYb3OQ2sZ92Fb}U1+6LPbY@L29_8Q?06wxy;S=_8zFDUGonWUDlOx3{&H z^>60?l*iYPH^w6V-#h5k_`lQL@c%kWmAfCCeV>Fg>4-?xM{2V+ z2&_obN3C9`w;OePQTNSNcfY@T*zfMQ4-Sud-Glx8-T&2E4^ytORQdk~r#X?2YXHpU z|L(!w;eNNu|N94r8~$HM8Kr!H)BYCHigrjx`dgRr)llSYp?lF(p)Mc+=#LH zQ!7uLZf*T5CpkG6{BEjo3IiJChN5p|WS-+fK~jPxktHj_v1U9;cA!(}Md1;EqyJqI zh{^uJo8fK;50c$(JRsf9{s8ax2K(I}-tBdh|d~|fUJ52VIZj$UB zb#SjY=p79@2i?Pi&QWjwptBeE-s~Rj_Mp!!Pt$Xr(srUJ0kvnC&#A(WJ z&jr1qDH)Md8RHZiD{_caX;v@BnW0@!y9i1mc;@~cq2qV&EXr~6k)_iM&eeA`C2}ei zne>qomJmeFj^zi=bcNt&N#dAKvU9ONKa40VRS+o{QK4lhO%Q z954z**_;_0t9f->Aa^F#((8RRvPSfI+I$9_Y|<23{2Hn5UfZ5^@OtH8%$Ge z*!R&<=ihX7oGY%eNSR$UYxtMjT@Wy(Wgm6TPx!9*sn@YoCq_h_oPYYHXi9&DWjQAz zCQNA>N8L`xiYrs|JpewV@=-?v2P7Vo<2dFyQ%-zdW+bLVN+h}+6E!9RVOJAjQx(ZE z&(j1Ah($xvjFJ~9pg^QJ!bzh4rv+)HOGADYdNqAqjY&xaSAkI+<&v~*?Xw|bTp>vm z!Yr{cAu0i?ZG=r%R3dLWpzmN1s56i;Z3QE zHyy_zu<+;QpGzHNz*0`Lxh{@6ouh^>{Lf(*m4=PYy1iPnUb$Vjx!rE9U3sp1d%H~y zyLLb$A*^aUJKx%J+($qeh=9u;Q8)N87Ac3_csEG~9kSm!+&$Vga1S4L z4tJCIFxh*94~GYx-Mwyacz6_dk8q6R&VIL>9CY{bLgmmb@vC}aqXG0XcRTY{K)0>} zx*e+nR+Rykr;}r*=yB;sgfc;fL`wn%XmzZTyyBzh;je(=^cr4SO$+`-Jk92 ziinB(00_VXl6nAx4_dRRc>GR(m*o!#;Vf$x2BPKxy#$;QruwKt<#s)+Q2RTX_EEX% zm`kO(*w?-#bTn2*P5qAL;S7mrf1V?te#o$%;0r{Jk{f3@Kzg8X6OyHTN)p6{R&-l+ 
zlj5o6Tr|$`B3XBcag2MzqfTeIJLv884hPBp;XdAbbGSd~zDeS}z1_V7(%nDm9ljav z9ULBZ56GL|-cfh&=%5>S1{+y-Z&}x1yzVVBck2x{lCGfhKen{12`$Z3f~VH1dL;2u zbh=2iklxRo*=_ zk-T+F24l{z`;Tbb*)A7uVBhTT9d-7OdcDJ=-K4w!=BV3EI%F??(>>_E8FUVNZw3cP zZw?1TynA@GdqBuRynk?Xa6tAC*OiG<9$ zHVyJkh{kFcGAiS0t`kxJyk(A8j!SMs^V@rzHS$b?6*eFKN$&6@(|q$=WCwV$ptx#i zZYfne{rBVd=kHF@$;S`hoqhl5;`r+9b;Zlw148JTqp6*76CD^9j+mz?e)B zWeB5NJVk1Zl?DsPF_DrEQsP@1qd`bh=V#3qu}Tq1sQMWxJt=#7JHc6dtBUHYF_8pG zSkW?g9;^wTf_=m@N)p6#h4`=-T@PR>!eUQPBWIK)ged}6(tzlhXjEu2GSx!(J)+|= zW+Q{N5-jZyUUWfjsMHXiI2C!qS)2<&SUg2TO40;LZ~N)aCisp{@(E)3WZ;d`7upPS zN(HL<{!ok=8e^8E1Yw0Zi%C2DS`1fA1DFhDUUci_8uME;$>Xsx_^|STm_;+|D-{mc zQ!1=T8=baCZA6C%7t<}~)HrcIMBUD|o(Kz;hoFMZ(Jf6=q{LK@Khg3JQ-%(U`6&HQ zMq;z@84+6M7wBRL-w=UEq*#v+9E60X0?_AXhygKSb7uMDCd3)LRv~gjM1jSW+>jK# zI&rdSyO_PU<`EZxA^y4m<2x=;N=7)I0{IPae0_^WqG^AUVMT2mgCJOPCbtd15J-b? zDmm~~rljw0D6r#r6KQ!eOb^n1NRN)4v=oM{~HtMtw(f|8@|3B!k^KY+1I?bgv z7w811AyJqyC%IG_Nh1)lLemCA-F9bNPq08@v5aPKg0Mu`!xk*U$E(x6A+TU#2`5&L z4TmIl;>_}Zrj}sY9UD|+t0o^UT!JOk(m;@y&>ON1Vvnogj?H; zC(=yXcJ1co$BhEgi43nrSzso$4m+)qkZ2}4%cY4iN;Qk#I$$bn65zhfF1KUCN`2bh zmR=m#)EN`f2D?Bcsu~wd>FHV1sS2f8!QMFoULr|2PO;oSX$U;-$ep%6sY<6o4~?_m zHkb$M@SQn+byL880v1<#0)?}%0)-iIs;f5wy=^FC25QG#&|fvATJ}Q)Q@x0|MFXti z;>-}X1*s7$pugRM-Vzk!G(|1RhssE%me)a6#TpfkfQhN0W8ax!85z(rkf_nnWwwG{ z_-vA=ETK0v(VUm@1Z9G24NhcPrIp13MzF`FH@;`7m5ApXS36Y{glu7kOqb;thztm& zPp94KE|Mr-wkN-6(>T%Ng^Lx~1uL*KDsTQ^O| zky*F;YWJ$EZQ&i{LMm|3#M&+?TdR`(3NAuZi3ZxHV2r?SwIpE~gl9xx#f8=jAi}E5 zQ_-+5X4!|C;L6E2+kPnc1VMbGM#*5RO(DUPJT7*xFVL|IB6RZBf{HS%#_rhHajML) zAO#+bU$iiVt$$P-mqbdlkRXpFQHrurF^RKb>4R=!ZQ%eQC%>8iD~W%giCLoxC06Z=OkJDQ`l{4m0KoxaSLKs&iMztdYRYe}< z8q&r=3Z=4Ou#ezcXJiCUS7$Hlb*1bEr_{^YMgTOEbi1vxSz(A6@LBAT(1a(XW>A=_ zL>kFZ(2mm#p{2%eKpGI&;Voqezb$5R8UF0GF^Ex~5-Xg&<~E%~rgk5-4mz?r4Tyl& zQnvw^1l()@PKFtc-LQh-cuWfP!^cRC1(9Q(CL!ghLZHmCxqMH0KQ5#lO(V12fbHVz z%zofchw%A`F3s$AOyhA#?q+J{Yd9}=JQ5HVQZ=@y3FljewTYaJx(eZakMFE9&NBq=EaS5`!a)CBfH%j?r!3YRZvqA| zoOHF(8Q3$SZw5R)8Yc;nRFK42+&4tXyr3A*QTk)C)+cb@rk4`*gw}rl(iXSkC@^Zz 
z+61s;tyw-qy>_Q!zr&!~5WosexKwDw(Ffg6??VBErfx~uC@mRc84;8x=v7a?HalZa zDIdbs`|w}8+gc3#-LEk!8`doFMY**@AEHHTrg2|iHT|nww_dntm&U~9=vN{* z8WOB>LC`S8-lQ>yPqrV$BVDnNT1w<(RyQMoW8$V{mrcyI6ayrrNPYu!piTPwgv-EwhF z+30nBKMy{rOmB{igHanSRBH3|hH9a$DN1of*pQ3ZOqlD19I8NNm25ewc$SgGTEZF> zZ%u2nzhoSk36_Mf)JtVSMuKF5j|84fK*?~Fpv zK&2acLPz7^RAfN3iA{&WboCSmB=A2sS=urm4rxpYQ|T0?yk^A{0Tw?aaMYou&V`0j zO-@=kDULM2nj|>LVEJWmHsg>Cc%H4Yu-BvrYM zUAYDP0#Wir)4EW3rt97iF@;Sdlk_IAqph1#39Oe**8~H8ieBkerC`L$2~LeZ(L7_u z9Rl-%r}}mIpe(~G9#6{-uvD8n!k9#E0($75XRpuC25kh~aP)=*`!~-;Z~{|D^%(0d zJ(zvXbkIaLebfrcL01WaDB~1MS=q=t&y5~8(7I4H;9DGqA%XXS4iV!F*ueFev^96| z2~~=SfI6ul|01{MtKy3g?=)1REyMN3H7&w*${dI|!z!c-VtoJ9cWe zkOd0M>+%}^oHME*I!Vv1?yu7_{f-(~!BBC172WusiVduHntHpu!VJcWaCp$9X?6w9 zXK5U29&VWrBvIgm33i6WI;7GO7gUWWNVAbSe(&$>45(_S)1BR;f2Sw^Yd0AG26W z8yy0l43pMTAacKErH^4u=Zo20*ciGZUXW1uUk$b8W?EPk9BJ{qGA_2A|4~z4sETKS z+ea;k^(rPdp=@P(m{8WV_{Dr?t@`X4PAHqX(jG)DO#{fC$-D~We&h3akmI{KGRkL;@l~L1~zLOvG94g;)szahAh` zY?y`?zEaW=3&pYPMTTw&RN`#L3)b|&*St{8ykE$Qzmb&Rf?8uWUG~2 z2h|l=9rJ~Va4WDR<`+-IB+4>q*{`CdI-3#^o2}3S)`m*8_8^O&3Ca1XJOW?4-A%XS z*t%Qrv;J`zhHk)XBRfBT)P@s!9A0(^?m3d}-Jg>i@VqP^o2DzH{3+PjVdQY%V&rgt z0TUNtW(-eAX=#f7Tej%}XPZX{O`wX9x-IG=-tm=HyAXP0oVa?0)uA(}G!eHj0xzF33?UyNBrxlNnqWzJIT=qR6D%^toM&*XxhjChJt%C2Xf zsT*$ePN}k-)4f<3_YV3nBGsPtp7Z1~Bk{J0n>6fU^}9PE(r751{sylHlrEmb`vH1h zBvW$70xqK>qG`w8sEmT0x^y$#d12kJY!s=npLnz5gMzjZG=dwVCPV`0HRHyC>m)ZH zqE{NPzX9?5=6w7OJ~4&}yP<-!31Lc_-V8q%k#=rQE+Q-+jfhl%nW?y;*224{IQkjJ z{<(aD?oc?QYMc++F`u|p9X?G5l`8zoeKIlIA?zAmgv^_$b&6{6IXr+ocQDW zm@_Stz%tW~FinfWA>5Qm86^ZKDP_bQ4}@`w?lc=@1q4-1UrKOX)Esf)&K6g6>nj_c zl}=Hsw?ApU-mdOr%ks1A3Dqr@0jc6mSQa4Tk|{s}UG97N8ODKO+AiymyOk$@4$kI( zJ~cUhex5z0vJ+_0l&ov#-iU@2mQOyfnk&@|yX55VxnxJ{oSIv;qopQRa}>>Az(%** zlD?lZv~&Hq-QK-GpR+tq33$OLy}dfz{F-RZDJ737q_O~8)4~uVoF|m9*y@O2hA8sk ztN-WuN2BR#%JI8O#1bUu8x!=ivl;Jx_9OH|v!pyH05bBR^ij*VFQ#*xO749#2&2?0 zI^S#?rr@owdkwek{xxkiuA`psBvVsZQHNVm&SAKCxXKy{&eh4W*HKF@!fd!~f7%*K zg4=Z?o?%saqI-K1@?9wxyv|&qFB%483U8CjsAn@;LI}jRM3>? 
z0`XgB()R_vCzHo7JmS==R)$P*(;j95;qbu!Q#*ttWshQc2!v3p@R5{aaBrxz>6-rP zf`BU)Jgmi-k{h!I5>JS|1>!vDa?Ec{_AQ8Cy@o5k1-|QmA)IA@mGID%xijTaXoMC( z;Gd7O?Q6@?N55@3&Xx_y5OJ3Ekr|~z+FE!!`m}CO@Z(g;#@1=ad{WNb0~?q$wevK$ z)~LU{2^S+GuWd!Hhv6tVZ!B($mF}P*4qidK@{r20a83un6f-YiM*g2r>UF>L>;*s2W0RR?97!KK$pZf(G=gqcwk=SSIeSR}8&Nm{)6B0Q{ZLh)c zN5&JaQljD!u;ms#K*P+uyw4gh4(dn(*qRO;+_SOd8ksh6n1Xm^w2iq`$0@~I^OX_t z9VKaUL59zoCg5CJkl}13xElAsfX%>vl42=8=uOgd#)L4yM&af726WhJP|H4Tu_{{L zez-IbGdyd2Bur)ibP%|WHLL%eg(F?;kgY`q!UtH`T+>JFpDRz=@ zW5(@TjDt$}%#sr#$Ipk{rNs(tEDE$VP`#^ZE6x`Hi5CEJjEkg$CKEBlqsk1&1l>@K zF2`7qbMxtg{{pFEG6LCOY8Q*cyW|9XOt9-U*UC*sB|9walVLsJpk1Pb3can@xK+1A zGm%-*`Vr4^s4Z=;=OJ3pGO`$mJO<|ATQ{)vef4{Y-E%=X(ET@|lQRpgQOZ&9z)Ay( zT;+$TX8RTm5zihq(m}caE56=rjMQallb*s!Qqoi5<4$w6Roxr3lDaC5W4vCa<2)~W z3*3GO*`(dUsEXvf*irg$Fya(pTt|gi9YgO+E?vUDE5;4^_bI?yiCa4z(p&$4yxgla3#VLhgP_2Ir zu+Y(fjPVWS0N*QRWGn zz?fVHZ>Edl1)Ji&wNhk~K{^+TQJ#$iPJ-lKB`h{~;!ehjo*;G{)RTLH(Mi;CFZLv= z=VPW5LB~rX~baL<6F6eL3te0!vWaIgU zcDW;HxFi;C1y#fz_5n@T;E*e0Vu?N%VPp9&mcj^hw*Vvd6@)OvD&xr+8y2~M3q)-D zC}l3ZSv!9xUXz`k9@$zHn*3zg18gbCnuB4d z4W=Qybz>SpXT?2AhF%7b=DtKjniBNN+h7@(wnYu&r+HoOIq1L~&BA5Ml-OKW#*lI5 zN?6(6RyJWc6y8CDtcTWovEG7GOeLVfCyxpGvO8fzPbO$CL<;c;Mp&U8qGE06P&VW{ zm=)dB*0`gCz>TLxjxfC4vIvxIPQ03pS=Xz1YLC`){b zcaBD!C+_N(7GIDKJ%+PE3b**%bx>*%)+KO^8|C}>j~qc$lB=5lnr9k7<7!9C6<_~* zECzT)&l~VVII;h zb#~TtHQO%61dHo17eFBt%iPhjTfCA$WIP(ht-iUEYu6_uVuG2uz_9?Xr|(aKC|H+bdj`4;qQHnqtkEwyKIn1Q_mmsnHx9SUd5Wkj&=0FS6k)Vvf=(*pOvD zS{3@$!AA?Q+3hSdQ`;>BL659-x2s-V;%6|YRn`y|PmtJ1VRLoVYzC_XV^4ZOplH)G^3OL^iiEjXFM(_|I}%|rLz z(YQ6Ias#Tn`_&e6IJQ@u&gn3KQsb9Tbw)?^q4rf;4b~g3dflBut7p}D7uXo_E zJ`JSAX1}x9?>ztg4n*fiiGz`v%T6h0BVef%$l5-sZk~VQ?p;?L|0}2F3811o9$)`A z)ZH(h>5}f`( zcQ-Oga`WuJp>F5FpqGJzJMksZm6%4w8(bc63!Mg?STW+3NiSTQJ zV!g|;V+#v89LU-(ugO#v)7D!|7NoESL1OxJc(xFj=VYt~;iHk=d~Q_7Ms+-Y)p5cn z6V57-y6dAZPBP{R8DRga-mf@|Qa&1)9BvS7TU^Ziyj9RlDYZ4)OCID@k%g1Xa^&9fo~B27lEGF+7}StC&Bk zRVGAAJaXOGzp9m_!tu2dICk}lA8K$@MoyVSP2;Ri4R)HoYjgykspLlooo=<3vjFCF 
zWF{L{2)=*Ws{ZQ*ddEiypmQ%e1xLHzS^CvVgENR#v6Zh*jkD=iTy zP(^v$;ifq!N)RBRWiA~;1pVAqJ}K(0bEWmL(R-s4LKv1_^cvj1n}x5foHqD0x~vLq z2Nf36fxm zuNBOsUBW>*bSg~q1etwMCP>t6cY;{|p@|jrz06A5WY_X1izCg&;HM{dX6^+<{TjAl z?9;nU3&8T}QG~9EHgi`PG*~*9?!J#&AGkVW;Wra5rT2~y?eGu#X({R|SO>Bq6^}xc zC9%zO2Uj_ZDoWUw_QNOZK^B{g5P9sQ4&7edMjyU}OS=GKJA4q;_u?}w=x0@%0M;@z%6-iQl3lC>txZqGqVd-C8)Y_pwvy(!_6fYCP!+ZmR7|~`U z7E`kh#oZg&FKGS^3_9X+VL{aYh%ilK1YE+I;DeM*u%fZable~>E6={ewE`Ce?%zlm7+0Q{<->ql=t1tLsQLDFe)jmoWP+gxCR2Net$jNIBq0dnB^Xsm{L8Ukka)DSI%Q}^(|Fr~4Q zC@Mc$Y(t#k9Ru@dLxtVqF%~#hCf*+&IYB>1KU*@V{&FzPk`>eq|11RR=g;kcroVjA zwLgDu8=C*}rS@zlW>XaBQt=7>)t=h0(qfKyz+ywh2uZ>li$8(%;B1sm!I?do5SBo2 zfJS0*i#NlfU?kU{vsWsz%aE3~M#kYSb24h9mvblq>HW(c3g?enG9R?cbn>#$V=MtO zG?oMlgLOYc!+vYXdFuEfN2vL za;J!3IE@^5shhm(ppRN_m$-9s_3pAHe@*mYt~khP*jERptA-=kOiP8+v`~OfA-f&4 z7RL6aSYih9x5kR40#RjCd%9U!q)YTFrPrj7aF(@$WQwl?1E_rC#Zp~mQe^|t-z1(h za1c0KyAt!*V>B$~qO~LV`K_JF0NSu{Uh=l(P2B$fPr+wt6PKFm|NZe7w3He3DOa^| z`o%yWK3<*n?cJl)7-bahbKo=^V`N^cu}_svxK!yBGQ|eFFUl<0C?Zw)riU&=xCM6G zhW$&JOvG=iLrg5BF*jO7SS+TQ3!a!GiOilV@(l|~)X-P)ER7$rp?&b`Qb6fth`iYl z(4`9{D4C-kf5Fj5;i(AsQUU4vGl1sLCL1>#G6WTTqZw6v)$_`GL`G#e62YPb)rKD) zmmeDFZGpHg-|jbt;}2I?=ZLT*mob1$%nVSZ$^-j)gn~b$>dVG)Jy&#xnfnXQN)ZngkflX98 zagJVv{>bf8zIL4G<$x0{F2X1L?344<`566`(x&;kX^i}>(@E$E44kqz6uW(DM&e@o zVs6B?Z31-r!eb>HSK!Kk47Q3e%v9wOIO7E-#@k>QtLhtu-K}PXBKivAsNy`uqO`e$ zQ#zkN99CjJ#=#-CZ8z{>@mWdW9}fv0p9FyXriK>!%)eS^(N(4eC)&d_4fANWL9c6& zMNYO+;haQSnvbZx0u1?j5_8=Kr--s47ZZO!)kX0aTob$w=#$o)WzKjKWXdWIIRi>K zJD2ADN;-s;W+556>+~ixFLzxfWtsI#~Sb+StBbsMn+nHXyx$te~bg<*>4^AVd?Mmt)^;6%? 
z&+~Ee^R{t8Y}=G7!4>~=yswj=ZrD4PwKnm!!YJD(8 zN=!B78Uz7xXiC&S0W~Tf;=${ib_tByJ$>DG*bHJBOc;epDB}RI>r(D6xWXUw=aw+& zOheiPCTH-7Tp;jfkXhfNuyi3E&IaKaG#-;l;L-Fu{!bV0;I4V-+|lsVY`-v7pzmga zL3lcWB8c&Zr?y`#Q47qiR@u!f7MrV-3MB-m zR)Offfb$7Jw#vYt;Cf6rk?f^H*Noq4I@QJ!IPx`1-csoiY)LTk-VcMkK5A*>&xII$ z9B4h|q`@CJ(5OTpn>eFq8fWBcrzYmTZ6)~))*J6pR9v@oGv`RJded*zxH08N+VoWko0$U{EQ0+ z^3MNoZ9bj7{p+7UU!4AUc6s*k!#_Wrz5P;pQBIpv_Qf_sMAiut<{!Bg6r?Jo+_gDK zG;k(;G6ZRF+k<{Ef(0Lh`z({QByf@Zt&i|fYo<=Sd*ogksV?w80rsB1#+fQ^do-8jW!l+#v}j4|by}9;G)a7R@Q% zo!arIouQLNlfgu*H*8*hg{!@Qcr1hSU&=@uz1JJG%>HS^l(EoC6KlgL!ywuSQ;_1a z5Q0;i0H$C@Jc5m#2G}@5vXrX&gn%w5ZdAQN7Dm2#cp^m~yNR z_H1YV&su+}tzYRf@J1EA*Mp=kYS|YW5DbALzSx6R4OU?-+B?ue8eZ4Xcq*1@SPor4 zJ_XgxVO{?4%BW>8TSL3Da<8;L=SeW%pf&tjTr7a+U)&rSF_Zv8TQK;=*s+3>dRKrznMO?$~zvJ3riK)KDkd0 zvaVy=!kJqfHB+Vs9TA_G#A)OC8cU@#6gg~ z&09?+(;%15;?T_Qr>5J7hL^N%vU&KJF+Bid{v;gs8kiG0}4`IOz4x2;0d&*MGNO0s@N)3t8uS9T&9s_^=4Jl$XGc3)^ ztVO7PZA5qc`^wyEm#^DpM>(V+7Ict1(pTYQ-jx^FU1u2)evTHCplKTlgMB;?zXh#KLgi2mt`4 zJ_0AWf6m_0w0B1KXHxa{9GYHYdJAa0+&QlY8TRk1xE}ieYGaVS&yoBt;LkKCiXDQ&} zRQ8Y_oVQ1v&QaOp;|}m4Qc`fPoMyBgnkyd+?IdK7k9Gk19oIz_&4uDJ_Ov!kHaQqJ z4%BbOfm&WI3t8(|nq5<79%5mfk>DW9Hn7^EZ@>F)z|F{!>A-n@;HDRxW(tTKz(Q|Z znW~(|IR8~)LBJuNQ~y+Yz-&A7SLA|&3P+^*&^C9xjb+%bKau`suiM?h8Qr<*?Z^y= zIV(*VjGG1s0yv$sF%9-X8VnvR%v^wxB+N&w7|9s;!n7uWI0(J8LFfT=UblbGiHHeP zctp^vPSkyEvSAi>JD}3mHq;ggdk6b}>hA6Db#{06diw`| z>U0kdd)+^w&clXXuH;f-@u$v%$Er^58!4YZ@BC%!^e%I`l~~{nipN-}_SRo^zI@sG z{5i5$wot1=GxmOARMY~atbGE_!M)V}5zJVq`O)UrK)-3)WidL~g@4k?Wj-9zJJgC= z$o8d$#FsByTL9$=sM}xMK2ho{K~S660J8b3P%Z zXMW+5g!MKHn+Mk2h@uj`vUZQXPytMzk@$6c>ul%`8O(JT7fJ`nvr$UL0aR{X?AY9S zFwibUu&!H1G97xHx{n^Ow#v-!%iukgzMntC9QuD!vnJR!Ak41k zF2cUE!?XiRvQt0KGB^7#U$$_Twaa&&?ScS2^(Mcef8|_}3M%To7%iGagQ@ArQI+%D zH=)wsfL|7w)!9akpqQ8a=3&hUhIaEz;HnCXNqHV2`;{hf?4$5ko{kUTzg%iw-n-Qg z?hDl6@u`CD0g!LIIz+zdT#$Y^KYj>UKVmk#5i+0bGKj z)u&P(*sO9q@@uMCTOc5#->ubM^fcn-%VLAAY#xdg*QyJOSr z!z_JXuGThA22?SwUd=hS%?u*Aj(kz8g zUw=u|1`60WZ7qrM*NaD89r??3wc0Wi40!K#2-$zBg(w;1?77GcY8z-K_->WvMQz*M94dKy 
zELu!+E$`&~( zEhCJ4IOoY*Dn$;5p?}Mh5mAq%?KQ!bH2(c{{!?iEV|QvjL#}HahSjV9cKQAQDo9ZH zE|}l~KncqW`QGC9vFCyy-c9zm{!4hCTc3ytfBp?A{vUXf2EFta z%k5?OKk@eeJ&eC4;y(`eI~D%#?(Obv_34aaar zbV(n_fINCk1G3T?q(Nw~k$Dnkdi70;EUvQfsOWyIl$$e>cXc4-)>#)Dj6#I(P*=Sv zdXFq|fB*6O6aS-4=M5xpq6g}8FoBru5g)~&cgFR1{_*WUKODb5t@iny;FEsvBQhaK z-YZl2{T!=tACPD{gvyf)3p{m;Z5jb^0D=b$Nb#@&r>0Z%r2Cnpo$5 zzWez7_h%ozZ^UZDN|{?YZkb9?>$y;f83TR%+vVxSkH>#Idv|vA9}gL>l#FB6pzlww zF3wIa|M~Xg`{T0@E01J7!6q41Q~!Ve^taQC52shBm;XF@_v!NL^kVs;isSQAhOuy% zIb04o&rjJ+wfcN!uCcQ&bb?2-Ogs1n*D@qkTujlIFa0?c6&|7As&Q?l5Tlvy5z|3J zM?@<0<;(w^Gm5V?Ycl6~nx2DCW$v^xUoGq*r8k5TDbEETkdV1-Ql6`^Aacypq>sA2 z;PY6i?EBDL?S3@3GG+OLqoC_Z(?Lp96lP+m&`vc0s43b??W3bk2@1-nqBwm^QartM zmtea4K@D?5ruf$J-zqzjt#BY2N_8*z&jExtoj09e0O!aLFLX7uI_h+eYOVa;k$LS( z6E^KMp1X6~?AF`#V*i^UIH60f`u?+9^vaU%2h%b~7H|$$2!|R!_3a$L-Igy*5iWa+t+jBU)n{# zLAt5$1&+yi8SMw1&SL9~@r3v|EZ=kZ>jR9lxg+D@Pz#4Z*12DvYDC3TBC2L+@Z-~s zoAH#7rk9y!>k~-gk111+3dOAb-!l9EN}a$x@A6rS0gh+;1{TGCboLG_`~QQ(y^a5G zEhXIl!z$ujjk&PL$?fYS6ISh<0@n7s;AxY0a0RcxLYk^L7F{=Clxyj6O~~weZ^wej zQzH9Y5yBb$Uhq7FVI%Y2SD}{RH<$f&%WNRcO*Q@34G{xdXG9eIUyFSB$1PUzxZZ!m zwCV%8{3%P05k*_~U)8@+c)WL=i~E&bL4v2m?n~X`%t6|g3yKIi;Ym;=b9hS*sIugi zxB7mmQJ1k5{BFB`Nx&pI+8qAT$z6P!t_vteU*KZRfFA4IIx@jQowAPy}t5y}i#MVR|ivr1NgYIPIg>1~7Gflct} z#=yo1*p#O&_tF0#fmR3wSQP)WThsr$`<;#cUrU)0|D$zDgPfnGi$cX6yr=9QxF{>} z;HmPQCVf=x43&S0VkOc(q{WFKGv2+`!`H_3b1cj7f1_>knEZcG=l|a3{?}T{YWzRT zN?j}eM;3~W9C(DX4F6k)r@bG%dJNzq{y#XZ#{czt2b=i6wUia_%2%&~R6~Z{wq&&} z;xZeQXBA~U_dKtHIb4lyt3|fWILHe|db%sBrE|1a)yuZJaPCh=Jz^56II)kFW6pUsTe|N2xO68yg`{~HHr6pX%-4X}v+_v`!r zPH%U^|LZ9A6fHwKDzY}Teahp77Ql(C*&sG*1oZ5rM@^sCFaddazkJzpGn=8cd*4>t zn5Fptffs-l@c+SHx61$B{lm@ve=TJV_kWt1{%KBlRyP+!W9pTH?L{fs%2&QGwAAzf zw?Ih0p5=w1r68YsW2jh?XLx03bH!(K#pjQC#iwA)r@iA-jI-#HPqpUiw|uHSG+*mMKGlvMe9`A%O;SlFeuHrZ5K>#yem)}ycA z3#>=|T8>~d_8NS_e-sDE?ESxu*|SWy%6+eDS?K@mRrmj$-R{9=|G$pX82|a!t@)!y ze>zH9k2iSsp`l2NO`v@<+6nQe^~PWW#s>EP5vJoZtnlD zrOc53e$5|Q0|XDreZxAyW9LCyV2NHfdSFwYwk($a;4gfD^}mGt?^fi0_iz*cv8K{2 
z|IL~|uIz_CziGK|u<{U@zo>_eyx)}dmWA?vNU+KUS-1bEw~_yADUI^~JGbVKssS7& zeakw)W99)`V2M69dSFx5Qx?kq(Gm%s7nB9^zjJt4v;Vu@P5y_qlt%ggef+qRe-wYq zGXMMdA<}+s>#r~87xI4!H`gM-C*}8Y1T3`wYWZKf`X!UbWkH3W zzGcBsLDK_-#L_)|eSxtlzpJuX{+meHhZun?`+s|#?&kgP^^|7$Z`b^B1b-0Jw^XQg zs1ILW{<4^SMd2z!f@he-K_U2MerrmVLtl>auJ_fyLM-Rl0o z*XeaP@gHj`jq?A4UGqmZ{4F7^BH)Wu^7p<3xPpXtvwnbtU);sA5?=p!=XysiMpQ(l zqP&G#_Eu)g)TeADh?G&BVk!Hm1-07t*LIMMKghw~nmwQ3r&g)!a1xKIf$SftBu}K` zHu`Q(St$Q`cs1>QT41sNr(5;^>>h05zt>V4<$viq;(B%gGj2dGttv`nx}F_D8A}h) z8q0RH*&S@kW0!^UUkMyPt^cQUSo8mPy89dZe=Vg^{$JTOe^mS564EL{y=bxqaqcGl z071UEi)Sao=kmWjGYS5=w)bBSHs}9qDJ$l6D=6XF9o)@K=vMUcwX?acFq`I7ZVgj; zviDyC{(s{4A9~%|{_kKD|FfR*^m)C$0g>@_b95~S@N-PiwH)O0vU3Fj?T?+BYm+kT zTS}SrwO(5Y*yTynas}fo$jMc!xpG3TS`UrcxMtUyHK7@)xN03e{c8)eQ(8S*UZ@7^ zycprzN*Ojg?^Yf4yU!yl*ZjO&0mVH|(ygGwSsAwisJ~k7ttU#p70iC!nYV(W*OhiF z7;?Qiw@L$V9$)yqmZkRpl}f>uF2YG7h?IDcl1NLp^oEE?3~+dBXwms^_n;F0v)et~ z+r)parG)!`ST>xiF&Fe#VCMGq5%}Z_Kff_mFL+A+Mp>ej{ezqXD^k|8^B@SG61xY( z8U0@HJez~ZEre=ld2kkXYM+5o&y{e;F8-(%62ZY3zv$k`gRQ z`-A&=Bk7-6dAR(aP*xTAm9kL&cdPIJ92{=)Kdz@dXZb&QhWTQiiNFWkY{dGeJhUt& z|LyJ`8_Ia>_kTJEht>F>-roM^{_k4KY-eoQrL!;ss3Lk+(+W!oq35Lt=DSQP$ivlx zt=gg13}4CKQ-@^E=Ks3RS-jJ4E(`g;_WsxYUZ=O=|8y=M|J*UpBNaWwr2I!w;f9ET z?PdgTOh@2jhkx8+6_20Ruv&%x7w`0%%Od{Y@6_M_+vNXTPkBE4U)}B9kB^-zjB<97 zr*M227ce`mZW*o?>4Td1J+Oqmm@(o4u{=$`?Tyb0{6F8xI7c!pNAoo)Li}-(ce}BKK|9id7{(mjyx$wWHu8O_Cq$+-F zi@(*X8~7PdjQ#E%q0XF#_?Rsl>NKRI3C_%)ge4iLOf_r*$PKCdZar&@_5;QT1OLpk z#QifNDY5^|V8c*s9hRD$hjd2}sRWG`Ny>oOahK|?z|hW+GMv(1iKxuW!d~kRXMnp( zhsEUsS^azF2v2}HZJ^=&kX&X_a6DdqA`k)j=&SR!m3>25-v0A~Jz3Qiw7~xBc6tXD`)_Y=e-r<;mhxQe zzbbWAY{A)}`Hf?wxM})zeZfWq24X}1Q0r>3WL;83uO`-Nznkh_*c;6>l%Fx-u>XbCt%SEYZjK^*IWPD{Qs|<h3ogg@y;8BwZ2&iV2OpoPe_v2xg;-{X@ z1bROQN?wr8q*im~bSAYP8q=A~uC?YX@w55g9!uIhuxB2m+&oDKm*6@Fe!BXUr_@0KspIF2wnSH7*O$cbKNDVTHp5zsq`hy3@N%5GjlM zBN4hL(|&`H4YG~#j0mjzL1)bV1j(s_G-wrk&+ppH@8$b1j^X`JwWLK+>0zhx7R&!s z&-bo>EfNMxnvm1s5Uxj}51eTnC^{iLS3ZGHx3lqMEtdZeO#Zn<{?GlrYW!cf+u6kb 
zuBAME{?9^iK2*jpXm?8noL_$q9z$4MJ{J{~;b)=U*B`Sh^mK8}cgAI^Rf~hHeW(v&9;0r|f;`A*^@zfjA zz0T|`ncYf`(kcwkEJ0}*52l?)zKp7X&(2f&yjO7M`pnN_>L~tkQkc5lX5}wMzlE#t zb@G=!O8Qbo#KeYze=l%M&db=}?Q|AdOY2T@>c(AHhEq4*defU0qyDjTn=an}XM~6d z=W0xtqOtJ_uI30>82?d=|LYxW?*Fc*toGb&=q+$!zHMKe(qDThNSP6+g_X9fRg|dp6G4k>BalA%geJLPZv8B?lG}P-j+8>q{aO2Z)g&s zWE3lrMlpWW_rLafwfDa|oBO}(DKm0;X|w5JZofvdsT>I}2%Xx|ZRt=;4-(}x>7!Do z;U(c3=_I^0k*`ZDle4yNjxv-S-T5(fRK|x9a~t*gf2w|E{I1;rw?w z0{SDK0WXai8=hwGZ5IJ*OU9Ni7p6Kp-VJiyhA1ooP~E9-_~qo{^!V!3{_*MjZSlw3 z(|4!#k5UYs{ucUlAmc*$$~HJ_3Vq;yqHH9Hl>To$0U}Z&We|eb7^J6v6y%1=@NbvM ztrEirH#NYMI>A{+*{J!);@UexGUgfSTP!`_)9A(W-~Qid*r#~^v9sIlRL_4m_kY(^ zRpBWdHtUygQwB|-Og_H{$ID-+4z6gQfA0Yz1TBee8|9)QTT(- zdGeM@k!M;Q{Vh*M5A_@e1ovDu{_zc_skwOAAl)_c!b(;QKj?U9sfg3Zi8BLB}}w<`a8ozCX|=UU3Vw|tg7uYWFb*;v61^4L+XuFxcl?=5&Abs9bt z^1tZbX3YWWKmZ%W9ujE-7Dszam8$%2k4ZYABgO@Jv@sUhfBUb=1es6ap|JPAopmVIW zn2<FxF-cQ2O8LO-XDJ(PBSBIi zDU@L~4t~ch*?NJPeS!tO$^;qGJCc~V?El~EHu}iYDdG%TYLHMy1WG9*?XC9P%YR-f zF38pkbiyYS&d`r1mnfk^ZnZ~L?ZAHx_*?D4uVM%O>wXxIcJzPTpYn$76det4e4S@# zNK+!W{?eAW+16j$1AM*pm$sVde{(@cTYve#wqBqgv7kJc=VF zBt($<3m$uLhYWB1V-HOkKLTamUTl!e&k|&BM>Qm-n43|kk~5-S_r^`T)opis?Vh>l zSqeWDNko}cI8A+mF}K+qnU}v8Pwu8-PT9yWmrcpom0;Q=eWb^5KPfKY5@q;XKB(AM zrlz(``slO2%oLBw1Q!)}M%eNB*^j%Il@ACdM8<+<=Ai1NST;nZHsdnRBpsv#4Y@#> z;KroVN&%zG%Xi^ILlre9Xhd%aLt`$LY@;)!d&21N1}6v)^u7X~ZGZ+hR-jfpD~%<2 znwxt;uVfyN5tdLlnqY=UL?ABohJF}HI$|WL_Vv0Q%-8q`Oj?!jPMpxzt)irIH!t9h z%6+^N;$CX(+B>Q63JQ^c3cL0su}gyZ5UDYsHWNe=W^TLdpE0vgwZZ#Bgx0P+PZMq3 z-VmXXATb{?`m65^G`1cF_Uj5c0yK98LE)kao+3eXzbI!x4<;{58@<=+p0Xjgw;cOB zJ0q$b@5g*H$r)8s^X?KI04#&WYEP0Eo?2g4 z&}Y^`DiPksMD74`F0TJhSz?IFG&gf8P^y2@Sh+a8yz*NSgLZ@AqN*&Atr11pkO)(A zDEI_=agQUxA7;;}*>FOYUd4aqL@K=wZFBED9^||P&;nUvu82`pkjd+0(I%D zI>7WQIbcjjfqdei@dw9;eRZtj2^gGcXcnq|yA9 zBw*d*6j@Y3wiW5koQrVf@C`wdPe`>H(YDI1-Xv?AMNfH(CJvLD0k!tGT0ECTw9N)v zTL?TKjngT@*A!}m;Bkg9o1*I@>FH-1{gO+gq_mc2F-?iEBWi^xXgnsOG%U~6Ef&cf z9%#fj;MLFad=B>K(kL?7c}zcxSLei64J{t*PuOibIE$Yl!X7g(WtqAkRd|(o$^+?* 
zKwM;rC}s;JRG7pLP;HBl5_gUBffl|y#l9tAv_Z-TI}*^=~INjTKz!vgp=`e{s<`A8+w zn-Z;E>5!6S8&Ty_p#ZI(3ca~xr;===PwblU z+lQeZsw_zmHALQTU@gEq-IFm+Q^H0|nDswgU7d#w%I3ZKisIt48e@eRA&FkV0YSq& z9nv%EQdl8ban ztbMw8=dh*!2^^>Ys9}dnMD8*YD+`bs>7~QLrK4)SZnxN)Cz;?ekYER@*3rcCiio&;Rl2e?pYrU;p~QThQVEZoU48tyfRPc>(6z z(~N0M!ERwQOo?=n@1Yh(&MqJRQ)a%ZT?>|&dvgDWx zRdN_c=voi3r*t{)t3BPl8&BjZo86!>kt=T)-`;*unPrf&i z#3+}BNvLdCj+e3~HOnaRgj6?6Yn_#?)4EQs8mYA!PhzXaNnBW}7U*vwQu6m%n(hBE zp#I?zpmXj2UhlAbP>ugSJlNgb|6WUZ8vDO=A!FgypNE?J_cP(qvTw>(Z2jih)Wvb> zUQ|gE*RQJtLb%qfN&ezAt;%BmcZjP-`3oZye-1~Dj)U1-mM7V)EbnM~2L|^EDA!~a z=a2LKq+tga_L|U#rl)$$P%C@3$^$|3xx+lN>+B`;_i~Mnvtq=;ZH6AO1ASRyo?y!W zR#$77a&waW!|CzcmN`^PDI-{*F_rMD3?Cwga@j_oq~2v%dyJ9W;u{)F&6dG!TuLLq zd?}6p82r;MyVW!OBrSi%?4`BZ!2a_gDLG4su!O#iu#dHJ-3X1ddM6MDf^aHl*yD!V zT~=;qic_|e@L29>Xm|LH{zz`Mon4YAFE^X<&1QVF8DGn0yd+3qV?O3-GH-8Ql6kK@ z-VLg2K|J>ii7Y=SI0ybKTQLCJa+i%Ji3{hSiH9_D%myV$g(n$F5YN>;0t^?O+s|6A zCA(i{2(&nUbcNB-N>P*Lju)IA4=KYb{k8V4R8v>8LOfiV6Y8-NOyy@OXLs|paK`3_ zd#upOg4m0tdMX|MXU4HkqTED3MJDWcP8dLwByy$1(T+ox5k{Vy7s{dXMCUH(qWI9# zdu+3!M3>^*+CxFrjr^|YJC$PM>!a(^Hx zz}$1iCp>4W{4m)Szb11+BdcMYb2@RMoJ6AAF@dO4?89!bsfZNRw07Ho7^twKF;3Gd zg07qIk(3cO;5;Rm&8+9C<%Ba6 zL&sJ^swHKkv`h^JtPm13-{4Z6t?4n_;~q0zxwg` z0$vJ!jj({gGt4xhxTBe1I6V+yH&k#2PvE1oA;NHN8G4O9edzsFdZRhhT*9%Vxi~e- zvRt`++AU2}peYuQF&k+(-|}4d_vb$YM1mxFY)+A|TmC<9TX6xx$XrAsGRB#MIh>Z9 zGKKH@h_*=^wf-D@YMIe9!SxU}I2WKwsUiZWs1??3qfmkxx zNz9T6Tk4AZvhKVPIb)QKBJ68X7U2j|nl#^ksk6-@RySn{h7UVkV0D^eVP2KZPCZu{ z*xTp>SBTt^I9E0k3y2NC!c4|H{cv^hALk#>K3r}1Z^M6oNd6=2W<}m}CQU%hepRFi zwN{Q;J(^ZDK*DJ}GHyz9Ib}CLViEe~F>9O{vK5R)<&Cw)b6CMJF=g@IGA!mGWQnTF zTRo;Max8?U7F*&r3{9A9qxa5cMJN9}dwcrf>g>C-(~D(LiB_X+Q_O?o_nFGed&>Mw zkQ>T#nNID|K{A6`s$2qlAgPbM^7<$38kv5__XP zmt>fyHv2|9IEUVb6Vh#z)8v0FD|{Y|PoA06hzH^H5`2u)l9ct#rsXSD66nRbsjND@ z*CZFYQ0t}Sgr49mvIeE%6B;kw4=mV2B+|ot@-Vz0!>1QrkKnUk(CNL`z@7Pjw^@s? 
zz82;R>f>u^djZzksu@pg98psk{JgSJ+@>@t?sC#Duf`!brj3HF8NBH1>RpqitwmQh zivIVm=uKLsCM7h{)U2a&Loin$=uA~QVCm|tM8%sNP@)-vJLE7{BZQf}HX8$)kE3zD$Z z3hM)cHDJP8hjTl_S7L^JP?8p?az!MyypPAKK(qklg!7tzuiFww-2h|)cf86gWO4e9 zDOp?E5+v>xgnWUhlTL0%%$SQ0ZiL1ifffcK}pawl5$ZBhi3ECVXu78Iw#SKR~b;0Wh#e`W%av z&A0HWc)H+80X(CH*-X+jO5LPM#&1|ugIj}r3(^UXitLIR-N4w=0uo_17e$u2f@Lkw z;2d^7FS5*)1|E=in9cDtyQOp8BX8M^sUA5Wy_MzyIlZd+2tOozL|(WU14GBaahHiJ zrK)s*H~5z8r7Z59LEsA?6xPSTce>#jpE1F-zEE=58ssmS;xgrlMb|@Cagq!jM}Co! zoCD&E_tjyp{fP2R?_vu*Bx{JFwg1!4_=qL*Bx7HMDfVI1#@pGDezl`q?89n@`87NL z>H|w^?!m5*iIE_7HRB{&6Xy10xv_JYe`;>g&^n}scYkJFxGcrsEJnD{JY`iO86{pv zhe^s6R6LzW33jnBOmHp@IoLniKU@&=_ca#d0?%geg%&2I`83bwFpqsqXzR?gst|rw z&V#K-v?NB+kdqw?mT{qtDiTZ>HT=fLu$+-5ffa%Od1lWgo2A z%}q8Z38Y>w47#mS<2~nIec&cadU_1IiE*QZYPhIJ6Gk&LnFDqgQuP19lmv%5;eKhZ zJZvMe`=_zwULB+{bK^13CU(fF&&mc9b?#E zSCpB&#os))?GT!xV$8^i1+nK}e);svw)eRWSdlG2i!2ts-TYKGX3r-kU7rXUGv2#h zft~vfFx=UMB{!ECJVOpNW6L7m?FGR9iPKJ{GI0pBpV(fw7!RiD;eh-s$oXhh_H&GP zL)LuAELM=9*^M-;c6x)omM7I1DcbdY%NoMrLU!$MnW=Fgwm%D(npHnm0 zmdT+8>WrX|50N4yhMZ#kd`$1Kq^{%xiuG`J(6Zhe$$f_z7RI604 z-$`j(J%N4$$WoCaI2ZY2*0Go*zmmz#R&v?(*#)-UsBO7EySPtf%YzDM`|rHbvbCJn z+@AWtY=lG5s-nf{*ocq7Mi@S2vM~2RZCy3J67O*+91$zj{3&uV^x0_^ z_Qto(U*cU`p{+9!Nz1^75lK2jo=D@yC#TKI7UjVLx(+$}2nfjtB66dxWN`vY0Gb%8~_BaTMhd7T^-QTi{RK z%t6Nr+9LEv)kaan#ylZYrpC<5qR9l(NhVUMBFD^;DK&IJzL9FN5c1V>1#nb?Ao?fQ zx?uX~Fr%<%l@|un-6&2 z6KZ$!WE>B3e&NC1>8Yl*fQ`H~@bt(r`A_nJ{3j6Z=k44B+Y#CJ_L{BJ3!IOtW{`Lf zYP<+A?GE=k@A{B#3(z*!+A9Hf4c>NaPmnd>j4Vz|s6eNb5mU-lG7a(jjaAmI`IB5p zBNN%!)vl@_bB$p+z{m%&=lhozJ9yBH?$39)_3kx<;|F3gyqgvkX{bSWtoKn6DI4<FTz%>!cS(ip zX1jhSr+Hx*@nzX{5TMC$jyk!u#U!>!lu;HbJ;IzP{V@A}lt<&E8XS|1@}^3Xs(SSd zT7n~0sbB?*Qdng#C@(E*le1*tf5OH+v`bm85mYEk4&rA~rqmULX8D9VsnybNcZ8ZS zL5G>I5%6*@=#(e^q))R<`Vy=z1Mip`R`wn8*YN4IFjzz496c|j!18FC8PD;%V{52~ zZL7CxrL(FPt&FxdE@U8uD-vc;;Xw{#v$_r&``rsNiU8BGNS3vgIGx82`>BAuGDB6V3aebFhgeeHo3#Pe>hFr?k7 zZtvVeAZO5&H*rfP3nbz-w2ZX9mBN-#iW5Cvkdg#6=Zju`R2o6Hxt{Hd2A5AxjbTc> 
zApiH^=l}Ru|L{)-2R|M6|M<&)9Q-_hfBg5uKOO$d|M4G(hX)5g{pHQK*B7sT;fMeF zNfgr?{Oex_Ke1Q8H0(^krCUulpDiRAd@uqyWyrHZn;|qo?a9jWFnuHIE|T4TLvPIAbgrBX;Cf4%zk^yQoLx8$uf3@Jgx2bUG+>?~mn zV5OxV0Iv<^T#?G#CJ8>t7CBlIn$scAcyqkFU}BBC01}p_N2!uIF2@!1j0MVymM8WG za;e=b9gYm9n_o(4z6s9hTcE8ULt5-u z2?t1;>--m%VEvn(2o{KFyK3D#WS&R>`6vbS|LuZ_i&^+-xaZwetRA zKyM(V-)k#0AyN()osUQ%G_!0JofDdA>37Ac=<3{-W9976Lun=pJRBA2l6G-jl`_JZ zi-qO}bWL$Flm|S(ElmZ_pEW)5w^G=vvBjaEixjHHXulQl5rY!YaXA#CB;aBcnkitt zEt`ZV@Rwr9GP`4z^@2D`YLMN=WbD)g2r-f{p$p|U-^$LCl`$k#lkd-8l4EjU$2x>_ zA5jh&*TI-w=fy_83z!lB9gzyJX^#j=bdgN_oGgFm*+b`j09vib38VLiBfi&6ZHXej z-vUL%e4mA$>OLTdOqro6HPoRF|G}d@oX-V;XqF^$nqMes3Eq}K;W{ZLcXT0JV(x-d zs(wsC7?d-fveaS|AazivcSCp}FQ5g0cag=E0+Z#1bRkm~X?f62bdBBu@SS(yu(!}FT+&KwBV7bx zS>VS`kcrfaqB%8_9#PB+`ZMN*&>N&(`~lkJXZ59b=r1${DZtjs7!3(F2^K=M2TWc&lDc&k>3d?#gNOO8b9QZ+C#RGf{- zh(nAoMBVm~>B2IKRBMZjr0~(BeqICeqnnsfg-B?m?EwhkBQl1lU4;t5XUBhhPKI;C zG@=C~4b8$LGbYA%uM#CS7%U^rQ`iA8o#Mn#p4<$poXJtjW=GNf^)oqM<|wn%0x(Me zW}DJGo{uLJc?&zZ3=YaW;EQdh1M*F{=ayo7P=M4lmZ4h;&y{+eH7z}cUHc)Wl)09ED0iU}*#>KZj94Q=-B)GR*vFJ@ z31(_MQ9t|{4nv43y5bGA;X zRHl(C9j1H|JP&5~HfygM-D>7<92Zb(KDpQGz$;7hS>&g109qA`_#z4Yu!`nTKiX=! 
zZ7K`uVz@JabdU#`dX}+MdJSw=ayspi1N?FyQ>z@_!*RRBE-!fl#m(}}bNhNRI}8Zq zOXBnw81H=@Snm)ns_oafaZ^5?7#GFjWvGQ~4~m}qBY~;VSmJfv2JOIpmdg|@XQ|M* z+BL&9q!SgV3^22(8S59~M#x*yM?ZxP?is1jn>okbt{!VVZe0C_V*}4-=5krQ=Hg~8 zajFVRuNK-?L|ZiW#Cav@P!=X6my0eo7xsv}M3l?a%0Wv@(f1I|dtYol7lwYYxc;R~ zZlLm_xX}Yr%5Z-XsBb8J#O%fgRJl%^XoerHZFOXTOQlYrx|@ z_{>`{cssbdJk8j3y{U8ZBW3U<*g7$5Nl@^hgRir)%!$mIu&6y_ zXqjON;}}UN=1%+x`CtnTv<37kUQ2dfQR4RqB`7g05D~BVT}K0&D#4qnzC(>$tc%0x|oen6gYFKf1}U@NEzZj7G+8Wh$P8rQVF)si!Ae7>})BnI&dX+#0NMmB=TgM zg~7u1Qmye=Enb}Qw4fOb1mrmOHw{6lQ#Yp_RL(7P8)NNUJFuH!Uy45MTRi*V2n4j1 z@8D)%`jhfpipBY|7*8rh!$^`b16k-m56oQt7uPm*Xd=$aS3TwR3{GQI(_DPpB5n8Q zQh~iOOTAr%axSJBr7v9N?`t171pe}(KC)Cq*c+DB9S$H74WtdGQ)$s*MU}g_BU3sD8U<5*?PEJ# z47l!*OP{UP<#6bc*VUvBn5h>7<=rcsz4wQ|MD5MgD@7Lev!G{S~4noP>DC<~fBufPQm`|377?Tp)y;M3$frD`7FhHIseA1!XG~2BWswG&#%P*a%&2@q z+%S{xesns7w7aSP`K0bogy>V3Mlrk7TPY$vRnPi%ksfHl56DQcM(ZezIV&&J0`OM z*Ruia^n@yQfxen=y~z4daAU{Lm4wDYUcR$NbSLoBJP}THL+(zZxX^|Q%*P^l(e8yih53==Wkbz|hpysDaZ^bA2;%CvRwjxU}3)8U_pc-h8#?!c2bsOoo^WW?mE9@|JvonS+Ig)<7FZgxX{|^tQ~qnLki5vLSE=2)Lpfo`#@>8OJO5=6^BP=3b!@jcx=apYOJurDOEQt z4On3S&TD0*#t_6}C+#gD-b>OBvOgH?1x~^pu-RQK5p+p_W-;uxa^YjLV@@hQ2z8z{6(|W(S&vD6~0}$EW4RZSE=m zS$ddkv15U`Z@+87yUaOL1-I4;XJIjuy>Gy_cqYLGV76FLQ&0TuY@_%VYrSewX zQk9a^i}O!cGZS-C;Mg@`za^c_C#`{bBnp_uB^*c{`1~DnjAd3)v->N$(MaT-_>13=6myPJ zjAa_VnEtZd3FjzgQQjxT1}`iD62wLBS+&S$RC<-@-Jxk8pqR@P5y+>+GJgct7xw6q zwW=;#K8wY#VDSW__)zAJgy&qQFEEEGgk(||DVxzD%XANgV$1cEX$q)frNZV;e9o2! zO73{51P&H

bZd`g6Avwogeyx9y?sj*7kcgN5?{6#n^*Un-0Ont8M5m(v(BUVao@m!{UtXNkHec$CMx5hf&sQb+h*^iRx2>C1Or6C;m zQJR!9myN=eyoN%T2l#T3k`gx zQy}g7r(Uz($H9QMq^wwPv9pWu>6Jn|Bt{W4GNYb{obwoFar+3JsYA$P+$qg&I~dNORjLPh3&{0(Wxc5CCujElc@13&IUXWei1 zbk_Yf?K_D8DAEhRM1m88jp>1Z@$pj;u-5G#@uWA4gbLmNx5p}4*A4jU^5ypB49=C1Iz zn!D^xQ5QHXK8pX)L}sb4+W7UcWm*#lj~40rGT@nIAf#H?_{lRek%iKOI8)3CyhEAQ zGrfjnjA}zpj>(jZ!qUpEKxjKYt!>Ta^4W$rTgjEdzw6~~v5;S-Lbqqs9HNeQUl@6h zcdx02t;#4l-B~3=lzX=+J=9(Ei+zFPG!18cgu#sUG*c}F%+DjFu}d@6sKvvknX2b4 z?Nr0RG1YLFU~1FTC77x{U4p4jG211W`UDlOA0b^*3l-o)WK8nHPjm07WkS%ZLIlD0 zz`OVF@9TvkgAXPQk##4o4K>9A(WzG~hFS-xNrCT4BB#?rxXP~JCN%_AQ3@S~ji@vw z2cbr#g?1&gjH!j%%xft5IwBcGPAogm%7RYIZy{bNO}T?ow>nh9`wEQYGIp+^Ge)$W zvU)RMXm44T+5aX|%-Ebv{Q*Y-I>wdg9E2oDN*3cuHYfCk!x!=Nq<{p~H(%@E;?pC4 zv)2RBkOdB&G37?I$UyO=US?Mo=9a2-sS;)b=TxrpVgrk^7O5msU_YBr=PZ1Rti1&> zL+Fh1j1DsoX?}l3kzeb+_AaIfg{zmlipyQY(=K>Q;v^l8Libu<*)FWsRWb4Sa`%JJ}it>`Y2^HmK|w6?o*XaxM7JY z6g#3h?*lvt*rdTU{ld(1p3tn1*S%lfq~+*iBRjo`dG0&Jvhrs;!qOi%bHW+b=2}sq zVT-T%It*T|G`i3*7B7gxJkRRbvlOLqz3$O;T zMgMt5QCB}@hR#j~*G|{UJ|tO@I^7ub3z{8!ec9g&nsGB9T(Kz?h9@NDqfo&1fM%Iv zx~!Zu)?{MoD%3EbVqK;C1~h-lw5H>xyLn0`#gqyFd$^dcxi9$*h3%Q4Jkyb-s@%~# zO;s_f*F|mBvduBqAfWVc#QWME{%+=_*^DV})(B=*S7Y}%a&)Lrur$H~1JwB}tds!6 z)I#b!2Ve@5ACMm>%t<#+4-p9q+*E8luauH&EICaUx0F{{wKTjWWvBs8xd%5$j>xqt zSdV-|GtGMBdrYf$r`f?L4FO_dBexqEY10`hWiQ!`TY+;GOIbrjD_T}Cl5#(wly++w z3$Fl1PKxU)i!~tU#)*DT;;^@KPUg(?9PCpAmo6X3tJkT}g*Y8jhVTY*cRP)#N@1<_&;M%#dEg;o_+c3`03MU zPriKqyW^9uo}WDX9Xa0VN>@CEHdOuY_|9Y17x#%gQE)n;IcFaX6QIx>+#Y-5`Re>KpaIiISur^59?Dxba9zbM9^L$WM zN?=Dd=v?vb%r9W?WN`9i@C3u6qR}i=_o2RCmc1Z*#vSL_>22$Z`pua ziu)K5S#Uq%9wtZFD|c^C=1iPkod59js{YeLQWOitZxD(x<%y(>VxR|YgdW5NFsdJFDcj%5Ns72d?q3-&|j99D>^2ed*g)k}`K@o1;iOKho& z2zRZndsxYB0h(L8*MH$6ML=*WaWvM1E%o_tE?-?;N5OJ-+i`~@f0lBy?M87iLSb8z zpuS`xMGqcezcTRd)5Q>CrbE26kxOgrp9^wErz|_8D^$R{+-k_-+qc`-e6wSsvDjdV zPROI{)u(fnv&1vHDbo;AT+tI(F7&Ehxo;gAt`;ZR7s)Jn#E|>sxEAt(tRG)u_E1Rdb%lb&Whe@Vzdw4aP;bB#L>UW~!P)8XrM>p{bS8xuOlkams-v&M 
zqlSLo$`jJ56}SYQ(z>0GluXEEE=8GkNscY5*ch;zRX|k9#yd#7*{2KvwkW7u&GIVe z%x5H<5lk9tQR4q<7(IE{2YUw1)y;a|F?BCCwK1HjZMsIhlSXIA$Pn$(R76B zo1*oX{C*cF3TmCXMELne`Sc`*wlQMG|CIl&26*3FJbcYmv#XV>9|^w)l8@d(pgand zTlMz_#e<0Sn7nWVi)!RDWGc!M(>@P8Eu@R<@$DYlXmw~zoxM5qf^F)Q_%#KpFg7Hm zjUN1<5EOIORM7l*jGl^$@ZeKB8Cw_^h}wK+0kn3_z_eD`JIgYXWNc5=h*I=J=q23P z+BlqAm8-UDlk&F>tCem~cmLk4XTp9!IRndK|DEuYRN=`;fhIn3Kd(KkG&R=eANm8^ z0=8nY0kk5MMkbNTi~1?Af|jM7+WjGO36pMeU+6Ch3Y+|lt-|l z3I03I&mqNBj&NGR_xQyZRp|Xj)W6=K#&#f6jq^+;s_3J&ocKF`zD_RjQx5w`ve8V5 z`n28bT|LDUZ;0oEp&f6}V&ss8e+ySER4;=5{dR%;F^RlVZ3&hHi!b6aNbdkW9>h3^q5c`cU|NPJ^FKLCMv|>iKQ>%ILNrgSTUu<6MHku-U2KK3 zu@x>)H^M*W|2vzt-3;dy6H9!nrNU?!E9ma=zEnd*nbKYsu1;ox&V*hA#(}xqPlns^ z$w7@Yb#Y?>SO zeG_m?EstvOM;*N)>WjO(HVeVIh0MH#Vc%%&V2ELo6 z-Qi2127?yp=g$q=2FGcK)#mrf0kiR|X1!c|=8qlI#)qRCSE+mr-Zrux6y}dq{Dlp2 zRZoRp*8JHGDKzJ@K5MiOvUG9t8o~sj^c&F_YA((!F4+M#*#qWO5Jtf|c#g8rGN$K1 ztiO?+Ne9Z9IV;G$p#Go67RPb3uSU*a81VaXz*iW>ORnW&5JX|*hVZVWPJW0%CAJ3^%%QRZ!O~f?OBfm5H6Ya%z zjxgpDSLf8(2(si40SN`+7eFe(i=TQR_I+rY(<^TSN%KoXpC2<`hP8=ZZ~l6-MH17S zVZI#DzJ%ETdlP-K_?$PdZ;$Yv;II%-PS zF`HP;XDIdfSoe_Wv_k++Z8Y}R42Y|C^P`@2e2>GRDtWA-=0CsWo0jeVxGS;+csxB= zm;pS(k9{xre)37fgE7f=*aKAa^fBE9#tg3K4Vye1a^tg2uW{gEA5S9&Pb2<_mk}B9 zMi`}xYV{Awqor}E?U?bOpcdW7xE!vTEjNM%B@)Wmrip)NClL5@qI4iDAmpQ>t7i&) zvXVk1J33Z7;e~+apFa<+Hi^@VC@|-uBZEEcF7Xml>_lXy;x!#v_Qz0|gXDE+hj{v> z6^9%g#wX@5r;o0jC`R_dhr>%i7UJMTFtwP>dK!%`Hw5Gfh2XCO z!Z?`#uusPE>PGJTs|Y!SzCtE8OKDydUObul%JFB^^Dh&5*<6a+I)#aTbbcf$^L)(F zVn!>n;E2%VxZ+54QQk?W9Q*g#sM zi9JzqDO*5R>p+!qO!yT|V0FuH*xl%WFs5Wn80ZPZ=2p0>aq%BI&eGL4LhiVQ z!9fAn`<*{{!m@U_%yc3VBt77Cf3DQ&VUJNWQ&jm6BC4i?WGo5!^Dg_lmSS4+=|)2kQYrxd06W(@Y{M@XDOqF;{fd11Vlb>hMe8 z%5gN+w&$;;`P_{129jfhr=XsU9cHvLPm5P*Rm_3kHBsRDLbMFw@Y}ep=W0p^C69+#`~_2#WW5l$H^i=|NV*j%wE;pNIn9sruRFODZ^lZ5cjW z54B8H)AFoG@Wh&vc&2fY`3a;=M1a0so*Vf7&nsOvh)(4RJ|}96{qeeA$Q9;>K(O|g zFE&W;lpLEtlOs9V-V|E;EmbOalEqc%Xkg$49ez!G>ScXsj9R{fJw{lQ)Q(}C?c#HDJMz5@rXb>Qi+x4jl2ZDs;SjjGgrciPjcgJZ0 z+Sa!vXROUMC}3oqs4E(Udpdr93S1RFE@=xiMuM602rc0N 
zWu*A5w+!WR1@aN=_XlqN5F#T=85g1%Nt;e1=b;vX+Pf?iXtFh=x;wPC28A29!PXUb z(QEBu$&8w|OIRH=tHe58zh}SAtA@I2Gn`(>J5?c>{I$cjO@iBqmoJPmPpH(~;7&F? z3~D%vNiVm9|3hZ~EuF^^yJAHE*J8b7*FZBq0GawYkhqDr&$alt0K4-rR+UYeS`=EC zyvIZ04-HUZY_uyVp`i#wtGh}y{OTAZZEE7P7xSU`+6(7H3VS`;;NE)%Y zQw$z4vzbJgrJ!zBtFaFyl_m=7dh@|U3d^)J44RYs8i;5n^?`y+e7Txb+9;c~g@M2l ztLELfKKu?~+H0tOTfk^nsrvrm+q|QeDRUH6R-55@F)~Xmner2_4u-@#5urP{jW#}! zd4Bkk;gdOwZV``dVucCeGu9;GPUet$Kf@8DnM1b zFvb86;=B&qp>pJf>T1o`L648oX9#Ut0uEK#aE#f8TMeFSrAArf=?XLxxUCxmz96SL zH9P$^KX~in;H`tBhd!+4)y~cfaQ^RXdGMCztDBd?sOBXa>q&F&VOn-(t#u@7kah8b zg(00b;4hSu58dRZP@-EYrg@TcCz2efqIHtOa3uzj(Zb%xXmexxYBoCWv`-dNQIc}g zCX6v0OQlN>Z_g{|u5*yN=ArrCfa7-*sP*VcI|sA6rj_#=z3*(r@KaftYxN|ht*>=% zVkE?Nkj5KK=a#xgz`ki*vk{T^L6YI_?lRfQj>jHGgO#k5?>m-tKG4i$QD!zMlHF04 z%?cM!M@92VsQ@U^X5>!=ugv{Uwba$f3o=Ng)kv&NCcW|$w25Q1nFO0^(w2a0Gno%U z^ny#2LBQBa6eJJ#DYBb*&W-dr?jPN;Y=4P53!VkNJjGuz~jobC_l~d@9o%QQ5%q(43()DDGk!^OK>qZ&lD9Z z;wGP!DT@_zQZ6c#<0_UPX(;fHD{e)N{&85|l@af`Y?SR?CkJ(Vu&Kn^Xr@LQcRb(z zoBfV%HFwF^Zf5b7O2HIK#zh5GM+gA?{=I+v_(3O^!+U+#!~NHZ?o|)L_rV`c^eosk zR~FG9f=Rbm#7@5%Rr!E5FEqU5Fs%AUp1FKj34Vu7Hem!;@sgl-q2G=e+JQv?STF{j zA{mPLQ-?5!)3Gzv%jEQvR0KMter( zpENFf@ee>;|jfP3IYi_6az2q~+ zKW?;oRI;T`uV>oboT;@_hn4>h*CuM5Ue_YVmxq@OU8h^76+iuGm1>=g&#p}UVc!79 zdOjM<0KdnNQ?=|b0AY^TEI@7N_>Un(Yy7E&y7M5G{AO&1Lf+lJjtwYPbP@+FAk@#- zku*59%&DUxvnlUY_m`p+%DctFK*8V+GXwbK)eH{}m%3%#2@CFg-J8Q<4!huzooebio%hbQBK9blSGE^0aT!j7(Va9M644B+DX zjUw4UZzk3Lh*2LV_eW*Nlrk=|$GVYdSVVT56f z*~1U<@eQxGD)P4oVD@AVJyCqI($n9&;^2}bT;5@?NN?Ei@)wM(?Q{ZBit0hS8 ze-vQGq_);*zl+fe%6#Ikd0y)0%lWt=D4)-;o(BJG%JIlfjO zy4q!b;%&VthdCO*vPhvzW;P7px)o{2t{<%HvDTe58bqSD@&EfI5E5ZXje;jC-0sO*`buR#T zz7M?ti~B84bh!tC0ozpRyUBkp!-@+YdD0$LK5iMKcqb)^yRq3naBDr%1@!vB*41zQ z^a?uS40`y2!dVrS%9-mVy;iUYMn0OZTaJ!%KP^5#nDCsk#=HTkBAM>d73$Fv<6m;JQd^8k(f&B(eQQId&Jz&8 zh=!dhW?G?6X27nG15*{70O}FcfoQUE6}F#qVmXKon%K1Rh_(u@@_~gBxMcNz>K?OG zg^mwrJUBMOQiFP4WIAy{Xxr(;!u(UtH0PRCGZ5>lGi^4u+WjqZdV{%)k)gAaqA{9} zg+(!OwXUiU#GTR&9X;8ky@CV=VSe~mnO5oL1(wF8B%_Adm>V1@qxG}19y3c^=q=xc 
z+N5mAEi*q+j*bk;jc0hg5Hj4DD0B9?ipPwfg6Y&oo#`YeT_ZbiX`H(ud1Sg5;k9|Y zFBaa*2u#48?jNnyQAlWjMB>W>4EY^5@|SIsd1E`46O+_z_Lq8G!S%*SjYk+Mh7?Y7 zv`d2SqM0QS+ET#T!u0WsDH0;dS(BNf>}m-OHx`*m7UH87xKi{P!iau;$AkbNL)~mn zOXamuD7ls#WHXSHCIYq;rT`^yG~mKv?bC>CQfPema+L4 zdF2)L0q^e_SzR8GERuO}(`5zXZf|4G{JwdST&d~3%3r%XVe{j9+d17HE>N8BUk8y|Ve^mAz05@fzcwiqz$5r#)~(&tp(u#`e2NS9%( zdvqs-TwcTb`D0R~ph2qoLYmZm%{VP%#Y0f0q|2IL9plhRO^4*;>mu;#gEl;eos{z6 z@Tkqf?K;ZzS9u%kcD86Ae!!*38V zKg?;4tui~wFeq=I5Ytk7KhfmQ#`OYzVjgyzc$bO4F9@jd;hfK+S0DsNIpl`cww}y) z=hRWJC&Ax;QBk&Wuypa(_S^Ke!H#HI{Cw|C>`y)I2ZM2Sp`u%;{Ii_u*X8c^_0-;> zw%PSYeT|CTSn>rCn;h=Xe8DPDG15;_A-@@ab8SDF%+Z6?h+kGw^n@gZzGK86Zv;6p z(>{?G!wAe)%@`9|#gfZhebqSyKgX9$6S+y4dO6|WdCQH*@&5R6`2C>c?W~^m4dtdL zgCn&-tPoYDt!<>`qsYltYG+n>lebh*C)`K@h&)5QWD~u)DxuX5k=1&bKY#v^l0CBm zJ;x-@tMa>rRM60E(**hZ#Q3Pi=NMth+a0w+uue|SiH8k7GE=f{l{|1&q;JoB&{=o) z1N(jQ)XRMWtr=&a(G=M$xa<38sOa0cIU;k{e zr5BDmS9Wzch9ntTqtONp8f}=f`_+;<7?&;@s+RAeh~ zb>YV-4C6Zg!REB;`m@D&C-Y}mhRdpJSpCe+O?fgI&Xrq}cHT!P1?KAKrlX)*^$X4j zUfK)9FC-FE=KXTORjAED=*K+bkX$moVe^e#5G5mn799cgVl?}G2l%`8Q9My$zCXte zy7-ULCS`?!9R?lRkl*vv#M(P9fpDEbI?g{&I4}_6!b%hcM zz%FQ|^y@2~=tgy<19s1raI#5k$p+!^sYl4}W^j zl8X+U3I?#pfeBLdK;p0aOsqtk#QL@a)s$1Ao*E+1U|a1<-#Yg>!f^i%>H7AgP^ojj z_SvF4jXg+@mCRx!88&>CjnyVjVnWE41yQ1X6^vIyCSDwSs!Y6m;JC8THAEfF*$J-c zEB=2NX?BGt-oK2L9iaZrNHtP`vlLZ0d$HZd9~D)vro=wMAB^qzzI;k!CSRf7#{2{bm_FD zqj~Pk0q&>oN)qX{%7hN?NOqP@RB@VDo`c;{2YmB6Q@bM_jz>}~FL0=il;sk8l9D%YXh@4x` zh_DR`y@yUrqgaoBmn1;RG{)2sK|GK|XIdHctIv}k^#S0FAPVI=^_%pMee)0NrjO?O ztwSbN4{YkY%kOkvut?dBcyLtug!ZZK3wf$#&}I#Tq(#NSII{xSc6K-4@XR@q>v-}$4V zNXXRgyZEVYkw)YEy1Z`&vzVwW&o*uCO0%IeP{{9i(Zkx>h&NgnuN$CrDSS7n+kobQL{+>AHbtP< zI7mC9p@Xqcfn2PDUqTLGlM}ObMEe_^)O!V-(ZYs2+`(38NSr%pnmPN>syW3}YC4y4 zq6GSyF*EEh-nnNF+gr7*&$TXH$Dw$W~o3;wZ!RO=kcK+Q% zeCM*&<5GEIo5hj)lV6ArgWEZd6lB=*op7_TfD|VsWh5tnDUs(I`u8=AMFNeOR(p^ELxG& zyx5A(y2=`uU&@NFc?Q786yM7ci?y|KfRD3B|IUKZBD@{jYZ{=3{|Axc;(jAityb#l z5MeLk%%R_2=q%>@%I9;8mJW_?ehER57P0Q=HN3&^J>Jh}k)1wnu=&dRh#|&lPi`j` 
zBLt^(57}_v>uLLOKeM%eM_Ua9e~u6$)ON0M;q?M85i?504Ab-t#L=XU6VRR2{q-SW zq3n#$OyM}0W+?OY(pe+1SdSpn8CgtKMI}k&qe&AaQ8|vX190@D#>EAOiXJU$3jG|b zp-bXqV|#q>4pZ@0b!gNv1?sWGgx-7xoCL#!qA8?!1rdyqrk!x{*EYawE^2kuje8q& zZrZSkjr?xzq2X&}a~Y~R*pG{ey2N5f{Sx61_yQ1k?T%;{qTN}RqyE6b^Wdv2PTpc! zHDRYIguQ1yTZ+?xn9sxIi2Aoc*m1HF-ptrTpe+YSvefLv9##rzABn0M8NFRmeKoC7 z=^_6tfsMA*U+?krm~H%^Y8BAV*3nz&$F7~GeR5^>*sG_cU#8-#zM(^72qK$?&8+QG zo}{zT_^22}u}@ISs5M6(L%NtiAINkOoF30+B)Ei4%w&YZm`^^PQZjn&cFV!aE)_j4 zuRlBGX34OTIWAZ5;gpM+QYyS(FmKBH_o&_-Jf#Gh`#rujb#oAqdT-7|Z;FS^ zYWvKJyEt4^@JnVefnR5-H*2l7egAQg)SX4_gh-Flyilh@U7+lwIoo#h0E3gUm~2)w zPy-6?74A1$V8iEJOWfuzlGd;nArIKo?p&^nje${nLeUaZY7|F)NW$b7<1)DNvvrS5 zi}ei_O+H3YS+ch5${VF2(T#j3EMED(7WqEr`}*XDKl#4y@PF{Z@8APIZ{)%NcYYtk zySv|K{5?i0B_5EauG}29J*s(In{YQU`TFs3)&~xnD7g^e z>aGGW%+mzxF#I0dN~Wpm+!KFEQqAy@h7{S<-SXR^7cT@YQcxl@U(-=Sebk9vRj=n& znl*|)O0MTjROVdb&g3JeQr81Bi_-<>$xAjG-0FG7#T&sao&mZyn3HMr3Q^GV&Vw;) zsBX8*{*TrA$|<(DQh{n0K^_=r_+|ScdrUd?3|_^^8P!!!J!g5cY7e`O3WLd@Istw= zg~LhE&R$bKMmq^$2iBA24cOOM>>V@mV-v3|Cie|~$B1MHwSk*omR|E|d25+L1PrD; z=oTlQhakNcW%|K}L*>P<(t7c~g@BkUBuyta}1%QoXu19Lo4JN^ZM( zLAc)2bEi6^e-NNw*GvK2V2h4C?yZj}vwkN}XyNr0JM~;X&9w3NAg_KXO5V%ZL)iqd z`of$N8Iiydh(UEd3*>@amDMko3*kJ`Mw^%5AKlrB=2Re*zG;y}!OA!LbN2A~ou2!t zQd!eN1cUcKbhY#Y6ZQCWyoRF)GL5^=a4aZ4SGrN=aJucO14Te zM9c3R=C=WFie^#21H)AmOS((wtgj_>C-(=sM+x!3ha_w&?h}I*C+np%ixwz%dj%WA&Y3D$z#%iQd3nAQ{ z8hK->)sBw`y}hw9=|c=Zp9MZ`EZ7*aP%>Me_%^$gDfW0HkP+gRAQAfG1g70P>Of- zF|!493ga9;wuLzwS~>$mi&rvvc^^Hhg=9aRzXc4L@7;l^`XNlLA}d$q zQ*G|(E#q(y7YTtL2!@Sfr&o8H^a0JqLc=|+!5TW9}^7{I-dq)ife70@{R15)kvR zDjO=6hDU6HnHt!P2i&+Q!SO<^QvddD?U4HjDT8s5lK=dLIA`C~hyL1lvy+kdiT=(t zZZpFfAd;R^=uCbq;m56hVeP8RvTPY@hoeHn^4+M3cqh3ypSl4V-=DRYC{28iyQ%-v)JH{4fJkDQ!h!7L&a9vQPMa7*1pq`E4_}2kkoLuM`ztLrKv=p<2)#a$! zPXc+`2!OUe|Fes}fKXaei{3tj%&WU$7F&BNCRz;%IgzUvr(%Bn!eT?rih<0UvbpwR zq5?YEH? 
zShzAvOs`HnJ`KoQ=6z+l(jYEwX)dI}1l1`=RI$d;RF67LR(<0u`(pQu`tumwI~5P( z{D`={=d15ho08wf%8^z|=%IMXk!BKREas1ekEGQX(is+d8-pF9#Sxu`Q^LF*LLfF^ z?>d&-v(%DWc?2OHTcO3*s31~zS7an-9xJBh2cXYeSz14jo6)9zaG|h`YoGOufMW^{ zYz`N|48kr}@9*?}XOVhBWYw-JvQ)hLx`^)u`{_$GFsQ9_ldpDHsB<#@t3Iip{Gj_Z z{#Bn4R8H82HuV3aK0Dp)&~clzu6Iav-;i$?Huf~XV^pZdHor#G0<5|6@QrD6wwq-( zn`0Z{RpgvFi0cqZtkIY>i&j4tsJLv63D;GG4+1lL1z216d3{Quvkn2|U2R!4mjAAd z{-i6~r(9Xm!UgYP#*{-SIY;XsQBwwK?*TwF~q9%Xp43vr& ze1|I;X^=QBjD`?FhpCJz@2P#vUIM+|v^Kk9-U*+q%siiqko6FysXKvGTwPO}I!Q(u zBLZjkm|<>ClX?B?^&BrdE$jL_>fUJQ((>Nh{!8}Td1gsn*>Jb&@RQE93w{+GlP%@Up!ae(16wEZyc&pI!NM~}laERf) zpe5oMd$#5988)uYf1~OZl`AtuKOufvic){}`Es4mmN3UTXkWr=dnmF`s${pxdVz4%)E$ zq=&6>Pth6E&%SaK9yrX)L15@1WxxF0WU;2$&P6mOW7ot*hA&27z5Egj?iI_>PW&q% zr&zJhNPEXhopn=$`iixDTNHDKYCSrHHV@Y7hBOQszYxmru-i#(3mdq0-_IbDYjxTk z>P$uO#5Xci*vg(=k-AS$Cb8379MrbrG6a%5>M~_6GYQ#bx33!7kECVVmQIYQ#rN*Y zf|O#xL6>z73Mj*+VJ5Q@%|<3@i~@1+@$rL9PhKi(yNL*dim7+!2jO=s>EylxTeYQj zx}Xz>qJ;poCu_bk<|UrHo|>&Ln)x1OKk#%K>RQVKzVEF4s(+_5gbSR7@OUKA&Q{sX zh>#dDvxcWsu<4LwcsD^5TfUQgYV1Ga^Hi|Q9HRja>_}_%`D3V6_L7URQUlfa z{`b-v7G&(d*Co7SnxAVLf-c}8-rZ@690Npv_Md!yiwC@m`#*#pJ*6o`2hxDW^2BWf zmaS*UC0(C{+Q7kF4g|A#FOgEs!LFa+ik@km?o8{!6Y~ULGgBY}=l01MTa7+EmBw0j zS&21k???^tQZP1eG>_}tr$rCr>BMDY4d%^p!y08$!pk7*EbBwhgam#1Lm}#q5JB<;|lcE+B2LqGEiBDt^}qA(T+`$m*I(5qCSa16e}ewl40qhR!lDf9Ftm5b(nhpN&~w zW6aMHenj_|P%nhr4}xWX0R+lSfvpk7#!RQjGmfslq$61@@x$uYVoH+l?btXqB?Kpo z9d^cV=!x4$R*mScAJRLtFb3UwcpYxk+7Q{ks8^pX`FSRJB~;S+lc|iHf4oDEiDKy1 z;*4mTWWnD)s_yrC5?5JB=c?#~Ro=CB{gvWi+sV*%fxyOfd~^W{0(N6*%sF8*jpzb< zBhu-EQns(<xpRdC{yE+&WbvR10RGLL45_iYw)W2KKQTkWKK$9ZNQ1Klk1 zUDYccUQ7Lpsf)i7adT~$oo2DJ3w9p%I$6l@n|1oehxNQgH$FHV?^DX}3=hX0i>Gb} z3-ZK9;b^5%k@kgc$(zG@lv|R_7xTsN-G7gx&^;I#R%@CduwKH-Wr(fmEo3#ZoUL;ehQo^+C{m{fiSiOt?iGxz*YQ&rV z*0>q5TKbE}Mr&zvqb^mxh9|v_BE-*kKNYMT&gYIE_%)L`q0o||yK7Y<2*v%;ObXH8 zz11cW(&ScSA_i%N7P_$)V1_ZQrSwx>kbVHyt9NiKMmS|!hosboq(oP{t?qXkXGHmI zW8`1=q$Xj{NSZ|5U@S&ETg;@>I%;yy-SR4hur~%O;7hNBv0;Wx1%Oq*Fp*Mjq4VEl 
z*4~jMBnj@+a(t?#dV%eA92Kjo-5Bfb3;)hkVV=JX%StRc-}8WZRZ+Uj41-0-*m8qe@3 zD%TY2nbD(*#&6@Px~S=mwTxK9cXAkXfCL9c8V$=6AbNJb`e`062)e=dOOA2S>5gkIR0_EIQ zquZ#2e%eqQ1n=b!VfU)RxZ}D&OzH>-v$(Bt7SP(OdZPgHBPJB}4v)``#y?2luBaIw z4l$Xe%8LIN?F8-nhjvad#r<#ES)rOY7rSktNnGo_cEe89hW+B!<&B9JSgtJn023#a zcY6gz?B*WEYT;P{6E?rA%oyD2mN^%+!9q8I&OQ~S9I-8vk&ptic#J5xP>iYZwqci% z;OW~U3;v3&Am9oq%IdR7g0afnB@6tLP7c%oMvTwUH=;9V-Xt%uDMkuQ2WI_5t3e7= zCCQIt-M6LV?x#nG(%0se?_b3wK%J(k=SVZ~7OfTS7SgPO%#n@Oj|u>ZOC&UBQ9Pll z+WbTGBcCWSMCD)C8R=T|Yf^Mz*Ab z_VFVY!A-F^iS+k{2BcwPN)@oC5^Rz1(8S5SlB>}sVi|Go$|T6P>V{B*vF20nK=2@} z7W6Vb^!Hh0%;&^4XQ@98IHuMGrZjLY4yRp%i}`F#3z;e=n+pU7(Dd$yA|iC@m|-NC z%eoZuVuXL4$4&>=YDAix7U_2jwj>*a*=vB_5o=rC1vO1TqD?h2Q%#do4wX*Ktd8!i zQE;z@{i0GVT?zCRuraEod-oDxvONl-VlD2!2`=(Rsp!X@p?1p3M$H+@kfxpu`#Ymt zMb)_G59}cF2m9)X;=6@BCD6sL;akRLO$~{%mPzQHw3um*qu4dG%3zr;`ktax*I(@* z|G5FgYb&>xj`UPhrjk|*&4I)s_XjYVpwS~79rMWmnKmVL_Hxvt3zKP)J(g^ zN8XSYq_y6*)otB1KD#N|Tc?PC_XtJ8B=d)l*j~Lg8bklI&9!vQZpQe6v2p(1zg|=v zRH|mZdU+pT4w&w(#$oD1NyBC02$jSO8N+EDWEm}I>i}3{h3rl{kkcLOviSSTKi;0(kSoaC57vkZp1=q zmleJ2_)IC*bDs0V+g3i~nv2^lsZ1H4LIYz-PMI@p-oo{mAvP{9?z<)m1b~N^x90PC z^!_*5w4dAE#kkq9TrRKI-QoQUhvNsAW9M&FTX!g%vbW9K?BNQ!D`bxX6zJfi zEFXGle-11AdzO<7GqRqZT_PWWDJYwRg-Uq62E>KXl)YyqQ*%k!=Ca{IIZ1mJM|u`} z`u}Lu;sJhck$*I*jnNO5vVSzHocDhteJ&<242!b##>AI&$q*3-4l5^S2WWoucWD2X-jZ6wDK)dX^8P4r%2cZ1b&y_k zpzZpF(y3d`&Yee$U+|P0RS>=0jKy6)ewp7U0}D;7-}nV@1x7Wk3-_Y;cThb9#>G3e z(h4ttdNNZtr+-sh;VNc6YYWGpYUmxm8>Ko4Or0c|m^p`d zc&2K>zBatOzGv9EP6Sf3suN9ku65rz*EpsK?=`EPDa)++I}>@aUYylfufm1dqMX#= z*3g8kM07T@RS1u$cxw;eR0toQ6sQvovWPBmr6LVd=qRz64qY;XLr^sKS}KR*-=MC* zKDuutWYI`TvsNRYKIwNsi|gV$GLBR`)y=^)8Og_Lz6#wH?{y^v zC-4l5>$CN;yBAo8ZE5X|Yi5fRSo-Q~VsI3PlJRqwdRLi)aRE;_4W1V{)@p|c9R_Y9 zQLOmqnE|!m+slA85|qtCL&!Slab4Ait-ADfQJF>9jj^PomH2Z6lq=k0E~yjVdR`mb z-g<>^vb6LL#c*ft^Q1L+lzmt~|6N7Y&~Rz*w+zJbXRc z_Z{j8Gaf4=5PbXcJop^Fz4da31s}3X^*p51hsp~Bo1Tvl3Dh99i=bpIsn*Y$)QjhB zPeY9_AAh=1JILbQmG2{vlZ}m&z@K)B*eA<9!hEhm1zPu7Ui9KZ?O^>8=z1%^V}VzC*dbus8V@Ip 
zVI0{VZ(l|{sHB53S3^0-nX`&w-Tii1wnx1tOONsMnodtkmUQ|Ahpxg0SQ=<42gyjS zu00aw5s3F-jZJj0qm&s%<2uPo?_|3`BagEMa|88SQc6ME;J_bt2-NO{Bbb*wUEJmZ z%+pvsEkquI@@QvGFm14Cr7zwxN8OO?w9of=;VUZL*nY)V3j4*Xxsky^#PFQE% zbXxSoHY7ocK7~{Bgask(2O^FWf~EqFiE8^wzm`36uDh$}(83)N0NTo7+fym(bASj- zd(6Us6p7mmZb}wj0?F5St^Z=Ml8u)KTL!6I5xwRtq;`FMJphZuC&iI?k-y?L0gL1b z(Bt{^ajvrLyic-;GOWW>sk!mgai3~tLhh`uzA~uk36E}jzwDEgp zY-%zrNV%cH3eGfI{&g#KG}Wr-@4q`30odlX}8VA<+&+cFF)Zz^(igT z^Igl1>{gm}qkNMU*)Bg>m+MiQy%rbgF=aw;sW+A*bO(Cjk$P5pbtI^NX0Gb)IvxUN zQjgD&zeM<*(GT}oxg=HGWXCzoGj=m^qOxSY04#X3@WQOg^- zXt$e+EyorihPtinM@6N4$CH^E6ILG!d>pc;oK%p;Ej<;}8J|s0>fnD#ClN=zkAGZ@ z$LS+W=>Zf_=9S{|*|a9NhxEJz^KHn4Cc^MP&lcsV*S}-bwaryYJ#B@zf&$n1v=}akWwdx8Ji<1x{ zs`a-8>naBwDHVo(!epnQf?vlllPdv%NaJ-38J_U;2CaAAk&UhFV+xAurQ-f);PJeV zCt9aTdu7A?zgSKBAHr!9A@kSv*>37ErOS7SOD6NA(QfB|>wQ-qE&ut>U+OXB*-g!# zCnS3h|5K@eq~FB$Cq;-;x+fE&^wJDAL=9W)mB~lw_m@Z>HbvMMS@?t3!H#P`3b7Xm zH5|RZKDOa~4iFfS7KN}}c>FQVVd6RwOjF3|@f2habXxGWwik)DLC>{+^l5$u|pr{^u&7W3= z`mu|}zS}yqml*z>1;AMn0R6*6Wg|J+qP}n_Qaal zwr$&X`sDr2`Kr#JwQKKMwf=RlUb~;?zLHa*&DjJ$84=7l>OjjDiZkax?~r2BR#%m7 z3Se2cEJX5At-7hDFW!Ny8V^p3s?&}ol(8l2{8TLWsj7)XxaV)724pNE|HMbWbp_RL z@!z&c9s8UF0!``~mRGSpe=T#V-iBhlemtZhf^LHEyf-&f)u1)jWo^;sPa+kMHPF5P zbdjO8|Bh!{4!G0M2|aV$FYOyO-30H4>*_ZDj`Gt6}DMGweDZinn~qp^f9>GyT69Zzh>MhnWw zi0jKH@526?SLW@Fejj+sz$CBn!s8A5#St7ysieqpf(7z7Ft~CnzpLF` zQ#`(m3I583GUxNZD&nI|ag{vtj+${5Z|j_UI(ISWU1fJA!=t}4Q)Tu1zAu~y(~!8L zLf7B}UFX_sObl>zK&TJ**ebu(;2_l~6{mC25FJ*`^-7`4(f<8^>3{uCGE$jr{i5 zxOa%&I>RyI{PDXV&-w+G73^0J1Z3D((179hN>HD|1)wS7+4x&;_vtCc%)i=Oo(T@= zVL6`C6;CBsC<;SicZ4Lm%ZY1*?z)T58bKp^lw+WOq0$+v6}J@_&MDM#GRhf4Eai(K z9rqpzam0p-KweIw>ZjH>81Gty=`}g@Cjjj@y`VrZ{FBinsVsrwp9IZ{5uyznn)oVt zY`5XE*-o&Mpfv)nB%0F9*}@_(%Qj?r>)8!f7tDjgP>`?hD*`MJmc(CXx(HO_Cw?PQ z5MIOWN!Z`YfkVb|%OL_U6v!e(NcM;m%2c9d8IL4*g6I>_aSb6ryS>!41sKRkUMQty zhz-b+a}uYG>_A8C{<5hC+CWc*;~cY)tj zQF#IMap@k0oF)Y`pR{i`zZMlt-?pG`YSOJNPc%I_`Xqk#x*ztguz)(z*7K*TZmLjf z9`d>TO@OzYv>;2Gb!eF2A#~E1kyJ(l!Of@yS7KNJ`w-AGKUOrzd(1Y`j1^@x^4lW) 
z2_`5B4C3#Yj3UNxNX35P8x!WP^FqJLL;&SIS}v}zz%?K|h79L`{qk>Itr+h!L_F9} z{~d_O2!RQCKZrs6cA0@+iZ*U@Nym;eNEFGT5^X&qVSYNyDvDS$a&L3-PW|Fv2ky_9 zQbK6-rZY3St)YGKtER|e(3>c+Ox%F&MtkwHd-|7gTNZ!NoH+4;d-nn9(|8|jJRnQO zi|M2z(`>BSCP1WPE?Zl|LxD{X#x#n`ndQ{Dz({8**U?s*KjFY@Sz>l{N#HycMd+bA z@^C{{2hb@S`5IYqvZS&90ISnlFtG{rk0iBihxd3hmVd0Vw??z!tx#qW%-710&lm+k zVU<|)DMeNk7&j?);My%lw8SXPi@Ti<8BPBx0$ILqZnLN?w+zsZ=4KrL-kFT<n4^VuKsF*^}G6P>Pw*s z9~+d|(F|p4nEQG=QyXN;R@`+h&6}XdQ=APuyw?dwv&D(rJ?nYF@tl{gJ;kGO0ZB&V z0H_f%*Z$x9Ir|xkOyTi(z-**I=uz*P8=%Ce%9~cH0Q5i@Yjms%@m>N7l~V|0{>Of_ zM?GXLR)-OEZZqj)N(^k6_1p~cQP2=4G3JBQP<`r52b+H7xNF0rJNGjt(l>5Aa;0S9 zV5AFWZqPmit4hu+rV^v(M&hxx4z_n?{&6JU@wX;*(H<$^0tU!q9w{f$@6Y|Tg$u;A zvYTl=L#Ugw@K7uTPh2g<=$xE`tPaN+;xwyg7d-~FHZGBVnahZ;f*{%HAB!}+3woW>67Xb}#=&WU#8 zkC|z?4R%jdSe{@7+`cN18g*&VhAZAJ(i2a(;|`!;Jo#lz)7=eH2JD4Z#C)=q(TEgN z%-(29g+b3e%8+|c+2hD@uC@`Om=;_b80YMR`Y_Ji*wi(PQ@6i;HL~s1UOO4>!?>Be zLjwp`qtLK{ZyF)@Bc^K#BdQ0z9XYgnob?$TY&@nXXXX8EZeu0#!9Ip~hxw9Y5c~$$ zeOx`AUEfdVUqeSWUf=5vFJat%)SY(j&(u-}1WxT#$WHzgErX2y<%FR7v_?~PW7S98 zodEE0@v?UzC{-G|Nt$+9CR3X?EG&Am)zpbpTcIeu7_kc{p4C(e^i5USPdl(sN^#dQ zu8GFPMnnv|X*xT)?jH7@8c@l3xR&~WdEb(f%PR4QqVz4Ngi(D_>u~EQ1BzT^=`{3d zMT&p-P0#1*H%oit4I3LyL6Iv#;X5OS?Z}MV`7UGQJu2z-#17Fo^(@jc5+@PbQ;EgJ zDi>8UJ)WUu^Nmm0>hka>kv7r6L zOjF06_jPB6Y`QdlEuXO<=!)y?hnuE{jB&e-SUN>DH(`9W_|EMR*m^IuaKqkQKpUrE z(H}TKT@Mn0r0rw|`mW%KXIMfprm(Gw?g3_L=+)C^ascO&e$PEvRzNsB%nTjz?GP;Z|*9$D4r>W5B+X zqsqxzppQ!4<%LDVcYsGM;EKr)j3kKmM9B|5z8+0h&r;1NMtS{BvX>GKLN~e$SJ|>Uz`R972fJ#Li~9sWoN8_+Z{K@C81c;bW-X#j`Hd zO#!N}#3P@3HMI4mS#d>ZtlmY3w<|jnn92i2lwstwM3<8^{8)bd1xRxzA@j&rhl|<)-^vXCdm_(2Z{6GN^hA=H#;Et*T{%x9WSFY z#4OVVy(5_T#C|7Dax;CyB~Nrk>hWtYHt@`CtlA&d$3l!LfnPg~!WP3mu2Nr=d$ca? 
zkF!?ExaV|^-~PDiHwy7QsJWpzPXRK*`F8LezYM)22dV*N1-_$1;_RoQp2w=NVM}%M zVJ?0#tCJD({FbaC89CA4h}gIBU)*3XUUI>TMz}p@8o69i%Hlsd8l2)!!{V0?Us(W; zA~hKb%$uvpzQ>P_R_OJ0>9&xd=;hb*Q@?#papP}dFc<2GJu*kRcpi39$rPqJH;YV# zw;i>MmozmXln`#UUWA=gQ#u@gAblM1xA59iB+;GJ@M!UKR-FyvbzK-b?KSJD8D1cY z@WofJXmxIH@7rMEVH2!+6y~o;gRmkg$X6ML%c`7+TSXL~X-P?1p2Z((*u{shT2# zrG*Pyw$1W&VTIZoNL3U>r~L1`=jU_CQW%`@>zPn|;9`xc`rWlUA{0V39%nw7@?Qn0 zi&s$f#Y48VGUfFiiBXlbZz?4An6n1-Qbh(NO2%4lP1SdDK^J18J`h8f1&fjkLTlo! zZo^tB*g=;n#)f1$FDR_oJK%?P(;*B|@iX){+)T8E!HZD%Wk9H;xgF+CP2^<9_^CfI z+C!7=$|J3-9`LjgDA}DDb|edzt?U27XlSfFSdsBwztXOgNcyYp6$<@{U;Y~7*4>A= z_m>=~Rw}4M16wm{6UVcn4R53~bS2z4@er_VZKIvw)BF)@G9Fh`7T~l3*KeL}x!zzgP5nSg+O<<@pYg^OU)Dd(F9;-#TogTOXdNRvKVePRb^5D1#bx7d1 z>-?u})5!&U$cAWEITbIHS0j*Q9&{m4EH~kpnZ`vy9P*Gw>;KTTBW-U=mCZ#a6nJ|&N*#=w|y-Biyt)Mu;ivn3#aQ9{ljZQq#$R%u@2%#v2~#N{!1dD;52K6GGdv{?`RnX=_It)bW>VY z3yra)yRGx>_W7~)#IEBo+cU|qA58{-*Pp*jSu!ymK*hj0gmKnEhrc(k4x3a!vJ+WT ztv-z?BP_^NXK_y*re91smO=4WApuuh;_>kP8LHjg6C$sEOOh@h(jz1%1i_M*Z`UIw zJAnCZuJ|U2%ubBRZ*Pyu#Yv|6 zR-fN~;Ala6qR#KMH@d!m`zIy*W%F%iZy~E=-t?;$oi%UX!%HD6iG0&NJ&G#oSyYaN z2FzMGBfu=}aTGw3Hwp-j`uLmSrQayk+}34!^az4c)QLG5A`pN9T)H)@d!Un7x&hKq zO}@t!-r;YH-Atasq92!SU8DXBxB7fQL)EVUX%_pIyxIRklKvm5?te5|nc>WgU5zV? zAEK=!n^}um$nEP!W92x}tCa?7y)s^KLP_o6E0d3bf7v!}))MExsR%*xkarj*A$@6! 
ze}`NDGLP4NDvUE@SEJ>xw877gZrdjtK0*F3eG@YF(<|L5WYX~9!7PX9AhXk9og z{m(O7E1nwkrsabQu#lhOskOqodSq$-XFf}Y|m1b2& zKPy=N`GHpCmrU&ZvC+1{#44owV9-mPQ##7;6&qQR9@?MDy*)6l6f>>B&?JXM z`E~4)6xm3a!^sxKtKYv_wf@v!S5+h3nxfBByj;rWK?Ky1s>?uZGpJBsa82nAlr0Dw zz(>G7cKXAd3PD8D4BTbeRF;R?RJ2$YH&UWjJM&+lGyW=|KrVILlYC|KBzBZz`@zwQ zD=ceDEsG1+-6?A>YkqLFTr15{0ZwG!7Lb#xBOg-ld!X)U%CI14c52l^+ASrygy ztZgMc{)mVMCBuhxPe~C1l zJT$hL44EGyO;-Gs8HT_LCp$Ivh+0}8)0wPP9qHqc;W(>rJ!lPYatcR!tdr!}(v?hb zhx`u^N2gz%skD{I`YM|C9P}=NaCFDEavixHK=$a;zYEeM8W;f|&}Thh%*BbtKCi~N$ktG1Wor1g zzFlwj@5ft1q;05?dosJXeHud?Jpc8-SP*vfS_N^iJq`)wfaMv7;8f$qoW?_T@@~;& zsBh8k!aRKO@S!8oj-Wm{gO6vYjyypymTx)X#u{N!QZaVS#wE!+gp<3I=;uX|rN38t z!q%!rk#8h~d*Ggb&~E0{_l#%c98*W-5vkqS(SExDqnRl@Sh7t8QX3*wx0)M6in>Vu&25r;WSIYZ4 zBH>Qy7cQcR!X-uW6&A&o$$F7Rqvz3sGn=Jb%qK;|OsF7B!HJ(hk}Tb*;4ErR5E2rp zFo)JgGcbOZ7bYkp$&Ca575TE+PN@;hfGAZ6Hyk-b*uDq!VgV1?IMUxq%>|}z~oY)2>m0V z{wHY_NN-{~(Bwx+OU$F&j>q#T81aPu;4Q>qtO;W17>$at#-JzV=Oi-ZF6|&e6(-vr zoR)ZSOXXqShRk2`%w>Q75oOHA_R%B;XQ<+#(ry-3lfpm?N0TYel|JYg%rruPc z!i{suOXpOmA46J*6w_rH$8dEuKPFd_L7HdYsXz5>WxZTy0=GaC z*K{2PyL}fvZ?%ttkM}s5JgSa~#0j{uq=S`XX8lnW3RdCw&YnOtfnKNU(-rj_s^alr z@;Ef{{-JCYwg7RP;j%wc{DZ;Zduc`{3#6yIEg~Nk)Qc)aQc2Q5W}-RWVWJA&-rH&- zj#wxkQsDZ>QkR*lQ%Ql}H*Frh=4%Bk&o$^p`Ua}2VH4HtP;=IuFE^Z%iaGT6-z77= zI4U@Qv|j)Y^z;}HApkegd9AqdUR00RPoLvTwrMesG2J!Zkc}^_F3NK=w)<;hX03@^ zB0a(IE;-Df@+Ljmd9ucmBV^{`2BgQn0%rwNJ!bgfF^k&SO{^V-Kq*_GJqnRQEixb! 
z_7cC2?HKit(?KN9tvTt^#0NK|TVknql>XRSSQN+5oABHfBZHQ@NW5fmP&}B`b8)&- z>f4m8bf4t$Z_yPn-2YH%TffnQA-h(@jMi8SN|=LmF+d;9A{Q!rqmA*93}k_CaJ z%h>O}cWu*8q@TTAdro?5QNkTkiY7H-dzA?$DNEd_@#V<&feF+@AlESKhFHI7-*|aW z-iMq20+m}Z3#moSw0Y)$|0ktw5QgjxM~hjFPm?oTB;Hv3f-84(quP$F_r}j1sSkf} z3g}PYCV{?zIkFjC1#430v0n-%!_0R-0Y$e z6{IriJ`phMUGF;>zm#&GCPM@qyJ|nq`}>{;tGp12mtN-ZZpwU()CAk7D!KDEd8gzKtcfP`iUa*+k~>-8`)|%MOBp?R%-#mdf*z6aNx5Fh5!m+Fk<%s# zDJpOx17pOr>JDMNdLV~uxC z(}1i%;!Ojol3KVU!f5AHe?+bPm{j^?7wiU^f-%6gMw$Wlq7?ofIw>X%%1fFOH5lRf zs35gn23+QN*VR2dwL+|j<8XGF=HSWV-WfB~2^`cCS~T(HzqK6OJ~rV~qGrST`(pV5 zo18BZTraR1r7^V_2G9AHMKu)@2?>_P;wL%PG<}3!bUuWM_`CQ`9|hVC_Ee=R^^&M; zaECNGe^9<%xN6^R4p&|cT37C;6QgygeH8xhl*pb8N@D^#ID+)K9yv3xVrY8U0Cfq7 zaH8kq8b-~ z^3XHA=}mTY6QbCvc7M{+nc7<>Wxnrkz*uzjq`+J@X`C-nCO^biCKuWAb6IQJC(Zf; zxE@lOImZcMh1p#dY4|g@qT;DuD6p8a{^Qb+KJ+b)h*$}GHT>dT5Fapsnr4GTPTmLL ziaW}u;A~u2;dG!U53CyB3}8l~;eB2g9)vHm-W*A7G|s4$-aeLx;RAZS)p0ZiNfybe z|8U~)6Jd#COP2{I4P;Zc!2O_DeYihfnw1fk3|#9b=?be><=9@G)b?=_r+%p}Tr!*9 z-eoo4CyS+BsVar0ZuB;q$c=jVWf27YpS;B1&%Igne8B6x*$GHuR;b1cy9W{7p;IoM zkddN5zl*j>V58>$wppR26G{|c=|@(T(bq$mkFt(|8#6YYv_V;{H7US&9uE@*wg}_3 zlHtB3Ln;$TW$#|;x{v=>>LOVd29+^dd|@$(wh`PU7k8>8*J4xN+OWk%)g zFaS1(VkMD3B`m?b*9c#z+(zV&Xv@q2S00}rUAe^qHXnIq7uhDyRMRTe;43u^98-ky+#!f}6 zUts8Gf7?C|#w^O&U~bMZ$iryJuu2`m1{3Byeh3i!0;+cD?~AtF&&~yhX4C9eG9Jbv z9GaFn+p3`Mcq^--&hr#=jNty{BpPeDnQGt+9joelq88xdC}8Li)SHr`YOsZ|dt6nZ z-aS&*_5CO6O!KP5ha`(f5Z6=a{s#@7p|PMbo*VHOBGWPD^yDsa`T3frUTBAlT8*abMi$=vX z!m{Kf7h0U@)Qc7@OQ2$82HZv-rpsee-vgFpx?KpBy69SdO-NV*#*)UWXuLq-3D`Er zFm&__fzb9EQI_n`^NXwmE)OxQ!JMP~jP5i@^XDdt3lLS!k%M@xmFUd#U2^C$wwDX8 zy;@|}`h!k{H4#OxJ7qtn!|_!g>E*ZZAthSUVb0(|rYGxOOu3?;5C8`s#E4r|_-IA@ z(M3=r!m}q&o>`LTpHe^Q(N5ln*MFY`+%Bs(Zez7&H`^cxVv>b?=YEYkOxWip1>>fb6I!v{$4QNks9ZRIFHH7c|DTu^%&eGd zkaP1RreXCMe>9CnDK-3vX-axMWEe5oAzl`ji5;b@24^-!jjV^z@D%jqF&-B97F#M` zt?CaGIP}27z(=Ocq?)mk~l&%N^FUaJN439Q8;bCZQ3eGQLa|q5hlhhZe>fs3K{}{I=VH>B)0vSAL_sY+W7iu1w6dB#@CB=nvvE<8Dj%NhXEfMcO_7 
z$WgPIbOY+3?945^xe`&L4Oa32y%MGgif*P%K~SVv9qM=qROr7=Cg^29Utbv8F!x`S zL@uCRuFJ>ftrG^~WSrBV2xD=KeH{!R+pXQl6(ZEwW~e09x%Ep-%jT6oWLh(_BySfw zqZJjNf^{WY|Io6u*je`qzg9+*iUmw_DAr_EwO(3AQwr>wp;g7sq-N#WXDUmMhL*}n zM$^*2JPoS~$f@;~3Z$v^@e#mWQ+E%k&l%S4nsgW^WGVK1DSFxl$pCcoh`D-B6L!et z+0xKBa`eIo4(71WJ|fAGc0OuRhA35O&lrIL&Jgq1N5$&yJTiem_Cc;nc(iDVn&>us zMl*0^!fk@Tw+!_IhQ1H5=t`A>%UV@RlwRLHwCG*I#|{=_&AWs1$p_&)2ItP z!Z+}Mx?CzgtBXW#wG?)@t;mh)!8OTjS*@hOGi{gDMHTV9nv%`Pd?C{*mo4h4Vo?<; zZ_}oDg_&~FQCzCTb#64vMGq16Q|O&zO8h%@O8r5`v8kMi#n_{B$%2~^>!Wey5iFM; zJ>ri923(8pNJ9�Uu+sqh8}8deYj0*(2D`h6|Cg8jpM~6D6b>*M+dhxVDx_6uJPT zF=Rz=(9S6EWeh`|`7SMV@s3tBtK|*$-?OR4XcsIltPH#z8M6ox3jJP=atE1B@0IIV zt!Q~WPHpTQ!-)vm^qc8YkSu0oSImm)UXH6};^L!==c>6gt1Z4?*3U!FmzCwIS_AJD zN6nT)OK&_pFgeSLv~3j{&KfHoQ#BjZED0u+J-Y$gh$qpuGE^61w@)0Dj1LF+;#|$T z*nFnipGDZONHEndJ-SxaAF$g$!>Z5!m3yqVe)mGky=Eb+?UYqU(Z$p9#tM7og zDa3c}dUu|jgDcgwI`M#_fG@>U$k2AhQO5lMHioV0K{nO{Z>1v-^Ico2E?&rdGm4bQ z!n)TPVrcN6E=V0mNyFp2a3<=u!=H^aH-V?rU(d3xCM zlMzLjtW2RUgx$!SHc8hK0T(GI_{K?lq@Q*;lA>zH$XRJRaadK}nmV;HzG_q3MTLAi zqP5c$nL;(ee#u9Wb9=e4SbK<$olZMq7EZcN%nR|b_N=yi0gj9lWfi6vLV(nAzZh|h=9J0>RKc`Y|^$l>AfLHd<8cjD2 z$$Q^cQW2c(6a*{332?dDSxYD(3c^MS9c{p6Gf}MAjh|T$nkfO3NQ`iwt-Ncy_V`=B z{wOlY6GiA^|0|svRX*Y_mso~%5_eI)*FB8#Q)e=fTA#n7)JN)oLCKg18X}N-DO8Ru$VkQm4tvTZQ6C{t@=DMt}E_vs7HfZH<6-<5IW?_ zF3tP$#S?$e>W_vZ`=XOtpG}VBVF`;8aUef;JUjI7Wz^i9cm!QX^%?mWTQ%cV^;PBP z+F*#{or?s7Yb$W7i8A%GUj@YpS4C&%MY)l>Spov^o>)}Zq`)yJpeElY>Tz>bMI5oX zpH&eu9LW%ZHb8qve=#Xh`2#hC)6$SD=Z|jxM3$Te!hF9)rN(Y8zV%U~jm_#|8B=gW z^GX;x6SSm3i2k)y40>^HFV#Qm(_{Z4(d}(HE(JV1X-$m@1Ly1sEa?HE_-nun)KkzT zkcT$FB05^=iCX1!Sx9H7=1FOBiYIBbx;$Fht5QG6F&M@tU{rBkgDAN-w7ej{=gX_< z%IT-Up{OW=%-NUb!|*O7qjLRL9OLm>lXV5&)~s74mG;<5n-YkGrR-wJ@El63{%~)v06VS|;h_!LL2dA$%l+^SfRB&UmFdQtmOE`i_V%fZ zCVg{5x1DXWe3`7opw)AqjqZVbbj&38>U9Z*{;MkFhO_=);*QrVm0+?pVPT3wgpEWi zC|A2<5BxC~iK4XX73=RKe!A&Rf$bAdRzf+NLk=o<`+#smYnHBYz4&mFzUV1#82RQI zG=a_Gb&7PvAnjXOY33hC^Sg9NYF1*)!I(C-08QSXKPD9rnV&JlGn{73o5w3j%Ut%J 
z-H8T$Q*Wj<-v3T?FL;fE{*oS&Z+PAAH#-!5z7oeahCFP)-`9(i?@E%LH@Begon3yG zRkQkgB1d>Wp~xv``+H&$&!~oMtnMPBya;&hVbD1NS7qr@>lEmb*`5>1+BH=lD>9?CDx`jhy(26>FQRfo(f#RBP##_D-?PMF@ z1(NC_7MOCyMtUeRzxRX{Q=y#{U1^3)Ij_PlOkhHR>4)-i@I98QzUZSiUD@LMeb8T7n*IIfvR(tVod@z~rb7WpP9%M~t9Uj0Txf zSHZ$jLbp*@h|nf8_+nJ`DT5Z?$LTgcjK9T=JnXM{+Ji3Y#%)y<+x>9n7} zl&D?$-Wcm$p$-i=zW`GZQO8>Q1kfi4PzUC(E4gHxo7K;kl{=7ZbpITJOBuxBN&U-P zP{`&$0%GMdoe=O&rAq~U5EvAn+L@JWt-PVd! zkJz;Pm2l®30FP4BidzT3Hq7W6|HJiBy%j;BE1 z8y8QJfGc>s-{}pLZt)U zrta~!KQHC2ZSE*=8!JhmX4!Od<9h(0;d38e=p&nE@!jXA{-lln`C7H@%gL8VSgZ@Dc>zX#+=-`H|CIui$&u(q{<8c~%_)YeR4R5Iq7XD)N1(^F<_IvHqjPi-&mOmK$LHaQnUg0m*aWhj#i%bxDuo*wE8 zzaW0@-OZWLzP#7IfAxJ=`W(mU;y!;A3B|#m#y{)AhYF29hjj%7eP0|5%uxZ{Z!H&Z zUVdlF6p=vH2={iaLAU)+dC<0~mR4|`9A)Xr9*^}VI$^>sZeAeD{l-Z(4SCo({6k`T zf#s~Ciz}@Cu)Ij@0%v$49dbOB|0%)u_BFbz>37**JMo8St^*28Ty^t z@GHs`sAx?cO?z`%-b2e&9_0Ud`IC@)oB>r5Nr9;HE|__OO76ercV*o9hlB8=E0?A> zio#EBRG{`HHfzX;b+;e;2xHrUCzAv8m6>)adnJl$(=&ln#0AdP%A?3AJm5@~&qYx8 zMfZhzk>9#4uy#w#$wwIIOnR_iSNF-YmeO+!Z`)IUAmW#soPCY-%ml*H>C!C=53jGw z;aeA;Ni8CT^C*HIe!VZio*oNVVVw^T=jA01qSkZZ`!65&{TCtb+hZLcr>6^l&#+Ka zEK?&+3#7>=9`*2*zz}TshMbFF&oGnHrI@R>a?2JD&ZXL8qMtA9TTtWWq4B4fCM`P6 z2u1Fzvcl&c=!bBbLa*%T&Fzbu6c(@YvV7~5$LXhEUU!G5m+bVmp0D5Cz|2Zn3&ssy z6e7))#agzsT7CcyM1RLm49p@^`=|o4=dcc)8Q3~YEdmO-`JjKsZh&asDp~4S=Zxb` zrkV{ig(~g~a=5lK3M*+omsftHazbv3H`@(S7z#Gax7bvX2PMJe$vN>ku7faR3DP-s zkJQRI2{H0>js8jl%1^zsobcxFiJ{ThEP?UGLqs2REO#%eKFVEkGxVWYpcJ z#MC?~n(OobByYLs?L#LPgHeAkbYk0DF7NHJI}v=vY8QhVr@{^Q0iPG~?B9-x5gFdk zc{khX^^pcGH1O#*&WUv~pl!Q(isn4tI{@SvjF!Ra+Ocou!Y8`2`B!#=66f%j8yHz$I;dNYcxJa0}28hLYf2{^cNGnaTxQw|GiY20Jx|h_c3>cMvCwy5KP;J z!ZSmG7aXWb3F5tONC2^K;Ag76$;_b6w=Pk?ODwmRO<46xpA=;U{#g_6s)lV-n?!Gg29oZOw>eNR0O0R z`5?On3ct<#?Agtq__EASEH%{p(c;dE<`$`YEDOu z_^?g{*C;#=HqFxlr7E!CnH6kvM8MhNMIb9uxry3vWWG7jN_aAvax=$hd$q z3up^Xt5ZtlG)66tqQWX>fmAHb$8$($E9XS$dhyyQDcOmp;)S*1CIb9FD1 znU?D2_zI3_g93i02WnM;okA~D!(wAy%jkP&^;tVw%M?xb7~sIYN_Ptg`=|ztm}&-O zP+ORGlxsFyMWzr3ICYA?Yl)IH%h~??lv6dpZbvtGQ6&hSFI2@iX1FPYQ4HO6Geq?} zHh 
zeaD`S!(i_}^{1oC_l78e@zLtV511_3FHCac@XBow$nBOZzbCW1ko{NHJr2R4 zc@Qk4_bi^PJ|mg=CVtrW5$@5`@Sr;}nX^s#fPY3va9^=cH1R=af_wD)nj`3l-Q=rm z%XWX+G%aHS8TO`8L!&G$OV7@BX2++M+sDn<$;H$4TDZ&K>+z*N{kX`px6pn{a;bUm zgQ|jz{H)tW30vPn`%(C(p6v^fPh0yN=l~-u^e5X)2A0$Ll0{Lf<#6@_q>O&{qh~u? z58(Lz6JCtb(!*=onrLRflz%gAS4%f-%iHMzxPIJkxD)4y+ux6!86dsDei5ghhwp+s zxsAIuVtb$@$>YnT_Eel>c}Q zp}g-v7$&({3jGtG+f`XeuC*+;eN??qGvY+!Re5@N?1^yv+}`=`Q2-MDoyRSpVVAnC zc)&w8)#;t?qmfHX{&TJ`&0h)}=NpjN&jDlNbGv`hA?dd{r3d;jopM2&(Uss-Xl=hO zIof7!{v-8n(l1jyl!rRw2sC17-^`X_yT^K+ahBbcU@kP<6tkoPD19oV<>}kmQiA(T z-T_}h2c4fSJ6z|uE%!TQnN)x_Q%m~NvdpjSMlB7js=fPWgn${xtK0;~>_P(Avfa7V z%qgpwnIFEyO}j^43Nm#a;0gXU^PRtA_r!;7@igt%Tn;bSBld7zT|=*ME8J(v)f-tA zr_4-%6zskWpW@Ye(fC0lh%7Ne9W&C$I1!I%9QBKKMs|TdWs)2>H|Ks^*|7+*wW&NQi;yBlDl{d2O1Q5gf=2mNrMs80N zD5eRCk*^R7ROR|fIJG>c8a5j)B*N_>_}#6OZ?^#$9YV>3v_2eurd?wdgO|$;KDp80 z4mKN+J`?*l3m+Hg6#Shm-2Hag=)YGMPH9)j$K4y|hiWF;MR7r!w;c=t3_D_7t@Jkk zd$pNv4Qm0=#y01Tz3cc^`y1fkym<^*mDY;-Y(W<_?XuRRZx2u)Ao-92eZyok5@nbk z+e(abKR&iyGhNx~(iO}%`P2iv=Jx_{Z}5GtzVl+BE7t;_sw!M3)&M?AAsnVg2y=%j z)Vp-dyS&L#^feD{%o$ETd}<=~EcQXB#>P-rShZ_BW{9R&vmRlaFH?S@(h6T|uENq_PLdQ&(Xx+?FFc@lU5bv>XjQW$&eR81jozW8kd{=;zfUBJ!%hAKv=U- z2opapaU|6yP#h@)mlKc7W>ra*nsRz9U;S|5B0qQb`g|tfXYmE+g@;M+4yCq zCqMwfYiqU!uPtT>!O1n>!t)9$gw>7|z3vdy4vjbo@!xceo7Pj!R1=Z)>R@y&C>iBVSX`%kSMy-FDSC8xJ;A z6Mjy%@~<`Vf4nok{buO~{jOiUMn0-PTOwG=zm*nNVCwDmN^1p_UP=n?My#mv{5qas ziF@j4xBw%NU4>tEfP5YRwgvn_PYSTVuGy0*)w#7=`pY5$HbKYzwXP# z7X$hr#|?tDjekMokUA36iR-PaM|XRS{` zBU)q$+U@L#YFkv;KN=fHyhUEG?$qCHOI>NXw`5U&TE}^Uz5T-*24MX~3Pq&yF>}{;ua2 z|E}krnWgg0xrvXU>!Ew|bg{>PeTk2U|NOFcQ557;%jV95^XO^q&g^}J+qkE1|M~u; zu)}3KQX3{VGV+Lq3l~=~qbU;E%y_W&c69dR6Zy4r@OAL^eAzp^eSKWGovh$@_qcm` z`T97#4TSZ4zwcdszCRDlVA$ycSw#h93UAC5FDq#ASD6CWKdJ1G(|4M}*Q|7HSNgEx zbef7ev%AZ@AVL=Ho&I%WX6JrB{k|}Ao!#)0=`!%6=Y008eGdcOxo8a9wsJkKAJFxA zw6(HtVrk7afv&ZZtJFc|-hW#k*d}-%^aQ!gy z4NL(&-x|R!=<_S|jRlnqr%OA@AivTik$)BW)6Z+6ON@iU67f^a@(ZhUsXd%V3_OhbY8=B@@CLJh z;<+z9v7BUmNU6`HwP?5IfZ@SFIxh5`e$blo+NO)*g*i9$Ok-X#Sd4T*3$7z3>@&br 
z5W)}us)pk8$AVqzW3KMjT-yCr?zo_VW!EkGGuZ225jo`BZx3=*Tpp)iH+rtnZF>bH zP#tD>(m||OiD~}XTI~8LD)dJ>f>)(3_6wJd7Iyymgi>Rmm;Mw-YVIp*w}ehm`bk1E zyn=c;m*N9E_!S7Q>o!Y5$Jtq!zJEP?uk^p2qQV1oXZtm(_>u49XT(9d6Codw`{R*D zIlzbz&pnKZUKXL(YCgNsQ$|^vIRBMiaK@i~w;x*r^mUnCXpa>t<}Yk(VA7Kx2E9*Y zvaOL2FJv*dspMLhoi4Qc&|5b5-7K1rFHa2m4MUYhqJA^xJq~P%(i|V{>W$f@Dn%XI zq7gS9Zk^jZlJxi-kG=9fJzU2}*aycUti4UdPViu4^RcXC`=m&RQ7?OYzN?_Zl5!(u z$K%`CHEr(N3RE{8+3!!(UaI(guS@RPm6WJRDT3!|s0Csg7hxj(`RYg0)z{V2RC}js zE_nxtsrU{y4}Q1!X+Hw6;ohsi?3iqp-s9F}=2d;QosPu7Y_uNkv?|}iKi)eld9YX; zd~-%N3n{6%_fdBEZNw&mOpQ!b#@Vn)%GFxym8td} zNU6PG zl3{W*E+-}48|cO=e`SG3rA0m?mLyR_JT`LQMk{$UXWTsD==Iwvd8yl~<}q(lDPttn zr;Y}&cnoa8K0nV*kR>}br<$>@oKo(;(-<$|ffhyR6qi0$?8X(5ksaR4M<_O3i&9dE zpFW;928D3&)5Qej*v{3Xj#x#Q)P`ToW`NbFxDf7Roy;mZ0y0geN4{5ly`2&RK-{Xre4ti>s1mgows zlvkpul_SdB1y;@nQ9(fuN;O>nKRH6Dg#$I|9L02$Ls(4#|Oppe{j_1 zf7wi{JpVa2!cCn1D!;|2Jo~xvp7!JyhFZh9U%Xv5EsWW=&!4wColdpcW`3HVdA^C& zmE6i+r3Ec7`=kZ4DGL=1GHmg=q{D#O?mJr8>!_H9(nh##t2hDu;HukS$^f(gU|BMt z4I)idf}aI*T%7A?mHS}@`fp2ip=y6l%{R9#wf`QL^1mMqTKd0{_N4XSDy>45XjC8= zg>V6Izj31BS0@Y=h2b#tynLG#16@1hp2sSofjNv4zB9xN|L~bqJOs$WKxvUSe3U8p zZ@?vfKoSifu~M7qBw*$v)M|rIP^|4Kg!2aHKNgA78|IemtCbjJ+4(;x<^MW3-tV{P ze-o`){?AGjSe-A(b<^=w9GsACJz^&cXvjKdIJ6KhsdBUD6mRS#+&>}Px$ak?7GHXE zHqZ*Ch0K<%qv}`ImdStpK{5aD!Ql97_y2D|Siel=FKnBy|5Xdc9wq#3q~2HFTQvK1 zt(Cs&!fIXhy(}+Q{cu~^>)UJ1$y7t{o3iuQfXh>Mws})OSct9%=46 zdg}wGI^elhpc)2Uip9A|mI5JP(JSxlcH{iQL#{Xt-mrkqQlGa$Z@xcVzu=Ad4OKQ< zqetSi+26Ul*A{YX{TN$6#@3H<4Q&Pazr<@Tvji=({|rk0e@BN$U%USID{0N^zg2Ag zqqMbO8Ulapw!-<37>heJQ4LHKRoUi&wuZzjsM+9bI-qJ2j@BTT`?A) z=Jve~iCBvtpXQw3vU?W1Q&#zf61!y&rov|@znoec$cUq-XE>oM-8`+wfTFTe~MxzWu`dkkUKUzndeYjDn}tA7E>s+a{h@+ zknCFTj&HdwB~y>8{EKa={8#k;zYug{U{r>>~0RR7- K9ZdBA{09Kkwm+u; 
diff --git a/knative/helm/knative-serving/charts/knative-serving-0.1.17.tgz b/knative/helm/knative-serving/charts/knative-serving-0.1.17.tgz new file mode 100644 index 0000000000000000000000000000000000000000..2117356ca431ddd9783d99f3f86d755a2eae0ddc GIT binary patch literal 67443 zcmV)HK)t^oiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0POwQdLucqAPCoO>nZRv>UXf zr|YW(-9Zv5C*TFZB{3soZs&d;ah_y87#4>w+_W$hnZ!kAh>pczunh)-;hJGZZ%8DG zxS?#cb27$4wWoNJ{^`+5r_<>i?Crt-JDpDT|DA)~-9L5r_V+pm-R|M;-k&<%z1{BK zpHS!VK$u-}sj&D{=fPuDC-;pMoY5bNkd(7Ny6J7jT^nw?zZ35hl`0&6U^|4h{i#K?++UKU@IXq7Bn+MAEO^gIzdnu4Y@#n z&j&;>qKMoYb3OQ2sZ92Fb}U1+6LPbY@L29_8Q?06wxy;S=_8zFDUGonWUDlO_i$@1 z>)*`(DUYuoZ;VC!zjx57@qeeY;s14%DtA9N`#uS0(h-rWkK`El_7D2IgWY7XcW~6{ z4dbJ|qi%9Ub`Rr&;hQ5ulEYrF+uJ=NZ}#HdIC;}KJb1HzG>DTU(uw!Gq}S^uTO-1V zz=|Y&)arG5yHU3n^*UGGgMRm@zq{Y=bb1Gedv6X7|5s~0Ou5EV<^LO;=0rZO0Wg>U zy9axR``s%4?;jj&_s!#nlqn(@ zPIsL0-J%mbBIkLUUXoZ4CHv?<{{f2n;|&plCZvyAt*v36rnMihz2-kjbE$}MBgW=W ztvqqMwe_!@iA}ERAnfrHyj^DkrD96c1mQF7?SKrZ;$f;Ch z(nm^ILJ&DSmLE9N6@s57iDN#=&IKRRl(>G4)p?OKMJMDf8R9$zln5euE@B5vN+(o# zz~U_LqgJf5;a_fdLBN!jebhBS;k)9eUdK|M7!h@H{^^sVDg70e<(!C^ zFr{f6bvqp^u1wAM0Qii`M;#3uka$dviM;8Aa;a5>?%GLBq{t*ou`<&zhF}Z0jPZnAl9a?+!dRYCJk>oJ zunqI!;gB+_rbU&Er+hTM%rsM+a3+<&lqui9PRcAo#)YFuXNKxMT4eQvB~4wckKT0N zbR37k!k?FaE_ILrOF7Nvx;W}|jvBh~KZjjZ8a6iT_G-;~<#yfXcDuE9<+<+d?KU;+ z+5wG(u&V9sd~3^b9|2_`0xo+*-QdSqq#SnR-6R=w$bRQ=_n>pw?Q{>igExo6J$%?X z+)d)cWbX|=93FIb_qx5|;ZfW@!ZD6J``vDG(A~!il|!?{uj+-32GGmg?aWsJ-MR|s zcB~FqRR&m|PL7$P$E6<;$^;n_AxQEz7nF@I<1tBc&7o%_#{JKycO=eX89a)0f3~kH zA|~zwAOH_Y>H!QsXw9PH@jLxpmOmhbv#ebhh?)oV5^zSC>Z1yk+x4(Q?eApTN9Cqt zE|unDU;CEO(O4NZ^*fe_GbEz@d5(bkA;WrtFAz0KZk*u&>4CycNS5*`Ne~xW(QVaD zil>%y(Ky44WZfagG42hII-TL}ptsjM93=aP`*`oo;r^ieCW-ggL`phHiEnL;1|dzIpEX~^Dn%rr>Sv_%r0nVK1ZVB7Dypx>L=q%n zMa$rMuqJp4_7Tr0Nf6H!;=^KeJ%FVMi#pjY zjSSLCu(U&X(FM7oQbTy+ROAU~aV`X5@e~ayNfRW!?Wa4N;5$0WCy3>ffj3HDXfwLosG(j9HQrgcaf}ChhQRF(XE$j%x}>okH^N~!^#6<7R{`$R5)Bu zsjwn#blM)Z5gj62Ot+X*q|?M9V)+89FTHqx3%+ 
ziOs@iL}-~`po<}VLj)d?Vm&@^5E7aSK%bi-2E>HTndOh05NGUKg~$yN1r}3sLsInW z#L1%VV)ojaM_dGk`0E0U@3=rI8R2*eechxQ$+_SDkIt{Re_jg&UlrSF}yqsM9_~|L_0(|DeOpzr7CWG?&_3 zpc9;iL}A99O&bh#+nsGa!2*fJGMc>!!V+N*Td)WpuTJ}hz=DY-oLD(F z9Fo|HGs^>-T7qSFY*3M{ntZfy36@Yx13_X!Z^$-?J~rv!2mOR1waWBZf!H3 zNHb~MwVRtCHws86GQ1XLftl1g?6gWkqM7I{mnOz2)hv4JfT^%afcrAL+>Qw=^=Wro zdU0S=XG};N>;jRfYFsR(r)N#4DwJjgd*=*zi6r4T#d80oA@H~(ciQ@-DxC&BG|qn8 zU>>N$cjoxjO#%A}SX}7|6wbm56lTP!uHFdrwxNs}s2y`bf7Os`*$)*=^&;XH4X}ob zGeg)Gq(-cO{&ov`OHho{6tyHDDkGU%UI$qfYg9M_CZ>jteP@PcWI)S6qDDiP*$Q^y zvq_$^gx=6Zb6&<1lnJgiIFV(QRu&5w!5)|1_@1R!BA#zt?Nm_^vV|EkU6x}YG9Z*b zopz_YNTPVzp8TRs<3x`aE>>U{ti--{5e8GomZ4Y-QxR0&0@2_}5_6WIR~P4(uOCfVU7TMo zA*66gG?grfxgzS~{IZQsZ-^bNQ6gNNUv8IrtVo2FB|+8f(m?p%-p|mkkGtM(-83CX zX5H$m-K(y)g?Eq(slY)KYrCXutxEbUxCl)p8fcq>F#@~Ql7wXto)Li+7g{fX2&*zr zMZ>f;^H$DauC0B+iDV54wr9g#&<`{AvQMB>sVtOBRamTH^=| z+Rof@|2yg!hwajm*!R}$bpB17fM5y&@VE>-PH*v4&X_|1Rn$cZVO*6M)s75Q6?v3v zNE-(!l*)p^K7wnVkr6muoxQBrm9iV0QZHv40nkj+?Y7Ehg&|_VXR$*<6P}QoL1C&A zX(U5IJ5Do%mKwhSX+T_ux0EIPwwTFf__No>AVzsgtZ??4+jJ6{+I`eI=*a3cAOc!T z-3DM1aI*n88D=zg!wQ1qF)7dwA0ssuM2>lygp{KSfilPD@;&MOxR7=5s))pTK#WUP{mtTKoM=TilAHz^FZI z6TptOX892H+MSC14ufh#04p@%QlSw?A9O#x4+RjKx+P_!v}A~7L{OffS3UXK?2J97 zd5MGHlAzs9I+ShK(v<<<^;h!(Ax#(jO&^sjE+df}p78WWeJUy0yo zNU+KULBkY#lg1oA*?ts{bj3buDUp*|-HZf|iJOvLHbo}{VTLFJC118^QZfuI%A7GU z>&TF6-L1+t4~+22=|s0bHAoXA=93B0GPKaYj`%Sel3S-cH4@!Gu*4H0$A}Si%f&Ti zqu2HQJoun8y*V-tMs2WAsm;?Hs)e?uD8&(BLoQ-7VXhZ)r~;K$vgM@WSw<3T32RWi zHLcD5l5t=rSQ5TcFO>xu36cpu5_mEJCBspctH7S}f>@2w7#nwFN)$;d7Nj?^6QYQi zP)4j}kC7a6p$hS$7X>RShd5STOiSA;Rx|d&Id_Yxvb{|p&Oj?3O&4~ly~C$u**X^h zm2T(>9gTxikpa;rHXR1j)l(dh!2jH2Y0G>#q%kE-rBjshniWq3Sp1B@QHPp37aB@6 zIcedfIMM)XlHl;aT#~YN;y5PCcoGSs2-EBy*@=XFR;~^#WUKX2Yd19M%FL$W@Eto0 zC1hxqju_`}KCw6t&l~{vr3u-MnclV=!VM*jMruN0YAlrUJRLX{w$T&RICPkkROL2y zq6z3u6sko6gG`a(wo4Jwr)x#uwFJ@6Abt%dZkyDf)OhxI5ql2^NbmH z2+R+j>euCivJ9(uJS{uGQf=-CV-mRu=%Ig}y*@u1v=MN_(Hj!%-#iz=2}~W;W30FI zVD>fBK@-{ZQ7a?|T_p&jj8iOSWh3uAH+tMa>q6ClZ*drg1l|WaM2s_F1J`5H*4)7- 
zR4I~_ohg4e;V$T$Cn4Ru`uq9uYw!3eoNL|^Y?weFwXQSV4m=<2Aeg4&VGnlg*s0k< z7AP#Q%WM2|&ZvUuBt5sfzfQ~aJ8EDBL&fz~bmM<2Hn84l>h1ChGZ-tv;X#w8*%dgS zrE#cvxMe<&M1d0~*clS*kV;2fP&J+)%|_<a%A!p={<#dl0oW4IpBs=-JS( z&34(M)GC^BzefV7YP*5*jDrnALQ*_+6R((PCTbuD+euTu7M4jK2Zna&G_VF84mX6_ zbZ`d0J(O=7b}Rhd!#pj}HU#G}M09MI4ioH!8?!ewj>8*H6QqAhtu28v!f>jlh!$r- z6AhC$v12|lKDEM6QG!AvNA7_TT$J`2F+|K zBvIu}Zla)gJpo*+%yU}5xzPf zYNA4aE!@1I@e?XRYJ~fY<6=8)_Hu!R^4bU)i7=a*ZPqp_#`AsGH@NV@5Vi@}vEiO_ z6H&H_DEl@d${Z_3)^iX!SB3SxW+kY0;nE~&gy)5V=i?3E$%JY_LMy({#YD9 zdv(z1IKW@m$-ptV{ zxzQX)Su{++Y2vlt0FF)*Dn*`EB}8dM=3~b)R2``_Ny%DKskKDmm&B~_X*>{%bEgCv-0UhLzMs@F5ofsAj zVH#TaN=Zj76vwU?8M+}*iL)6mSknVv^FlTAejzLVMpAwYYK?gv!iWBJzG*f=<7r`J z8uz!me>IpoCrb^TK~H_u+Us;CfXGgJ&)A43=bz9ke2vjwM>B7l(&*&;)9X5d&GnUL z9Gh?79-7N@dLX9Dof(hFdn*<@XhKHVum~SoeARJGvN4$up?A=V3p^st==Rl+tyXd! zR99ei%oifUt-z9)Upx_$D9fN_zlxUXY)V9Iwn7V78!FY>gDid~B2!H{Fh7 z>u$l%`p0D$x&g0^?EL&u8&2qPc-bMi=Sa49e@9}?gBx+ai|@G`#uzT`0z{*=2(7tY|Z`-G>G{$qum$CO9sLdoia({?Gsb#fCk9jr zET-nUFRH>eH%^9(F;$<9vF=iFzHf@@hIZLghqkM8Td-z&BlM8w>;wefgyPkEX zZn)7qrOI+n_hMz-JLtoRRD0HY&XdcG#M>rr(y)is@9u<1qoH*A8@wJ+x_A!n2k3c` zOvxP!xQvR3rX72uG75I;(#>$^g>}EOQKZIx;?0f^3fe}{2yTd)5DB2yj2j28liYlW zUTM7k2E_B5^YJ(M#26y%h6>ImgehryGyGgc+POKoh_HM#B2oorrs9TL3-6lZ=w}%F z=kf`fsdOh1d;o!oN0D#YN3Cnh5|i0|`~Ys}wJ7uHZvt zto6jgbuVV}484>VE@^RM1}V00=BpVSQlvO{D(K(focXO=qFdu554H$ST=^kz;*alR z&a_Md%S<=IG%W^)a8n{>ln|Vxlo4}05XLFG(`=9x5L7jNDZz13bHs%^TU^ntuWWc$ zIz_GC{-pJKySk4p%g?eWRJT|Lq>49TS%8d7rT__ax$os?7zc)FyR1X*R-XJhIGg|Z z)a3a2dG?gbPM}3ovaX$bBN|dzKKZo>0PKt0RILqR5A@ z{-5U`ji#$9$L}f;OOTvzOwiBHX1x2^kI)azlJcAY$jF1zM=jsJn9gx3x%bT=j8d!U ze6wwsg15fzHQcuQ*R<8Rj(Wb6Oif`$9d1QAhvDMkDr+P-S0~3_M=iMsv*EJ+X=^A6 zZr6=?irL71m5re4Z!rc4t$AkYx=7T z0cS7SV5|(A)eNz^S4PBl zl%&Z889r;8fOBa?KFSlE`i@Oy~l3 zm;U+CM2h(2X6HP4DXUg_9Y2uxl2q(zE>O#!FShhv+>Wlh9diBe&=YaaldA2X37!!V zKHl*HMd-WB?*-4Z;FpV>9m~ca?Smb`&zE_Yr3A9yrqD!I+kBEigk7Yk9=!0;ys-$= z7gaM^fSW(Ya7^lwkJjfJZZqthVS{Eu&5)!CiHwIwFAU=h)(=^Kaj}1JH`e&1*h#{T 
z8MkXO4l3a@OHPO!KOb_J7Avr^DA3YC^{%F^I9~uHUI553E|LzKOvDh6Dl;4tbVD(^ z9AiPw&8H9k3#5w42xNb$T`Ugok`wST!LHX_D>oUH?69y;hV_7hc8L-y^tN8(R^1ZK zL}o?nM?A}+wzR#ThiE;^$YLP!7?^`^-N4rO)$bv8&jsZ`_uqt0&MdS>DM!HrD-9@e zl^>#-?OQZNJbTng2k8Q=_Z&x3@p_ex^StaW zaQhu(lXeHAJ~}b%X&cEP9&m!$VVjH5PD)vRr~iyHEg#^+PS~z}*dD7%TE};x0>C4Y zB&El%7ULa4*?}x=bZBtZ(td-Sb)|=PULZWelu45$`R_*(9iN{;aD9M|GTJ@9?OkT5 zTgvS#anI~uh zV{#e1nJ$VKY>NBVN|8wh>0BsAc{UO_36gu2u-M#*I~gl_g4l6TPwojuCsD_}*psN9 zkC{#c9WRND8=mHY0@OCt=_FIrw^Rh$a5*CK4a=P_qM`ZC8d$~DlMw`fB(&KlUYlw8 za#WMcYPng?=x5O^=QnGZW%(M@49!xTWk!UgQW2&cI^z`6$-QU0pua`4UaonQjprNM z<&L1?l32JER1tgF2Q*!SL#~X8CHh>1jpe&o3M0_n0*u&K5W*0vj3;MoSmXjO5V7r} zl)3O`?fjj1O>XYEE3zsQVVslv;L&lja zVP$(;*@WRxcn1x#9$NFodJ9T1m4F7HJSOPN?t~3JnV`84Da0cfVTE>xinXCb*^uvG zR&-Na-)_5*r+sHDHm^lU@C6z65z_|VqBgtj!r18tw&FHQI9Qeo+6R^-cF5GGq-kcC zG9;Wi_GDp22Hh{TCmku;erB1MMZ9rj7of?+^aFqRcy)@demK5DS3jIxqO(hM`~jW* z`}yg`+56KESI6(r4my5!{=+f)?)3QT)5WQ68H6Cp@($$M&ALyl6oa(^1mie!>u8GbDnr*uJ7>!zgiZ{fF3xc}Tm| z*;&)oY`Yi}EUv>`0EJL2b4SZ=@k#=b@n{sc`sPZmU7w7I31;R3#{#&H%kK-AfOO3- zK|3v;zCQ_~U|ovs8R#;I0wW@^M$^=!A7JjWs6rR?D-xjFuCIkIy*B!Z6v6T?5oyZ| z6iLcr5}A*1v8z>SziZn=O7ZG4LVTm`vOyx12hlx52A7Q^?X@){TF=3d+`2pLtqElj z zz)J@jFX5W&qK!3sQeeZ<3hm=)Id|c=xnPJ7-5iYGt4plYyHHqxxSdQ$La`!1yTIo_ zH?^lQN`x~DwdJG>Hf7&Z6=%^^N#)L}UnP;IMssjr?Zj(BGMn$d$cC?oIZCTwLzeky zRp?g-A1%OUx3kPlZMP5vJ+ji>u6lKepTV3~SwmPnL1H6?&DBw}8LX~cVR*RxflJ+7 zEcz{n7X`5dxgdC&4sd*J(xceCm4W#p>>Ca@@D7LGjFG!6<%z$v;A93*lUWor58Zo5 z|e)W3U?h8{moLPz6+0{UT{my2;^ZfTa5Sb-XW!=?!FTV^`Om6^IH!mkO6 z^)APbEiB}4AZxq4CR15VTW>L0kir@SiRshf*+O8Rld&3vk4AR$xltV()$#mQ#|fWI zIIBSFu8+Dn$(Sc(fc>j_zv3)P`DkQvxIwUOaWV7rRzWkZl-!WC1^FI_ytN&EO7th5 z>9uL~5v1=bedoE#a&?Z?Sho7;KU-2IJXfuMlqwM+xcFGFNrb4@WHIbhG%&wN&RX@a zkhE?{b(L@u2(`3v{C6_dZS_B;!jr7jft#wWB*_gCR86aO820@b{8cN&@Nk~3V*aRB znGh-Q$aQ1?s#cN;$Ja{W*wrh3sKHGcIb{wtjk7v6*lGH%(Gh&6k{=y(y470F0+`d0 znQT}g`2J<9`mY!09Umcp&b{aq9PNH*=~pWa&LDn?+{GkQ)kDcb;22IZp0JF@*CauC z7CMc}0c~L)zO8uy5tNJDAzF14K75<<5y0Ip^q*spYK`JOzF9SjL!4PPY>e8>A>2b3 
zvnq@;yci5dR1_1TCYWI>78XoRx1dr{zGPipi|5Pse9dz~mxg166}iRJ2xqjZg^_U| zOn!ntvS#0?_HRP97uK{%^fC7_Qd_6`3aNR$2*N}3@+LG^*n02n(Nz6KJl`5l8dQ-| zYTFp$x<@_qnPz)8aC81$dvQZg(fJn7LO{XNXNcTs5yD0WCf|d7KUbRhp`4inCy9?* zg~T94gil)!;5jA^p?$uiJWC8=`up-pE{ZS^m1i0dYbBXnQ}6`dsFJF<0RsE2v_zml z73FP*o93J-L4bgkxpW8-^mAAFq^P&fmDa;X?~P6fVOV<6YjFQ=7QVJ}+ThdZvMRJ4 zR9H+0{t`-bOVcFAA^~;m?-vJTfzdlWAgRA24QJ54qu{}Db2#mLmM)CU-okPNg){Np zz;o;pcG2~<{v_cIdWZ}yQUp66E*#?8z_nK@c=g>SE)I_q7R@_MYt}qIhy3{F$#@vw z?R|=guQcB0FHPeO^VDP(lBM9YRyljLi(YE$VOlm7QQ(3wH0E(@-2MUjy(a_ujZ6Z+ zRxp!x2?yoSsW8nGWcERsAW^s731a<+CRWh*GAn75UCW;=jx-m8pPt;Axfc-iYuJLZ zPwz4<0L!OG5xOSY%w1v7VCh`C`#x%Y;OdNp-%Pla-aA6H!$0h&rKqc59mtAQJPJ{k z#5T_zT;(jPC}CgP51*_DS!^;w!F>3*Y}XGJO|@AIKeP&K8f0*v2-r z@o@siI|m}%Zk`k#d8`&zBuV)#Je+~yfaf7_9Jo^sU3S1Dle?#4F za)+g%!b?|8*1${Yl7*o&Jqa#}4Fa6<+)maVAKCz5TzO)a4+GMP=8z6VjR-Q~K6%}T z$`#5Nh%iM3NvFj%Dz~C-bAbsSR4`yLa%&d_$bsjhu^Q%S2$9R!}$mvk<7CKeq##{_;iF z{`|RZX#UHW+OwIMO;Man#V7Pvduqc$;(2Iu>{D_ zSQ0D@*8L0(`>i48tuJsAU|6tVt(qjbb;0eQ0l?^U0bP5@dHb^kz&5Ce>Hd=Pv5@nj zIC^X$??gI~NK4_7Y=tjlD}jeY8k=3A3>m^EkkpthJ>lb0Ai5;W6bAjpZqj{d;7lcE zU&P^sVQ9>TJWbK3i+5hqDm-$u8RExa_X>{+x+&ojE_kUF;7dp*h`FF{9_PtYYy;`Y zog#waG;-jjZt|{!K5D&P;?Bv{yUUXNHPM5);vlDCUmcjP8jfHyEfr4FLIFC3>~_#v z7~7X(i5bY>8Y`9xM3qhL>1Jh-F43!$UXwn;S=J7cDZUO2pz@6uOLdh=l?_CHlX%X+ zLEvodO3Y)A(Xf<@){fxkw{|82Xv4yJ$=jAUar^&21)rr&TxzQS_s3t*QfAbrT-CoQ2&nxc{8I|Ek1d9?>8-93P zerTY#1>&}RyWbd&KU`g%Bf^r5Q&v1%QW2uTeK_Tg!epW0jc>b_c_Uczs|LaB?`(r> zh?|2015d#UVQ&}2WRaQMq13iAM!TIZ61Kkc`}nTLN@XFtZ6hqNi|pJcD}wc&YIrW| z`^*B*_JE))TwDV^lI9)7W1jX=>$G-HTJSXGxhf*O%J0WgMkkv5eEb*lAw(R~K$u5% z0yD2)Nn+bR?S$H&bMC}c zGnV&>sbpM_!REiB_}%4=S8y(5ZW_GSJ2|s$GS;@~@jZt3f?$>ff?Xg}gS*lNHc{!s zIeHcPBezTW+HsQHj2D;~Z-ZT|s&5!}x0(@(=qre$it`kU(&iFQ z>3sfhSc&-<2Z!9Y-N1vzXC;AuJS2F05&-g>8d~Tx|7x8@SD6-^Xb;mg%%j-`y{qa}s4~KBD#tFy!k=%yk=_BFctbO#J;+7sX$2P4GIPPg-x5Ipax?DXTc-3@G93 zT$=YQ=@3$yg=FZi)0@z|+;tVHGB*~c?o5LJ5GOm2qo-l5R$$X+0Mcck!%wC$C zWS$^YNPdvF=$G6i$f3fknPS>;%tb=kD4lL2cwSN?NAL^{vALOm+#_4k>OKaEraknj 
zd$*?PVDYPKWBYcYUXwD|fb<5kf|}Zt!^*yb5KVYu9%L=2&5Hec@S!6@M}Y+!82$lh7^RkWXnO;EvR^XkTqgU{rsc*JjlDd`vJ>i+xPklE( z&&SEn+r|a4ZBwcQSNzZQh7Dfnw1#ELltd9~X+CbDSN`CrqBIJZh7o4~DWKP?^}!S= zG1Zi75Cp`bDN+9f)Tnrf2d{71B`|9D^mX51Gl*p{VH75zj03=~OS!w?3V+a_Tf(3- z4QUgYoWUb+J3P_EikuQWj8M!qAAZ`ic+RWroyg(BjNDa0-AE13~-8BY_3u&ln|U+ z1)}!?&L;rbDg%Fl>oMU(vX=^7Gk&Y-R2xg+$k!}+OQlD!CBevhKMeBvsHKfR7h?2r zp!JlK27ll{qY{B^;*6eYoRO=Ynwa;tmE<>AZ@foQaoy69KP&{OxN@SFVVV=B5|m&v z;U*WM+xO{z=b14*&7Iwy8!UEGK0>rIW2e(KcLcGP^Fb?gZgn%pKKG_6zJ%;gW%orwXfFx;qyB+Iw{>jc{2((%;$fGcFv+ zJO9JA`E>U7uYdl0ar)!g<=Mv%|NM0J_DktSIc-ka7uyUGStm@Gf8i24_TxC~eqJ5f1}vG{#wQha{Lh*o~@ql-{IRG^coX zYR8{;hE5Vq1{1B`uzC3vuJ!`ru?)_CDI;z4UT@Gc`=g6L5j;l z2u^JRn1UJc2sU;aVB-wQQmX0`0=k^IQS}B{Bn?LORVj$XrppF9$qHz@YxDBfQoE}UCzkXd0}?%fq`ib?)*&wt@=*1?Py%VR^#pLnBgpM$GSpk8n?H%ZHgI&iI~^b zVBZasiA=LdH*5H%eK%H<^mPEhCH=Jyz%hfrOK5

dKy!&Gf>&4DYZaES{oa%CS1w zvz_@rYyG9Rex=L68&&jP50bj5WnXAOFa(PDVh>g|ScSD{??4A>cwIx|saU3AIdlQ} z6jU>Zb@{_9qn5pF4eiRxz0&%eC&7G!*6?d_u>hWbaf{&QQSRsLya{P~E3jlQ)%7Zr zk(bMXE_(SHw2|e+Rv&$C*^2Lp8gspKX?_0e__}R=gg_Ek?~_PPrC%iS_3ZyYU7VHb zYND_72)T}#dPmqujZJ04I2smR%~HE&*e_q8EAvaKFI!3fX8O=7?|5V`ELC9pPpVbT*245 z{`t$7mPQ3!5<0VMWFtFVy&ufY*4DpAf7^|&bVZu9bi0>zM_5InjC{txrc(fI1sF3A z^eA)IgJYB%B7i%=MxevF^k=pTWkaSM+2p{WBgRDm#%!CTZY2iOTwo`al&ZB62SN5W zZ#9)ngIqd`Lo>UdnrZQ5)=aLCE=}-lq5H%*bEIZZ_7l>zs#e~UR7QTv^K=p&JYLhUI1j6{)ItwA) zhZ6&P#8E7sjkQ1M)RuA9vh-1FzfOscTk>vbiVJ-bYNuj60#EyA*9@%rGST1 z*+Y78-X3*2M`e$XJHUrXNx`{tn$dP>u6!`GlaN6^+5zZyTo+X|7mCZ+)7miEk_F<+_yU~K)Vx!5aD zk$aZInfY?(pJS3{M98+v(ix4HES*lLbFjAu|L=4<)&C#t9qj+9ySKmBIp}r|clZ9( z=^h;RI)6f)hYh=2$)&>LPn`#kRh`^7Qa*p)`ODVnUFLEtvA`P?kFikgt-tJi`Lgx- zb7Ze!4 z?Mn-ZFJHE{0Ll|kx4|A{m}`OfFKvUE-AR_28*E!Y5z{x+S9%0J7l{TW#<>>ed_qdk z{K6#(>unY`53IWpMJ0M=?H+rf0+>D{@$2^1+0Y*{nCmVsln#(*qm+sRsNA~PvAOeL zpk0VyUAK&6I`lYoA3a`em6_j{!FwuwKYxZf^#8j2!WJ-kY?w~k7Y0?Pt%I}lv3%5(GF4QiTwmPK{+veXt z+EIUVvE-=rUt6g4&(`WJWzsd7yTpqjHT4XrW0FqVa=Zi3_YvINGB-D8O|Wf1m|f3Z zgneg+X$O>Kr+%DeZuVckY~d_xm+w5=1p#>KO@2fF%DEyHRMdMhS~Q6UQ`3>7D(AUx zLZ!a}zbrDVvyB=-F)#bg!1D85Z~K;w+h8HH+Nw9F9$bYI_xP35JJu$EMkb zS^B(Ot!07mvC+@|WvswPh$6@ZReXvj0*GQ8ZX?C0a#;))Jkpj@Tvps$uqP zZ`vNQ%-;Wdsw@7bbxwPVCoB2`7VQ6f-NSBq|KIC%ItQEm|2oP{Ss9uZF4*3vQu?Da zvV%H1H@&TE%91|%feZSp-uI>FJSnWDEtig{zhzS4%(rR-p^CnIiNZUj#vIVy0PwSV zNc}G2H)LI{XiszRf_5_v*;+?3Bk+pZgt7~pUE0{$bCDU;HqcD)-73wC+P1klRPy*( zw3y~v-pTo=Pl~$3o4_>*eMbIWI2S-=RxHkP`?u-EeMJc05P?S|=yQp=ECY%iZkmxk z3aV`tzg}2SEds2JUI`oT$%KpPJrFX1hL4Yvg#g_jEx?XfFv<8rVGCt zj(!XG$tLdcmIpBJ?^B0<%VjnFpCyCG*ZvDUGLE zMi}{U&Xc!PiX09@|CT2sq8>@xYl16j{QK+tr_lPx?$mmQT-P`Zt62f;^8Eo+kf88g zFu?_Y)}5pUd-y_)<#+{pj+lu)jFfo}ad z4MMy|3eQzK8ymP$Dmx<9RhlI7y~Xci&jmreo9u7>m+(BdJ`ofC{2NmIKky_Cdg(2e z+sp8O;_d%?7=KH|e;n?2D*WHw+uhyp|2j(3&abxX`~A9Z7T97Bx5OUF4nvh2j^T>v zl0J?BdGweDWTi7mgV10j^CZml>YEfOjb?vo1Cmg$UoFu6k4S z9$Di4{^R#2{zse68%W+n57g&i0x{boK8i!{jO*|GdOvCjW| 
z_woDh&pv$Lh}DLbGPiKtGL@dzbDJX@POnZc|9SH6)8*Ca#qvWH$LFOCW8pA! zxEykxpR${3_4&+PV`p9H1dnE!cJK|ZWk{;Hn4&LV`g1BOJVL)!TJJXd2u&f@vY;(Rdys>;XpE!>R#}l0|;+AZ#uyM&XFHp=xS(n)ae}6TKT&p^V*dr zY}#o&cjva*t+(mL{x?BzLYG|i{b#r6l_lK|re%&S;2f+F4mE!8^#ZZc?Sxz*Nt_F+ zrYGi7(1QLv`Y+4PW_0hF_L9T`UTh7xw)!y;Fe#M^wrT%|E8~RL#)f$EO=N z<0&6aFEh>7Cy>M+Q>Gpjidp-=W%mD-I)QuM<+Bt69MAR*EQ>XD2{|ASA8~@*0 zO1S@rRm8a(b77B@+t)`XtlBvRtnGKf(F8k}2*+80`YWlAmA_lh3h$#5K7WwdxTdd-7z5j-3 z)dzI>QC^K9YVeU)KDp>)l)lGz_w+(&=Ho>DC z0~;e?Q=YcmNB@HaS|Jo*QT)$tP57#0AsQgP5E0OjgElvcP@$Ri2zBaC(V_Am(8*P)v$KeAA4TZ}$4SS^y`mW`o$M5zw=f9yNVl!vy5z{qkkY&1{C&?tNQn zW0vCo2VMYL!2bt(-75cg_YXJw|Fx7g+yJgXQNRCbX8NZ&;aS~W5RIu<3bq%eWGi3! zzR*(BdzKf5mV$iljiF*mp5c|D%@v=`6`w!m6`z7FpZ1PVG0vh(KGmA5-}0&U(0t8j zX0284`BXc4@I{}4HC_1#HG5IqosXm1Rh@eM=XO`;s6N^)8Au*q6Sc(cn`eRS1-EEI z)8hA`=e$74OLWp35@(|7e`yhnxW{ z*#CDswfsN3hx>b*{r@`3Ow;Fw4EwyV3l9C}o)bWx`Zas|8ZztO=eR(l;MtrQEHkG? zhX&z<=ARqOf@t;T=s?rr?PYbp1U|4;2FuBnVC_7$(9E*7|p zHP)V|$9TacpSRO^0r1QDjrH1WT*n*N@y2z$v`-h5zKBikCWE=3L`rIOzz<6eboOe%4mE&3o{T6+WM!hZJs-{JxI)`qQ8P3ht_P|9A?4ksl*@_tj+TNcXyA;BsaWZnLs-bVhfr8LU_@7$U{ss?bB z^eyWEkC_K(fhGFb=z&dHPgyAcM@uAlUQiau|IXoI&HnFpH~AmdQX1v|_wnOO{!#ob z%lz--he-Rmt-rpUU&#L{++2$QpOoLr5wOtytL1;`?r-9M*Haq#{~fIPsax_#l?4@g z`j!Pl1x*hS5=-~=^##VJ{I1Gk`EMd&A7TWq?Emd`x|{dE*HfD1zg_dk5&S_=-%_F0 zp+3M_7Nn(UQ@#`PNyZsrs*fybK0tA-BJ3?r9wOxzcCiufo3h@rQ2yI=-cKq2cdPsV zUZ>aD#DA=%G|K-EcFiBv@VA7tihwUt$=~}D;0hAn&H4cnesLGeN_hR_o$DR77*P?G zit-j}*;|<{Q=hVtAW}wgilywM7Sw9nU)w=4{vZc`YxaDCpIW7^!$~}<2C{#ol01=$ z+vvMFWug4%;nlSJX@SN5pKjIvvwN_K|6WUJl>epci0jz}%(wx$w5lkP>3VhqWh^~F zYb@K*W_PeDk6jkZeF#ap|Fx7x`F~~C{88>*LT=Vm81r+xB&wLRnSdSIR>9->ts?b8xuH|G1v=oaO)I8Rm<5CITODvk~i?^3bxB z{I|P%Y$)Tg-~Z_x99H9hdVBku`@d@`vz@VJm(Icnpo-{OO)D%Vgr1ionC~*FAP-j$ zwrYo3Gkhg`PaTpuoB!)NXYo$Ixh&-W+WTMod!6ov|JPCOZ~r~6;kU$YKgr|k@D|HX z(58=CO5~(h!Bjg$e<8Flxf2bsQuHXp4{d31Wk5u#!lky)$g&QIU zwwn>WF&%-A9sY5PRXl!L!)g`&U%b<6E{phozf*tzZ~iEe|5KaKR$M@Fv{6Q zp2G2AT)^zKx@EXpqz`K1_rMbNV#bII#PT%#wl_X2@c(=#;~dGbkpFA>-w*dT`QO)5 
zo(=ymaAALa$*`39@y*GF<@rD6g4|2}FXI2*{r&x_{_piR`~S6+=feM*x+?bmlB)Qz zE&f)kZs2D;G4{K6ggSE`;$yaKsMC;+CO9*H5|(6~GS#pNAUCA)yY;Ls+7B2X4E!_C z68F!9q{RL+gAGHmby#Y09?~5_q!Kh%Bq;-8$6czo0z*4P%5X}5C89Df3wy0QoB{4C z9Tt}lWcBZvBRm1-w1Fx$p9nIdQi+P2zXJ3mS6ERtx+Q}#=hucdavLE7HEwW9leu-C zcs>~=cZx7QB{_2*aV`~~xE~V&Ax?e{Grumky?um9*oOg4&|w935M!JvoMt>Jo)CO` zsAA4VLfL!@ffJOcho#wnQNmoCGDQT#X{}O_J!D3m%A{WY<)!_^#vOd7>Eu1L#?aDl66TDy_#670rxdr&YSX#%Dv=2NvK-E z6|hkLA5`!E?`_`yT~m36@?TTe{lvd+`OKt$vyE67hSpl#D2Pq@D&=1C|Avy=$CLk^ z!@X+$hrQjs&PM*PqdY_Tuc_;P@?W=Hv;6^UODm9 zI@;UYZMk5P2~S8Lou6L3KfAm<`|)&flBoqySJO4E2>q;#PSs&7HmlL^_Ze+-xBpux zv*rK4a*~rM6a4O;Y2STWX#ef*Rp0;I-{1KE)>1~Jvxjr@ zxF9!_+}iosJ=jgx{?AyR2*oKSOqodpfrqhAJ!WQ6*qQFPMHixd!ZMeI?mJA=)v&_h zg7;vlGl>0~l=`ycp_v$)26A+hls) zWO{z=OwT`^{_Tg4AOAjMoU-v&Z*~6h;;P=txb%MaNu?cIK50g2H^_qhce&cio9}Y- z#+~u8CN953^qVM39_d2nJJJjgD-Hy z1E+6Eil^R??saBoN$ys1R99hmW(lgxcrfiW@?}&7e0HAd=e>e6*JpkfYe(^qlfv5d zHY_Ztv9`OG3p;X zxAo%v|HI<|7M=eb*5bc=2b=s4>nW=}H~#3S`Onok@bm}#%S`N%x8+R|X)*u%8~Q{j z8O2JZQH&q;{m0$f`>(s5-sb#wEoDY7M{PDWuxleNRL*%9#KZ3BwsfdP0*P{(R5}ea zKLo?{kp?8nQVgE_`-zCJjqB%F7W2PLRKVGN&wv-5{~mO!{{MsB!_E2cTFM&Ef0rYm zKjIni(wMQ~$u@6C5um)}-Gb$=Da?*{hFs?%3X2N}?$kH@a&mEce06I7_;miZ_~Y&A zyHoo|DTZ2q3w=6}ai^TJ1DrL5>To|%HWEZi|F@n15h;-}2*GX)($+r;azkbKw@c(% ziQ$Hudf-W&;4GtT)cj+S_5>jr^NjQ@mY(lv^kVsM|8JD>Q@sD%+3j|!=f9i$4{Iu` z*?%QkSWimsB{yzg8;{>=S)TvL*=oDKqAcM5UU$F7|J}~U|Ff1d;{Yu*Dy##jmij-a zvvbq4qT>gjbnBca$3?W)qlb`uZGq!FMH9*{NS4wV%f=JJ5R*Y&1Ih&7E#J7PYa1Jb z$=l2GS5aXxBI@M)(iN7h!2yj51Vd*dv3zHsQJaD(F;BJhX=eJ-5G zGJx2@rrLrEs%;g&URXf4D$f3;G4Y;ExR~Ap853yu*!Wlo&izpW9C!tz_#l#|urK|4 zE%d9H_dWRa+c*OGLzm_Cf0hiM=>BJCw|f7(+wE-f|E{IXke7O~XT126fhVKz2c7fe zEtMkAv^e@(o{SoI4y#KKO>oau;~(E(nwpE}4bojBFRWz6@Pm$rmWnuioS4&%)cymN z<>kM1huuR5Eb{*xcB}Hg*XeA||JG9Gz2&y#dHr*d%fe{;-@W(?7#h*|7WkayW#(}l-1Aw-rLmnOP>C1 zj{HhTet(2>zRl6zvpCvYs#N8FdrZ;^9WgG*qm8l1{@dTJ#D8@6_ItgJ{9i|TfzGkg zVnQOtky&_jJ0=Vba+)TTjZlW;Ydj*dz4ZcJjj2R3&x{!&$0SYBDCGmQpQUWHjRZ-7 
zq)>*{IQSj2Wa|ZD_6aWZDidT#??__evj2at+vp=pr-(CXsX;;+5h$gMw71%CFaLR| zxFB0E&uxz!#~wFCb(;BU1Dzlt6Bulr#<+R^`Uf65!SQ*<=I@pYb| zAx(+g`b%5hW?O%05AgNYU)pM-|IGy*ZT;o{+IoS0#Del%qO-TBa;u#Q{tJoKR+}aS z@0jX>|FYG-kugum&a-9upj7!k7Kto{=*1#=VEUg0{NLR_-0M{H|Md1Y=l^Rd<%59w zlR!c0M|kYV9WuQ2kNq@d{0NkJd$B<>KTD9k9o3MSVs1vEO3sLS-5WRUR=3^lwR`5G zXDL!uBoSp&;WYILCf#Opq;0eQ64usD#hkK{UoM-Hu`9u}N%}~S;eJwFz$MD?w|r2s ztxQdAne@?Tf0-#BlL;;=@QkqI^Rpj!FDoAqN{EaF&CEg7NwI8*N^QnvoJl%J2^w;N zGQo{WrIi9kmzVFtg@!6>Owfql5QfHFD%nP7O811(-wjR>9_W1qJlg{eZmdA9c2*io z@-#R1f?mly9wRKFZe&x>AujZWei%tQVkD{d^|~F**Z2rbT9xoloY2;-qNH*+FW`>K zeY_IlUTW;xJE`yr7LkAoyY?ipOM>_isWG576GRebZoBKBF|$y$!TUml)~-BH6K&nz z5TTGDF&{DdtM3gowjKud>k2snG>yuc7x%fsw|ML5k=XM2vc(? z_yl@!kK@4~X3wbEa6*+{#ed~QD!mSEbOPB6(16%H|4AF2F?50_Bt6l4#HU8J#;A-m z`j$s_HJii&E-B|$XkMMmjKq3%G`bQZsnF!AG)n{RlTgS!IZiaV5oSqLJVv(EG!ZPV zhP^sj*cdVi8~%n*<~_&{VcG{%W(gQTpzW{zrGnhIA1q~qeshQurVo4Y#fULU4lLOzo}pCJh;8mD&&WJbJ8sUiXEFnzVu2R|b?K`* z!1O9PU`$7WeBz+-34E+-L&{bH)EWfy`4s9n$l_cGkZj)`r_ST7#)L96FcM~@(fpMp zVBO*rSyVx`73s~Ki*V)e4MCDmNVOT!w#u#EBx{>RPkD+a4wISzwf47KJeNeY%?4Xr z2s|H+(<#E&6l#RvafUFPqU$5+>1P}Ll1rncw3cTvO^L80YK16hJSL(vEYH;~7RekQ zXv8<*)z9*L4)*8LC^Ff3Oh1cP=fqbHEgtMo*ljvEi=QFF9y2dxnYtfUc$Im|1L=)G zTx5wTW(y=#n8XfHZHtf+ca8Ib7QQ>hz9nF^LCOa^6D$=G4=@>Mj8n^VQNc-7_FIZ5 z<|$26A{01Ln?CCi8b8isa#K<))s?_Z0*bF_vw$|Gv}*5a4V_TbU4kpuh)BPD%GV}| zF%&r?c50ecG2?2idHE+`YV;#dv7#w4eKVA$I0hlB&99qo8-7(1Y_#9Y$VZ`n2m!}n5oxIByY-G_B3Teq}2P+ z<*<2-#`y#@AbVg;+Z<7rz%6h#LJ3irrV`-+&yC0`F!~@+1;MhuQ=0+l6^KgRz>9Rh z#4n{?{KtVyk{cpQc{Aohc4?~{$LQ^t#$(VCni$;KlJr|iIMn9D0{AxiX-t^;NF~yn z60Ke7kdkB@QRPyh0Ii-1!NtQS*Jy0anwnt}YhZYgw}FHB5M2qqas3Xbl5C?-?3(f0 zhoK&-EJ+YGMBZ;;Exx)orev|=Dqof;^MO!V}%$YiC(|~LBl*9 z(ljNB7A{;QS`2VBB8IoF-d%>aWc%s#Uu7O8Pl)sjk83kB6T&5nS5FTJ)K0E>Ef#8| z#d^b@1kSSP8>V?#v}iW$;WL zeY$w(u%-VA9H;-NVTVdY?lKZ9BVG&+?=1@%SI0v|#6lUUwK2KNsIXfiS};^afSGMF z$hu%3t?4&GgQ;_`+PxWNp!?dzwteLtKeDb8$Us3N4Oy*@*?o}Yd%|pt#KH-GtTl1# z^RoEqrNhCcqiVfwx7eB|ncy*z(oLKMskCQLb2iPoc~Yhh_U!j?rw9J!6Q1T1ChHkg 
zF9=SiHBWmDslQ0hOv=($+bD&0u?_ss|MBX7LX_TL|N6gM(Bc1Xz5a)-S5L%w0p{D& zjA=~6mOaw4^R)+I1u?>}S(*!+_Uj=mlCn{rVo~}8U-UmlT+pV}>&}huKU7Y#o*Qw_Jf+t}%=f7(xPjmiT zqo2(&@Hcb}9A*wa(W_^6Bz9G!Tbh8^$~oMuKP$sR(OAnn=XYlneY-h)-5kDd4qsjQ zDu=H%)}Do$r}jNR&CzT<`@Jdi`~Ym;7P^GrIlE@#rPGX&ru^3Io$UQdY>y}3n@D1m zOT#2oHY~?WS(BP&lz2j_o29kR%GPOJCs&QsT8$^MRpTTsEL98iw-71$`z+1&e;82z z@CeYk_J6N;*gdGme;*#~Ztj1tr96%OU%HU7@aoS)&HekC@MzgL#VfXc^K9zkxO6Y7 zB#G@CZaY*vdeEHO{8WdN(I zHB7lVN&eyV_-)G^Dy5VWEYO%rcvXfEkwdv`qfb)rGORtu$Zhcr4W?$x;5II$kzc-) z#(xa{>6YEEyx7yAw$&;6x&G=?BzS)egWiwt9B(O0b^E8>aH!sP&S03*M z)wLj=dxk`opA(z||COy6fNiK*}xi_Yz5E!UFW zFEa#M96!3kXlSLV$#TaF&W?wa;gtSbdsnKdt63o)uFMJbSP7=`vy`*D`C2$*bHhDW z=ww0c#Zo<$4*xUbSSL|#qMsrYc04Bxph*(BQsQXGq00y(&&>Zr((uLv-_c1v@m^iZqG3u$V})MDu913O zm_L~bx;Nccd8v)i+aUDv=g!a8Z9E~EL43G}!kV) zGC>K6X=0%^8AVGSIxSr!-dK$M#nDYo5hHUJX|Cih2W8vf$D%13kd(6#n6%tReI@N; z4JC?=*=ZLgodVe3Z(?=u^0&!jxvPNIrLw%W!Ir& zDWqoapub5eo|2aY1~%{GVU_czgjb z1;0jEK;Ri>no!))OfZ}th_D+fID;qf(b*7TxV8+v#-2X({wlrEoM|rM*wI{^8f96o z+&=A=rYX=Ai^rIaG@NgFuKWA*p8+C4k~}u2NZ2j^pSP{J0AXY zcYQ?Lq>WmC4nDQa=$YVp2pgOWP^DB6fm759Yq!y<9)lzy0-*;+ZivvcaOm4cf{d_8 zQX(PJ*J%fH_s$}W+)*tkxzOv>xL0i09hTj_;OJ0TUdtWIG~Gt8&JY zNrWwRMSfX#UWlAA%0?0PwJ3{l1Sw6L@4wX9W)Z8KvIN72oi4CCO|dYq%4VmYs|@UI z^noix?ns;~n~4R)24G<(UnuAZEWR(u7(o zN30%AD;gl-G#(i@rMaB4n;)?V{qmSKP7K)!#-j4Z+TuB^V3?S)cyAdNa}csb)#a@o zQx-WE!cvPZaT|svOt#T`XS1S{f1bTP{cv^m-P!5IGN?qW(Y7h(!SVY{<>ftPekRBb z<+)6!_UIs)!7NoSfxQrBQ@;ysY_?GykE=Suy=<%1UM#a8LWti9KDie$UYbJ>xBqRT zjF-}kQ4+S+s4*uh)~X?sOifo~xTWP6x`(hqW^+BHqxU%bJDK{|J(eq#YgH+UwID~= zWNMC7Ph8i_P8r>A+Gu6*?MkG9U7^K&5Uk5Jnd?<*Dz)298m*w^HJ(?&D7p{RxUz~q zY6SgdsFMF=sK!l=LUkJ2p5l(mRdFP>FZ^H@cHp*%8Kb93f55_0Y%xT1faC!+o#%W2)dS=t|l`0AJ;@nhL9o}n_ zi(IJnQgT91a28pEQt=6mm+l7^>>(2AVLo{nUXbC_i>^oT*)Qny-fQsxvG=acjoavg z@O;j%Ksi%udygdBolYmydrr-I+}(*ceNox&WM`9X8X_SHV+!C9plr>h>irS#FMNN= zTX-G-1Sv`)W!dfSkf+Y1O%eA8&;8VWA*j2j(l!9r@~WwftshaH8~nPb zBi#7Z67F)+E>Fh6Ic7it(F`g&yYH@9V{Xws9iji+2|cET`?RS%6Z2*QS*-@lI>MQ2 zl*%**C!=P9{=i*G*|Sjj%o- 
zSOdndb+j-ud@1JG2PJWiDpy2O^?f{61)>2UE1XySd+nB3>INX=x#Lw{AfW3RznO%` zOlUslnCmLdSjq(GTp5j~fDJ9}D3n+atw2X6@GeN=vX0&CFhqwTnzNao4tfCZg0}t) zXJzLE8$i<%fC?wGBj`n;x&xrXuzeosXo&_KGUXGq&zNKy`2m8(2!Mgr(&bn*Y`%fd zjK@o!6u>hYm`x;&gVarmB>b8MHMkYnw;-MHI8QE_Rt=0TEg%tQGt8637A$Ld2IsKz zX`UpuH1L4D!)%VH$qiko9(l{=EbEc;@mr~f$mx~MNBAM(WAfa_7-%{Hj=M-)DYH@s zc!O`as%3HS3<6)eps+svz0(a(_?!u*)G(8y)*wG*8J97S47wh%l9QzGIPi-MjPYQ{;lCd}>0a%1N(_f*`Xp|wv9Z~siVuvv=1S&VR@c+AQ|GD^Ib4wIN? zQ1NsTB-q8iFu}Rh)vL0+b zq9oB7^*PzGU>O%mXL*Fl!VmWUwcjI5M~CD_ihT{!ACM~vxto1Q3z_?ztL)Z@-CQRN z5<%+aT%+46)y{M7o93kfQ$&mPv4^6ZV(p%ELAi zyL%c-?&U!mGdDI<@zpeAYATb4;8+61H(Y@GeI$i4P{-%2NPz5s3h@|5otY1L%rX|k zcV@H4nq_24=TJx}k0QpvFEJ!PUk&_7-rj%G<~DEkln=J0@R|SWNrM)XEZqiMeRnZD z3$PUx4q0(Am&qJUIKf9y9OQmbS6kyiA0~58STS9jW48K~HWQM~ihMRIf;uL!zqTkd zd5ga}ZrdWXjEV^(CkDixef{-UU$?!_ZNQ3b0a|3a=ftdbW_z~=86!lp-Flb-ST=ao7Ynj|VV`-`P-X*l~L@s3Jk73+POouo+Py1&<&uJtldI z<%ZH+14kZF#rk076WW$8E8J=g$Z9EpO$IVzFaVDCV8--TzR%4zsqOJ@IscUE>9$M` z)lg>yeSC-%K0&;#yne5k@($b?YLT-Fg9b$bmX;Hkk{j}D*u6I^3vzz?_Vl;QAJ4$c zy7``LEGkfanim;Z)v_hzZ&`$(`anvaZ5c{P3jE;@?2yBGrGbVF=57gFH(<|^EH`0g9D-6YnZB~o4K6{eeOhjB6zFKfI zUh@XdmE^_S%ims~{^jNC0eMNIX*J=B!4GgjrgY8-CAr{#&#g}Jz_&fTgG*y0NH#aV zZT=GH+6ry0iAWj-)+f&j5QbMtE|4w&ih;B=FW$YpByZncK`1PE5=^Pa-=U`wgJPi2 zcRV1cVu3&U?DGj%nhEofMO04NxpzE(|Jx%pjx&SFyrnE!G8G3=9)1BfvAY5O*v=eu zte`DIe^jM2s@a4`WX7@yGqPwjg>;gU%(6Vi%#ktGbUhdCcQu(x`uStVd2Eet$8a!me{+>-wU!u_nBdtf^v+umNYb$WsGaoG$K?m>kY z0jAyJUh7@&(`^CT##(y?;I6^jmhJJf2Aq+>X%Q9Zlrm;nW-FQc`2EHz>(=~9nn^7q z+1S;ttRS}I=u zCTD4`8F6LVl^3ANXn{JpwZ$a1NR&|&DLulRCw)Krevn7wqZ%Begz~0JlCpaB3|fLC zRiR)7i;`bu&nqttYm>5Q;C{l!J+w<1t`SryH3#vFC{pSQLX&h#t<-Ahw>?5dn4qJ? 
z)d+a85Ol^PchaXxB3%hqn}K&iH7ok|`D^%WmTRmbagLrBQeb&B#kAx2?Xfk~!?x91 zwbEHtidF_&8x}Hh{hp z1abz=coVl&vP2?YL(4$hTPkb`r8v>!1u2O~bFS#+N2L*Do9o%WXmIhQRBM)r=j8t$ z{PG|F>L333;Na)u{-1vRkAq(Z@Q?p~_~*laxj+8n@bKW^=O5mDcQt(ZD?j|#&mx~) z<6r+e_?f-@wP7cRhkyQK!wI%zN4I50w_-(iz=*n1s@p*Ng)75afpyDJu7h=l&!I?= z?}sZQXIyI*1DT|u-woF#am(H^@bseKAQSkkglWuN+AI^ib6oehZ&#qgiY8>710Fl|27ErbVXk-du3P=Jk2ENZ;ZS#pt0m0GtJLMkr>Y ztj+)aoSYm27*a)iA2E4y2sVVX)8TKIf4%(e^u?R=x8$wV3@Jgt2NxCR%q(FHV5OxR z0Iv<^ToKEgCJ8>t7CBlYn$i(ZcyqkFWMU1w01_6*M{y=oT#ha3848poEl=nTWK+AB zI-F!wXeTmCO_#QrL0ZkmfCeu@m= zU7r8%3Mekp_SJ6M1zBV=-SWsTYEszlEsCT`jvN1-vVv@vVjV%uST*Oc{M!BsBj~JAImdl|KB>@*BS1be8+ptM^ z0zc#sr)eo zVNlL_%wmHn;P{-+!hZ{M+Os)JdKDmZy_AG})6)L%SmlKF;W>?Yto9;EA|skirP8gy zfK)-D+702Jynq$}-USv@3QU$0(uIs!pyfe3(G_|Nz<17p!`woraEVK;wX_k0MS&kP zK_+4&il$Ugdn98<(4R9WgkB@<+E*m#)WN75+8J1F&!N?nkKtqt#O%Fx8_+n!dn@?^ znrwGOdpK8rF6fhSZDd9{URt(K1Cpi*Ambk)M?!FOpOaq%@yjOttq=MF`2)vk_v@v8 z&tSSis@=R7aEfN!zM=lh-?_EiOPG;n*^CPSl{ZW&I$^^`PT{NkyTC7;>cDjdR%77Y zzbQg@_fq)HiNB!!C}b@LjKpX|hRmWzl6+8%%qJ|+{0+Racw`1JTs&&X(@nL@On zrKX8rWWvP6>{XOW1qRDN^W=8`Os6>UlPA}sGG}rWv-wf5fBi&G>KtWuS^%a7V74i} z2GEo=f#QD_VLCyLLlL%Z*u&R?p7o z85@vSG)YD@y1tUHq>bWIk7=4P7hqSV5C8cuvw}x)Vn-c zcFTPkPAUj9<0EW^{i_gco*X~@7J<-68Q&g5Xuj&KZj96nr?N>$B*vFJ@31(_; zTEp)fdY-gp4E;2=OOj(SMUXbAxOXLjhCmk}Crg`LF>M21wkg?vzJG7IbGA;XRHTtA z9Hv|nJO^g?HfyIE-D>7UH|09qA;_yP(2u#DzVKiX=!Z7K_@ ze6%xww2%jxdg|CIwFWjzIi2>%0e-oUsZ|c|;ka#LmlwQ&;-)_H+`d}Q4g&&tO`QG` z+QoumH8SsZpJ55ZKGJ647GIaLD6%6Brp~VOT4bzpdHxHQW=BgEEWn^yJonC zbfV;x0cMtL&ic8y7V<{)(NAH6dqynOX3lZ9tH&CT8&|*K*ub-y*<2Q{xwu|SoXUdI z%cZs@(H4z8VO~i(lDYQD<${aNg*hT85v4LVa!_q4`W~Wr=ZmctLepD=>tD#|8Y(Y} zYc(K+4EKXTeM8|RW;WiV%5~yIGyG^I@6&`+wVtl;@bJxu6i3`R`%Ro)10L_eXWoLr z+ric4al)<|N8Oa=zNMxv8;o=7jjfX(DS|J-)`?k5yn+WEe65vbL1fB=LG1}c%M6Pc z$4EM{u;P!;2b(LPEudF%TC($!62C_%L5X3Bh&aXXIvUVa3EoWg?Q7g(UE~(n=DgC< z#%%baz==)$8-yl6$`JdpC{ijwBuPr6Qm}QJCyCo)YfG`!flIL?F2G?aktb8k59YU* zDuu^t@Zy}uIZa?7AjhG**Wc?a&D2^7;ER6f$a?YQuJxx;MoU9AfT;$2RHk| 
zos{EJ49=JNWLhE`T9Slm$U+BtU}p2b*tW4n6Jb`q@+q%pa2lhU=HlBHX}dp{3ha$p z>g_6&bHTOes9WF;mloV6G~oXzyd|xUa>NoTCPAtNNV9t`xDLOf8FN`6fy0(r43<_d zGaCY2^aok@FrNWn3ximAsXxp>+VeIuwAHyVbS*KDugm6#DIlj*#PDYn$tvB>D%+!m4^7a+Z-uc5{p!R0wl%mUvF{h&GH514_nymrlQ=Y*YL{k>$ zfZIn4GUjNFf@~UmGBsq_lH(&#G{S~48cmC^CSFVE@vYyh$8lWNDCKpio z%-!eePOE{7QZO^O77?Tp<;}I}$Y(sE23XV-se9!sYfO#u%peUkjnOzZm@#t+aql6` zt(k1oP=&|Hi&p0UX!ubfV|K|B&=5S3Kw*YdcF0E|PH#&e026b)I7_HfZ#R(P9d4i- zH!|aHPzN_8kvrJMjHy%##Q?i*DdJqL?xTsUkNDIAO+W=N=l`?68ju*esc4*#mBbAM^3-Lh}Hv zUG9S&)y6qJ3KVX&e5c5awE~L$%cZt;S$4}`Ia%I&M{QUjp0%;Cc+g!g z2H?C_RBH4=EN0Tq0^+@O!9HFanc2WexC7>Wn~0`|NbL89rsnujOogol2`3HQ z^{CyoN0!I$nl%r^@56!`e!flCziZam3zSrkz{0b;Zd$q2K`C7(6Z-k(|O z`K}%Hw1I#L`=rQay{o20Cm}l#dT4$sR51jh_UV$hslL^=U`GY^06p0|5gLgpQOuHH^VBvW%qm0|r+`2uN% z9~63u8T4_d`;b-qkph#Kbz1IGAR~bs2nKPe*b8}|iwvpOg|lb%G&7o7=_!^s;)Z51 zIUSyVx|*4glLE)CDf>O?WIkyP%p+02G%n#ls=(*&m}M-JlA7IJ(TzqT_dJ{oKlC#z zDZUGwLK7(_Arz=QO(oRYvWqj5ZJG;j3;BKIc9g-gvf_H27 zy>)%fZHrj8&L~JaJ!7Y5Z18N8-V&d!K=S^zkj1m*6~$+}Lb&*}(@}=)T4*baXIq?t zPfHDE@$6ogSv*@8vc;#ZezSNwP3PyV=`5aYb)Lnuo%XYM+Uh}z=X2GF7SGn#|IW3( zKPP?Z4)(L14t2$zK9DxGy4*GyPVl*lhBa8bRmhwU&$pIff<9KrFyR-!BPr$_r5M9B zIx+o4u@lx&%%HqaiVa>`0wjnF+_Nf?(Wvw)(7Q#`EtS{`*1#4AZ zws@9{U%}!DM)9G{8wk&-jGto;QwYhVHc~dBBbKNh3dM%&Dbf_sj1>x-JMlSN9w@ov zp%OS)*oDS<)vC|kPS`vJ3Ej4bsyiz7<_;Fh|5NzqE4NfgW$co73dobFh#Z$oMDNW{ zTBNM4K6ez6h=cz&nZ1^uE$?KH3t@==0$8Y+qzL%8O+lOJ&tc0=-uXIGNvwi0JA zthn7toSnoOJUfy&15)QuU5)e^TFRXWI%3XTHz?9f8c=n@XHg3o^_)h6+;<|W%TuAp z{ci~qk&Iog@-fep21cxq+`_rc+*qNm6#Bl)QErWOoKg4H4%v@_>G1h0s-+<;_feRX z6Pt~~mb`{Smk0QA5T$v~elVD^nambF|B?Bz)XIKw2pmh1km57oUEF4UB-X{B-KId= z^-r~Cy^DhZZAnqF-e6}N)#uSyQ(b;q)>mDAwyn6jx~DsV(@x4I*F6qg zc6DD1a$BS(a%}ZSypX%$oYAdmYdsk@U!fwiKmLxiW4pESW5&hbyMZ5fp|kEcdphg> zns%LaAD_;;-|1R9UCWB6v+l2aI_v&!_j9+_ePko+Z2XpyEDZdgw0*yv;_OOZvsQ+s ziu|(F7Z!V~muHqgesJMtJI<*!@3Sq}L-Uv$>E%u!?K*Lo*Vo?jKUfr^%^3{HDalyG zQ_ip;FU9u=EVQ_EP!u z(e6l9v89BjX(nkjWhxjA87N!G)W?b>`GnhY*U-igY$$H8ox{e80k4A2pt&u)oh@wk 
zrl1R)6(5IxC?b>CRc-wC*f6b;g-3&QT^aDiFc30Z*Z9d(GL?Cz24SX{6L^O*t7CdK zNf=d{oE(!G7rCL8TY=Dad|KO@%f+(|Z?=*vgMU}c+hQTVQiX2Es98iE?!M6S9`9aL z4O^K}vbwWUhA8`PQ+lYo<`?@C$7veQ`Ury=t7)cM3YecqNMn~~s!@xFO*2)^TiU6H ze`l)UF2U5Mr%NzZe!2uxonp32F!c#4Tt7m(q!uc`hsc=ZgrDZ#Q*}bnszLnYjZF0(7)3(K+x*kTRK1rpbcPYYtz8(~|-cR9}Cqyo*nd{LNes zL_-ERc)~I}qCo~3kE&&MWv*{%7S}3aHgHbGDu)|bl(k4Dk^=kLd^%_TQ)KN8h-pIS zlqYnQI7oB*GYaTL1Oy2^HbwYG|pD>>{YIv|&f z6_r1Oj& z(UkWA9t3RCU>1L=7b%Zu(#PxGFK$vj`q;=$Z(^SN7O|}S*^E&8<7Q4cp-Nw6R4CZu zE4~hcmn)4fHS~FXsJT&~2u188Y{zoD=_)08JFuv8U0dZ(#o zjH-1}Ta|2c%r@{S-5>G3vWLH$c_}t$8P{tBv$CtP{Tw+uR45o4VSoYZeC9?<0Agw& zb&&!v`N48>@#1gaxikHlCMRCf8VUnk=rCS6H<)yd*`a0ZzFGH%N}jRhF|J zc|{Y&dgMK()w|Q|;FE>`v9yuf4UDwu43)AMY|f3qxr(K%prREmOBgA$KcJL$V;Bpk z07g!Vt1^o? z4c`7-D)O4p*gtz7PJHNlP|8h zh@X?QTxmITQtAsMkN|%B!f>52)zsi6jOZ%Cj~ZCm8dz8x#BBZrv55x|nb9;Il$8?L zQ3X0zd^>jw*gF}VJQ+N}u&7`(1J!+~ua_jx$(}Zd_zT0sn9(Ph%v0+LwKPfFwVh_) zu5W%aVw#>AS;M43(CiyIsXx%K{U%dWe zBN6$Vk^&;^$pD8MHGWH7{+o-JmsdfsoY{8V;lQ7z*le>=T#QlJR>Z3> znTXMY2iUI!y!%u>f|zL^FRf*5js0^$&ghIKXLN-Mc$ZrZIehzO`wCEK_1dM)vNDVE>bjZ(jyxO}@tBXh;vN-f*aazh|8b8+}1 zx#=fy2Ne!s2{YChxoEsy{KNT+kPlQJaP!^G9kA~K{QwNIrr=SW1!VG1t05~9-j`X; zSvUCigGi(g{8w1VVE6Bsbc%6|SGkTFQ9P1X4!rR|eA+r5FNm+6FWwi!YnIn&zRUN3 z5MVNj)k6CqM#RXTMgjTB#6Q)FgME|ul+i_jl;2BF0jcmCn)>AMMOiDCTROI-$+2RrF}s2IM;IU~7>ro9xdTzPoFC0#^a`ZgnYuv54n@F%0g~C2FR;2Ecbv z+%Sws%=M2DXeKTLM`9e&EeafpqB?j!@0N+JcKgQ5vo~*@U>aM*NXLHUM*AdH&;oBI zy&^6evukhnZxFmnNEAxOF~EG znW{_Hi88F|EY;dN`nRr)6SqAJYOMQxH$q2}nX|S0jkKhJoA#hm)L5U*^as{?Y(b*^ zXaz>~Ou~Z~wNoB>bt>1(%I$)cu|B{dAzl{kww98nieFOfON~`1<*$JnxVdtxA-q2? 
zLMz5_dE+y@`lwxtJujZ14BG&!>Av?D4}XoyBMy=?;cx!9JRHII-|fW7IPfIuR&lX& z@es#;$5QlxVs?4%&w9HYs2o zXiS{0KE_#sZZQ8w^(~qkf8LHa$sEp9OG9z_ca|Uil*A$P=3E+C3c-mBf zC8S?AJVHEcrs9t1!&vPTGO)C*@gY*``r8WC2IF`*6d%6o>NO(?a`&>r< zJW%ocyVu0A@9OG#Hw*R)Psi(V(r)m3fAw~Lf9iXmAj{+S8{kDgAXFsy0zSj(#g5C@ zGUam4>o;2j^`?WS^P#uHxB6zM^SML78{UPbxy_Y%GfG;)yvLm+f4|Qy|6rtkAv&lf zGS+0KA-^cpgz=V7Tv%uk6cPstq)lC|o~S7FxLM0kY(}91p9q9=y1#j-h67y*|KAZw zaS5hLA_pK>fSPRTs}BZFpTARh`+6S?JvjL@YfJ8i`1TNlPr9n>Lg$qZ;pB2Qw-xa# zyYG=7`J$%ER(Y~XHu5rAByv>ay0`-QQe|-g0v58iCr&A3kXWp&RK-(Nup2NDr5>@x z2i9_LD;v2&GA-m3r+2=&cw=fmF`Wc^>ehwa-2~6Y>+Uo}X&t~lEw-!t;YN%E_oEGE z3sNbh(5dl4BDA^6G3o=a)ewUQ>Gb0nwQOKZk~-K=kb!>DrUrNP$QQ}BuV#3 ztWYqk-J0f#E``aRwwAy%+4*1t+rFqZvK?34iEFxMX~fVr)&;FuY00=Kh%Nh~v;OQ9ogVLGT}$e2u={^iJIC}uix9LktVnKyRMWH1RC z$~d~UIYzzh;s?RZICeEHk&T9tiOvuv97jHiVJ1ji8{pWLTcz20;U26j$Cx+Ef_&?n0kt<&UrVLE2w)x?hNzJc5zi=R z=FF!4pa-G*_VZ_{!V@Qk6^|%g5}I%j(@?EzlL@eW%@5SJ>l;rEs`kCiAe?M#pF0R^d;q-q-Q2+Y2` zR);1G)5E{tx6>2VS8$HS>+o|{{Jn&1xNP=wqe21@-2;SC5n1!Pe_b;4r1Wy~9cKUbdQ0@l2Rooc0u*P+v6xMOlG|EEW@ftQOFKX24cBV4Qqs!hN9B52T?8sD1A=Ahj-3fBB4->dJ7rL87j+^ z7VMe24h>odadiPiyThotrcVe;+(!oxG!~#YU|uhTB0K+v9eHL=?U&H0FGyaxPaa~g z%*M#7*G#+m)A@yGmJvv+Rud=b2y^@**!UL7Z7m_HOSm`cD2Ve-s1S0wyca5)b&%CG zjSZS7d;J#EG>km1qvj(pPF4D-ohwI!9?75&rr|i&Di}%TLd;0!9Kb5-ZfOA> zl5*@E$W^9zIz#A*q(%vCip0l0{~SKY=jbPJNtPAvLRhP&1R;P;l#THl5w5Q`99U~F z3C#A<7UN)e8(Ap2@S!RqbOpI1!)Menw9r5(E&8OG-K|_Qbp+@1y1&yYwuebQ8<*B3 zrcLn$2*Jh_Xp5z@*H?x4++%oK@<^CQ`EB8&J?&=aukS~)?;$#(~T$EoDm~mWG(=lB2IYXZi)kjvrO;hPKx-Q5zIy*X{>O)LV;3;aZOm z&9qG`+f{QW6iR{6o5|{U?c{EhdMartVN}?^;Y~0OKyStI zDqh-k>=K09B?r~-`X$dVYi%jYu%lt53**YtBZ3E5TmZ*7PX9ZK*#Gn8<)tvhyzfx9Y9YSgt;TP$PZ%<8HMaWGi%v7^ot{LDpp?8GbL1DL z%Bi=P_q|i!DcEeo#B5-Q5xPya?cilAJClaCo!i!Q=VI;PTPe9q-7JkmfL&o~Ec9mh zpBIR=J#|gL9n+*nVadC+mLaHFmx( z@pB}$@&&SHgWCc>}Ol5TWl+e2C*Y`mXMCuR2+tk50+ohdH!X!49?lSUxigtg>W~bj4oDynQ=T7bcx)YP` zHG6+d{^rGt50QpKTi>8VTndeeS@R8jc}(S7h+zj$VIV+4k$Ab-1Vg!)?fcUPL~n-w zg{T&Az#@lPTp$#QDBe6Y*V-cBE}FcD=Cy9w*933}6nqCePO@rpJx*Ouu2xEJ>vVY4 
zu;a`eS3SO4Z1r@a)%nlYpSkMzvW#XIZxdR*N0XQN<9F%b%&Ax-7dBwaneX54N9Sc< z-{~egJm(MJ@V6TgU)>8Ih06Z?{L~uQ&hC%R%bzCvoTZ?x||oylms< z>aJD}eFi#I?F&nx%*c{@#Ma~emC!M<>n$na)CI=4QRU343Rzvp1`Ev^J7}#|Iw%iP zP)ezMjUZuVn)Zbe3+#&3z^yxVUWe5oNc2wz6bS5wJo#yJ!$wXeQuNyAHswzGgOM!p&)qAN{(b9&6Gy`%TqiJ7%j zYBA%U_Uf14e_dy{+UmqtJJVd3X@Ax_t{|Qi#BZH6>Yc(HIn7nL*cBQ{6DROOjhVIg z+Uzg!8r9yDsLZwPy^fQ%5(Dk10h-k~GD9)2&7an}gRoYo9z^ z&lPaSYIm1mw8$;T;D)zjjlCWV>H}SpZl;j7)cd$3T}>dj+2{WqTn{4Qo*l5wHO_z_ z&`U?@b3~4d?q(&ejzx~U)h`e`GC7fY{(T40QKS|wg5uZ)UG4dF^e)wm#YA;fNO=t@ zmg!wnvHkjmgId;YE!L>j%L+RU^~CqH&=6t{(N0=5a^rZq;~Tsx6n!Uxg6-S37Dxe3 zE0c@u8Kh;+xo7llQ~9|)=`M=sYjOE4E0e|Rc2|J){d{pyKK1pDFx|QGjq_3B2U4EQwgHPZ(4<%5~rI^Zv~bBt-b&;mu9An3*+xqJbFIhbu|5 zeHy-2pEdRN&)pFAqxAdYoo8VDZzBwZDi-~qlzp&cPZGAwwfn?RNk6TG>`yv=angmn z-`LxtcZW3x3=2OWp6tvjC`-02NicymIn_t5tE2z)F-x%(wKVsQk7LL`${1nKMegrJ z{bfdJASGiHVrD~6p1KPVQ_pdJT(WbTZ)7B_hn;4@5#KtKG|3T3c)y(3VVq9#JkJuD zDZyBCJD+Ea>n+CYiJ2fnkE3Aaz{$USp69Mga`-Ov)9LFi6J(1Nt`wXWPv+6oOA(=7 z@U10i&Qe4l&2JBUp&KLSm-9)(pP=adt488M<@J`wYOCJlJV?x1p>T1zHnPOq9CjjM zLZK?*-but1aCIp|5k}T{hX9*ueEp3jW)h|NKzXJlU4jro2ok{)A4r4kbdK|dMPVq} z#uVg}Kr}`&HkA5rBMvmfpwYC+m8sB%)dj(N@%@g_;#J~o2Kj_ZJpmJF7$b0L!})AZz!9>Kcx1c9>wO%9;z z5GG&-hT~Kerkf0QJYlJa3HSK|A_$#a}-;@(tBR)Z(m% z{T<)o63#Nx)zgwbe{8LR?^MkDtko0R8MRV;dn>FDgWO-A&i1PNU5;(4+dLLG%ct+O z85nHNY;@Jb0K`76ffN0yGxA^-VIjZamNnDvB^kbBjSCmF^PB-`!9Y0BreP|_Vb;iz zZRaWHOGY&A#plna&Oh)s71#1+aO$j0zz!n!Z%0;bj_I_!IyrruzV7rDXXk=bbs)`A zG^E{pBsJ5GEvJmC;)3Yrb>JtI$-yvv!-eINI*Zgp>Rck~1Tn2`Y@}tbtN^Z*Nlhw! zuaK1g$aIwl_<99-CC6kLVaeGTxBiq4vA) zLp%`cFou3m<95(ur7+ykS1)ji{pw0p3ZPqG8tXR3R!~Hrj;l^uCC!N%g{qEjD`uc? 
zFNWNz&fF7x?~gBcq1)miE4H)b`L-V%a?|fj0QW=90e?Hi9d-LSmQMCL_ll=TlWJaT zm;58fF<|_~h`~M7=zs5GjwI=?lT}|#&f9GHsh2`1=z&OpGB#O9$XBH+wVfn8$q#hFrzzP zsk$2asMdJa@b*w)9Rgx+1PkmtJ%n(VCl~2I74TyZ0r8~hrpQk5l3K|i zN%CF;s7j?lH8Vhf#kSa?-oK4I#Be1A_6RGmL!d4ErxeVscTR}bcnJ&Dpyl&lLW&J7 zTNOl(;gv!*Do5I}MOSWJJ*^iq&n+$n1q*(FBf^qJ%I28sen696Um-d*Y*UC!Sgfcr zy&n=7J?e0dSAGh@K2GTSvsnsvGqh=|JU+JhTGAbuHE}uIecezCna$LjfMsmIfDsr% zz0Y_Q%b!l9V&8X%1Lmy?xD9vFa?hgM^qF!ebg5td%TPdD{pJ5vq}CfvnJ5BA&Erv3 z7S2zHG!c|n0krZtAPl+UJi}lh)f}zsCm9OuQB0PH{^(X@#JhbWivjgey8^c+N%kRkh-1$fzz88C<4=yvvq^)<&;a7BDEetv%OyUZyYDQep`|ANBd1& z<~ncWDeGaK+lR;tOXHg11Fj&rQmZubigG6$5!!8X41wN*zTkoH(0m*;i-f5$QISPt zV8poJ-_EPMtlg{Ad;!e>p$Z^KY+7$R#|Z&8D#Sp5!su8@tVmJX%~w*d0pl~I)g8V3 zWX=xw7*x}U}3j~y-hUptCW>cp#^hzh*V6GMW-;2=q2`T#VUmbw*uH($WP z$awx*)uq22PV@P7X8wXRj~Z_EW_R^blm8PC{=QS-L8-hxe%qzU8Jd%+KHb-Y zv-=7ycqkwfc46b z)3{|QtW9~cs~VhzOPb~>RIEvu_hY{#se8oHkM9r{nGUoKD^MIYF4>+v+yoEQnE2sZ zY~MXFZoGo<-)8iQLK`G5CEA)ct=m(OSZfU9OQFEDs&u-X3wGECoH# zZu>~E@jcj{oP2QEP6bg26hThh&)h92O9UqFlY8yTCo>4-BXn{QPONE0Iw6YY$9}lD zbqnxi6FtK|1rvOW7Hm2ygyzcs4hm5;n{y*F$dn|V5*wRG zL7X3Em~=>SlIdAav@>p$DKWW(FMKRY_n7ga}S(y(mXe>=2qTYt0TNldPoD1v8z$WSwU+ z;$OnXr4vG7%qNykDdu}`bIC^j9Pby@9v!o=CYy@x7s!8S7K!{5iJ|>70f2-)nw;m03Jgr0iu$@N?10$i-RF&nYKC=kRdzv$V?XMJ5hO z2Q4KARc*feAoOKYye-0-7V>n*z}g+J-{;;4E+6<{Ddf4H@p4)!@tOS4wjJasMo?6B zZ=Sp|kVazOV|jk>kl4?1(KaoGnu|6Mba`U(WDwGG6pae;xgJlUD0==;NXhX}g90;{ z(Hr7fq+tz%Sehd3kc$;3>%*7t0vf>fQD}M;HBv!8JvbYl)L2jE)6ST%P8lf&-TY}_ zkPjsEA~;euamQZfEL~5}gN-jlDE}UvMTnF|c*p`O%w%A?9tW0f&P^3E;x6=*5%~*Z z#$(^8&ylQ*_A;DqIQqas$&^L3DGRHA86D>zwOU~#6kbYQ7pzh=vXvo^*wOEwZ;Xy0 zQF_DD0MTfb#=s|F2uO12TSi-J#%4$RM~J7NBdaV}TK4B^)Jt)beLwFcf4``H-%Nvp z|Hga%emM8}^}*=t^YPsO8}DoU^A;~8jl>L+j8&p#bGrp z7YFypJsz7>1p(Jm5~jsq_@*DCLt*wB-$@V^y0V}AxLjp`d#G)YACtFnn&?^2X_E8`A@%$tKN+2DLa9?Q)wz=06H5 z;_mPHU@A)5W)&jW`15JqMun31ypvfyWoemcW3|xnm{sqjf>gd4ilTLDyBf|wvATc5 zyU+A%2C39Z&L9GcmR`Q|pwR!IdUVP{@rjFH 
zsyGX$;k=rxWi|FWG&k^`4}tc6*3+dHFx+vz8I=^16GQ7@OSH^!jJ4jAGy)saq(dCC*3qVt>^qh0ofxTLEmb#xQeJ?8;cPPaW*-A#_DhZ@mT%MhQ*=r)5IA zwZ0zjn&;7Nrncjn6_^HQ0JGJUuITFn8GIKL%mF&cQ~HIdZI(zb2x;uggqaJ8vTi0{ zY)6GqSwWGI{w1OrO*FhHP(ma$f+vZ(iit`8A)V({VF?f-!ai@`pyG2lnBFuEOpr_e-q5%0X2|Fm9kbRSr~H+gRWVW z4?bU^?WN!*)Iw~l48{od$uWS-JH}U>02P692pRj&mxu(A5=9l+$okA|v2mzMajhEN#6in zq~ykdkuqkl`(2s-*J6_I9_Y=U9T669T*@w6pi=F7!neL1ch5_5GA;)(oIUh1jW-%)K1#Dd1~1vz3K~_z?kjFj?9(g0 z9eLtEB@>T{o-|}O&a5-#o|ZJ6P@F**1#AY%Pv# ztL*}eJsB65us26xB$ts;5Zj4xYUR|<%B+c;)#6!y7^pJS1XzbhNM3!dTscSaW)+;p zX@%xy_$4^JxUoUHj)R?6#KHLA@9{!bl319;Pd!|!f7GYAgFp0e(5n6LZZRXPrQnJw^|=xHkNT9l3*d8Wxrt@KzK~bO@#w()jR|?nysNZ0-;0A=gc-Ic zMrG0(p0D0N&b-Pd|56-*->;h#c(Ahu6d!Rd)h8dOqqcv_J(f+t6@*TSemRP=gGc< zU2m=ngI_LjwS=Kx3H@SWYf(9hH-l8S5JxH^Scf|SPmMfowleUj?7t8^oUbqeVa*Gi z)E9|hPS18X8jhqkY!46Bw7ujQ0dv_Xyl(KT|G*1kOI}otR3jWDhS&{i@HqBAzoANF zNUnrp7f&73z1?H1C$JIri4lg_H`!Ie2I-Of)GMmbYPQOe9t@H;4|Ds}bS9KiW+@~L z{+%yoT$@R^JeJsry#^JiI(3crVJYlnn2M-pEvCS7BajCuMkHo3ms1%hVdExh>D#j-aY-9seL)9uf3t%SFr&slMRqUEQZsh zfX#5JPi~HOqJ|#fj@niFl1|G z{|&ZP#W)Rqd>#0Al_UWN_A7OQzchU&NOIaukY6)UdtkKHFHPTfiUpS|2pcdRW1!`;s(RiJqAmC;%a`42WT-e z39{d4vsr)<<207B^4!F=8>T#|RO-OcF4g$&kck3$rhHc)Sl2wuehbu4WVjvPB_>Pu z^=DSfBfDu8_$@6Izc|2g2D66cQba?-uf(LE%?Ki{pD@<&CCOaP9N;oiwe^zfbO5UC zSz&oN&}8eERRuS!=A%nEr+ABgER&$gH^G82o0GJb$hoVR>v3$Qj;7P0-ZWHKd^;13 zt(>iO@t2}PHXFl@AuYGxreN|%Th^>hHX@pTyxJ$v(&{XS5(V%K_zBZRaWd>-FjlUB z(3SZO3(WKrxrvHwFpv*kUS2Sm1&4o%OKZy8m)d?4aN) z#=<`V7)?kMz0Zj~LAYgb|8URa>>utq^20q1XoYo75&1EXoZUPC!w&>B)fAyWn-E z$2_lqzAtEBBTo{46{bvGF8LDWVq%wR_ClF3w;R`XKLXokQBYpGn%Fa$71ug%DI3Rp z_UhtQ2TfS&BKEYnZ4)c(@FL-N=9Y38qvY#C`x(drH{+YT91|UKwHc=a3%=9u!e%#) zhC5EOx`)J`sc5`7EDK74?{Y~?2=$oQBCnREZhcKCRJvT2B*A)$uaF5BooTgSu)vSH zp3FY3l*&U;PR`RemEO%T&pLrN0cfeMJewjgY__1R(gS}@Yazh&)Q@C935ZINwhk2y zMiamV$zZz=fjLgNC1eLyx_~p{oNSGxfD#AjfO$V3bAPc2b_kths6NN zt;0Nsq-JbaSFO%k#GWuUFZ5H}3dK$vJaBaVa%BM}2my>DQhf55L-d@(@&i|au#~Fo z0MWdPQVXV{DE+gE`lob(uKIx2a4a{QUmQ?l!z)dU0a8}+(2Oz{EKn;jb)#s5pXOka 
zHBSfF>p0vAopQ>E%^Mq5-zUTnCCGOrg~v)0zSN2#ZzwfUtT_AZLD3?M^|Yf2p!0oR zTRC~=rEGV;3ILOL((%vkGi-zA;5-`m&b-{cGI#sDAFAv*kp2tvVnk(%XEDLM6tkf+ zpLrD(RhF|x{hnFbZ>p?m>39|H%Ie!C7R2A+JnJ}5m8n-&gIk;RXjN?$q_Gz-miejB zOQxux#r^k78J;uFpmccNx0rVK$0L*2MPp%!bm55_!{`D2xFlRH%*tYaky~<=2%qFu z6>^j#aJ6=%DGfSiqGO#r0aOr{ynC^f!Ktzi_uy*S{bwo2>p}Z;DEE(31Yre2N+M4r zPC`k_LIg5*;lgWF(`p6uYEXaA-1&|qg$V8B=r&^Ck1Azf%1m&Bo|>)KogD>tzSv*R zCQOol+$a7)D&TY+{ptB=qaYMDUik8KLacY#Huj!y736Ig#^6TmpNiymuqjhY6WIPxaUxPoPnAUtZ>(j+D&EU;sOmF4s+$%Ex9_w4sPC%h za(oNnaEM`V-W||3?2s_)UzLw^E0#fLgI_P0W?Ie`f`c%M-7dhCR{|zHTENbkkB*b` z>asuEYxP;qZ2;enOY>9iZ(Q|Rgj^~nf{ifhdVHV67sZDOjH-8OER5tzFE53>H6vm? zI^7?)olLKn?9oHqLVvFOju_ZB-c|5Vu(&3UEm~giE*6)Je;(2ahSYl$CTePtdmbPX zxJqsM~h6L5m3UefLIt}e&bws0T)$mb{a6^)Ni&Gs%i^D64n5CJ- z^C=X2O-Djk1XQ-jxJSu0k_ZA>gXsls8l`Q`GSS)# zmTUM)aCsM-MRx3&_3u|4Snq5v-WjPu6e%&xGH|2$1-DZ*Z0zE!6`WEq{Za{097E9G zwvvFiU+$pS*<*)SAn|516VZTD$`*x?Pc|-iYTafgTKurggt~Ld^S?m)Yx!0tNndB? zo(XirBoE*WDZ;DoAKP9qYntod7A=J(1F>?Ur9cK#A;EWH)jOr->Z3!0+S}@q>s!Ia zPo1KnWlz%omVy1(C9F}Ih$H>55A7Q$Iu6m4MgL^Hdb5!byo)f-Z}DH$NqJV88+|T@ z9O)<%4-H0=#9I8!P2*+V!s`eKd+!Af0 zEqF@6PGpbht~-(`An*e8N3DTZz+VI1V9kNUo|{J~6?kLf*$-0rz+`Iyc&n zd^ext8z4};@U<|px;6gX^(-zrAmhYH4naw=?7F8#gT-cmik*)TLUyuak=Q#j=SvtQ zIcDC$Ma2DiIO6uth10`O=_ zsWNV^w18YxNiE`*_e(8andOpZF;J?6wks{r)^G9?J^c!OPUQL6oRF;L7;mxGc=(+2 zjnh2LufkYG|)=Y+>luQ4#jwm;BRH1>T z6W@i8QoQPgjWe(Z9gNqR6{^K`i{>c4V&-}&AmF36I&cQ|h&I=>jK4TBStP}faTEtGSv^_*{Mh!v;o}e=m%4!|qp5+QYQBSXUHB6lW5Sb5nRpg;qH;c$fl(UUfJZd&!h&8-Vf?X#Pa-XLt8vGLF9m3yTM*e-Wp zdyU6Twp3(NH82xVVHtcR(cF^M^@FJ5W<_oZWX$)=DSu1!87O_#ZAZ(2pnx@>MY{spP=t;V0^5#Z3Al2_bAw?ChsDe`Xj@bGZrH?N!X-N7oJOqTcO z!^`UED4Pz?Xa8;3>oDHPt&B>`?r37sDqhqzw~CWp_6Tx;8b0&kg$fhkQAO`#bB;w; zwx`{s@JB|*p~QHqB3_rSK?y9)AUac#nG_34$?%Y@gspNNJxdKeYv}3+wEnyvepa3t zCwX~OZ2*)~)r<2LX_pHlyBnjcKYv)SDOlRO+#-#5Ryrl{?f;p_A+tm_cN%y4-?cekg zh#&Y~k2?N_dlr&50$U2su`(WM3NPqw?b6o$0JWpQxhVGXP`O85M;aBNkeSgy8@s-X zjfSELjZ7>W{rzpF6I7-W@LJE5dQdNCa7KFbwfBgQJ-WG_fD!{10ApLipG6|6rA3cL 
zx8~S%>`tZB_WS#F#|KWT|NE`l>%`{!M)iGBd(&4U{2c>PncG@ON=@M+Q!14mC+quV z(daOwa6}T=I460yt|g|-eqFF+*PR_{>lgNZZeNDQ^~(kb#|!sJ(oQ4R_bqH>bS{W)&(8l8d7>!IEPNAcrgqeSczrTFB5109RSZ^ z{bbHzv)hj4{ABKuntCjN`w_-NZhZcTY%}@?DUk1w>&bSpb!iY!f{b>7>30bAkaJBC zo*YrZ%1Ot*Mk4*7S3Sx208uyPRcjItxCPxy?eCsQB{Wx*-2ISk1@IztI=X8A9<%z( zmVUo!v)WbT{1%LQ>X~6dvF^~>bhMX85bh&oUjGkNUYDSxMyKm(P>y`2q>NeAqf;$w zmV@!D^h=AbRRZX`jU15_rv|UXQ_Ui3r~!-O1&Z_rz*CSX%aui~)jAruP4XEnbHjOoz^7~rA_lQSMHT@{C6u6ajbMXgCpWo{q?4nt&^u)4zmZfUoar5jW#dh)HhY(h}1 z_$QdYSKOM2y)Y1z5B`3N8>&ej7kbV(w$~Es2Wj@g#;sF&GP>qUo>43+Vl7)-sed+b z^<5%qYV?SPkJ#ah40ox1r}NZ03#lk&($->ip?jDbEe#;aox7=)_H_w0sL z%FMWnV;X1O*qJ>~&tOi@|PA zU#gyY5+Iu}-}^OIVwrJIBP4+B+}CG{+g({?Q`Muh%4hz!XHwZ#Q~k9B?4bV^-2MhW zX;hHWKna0B%ZKM~_vhUoxFZ;7KT)#N9+e(+M$rHGbOFDYIF^lg9J%PPZU%K$Ja1dd zVNB`x!ojMy+DZp{9nqt-Uc3I|kwd&Ne)c22F?H?_G)Y=hdq4S08SyR;4hgM0B z&Bf{o(QF+madk-uCOpS+IE4DdW`=6A>pIEi9uLn>eN zU;9p!F}^{dpF58!1%(SkevnAevY2P(Iw8%60S6Xt-Np>qXEMn&Pw_iE)#>v5fX=F$~dr))S62E>_o;7OX+voma zwYj|NbV#y|BC6d}C9&nw<(O_NT+Vd5W+i{yUFMwHzwoum8pcQ%IrJniLj$4lNn?mIHginA`1Z!*F!KEueET>#$v(NTdOF??*nzjj{(Roa21{Wce}hb~FQ~q|P1*kPAQ?AH{;uszYcD?i z!Nt+);>bk_(uHo#YQC^PjzPAIlj8mRH^KzmLBgZ6KxNHcgan zhF5!B^}DI%eF45(oE8;U3Ux`$F`(*H=@lCbi?2@x8d?XOSIaaKg0(5@>MCU?hp?6t zl~4_SG1gnlB@|@jVy-L7>0_{p7#stVGEe`?)~BIOvPVH#qD0DZ2P}}~d6Us7WItm- z2%Aiq;mNx*l_;@)f#tRYW1@UXq2M8p6aM%(SO#<>Vd}F!rIuEkP6WMi95Md_)RSls zTA6_5EwrUHFd_9HHFuxvc^sPS4AiMVHiUO18l3qCiS>^DwIQWGG?E1n0St4p8vK6% zhCq40&^4+U7y&iolL^bLHWPg44sBTjA*=Z%N_nKK6Z!ecuY2U6ye`5;%x=jOG=+h_ zErtIOOn3L_DOE&0>fAeeHaC$XN9T4NJrEz!c!`ZY^&Yxl z)16iXO0nk4!nCdrur@P}I@)?^jzqPg1pAkTCce}xelf#09Mco^W$`PR3!U2(0Dh289S0cDOLO_q7lPw0YW zzKa2QLp2or`QR))!=U#MV1%|=b>s~w7E=2Ev-j@ZZR5zk==^*ADR7-R*U4;4mi$b- z&sqC=9Cx?RB#xKu?%BP1&rKi_lCVt?90IhXN#}m{vrq+);6oBA%Zi;QW=&d_NW4*~ z$FHh((%@NXa3(&9M69HvhuJ1lAP_Z?HoSEs7Pkhje#>BpjHr{tc78{q&Ri&e3u|s+ z%`L3Cg*E3(3v0Heg*CUZ<`&l6!kWv!&qqu}F~6gVnV!r-Oy$OSS$f4mlY|b^HAd^5 z9c5lW83^i=0Szb+z7%7kd8gFg2k~qN)VocgM^_8u+0Ix?*d{$ 
zR2$`^QyI7I`wJ9T3Po5FKH)bTmaq)cfSdP-v6W+fs-xEIaf6BV##C^zOIp$F|5STbH%j?+-iHN;1)7=MI z38m;H^jRE$avY{kmgi2AmlM+qN;1k$-m)kVQ<%-HW~L=Guq0hGC0`i_5y;02`mfA? z2HZSi=84IKg+BAUoK z9x?_I2lB)hJ^AdJAEX(|t?w@Y4q_3-oGL~(<0Le6V-vjxS7Z6Md3_cmAZ!AlOl4`v zSbo(rvv=m#I)LkF5;32MCrE9M4z0AYVD40QtXIHJUkJ z)htW4Epsf|jr!zD%JZuER&zE#Lsx@J<^t<#)|7)W0Y#4QSSLXvR|lzEP7KYLDw1zY zb^h}@A>u2to>xbS&kuC&f-ZsqXh|%C-#+Br4nfH?$F5qk`JzqKIDTtlKVV}HUf4rM z^_5PB0UeQ!!|r#DMx|q$d-!&L;8uXKCrUsDM{|#!c%J_2M%=PF7VuJ7%-NMV!7Z#e z98FDZ6dxoCo^;$F^6_8vGu07*@)I^c!iSUl^)$mw)*j?(#mj}1dK3DYPm&3-p8P!Q z3-l(qp! zMscm z>$qbJ$Qcv4%H0hGZO>FBiA+ibU7<=Rce5v3}yAV2}nb`}4LT7eI_qmSWPQk?pfPEc8V=CcMkKWb@C? zPn+0!6bs#iQ5`|A0r^R}*8`a=DsSZu5B0w7Xi=c!9FHB;@pQDzPD8&#&F<=?%ewQzA_ixdlPDF^;H0z=hIcFB9o zvy#(~=Wow0Zq9!=Kf9_km899;#sW(FrG~P#B+ZXvcE?2`gDJ5tvek#BcuFu_S~yLm z(8|}^t7ElShbzl&Zq9TnUd=}QAr_ORHsdu~m#q9-wKKLPwvi*YhN&^(Jdvwe5R|lP zoVDo}S%TP*G@kH#8vTt;XT*A#RSI^Y0Ae9ga?7TOOFp$#*BvrhZrG$T`L?B_JKNxm zWhPjcTQ*m#R8>kYC3;%nme=##WJbv{hsKsB_fcin*X`zRq8*(0zHwYiBpW7yG4gdC zga0;|qPI!H{r{*-d>%ZX7OL@}IYkfjX^zUKhYey?C<*(;s;SI%xYQsQsZh(MnOpU& z0t@yKiu5p@JTxCy#4?&)mLy#((Ah7jbm=v);EEsGwfN?1A($SXUB>XLz zSti?ydo>rgMYG^sr`I^3kh;VX%`gg+dG40g<`!*fFZ%EOqQAzy@vLuo7T(np$SO5p z25|^*Vi5u4x2B-qwFgqB8iGt^je_2!T1!Gsf`IT4k0(@M1^JjoB38^dh+qg9hWQKf zItB>6Mq|apk#VF(B5b5$9+F8CC>{mO4shE^2tlP39;a5xo`n%G-9|7ky#+0Z$9yfU zcgZi9UcruaFx5Rg3-7QFO8f*>u1KV+>v*aPM7@EGa9+S6TKG2JZm?xi?syg|q}=`5 zH(ArWC6%}vT;!!oC1dyVm&wyoE;PMVzVi!Zsmo-Ui==_Hxcud@%*F9=Ryc~;kbhq4 z+?<4&rv&#|sQ8fU`4GC&2r{S$!l*X}YH03`Oo_E_1v)Z;4UcNgBja!f46G6s+ppPt zy+32_myi^|GwMAH0X{OvE(vjQ9bYnZ$%3eH!z8$7O4cy8G}wvIo695!F2R$o=^C8F z%tuKO7+1V5`G7%tP9W>#Hn~9Oiu2)xP?yN*<;_Rj*(@DKIU!+~^K&!Q3DB<`v+<#_LrH z5WDJe5{)nB=GSs(!@7lh-|hfw6s%_Pa;Tx$Gk0!TV~9&aT3~I83Y?dQ&lld zLvO;j5M(`0Jmbl`_4^j2NP9)@MYyG)`(1J)AVgnU(NrYh*JYC11>EB*m=X^n>?I0e zt5jL!+}UTYY~(*NBt4i-bgd^;!a>~`Ga9HddM<||>_GNIE=dxaU+OCln@H@o)Rx@y zjnrmtOhCGuam?gc1U0u~J~IRl0eu6YY z_qv-6SE@Eq)Z_b+)!c`8&$=JMOtV<;f+xd@jD=kG(ETK&!VRS$ 
zZ%2qJEw*!EN{!8voL_dyuOflVfDVFb>J1~ABAdFZO}+p0bp6Dr&mfsSq*`fuC>sg) zPJ7F8V-UTHj7_KWIAOE!UDzBJTo|(m`3&>U6XPOEn;PfGNdQHO=MLIj?TPXEhoPbr z@pP@*HPOZHE5LcI!6g1*L$PMZ&B~yP1eGqJGqJ*^M?(>E5B$=7l0+C)K1vjDVq*PEoK%e!R%qdDoQ7IgWNDhMZS!Zw-o z6>!`zqUNJg$_H>~s6~zo44SU6JRHZAT$5+R>Ql3FNX}0#PCj1$atbKx`g20V>4!$Z zpU#q8VD@IiouAX*@=$d|+`%duL8dUH`I2jSjp@)8O5a+7(sV z2p36%w=AI3Yvzg2uSszWwvKdnO02|)rg@aXm>QUYW=7diKnyfg>X}OqoD8r}Pe4sa z)*=H(pz~aQ@_!QdL<|)R$x9yE`G4i`%b6nKsfhics*rNk+7nalV)co6aF_&n6$+|V z^2e{A*;e~dZ@Oh^=;L-yqNl85QC@T{yxXPZvYXROe0QO?<>vJAF_kTA70$LkSfgcQ zIjz1uboasBb#$zRXjb;%j^#>Idunm)h*fqbcyBq9H2Vswfx(|2Dz0Mb}% zCqqiUC84dD&JRsQLNl;w@GOU5q$(iUdf_wbU>1AaS{FMxfSSk;~$ii20{F%Nm0I7G&rnL@j zbE42mXMKsT;bcr`wBX$|o94$On`Nu1hi$62YNWF&B&~F& z)=gv}LX#v+ufnD9uk}LYo^A*uX{4%ZuBK|FqFQ?>uI#Ry0BX-QE#zi85`MR0&)duU zQuyQ^u#76V2NM7+p6lvwL6J^Xmin9CQ64~wi83g$dG3J*m*>NvFr?Y4E)Q-Y5Ho1P z>%dY;>56ysDJb3B_T4bDnLm11#tO#Z)@|MhRb zcV7L+%a_0PI&c2*Z!iC=3m^XS>OWrnZvXhVSFc{a{Oxb=f4sRo`v-sZ`)^?~xy8SJ zfB73b`$x@6UcLH{KiBMFLw0moW^^f5bOns4O{KcbPQS8gSPOgIFqHH5x~1okBq*(i zOCly*DdwBZ^$zZatDLxHP8lG*C;(&}%!(Vv%!Vxk5ho;k5(N-74o*wQauy~bP1+Na ztcZQ~81qeI?ZIph=6VjMWL^?;H9ZxfVxMb>`}uQuoqyf1&(em}hu=(;MOpM9Ni#^> zw6<_UB~u73z|fugOcxtT!!APFr++5=js`4L&KsAY;B;SVmi*8jC)UvdW|rE}4hgH3vcj2G1Bwv-%B^HWVL2cK=b=CNc4dHD^M=@M7%twCb4y0I*=f2*pU0 zmGR$?N&gjWLn=vHhfj82feqpG-o8J-AQwV0ya^mWILkPvdkJj-D=lOf zcx^D}hQ7G36X2695u??k5gqV=*QdKB6RTSVTw%Vy9eUG? 
z^k=DsCM3!!Mdw43gpz4CicSd)q_DGMRCGmd%dm3#=Yde;5)Vg1zv4YNuS(`&%)`>_ z3Up0wGL$tg;F6|-!~METej!4AG?rNO^U#N^G15+jyTqUbG+Yh^F9|ppiDWUb-kMFq z75G~+V1b@7&3b_!B~{37V=#8A(jB4%VWCW7Gx=I}7A*52p_2T3{+9H}OWoEhSob02 z5OE!h*+pJ#XsduO!KNc3#$&ooLP2EWjcuPae`nc4gFXPQ*3;ahk4GbZmMmV9MEtx2 ziE#Noy?gTWfLmn36!od1hIH5mp6ud$F9bv~&l8jAG8X#6TXIvFN;1hEA!HTiE?A}f z!xV%;amRh;Yf1sjXE6)^j~mmT-LYW1u*qyKIU!%aX?}RBazbw=h!TP-t+VQJWD7?3CmfEfP*F%q1UdrbZ-Bj&BgJZd4q+8_yB&S|m!Gp^c@#Gz#o`GMVXM4nQqmE-tOW|6h3^7fI8_dG z21cXzdHPM}y1OOa4v-1pg1w)g^y79aC`T8b~Y1L!LT3$yiIjWV4X-Y=bdDM64m9=BX@e z>{E)i1U=O!t>*JJktahAZj;P{G8wFFLz|E# zIXVmoV@OrB6 zG{-IGMQ%WC&I@lEpN%vra9~3JI<5&2GQ>O_W+4^8lO&>E&e=Ljg1}C(v89;oz&YO$ z>)=odEa#t6BmN)6^+-V*0d#%(+=?W6Yha8#X=ch_FLD zn$E7BfPl901DxzDyHb`*(KKHqqjB!iP=W+ZK@>XB12Yr<#k}hqGT}z$%dhf$2B$Wu zsV}}Q5w`n#$-rKlrCu&WIS;u?IqC+q!-fSn0S)-SGPI=8Q4Uxj!jThd0mAH_hg`W& z(U{pNkicP!*au517qM{x&gz4xdl=6EsD&mhJXaq^Al*)FW@xLkZsVT1Y(NW%fg}t|U_$$=jOsrD0JQ%$yir%si z*+)G!pnOVVSOag&`~+zGU`mD@tx*t7gOA4g8aCJQ4k#L7!Wi|&nOl_Jn%h=^8InZW z3MR;U3gc^lhHMjDKqeD=o{KXryVgrV_uN=S@RrC=t_epz;Q`f~MUL@yFFa+8sa_Im zqJgF{>ie29#x@}CBZRrtovrJt@DzE`LjRu(KN#&|>@DbK#sHh=2pT{-u5VSF!a>D!ION{?gc+lqTla1=%|5No zX0BNluW=&MHlNNc)OXNYuPL65JE)lDFVMW$;?Hk>86bpDcm6so^5najtsUHX@KOqml zqIf734KcE_qnX3o)Z9pE_}M3{YEvR$INWt9rkxg_nJ`eV=j#;&l!!ziM$_vkX4F3w zp;R&D3$P_CofB+dLi=9U{&!}Py-;9i0O#! 
zm}b{6@f*}oK7ku#!7^BZG!GWc$b?R_GRA1kW+{t@d z!|yCNo9TP`3C+GXXmUxfg=W-L2S18Cy}4iC3x656i7n@Kh%S=aizoV<0awQE zW1`MSES_*F(bpj)p2=qeU_8C8OmzgZm?* zJSAIisj|`P@|Giy`Q$V`#SRDRqAVN?7I+w<%fVPkBV`%Z`IaGe*Wi-v*CsAb$qI^@ zPksHGoY!*Z?xlB^+&0M$OK%&UwINSvNP#}-otM^;=3Ui~TSsX#OX);x=KzmPC1z>> zc&yuoY^*TC35{==pHhV`fY-82jj0oh?zFXlSd^r0WUJfV!eb+1<2VUtK!4xFqiG$1 z{od0^FF%T@Fts4zL=Ie!npt~dar|yseMkHb45;Sg%S8RVWwlYDq__lTKilJ`ggr5j z8g!2U#<=eFS<&sSiMc&LG`l^GBVfRu)pc17)imV9WhY#O=5x6f-7VBST=Fv6x0)vG zDC|8TPv*>|0p-zCCii5W|o`{uKjqRR}JDuuP?I15dg^mzle#WD%T0kgq?>LT%% zvyEZ_XRPKh_J?U;pi!SMCMk^=hn3iw$&z?2*AQWtBggIe?Zx%ScPD>6dp9qK_oE%X zmAXhq`jAS^`lIp%!VIr<_hdcj;7oTQs`wM#OsTBXaE=@q3FJU9h(pF+i2IyHNHq}7 zZKJ1|(8x$nzPJzXY3!4e%k$@}nQ=KO0CtVpA4wjJO~KMogPE1p>oT*lbRt_UP4$~uX*HeSv!*jE%j!I{vYhraD^2yF zS@~WyqFGt`_&+$;_xGePUBP@d)1l6o(=};Ri^FXa;RMS=G_20pjY8(+@_cCt#;Ie5 z4C6lW2a;mWQHs$_qZQNNW;0=cVw&VVD>k?^1PBo4z_SXT(Wvyw$h#ra)*a))(gJiZ#kEo0W3%D;PXMFFurc9pO0={xQZd1(!@}JY@qqV1e95p;&W0S(pME zvrJ+0AU}iU&}C~V!cnm{yReY{pTfr<>`)<;u?^lC zLYzcN#4w*Cdh@Q|AY^T^JWxa;cK{Tx1SYIjIsrNp}M*+rZC@5z1#dU`>`3)yw zHCKLCRwa2ZD{*eS8Mj-Bvz0iVvLcDox#}#btB^ijOSu(62h5u5x>=Y>y;ZI7ndL%8 zJ*So+x2#BN<5Z|&=QUxWCwv>Le8^*|fDy|iH@7bn+m@>D0~3wHq`ZbimoM?lt`{ZS=7H{nO+-B1P9M@g=H4<-yaJ9T3rO)D z@Gf?;z7gw^uH7O>+WDoJv)=l_fVL#dSg)zG@$uQtgmwsw65f$J8rRI#UsYDXt@!+o z%lW}E7F6I)!?n3|P;+L&P9uf2Cx?BGgoH?~Zsz%nee2hcW?w8%KAUQ}G|aDBF3V8ov+FhsO=Q{XZ+IYA!#N|YX=yzfzCJ@mW`6twX~$M;pqs&y5H(rT3ySG(pvXtme#tz+WB0qbsyQtDjUCHBr^m5 zv$pT&L!8}+Th_?1RFGdvbz!o%YI&yo@Y;o&+4^4corI!b7XMWHPM@#DzI04=>8#z2z;Bh@pVr#t)AJBn&{dz;DKf!L_F{1-F-3^ zNi4f=q?kT@hcc^WdKC#6m5TIxWWvKl-<3;kq2>6rra70hvJ7uFlPiPI#q_qA$S;?n z+cIi~P`k4qD)ESCudaqI&nOw)SuR49`EF5osE5WEdx7oLb!UBo&Wyz{Qw;^o@580B z4Kr2ijrE3^D#k5sRl|QU)o>eNYEfweOyx@(V5(KjwgIM|p~CeWgiC6m0$fMLBrE*X zM^9A=L9-GOq}T%s@88;zr6hxE6Nbp56*p;8s^%ddwFjR|36dmZaj!??b6xX5?`l&Q z5qB(x(7{1q;!r>)#ygHQ*)VsILjnCAs`l@EmSheCQq}Dn8jqMFV-Y~gP07Pizz7Rf zoN9b*E*eD#fk~7`u0*0{uptYXj>WfnZVu*e#$p!f{ClWf%vGmX23cz@heKL3oPKg| 
zt_;b5s6%3m*e;SynnV6RX1IYjrJ^d4U99GcQGa@6s?tqwR!9N)j(B4lj`Zzk8>Wd8 z6RNmJgJ7!fs+c-^CrxFFdGt2Z?o)rdnT^6Q^&z__B4k~H7atND&6P8~1tp$CSj8<# za3tG^cZCZJa(AWysV0d^pik_x7bH@Xcp$d!cxO}E8g$jpAy!v&wcq7lvcX&|Z4IVr zE(x1i)MUjpc`V%dOGjcCEw_`L49vhyVGdGF;mpz~I7D57n9) zvkc+i{#{Ex_DRfSf3GVoJ{*b=K zjKaiOZV7otw-V;+U(;#Tb#n=lo`77Eu(`Q(mMhLLRhN9~eIhUa#bWV_Oc)JGC~SS( zBtS8A52q`4Dr$+OW{fI zNfIM~++G^!p{hv@-qY!rf`tcvZugUT4&R#V{?AwMG$#`UbczR6e*sJYMkx$OCbdMK z7|Jd@$fbQ5t#$UMF=<+TE^X={O=jWN(XYW-vCKb3k3mLWvhJu0OyTj)&MT;cLSA{@ zfo(EKR7nX$!>NKS_)Jq$tYAPT_w;2u-iGT z1Qr_HrkH=0-LbGzb+Uj(T*M%ro}99Hc7C5cONh@}c|`xADGUzfBvE5XNJ(Cvp1dMn z`Xhs+vX^J?t%pM{kFXU>?(grr@zCoqpDPh}MLgPxho1ib(f;A0D%z&#zU% z^#0-e?P+GsPB|5`^h@_?9+D{6pIO4+Lpv~sV9kBk@f}~h@3UtK&KWmyx;do?L$W#O z$(8F~K<^llV#12AflB|LY4#rSR^PEHnOG6m2~nUcOeBlD=|vWcWHb(@gx+#^!tI^_ z(nfAy%allLlmFIK6GaX!9`k_3rbWGRWA2S1mrvHLNYp)z{W((R%rlye@^Zmxox41q z2(g~Ut8ay?jj`9EmQ!$V%zO(Z)bUgdEq;;|ba$R}xuSTfeN;_$^H0WSxb9<+w zHPrKOA?nLgI!~?{%hVntuExor>xqe@0on1yWRiqjO?L)?80<`_RG4}Zl?@`6J3hN( z!H(pk4voDrSIkpM%ywwRJFp)@)GbW>7it=5akGQhSSO>r)jZ=u*?y7vpkpq~nLq0m zmed*qRH~bph7zXuhSz39-<4iWBb!ovq5uklo}p&>RQj~O3AJD@LS}{rW}6UHz+Lip zIMn195m3bghINM|3MitLCQQ-0e)qdb-40(k%XJ`X$*N(~L&Vo?V;AQF2KoAf-108B!i3 zF_U<;>YX}`U^AtiPqkEdkrZT1u5u{1vp5!Wuxxb(SIGm<8X6vw%-I^dybUKv49QKL zux;`K4J6wpKVx9=he>Msk(wK#G?B|SjCa#1!cwjlNX8X9t%^5u6e$yr$5fGf%~)6n z3@Qn^EUHD$l`(!9n+vMFrc7;Tx&%$B-c@TeXJ46fr=V0%%?T*I=g1;1S814lRP!Mf zokUugOw_EYz@d(*BxCA>vUBqaRj3(xA23gIa+`WDRz{qeJ9K13nExXSO|sO5qyA8O z#jf{O_SIHVJWN*~HbsQVku4So0~y332&$2)i&Q`Jl|D_4BiZt$IifR-L24+0oq987 z5-ku2eA1kAa8IW)73y;vBUP_UL-oo=02)P%#?lR`vyD3gYS(>(A7<@6oM&_P?CQ3b znbtDXT4t(OyS2=;mYLQv(^_U)%S`j`x0aa|S!U);W@#ET_Ea~E{GPt|XF+)IvbT3w zaeB`c83EU>x0IGNkTAs)n4#a~KaO{Hz5w0q==u5Db^ZV>)YtA8y_pn?I{~|6K}ROT zA^-e!ktFh`wmj8xi>lrZc(aA09dAryC3ixmI$SC)c24yd-6@>}OSjSM^?HZ<`|#gh zuUGtUuYa`vr~dxIe($i~Kib>>Q?Gw?(BJzL>8*66GfE;AjsMhpa9hQ}J(J=D)g^bk z8#Id2Kl|POZnwWtP@?|Cf(e0L0yO<^sR3XEqtK;0XTwOHQ4|=v=Ej|^y4US@-?U`m 
z36zEBA9>LS5rFyUzu(_KIw+q1ql2UN{I8>o0x>|WII0?uEy2(4#Aw9B5iscHt4@I5 zIZvUEkPdjj)in34aDRa}CQQZLlW)a@^6;3L&DZtW-HsM1;*bVAW+!fJWVXdqWIF6? zh6m{e!lS{)2A|LoyG()rvFY-d{PqtZMj!529CM!?lg-VIVG;zTFE{d`81&#@fceE$ z<`#~Kqra^10S9HZwc7YB3dD56LItMm7ddCjPgy;mv~Uly`G$csK0EcdT-tgj@a(rfxed6o5TG*uebYVu-ogg!QtSwcf@It6d#2IaD5W+sIn4X1qdRQGZ^0SMRzrH*Bczt$yb$0Xd z{NjfXSMSfRKK^k2?&j?3{Nl%tfBp62>DkrI$DhyNLIXgdj>#tIJ~nl=k?s zbz{Q`!g|fTB<5;*Dni9R8&w8K6_+u;;{hA7GwIO)b>yg1!3|F%+|7vAmnPAJrapPjHcI-?&hforHUyJRr*32C>1+^ z;e%~wyeK&)d%d2`;EOSXkI8sc$8|4??^No#rHW&+WyV4zQ>RhzF-}HK~ z_t;?f4LhWR-8XdaV0Sne9`+7*4~{&#_vVQ0_x9dUZ_wWz9(ldj{exZK>$Cmd8+PEa zgI@jZZRYg}?8{YbyT#jMx4b=e=WmbQiWl_uc)U$+XgBr(hidMb^GjS=k%IXwZPIdb z$6R8jyZWhP@}~EuXJ-w>?MwLDeKc1`1T&qf2C$abz257JTJjIO^~jF9)onHV`+F6& zIO$<6tPi}GVNYOC8f&;~WeYqH%kMiNg%+!(OMFl${mV0MI=J(Dp%^jT>1 z@95SF{18r=-+ujiOg6uK;o&G|Qkt*2`7i97^3Ln#7}(8E`3_b# z=<0+29qj-Zi9k%aQq~TDT!ytt(%2j80XnP2()qJCXT#H)H#4utPX(^`lc~i{OX27A zZ!_eMdG45O!nJI_x3A-u*lNX;I16rmAn-%leZ6hKpb`mR>Rlk(P$Tbf=M%W#Tr+RABDtT#=a|7oFzM{LlO(;pV z#IR`g*|atc+rd)uU<33+V2S*@&Vmn^Ljao`YVrx{>SRY6{{C2Xu+wU*9x~_L^zdWV z18xPgpPNSv^nm8}VhNIvpZSb5pjkUN(F+JeMj&Spi2PK~A``i%j>%@__Y0}S2Dj|X zixh%|e3gAS;&7AajO^HcYCS3G5unQ$F)# ze8=LHw;T(H8}5*;ziheeTxwj&*uLzmWHMl}W*pP6qF5;5iQt(0baSH_S(vLPW6Q0< zw;$Q-{_L?8xcG{pRkQXv=049-XYna4Po93^a?{YSZ>_vrL0PE(RcsOg@MY)Ym<17w zWmiSbRKW}EKYK_0!@T}?cemf#f7VmJeA)TS#@Xk{0&QHyC+vmp#$R^6e%<);rDI%2 z$Y#1Zx*@>UI@#|u2^8s~%@9x;-Cxjt;HqB9@A`a(9y#2Dk9=|sc4V^I*(9be7W(?* z2J{bc#{hf47KVwI7r^rXf_u>@f}VFb{?4#&cwXri^e7}5Fpp}k30$EvqZN+V_)pQ8 zp)$k44ZSp=)wdVd`dPRVBj&y8Zk!K^QAJ@TMvWtlaSQ{bsa&)l6Gbi2+z<42&eU3c zbvC_xn9gQVnQdon=I?c8JdkNUe}>*4|F8N>n)NZA2dt!fg_DHu+J5G~Y}mOd=Ajyr z&Ho`g|3hvT>cU3rZ?Ni*xozjHr#>adh^f~yaZ%0i6l8&&yRPtDwy4FyxbuvkZI;sC zNzBkcXY=1S$>zt+=Eq1(CL%PMYUlM4pTJIzSup9!FWUaxD`Y(h>7JgDF;IcaH_H zfBm`o1x&yiA2ak<=XMx@!5@(TEH5NHM2WiSC86hwBs15O7r`7)L}Mh+o(NjG;9^5v#3Ei zdQ_DOaQ>RRHph#~D|9m(|7J>X^Dn~67q)xz`@aGIXRNw7h$eV|Mfjh?!-D;PcdxhK z+W*&53XFwg73iiWfv!nYkEg}K3-vc{dFWd&iuW|ym@q}Hu^@D@07y!RIjSglLEB}D 
z7Nl3i@5CsQ$-ds*wqoE=tfuVvf02lLx0NFReeP!%uS*(o#s9^8U4fWz)vy93 zex;Kj>qgeqU6MY;hi*gJyHP-1+6vO&U*!hu)KX?oR=EDn&c7i^I~lN{4k1`@{ttV- zqWpKzYvsT76!$#SD3Uwrp?;gLamA^w=0!4@Me`$_9MI$;2Y=2xvzdxgEn03n-Y9Cb zCRBOjcZ)k$W?-}G4_DGjQ;R)t#}+X~GwW-98kg$pYuncc_SUJVGM0%kLZA*8dC~u7 zp2~1K_CehXaJO&>u=Nkk117Q-b2NBHuX4l_dSuq0xCxmZ9Uwy-QeGu^{pTh?NJ9=KU`K|B1EQzM*RTKYymr#3W)0}l0Zh%SC<9ix zRRsKwg-puJSPXJ*V0|t(`0ANXiy0K9$DPYfaOEN zpkI+=e=yIpmU~DbXf!xW%cBdM-^{50HW-zBG#z#z1QW| z3d2vs1=X1Py_!>>*7-QIp8?f!N3gu((g&T>+3&ggP8P6v3o4w2>6=l18N%$GjN*^Z zF%G!YRVwknrEn-zS;H`kW2@3dbn_g-EJEkv^0GH_XuSpmutY89HEpqe4hv$@e~;Cq zgE-7yaAAm#*YFG+<0`xHt)-B*e5=wx{-1$;SgZk9r2jkW?H1+#-Tpx<|F5GIm_8$| zD)sihZHqE{lQA{(`=LY3R7Krjk$ae&`A-q6bv28h3PywM>v;*cs&8rS3UZB}%2 z?2tPitAqyTFiQB&5HI}0XHxMHW)2$KAmon41M~WbDfn-|C4N8>4Ih)pw;z2LF!M2@ z${WL{d-(JS>)+t~o8V^Y!g(xKwE{ydI{*87#q+;^wAX9T|2oPH#=whNmD#s)3oOqU z(ky3;2({{oSMIj{j&tSk2_GW;_i`4*%hsEW9xraqwWSVgY`k0rw$X zzQJMU!X(Z_fHm7<4-)=NOL))QFsn+9T4ev(E#dzT4-TKZ{`Z-bX7-;M zOaCBk?YEwRKXzH-{6~z%9h#^y3zf<2Fkcb4==>iX^^51f*T(-}PjSz`WejHl`YsuZ zPjc&CheWId$ESJdckGS@@0C@9q3muMg^BRlF}XaudVhX>eg4bYVr}0yR-=9Eg*Ro1 z^KVJN1*JU({=a|Jp8vI!hQQGIr~8{K_e)q$E5nuno@KaZLo%?czE=Z4iyfbj`h3{> zKPvFUltuWD-eDpC*WO<5+2g;yTl~lSL^VNww6KpFu#c7DJ)VCn;y>s z)Rxi_h=|1$5^bD)<`N{k7TxhZmxW}iJ7&Rzk3tc%W!qRN{}u7S{iCDZ{xhfl&!oH{ zmsDvQgQ-hkoiUjFAmM?}!x4$7cS}c1b~j9#6q!WGlE^U&0x}B30I3fTN82Q30c33ZkOxd| z{G}`Jqm93G2lRI1FI_d!pGC|^8-Mx#H(romXv{?-$@$wexzUYcp~>(@m-~$F;N!9Q z?~U%A^n}lLo&%wrbN)RRD~y&JKP(GubNw$o-k$$8ltuYpcbCck>g=3FSzr&J!y);O zOU?8Dpe(Qp&i~P2$^WO{-)-$bYbkC1*FQ-9SNAkG%L2PUq`jAHhpW&^sUb` zkLC)q&KA#A&D^uY*Mm3o=;-yK=l6P)z1iQT19tG{koEfqyTjojrTwGbqyFCE?(5#5 zKkN?_t<{j7GJR;435NX$YK^^_E`NE z{tgVBO+1>WlXV=-P3j;0n9USw8aPiI$kIUULV#anRR5!O1-Hvu>#N|#-pzH5wx+6b2 zqw0=?>4zTJM8ukdRg?#k(1Bi!Y;YC%d0*I6sku4Uds;@!gFFFL1gra9CM6{ch8@XA zA@j2=l9v7Nu+WRAupc@e{X}werYqDFj}4~nSV}-hE=UQ!le6FiOi9x~2Vb`v!>snX z>Bf2UePTyYZ=ambYVSMTHZ#XMZx_v5kVo89vzo2H$L2L|_neo%`WyqIyBzCKjn&lu zJSYp~0{zc^uN41jZ}*_J|E#4foBz?-9BmfJ$H)TdPH>wG@_Wk#>8|e6&IsxDv_W3T 
ziUC$;hjgF&4st}gL8!7kk-1B~v)@kyH~{j@3r`k^^|hb zr@Ur%wOK&jTVa9YKo#Hdkc^=2m>!T9v|csOCp+je=ig=l%|6ce1zK?a`{n$fM~D6A zj{koqrJ?`NJa)1W{fj0_NRR5>F^=d;j{Cwlm&gWMavO4D7Bu!8TKg!f9f&H1@R&YC zZF#=sA@sj)Ajk#u|De}DD*Au-58C`sYbh&=|2XF!sGkM;o819T<3i3?TGfdT*}TK6 z2oqVi-}AiOoA0ld|LdF$J!c!O zEEjAoN>Py!mi)F^AcdR%$hjVx2dtCF<~G?hrxFjPgy%8!EBS46#FTzSOX~0_;3)Jb z%=)T7VbWLq339&b50LV8^B={YQE$S!i@P_bLBPThTWMFm^=56$%1dMVKl3J9KK}dO ze$oHq@TiUdv7WLL`EMnR%xc-bV0aC!fJ^qbp5!N73JFI`5b;$6gk8k{^^c12Uyt?< zpF94uF=72SQDE1f|F_{5n;#Ok7FAeFVAv|CfA-8uvjR7t!Byo4&U5M2ue4c$pHo?u zOf|^@yny~6?DvZN-@*P~tN&X|d3^j=%|rpK0e?MqM&Q*Vzt)r;c-644HdAm5_$?^U$FhE%@_PV=ErRl#YE>@SMf(5Ue!>59uirb` zZRNjpl;-(gXD<2*GGR(p3*@5nf3)8#+W+?U+w;GcvPAyJYEAbORPL-U zBV=6-%4)~4j_i;%&;Nt6fGs-zrTkyJ{oY}F{?}64{9k|U{9kQpOI!Z9<^Kc#0RR8L Kw=?hn00;mBbS$O- literal 0 HcmV?d00001 diff --git a/knative/helm/knative-serving/values.yaml b/knative/helm/knative-serving/values.yaml index f595d4b1e..6e8e87145 100644 --- a/knative/helm/knative-serving/values.yaml +++ b/knative/helm/knative-serving/values.yaml @@ -11,8 +11,15 @@ knative-serving: configNetwork: data: domain-template: '{{ `{{.Name}}-{{.Namespace}}.{{.Domain}}` }}' - http-protocol: "Redirected" + #TODO: figure out how Redirect is supposed to work + http-protocol: "Enabled" default-external-scheme: "https" + # external-domain-tls: Enabled + # namespace-wildcard-cert-selector: | + # matchExpressions: + # - key: "networking.knative.dev/disableWildcardCert" + # operator: "NotIn" + # values: ["true"] configLogging: data: loglevel.controller: info 
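Review bot: Changing `http-protocol` from "Redirected" to "Enabled" under `configNetwork.data` means Knative routes are served over plain HTTP instead of being redirected to HTTPS, and the only explanation is a TODO. `default-external-scheme` stays "https" and `external-domain-tls` is left commented out, so generated URLs advertise https while cleartext requests are still accepted. If these routes sit behind the gateway's OAuth2 filter, that can leave session cookies or bearer tokens on an unencrypted hop. I would keep `http-protocol: "Redirected"` until the redirect problem is understood. Otherwise the comment should say where the redirect is enforced, for example `# HTTP->HTTPS redirect is handled at the Istio Gateway (tls.httpsRedirect), not by Knative`.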
@@ -32,7 +39,18 @@ knative-serving: data: gateway.kubeflow.kubeflow-gateway: istio-ingressgateway.istio.svc.cluster.local local-gateway.knative.knative-local-gateway: "knative-local-gateway.istio.svc.cluster.local" - enable-virtualservice-status: 'true' + + net-certmanager: + certmanager: + namespace: bootstrap + enabled: true + configCertmanager: + configMap: + create: true + data: + issuerRef: | + kind: ClusterIssuer + name: letsencrypt-prod kubeflow: enabled: false diff --git a/kserve/helm/kserve/values.yaml b/kserve/helm/kserve/values.yaml index d6b0caadb..ad577bcf2 100644 --- a/kserve/helm/kserve/values.yaml +++ b/kserve/helm/kserve/values.yaml @@ -1,2 +1,6 @@ kserve: - kserve: {} + kserve: + controller: + gateway: + domainTemplate: '{{ .Name }}-{{ .Namespace }}.{{ .IngressDomain }}` }}' + urlScheme: https diff --git a/kubeflow/helm/gateway/templates/envoy-filter-ingressgateway-settings.yaml b/kubeflow/helm/gateway/templates/envoy-filter-ingressgateway-settings.yaml deleted file mode 100644 index 66ef1c694..000000000 --- a/kubeflow/helm/gateway/templates/envoy-filter-ingressgateway-settings.yaml +++ /dev/null @@ -1,28 +0,0 @@ -{{- if eq .Values.provider "aws" }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: {{ include "gateway-plural.fullname" . }}-ingressgateway-settings - labels: - {{- include "gateway-plural.labels" . | nindent 4 }} -spec: - workloadSelector: - labels: - {{- include "gateway.selectorLabels" .Subcharts.gateway | nindent 6 }} - configPatches: - - applyTo: NETWORK_FILTER - match: - listener: - filterChain: - filter: - name: envoy.filters.network.http_connection_manager - patch: - operation: MERGE - value: - name: envoy.filters.network.http_connection_manager - typed_config: - '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - skip_xff_append: false - use_remote_address: true - xff_num_trusted_hops: 1 -{{- end }} 
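Review bot: The new `domainTemplate` value in kserve/helm/kserve/values.yaml ends with a backtick and a `}}` that have no opening counterpart, so the string is not a well-formed host template. The knative chart in this commit wraps its template as ``'{{ `{{.Name}}-{{.Namespace}}.{{.Domain}}` }}'``, which suggests the opening ``{{ ` `` was dropped here. If this value is rendered through Helm's `tpl`, it should read ``domainTemplate: '{{ `{{ .Name }}-{{ .Namespace }}.{{ .IngressDomain }}` }}'``. If it is passed through verbatim, the trailing backtick and `}}` should simply be removed. As written, InferenceService hostnames would either fail to render or carry stray characters, and would then not match the certificates and gateway hosts configured elsewhere in this series.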
diff --git a/kubeflow/helm/gateway/templates/envoy-filter-proxy-protocol.yaml b/kubeflow/helm/gateway/templates/envoy-filter-proxy-protocol.yaml deleted file mode 100644 index 5e009a806..000000000 --- a/kubeflow/helm/gateway/templates/envoy-filter-proxy-protocol.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{- if eq .Values.provider "aws" }} -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: {{ include "gateway-plural.fullname" . }}-proxy-protocol - labels: - {{- include "gateway-plural.labels" . | nindent 4 }} -spec: - workloadSelector: - labels: - {{- include "gateway.selectorLabels" .Subcharts.gateway | nindent 6 }} - configPatches: - - applyTo: LISTENER - patch: - operation: MERGE - value: - listener_filters: - - name: envoy.filters.listener.proxy_protocol - typed_config: - '@type': type.googleapis.com/envoy.extensions.filters.listener.proxy_protocol.v3.ProxyProtocol - - name: envoy.filters.listener.tls_inspector - typed_config: - '@type': type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector -{{- end }} diff --git a/kubeflow/helm/gateway/templates/oauth2-envoy-filter.yaml b/kubeflow/helm/gateway/templates/oauth2-envoy-filter.yaml index 98b42b2e5..503d2e0a7 100644 --- a/kubeflow/helm/gateway/templates/oauth2-envoy-filter.yaml +++ b/kubeflow/helm/gateway/templates/oauth2-envoy-filter.yaml @@ -67,6 +67,11 @@ spec: sds_config: path: /etc/istio/config/token-secret.yaml forward_bearer_token: true + use_refresh_token: true + # pass_through_matcher: + # - name: "K-Network-Probe" + # string_match: + # exact: probe redirect_path_matcher: path: exact: /oauth2/callback 
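Review bot: The commented-out `pass_through_matcher` on `K-Network-Probe` in oauth2-envoy-filter.yaml is left in place with no note on why it is disabled. That header is set by the requester, so enabling the block as written would let any request carrying it bypass the OAuth2 filter at the gateway. I would replace the dead block with a one-line comment such as `# K-Network-Probe pass-through deliberately not enabled: the header is client-settable and would bypass OAuth2`. `use_refresh_token: true` is also added without comment; a line stating that the identity provider issues refresh tokens for this client, and their expected lifetime, would help the next reader. The filter config this hunk edits starts and ends outside the hunk.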
@@ -90,8 +95,7 @@ spec: matchLabels: {{- include "gateway.selectorLabels" .Subcharts.gateway | nindent 6 }} jwtRules: - - forwardOriginalToken: true - outputPayloadToHeader: Authorization # TODO: needed so the requestauth resource in user namespace works. Overwrites what `forward_bearer_token` sets in the envoy filter. Should the auth token or JWT be passed in the authorization header? + - forwardOriginalToken: true # TODO: needed so the requestauth resource in user namespace works. fromHeaders: # TODO: possibly add this to profile controller setup - name: cookie prefix: IdToken= diff --git a/kubeflow/helm/gateway/values.yaml b/kubeflow/helm/gateway/values.yaml index 5754956fd..a441026bf 100644 --- a/kubeflow/helm/gateway/values.yaml +++ b/kubeflow/helm/gateway/values.yaml @@ -48,6 +48,8 @@ gateway: - name: oauth-creds mountPath: /etc/istio/config/ readOnly: true + service: + externalTrafficPolicy: Local istioGateway: enabled: true diff --git a/kubeflow/helm/gateway/values.yaml.tpl b/kubeflow/helm/gateway/values.yaml.tpl index d1612038c..f82b28aa6 100644 --- a/kubeflow/helm/gateway/values.yaml.tpl +++ b/kubeflow/helm/gateway/values.yaml.tpl @@ -16,11 +16,9 @@ gateway: service: annotations: service.beta.kubernetes.io/aws-load-balancer-name: {{ .Cluster }}-kubeflow-nlb - service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*' service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing service.beta.kubernetes.io/aws-load-balancer-type: external service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance - proxy.istio.io/config: '{"gatewayTopology" : { "numTrustedProxies": 2 } }' {{- end }} provider: {{ .Provider }} From 20b356c24c4605321fd1a75316bd856d309d636e Mon Sep 17 00:00:00 2001 From: David van der Spek Date: Tue, 2 Jan 2024 12:44:15 +0100 Subject: [PATCH 30/32] fix(istio): update to latest and remove proxy protocol 
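Review bot: `service.externalTrafficPolicy: Local` is added in kubeflow/helm/gateway/values.yaml without a comment, and it applies to every provider. The EnvoyFilter templates deleted in this commit were wrapped in `if eq .Values.provider "aws"`, so the old behaviour was AWS-only. The same commit drops `xff_num_trusted_hops`, `use_remote_address`, the proxy-protocol annotation and `numTrustedProxies`, so client source-IP handling at the gateway appears to rest on this one setting. I would document that next to it, for example `# preserves the client source IP now that proxy protocol is removed; set for all providers`. Anything that keys on the client address (AuthorizationPolicy `remoteIpBlocks`, access logs, rate limits) should be re-checked on non-AWS clusters, where nothing visible here shows the load balancer preserving the source IP.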
Signed-off-by: David van der Spek --- istio-cni/helm/istio-cni/Chart.lock | 8 +++--- istio-cni/helm/istio-cni/Chart.yaml | 6 ++--- .../helm/istio-cni/charts/cni-1.19.0.tgz | Bin 5959 -> 0 bytes .../helm/istio-cni/charts/cni-1.20.1.tgz | Bin 0 -> 6815 bytes .../helm/istio-cni/charts/ztunnel-1.19.0.tgz | Bin 2852 -> 0 bytes .../helm/istio-cni/charts/ztunnel-1.20.1.tgz | Bin 0 -> 3112 bytes istio-ingress/helm/istio-ingress/Chart.lock | 6 ++--- istio-ingress/helm/istio-ingress/Chart.yaml | 4 +-- .../istio-ingress/charts/gateway-1.19.0.tgz | Bin 6820 -> 0 bytes .../istio-ingress/charts/gateway-1.20.1.tgz | Bin 0 -> 7298 bytes .../envoy-filter-ingressgateway-settings.yaml | 25 ------------------ .../envoy-filter-proxy-protocol.yaml | 24 ----------------- istio-ingress/helm/istio-ingress/values.yaml | 2 ++ .../helm/istio-ingress/values.yaml.tpl | 2 -- istio/helm/istio/Chart.lock | 8 +++--- istio/helm/istio/Chart.yaml | 6 ++--- istio/helm/istio/charts/base-1.19.0.tgz | Bin 27980 -> 0 bytes istio/helm/istio/charts/base-1.20.1.tgz | Bin 0 -> 36806 bytes istio/helm/istio/charts/istiod-1.19.0.tgz | Bin 28448 -> 0 bytes istio/helm/istio/charts/istiod-1.20.1.tgz | Bin 0 -> 28942 bytes istio/helm/istio/values.yaml | 1 + kubeflow/helm/gateway/Chart.lock | 8 +++--- kubeflow/helm/gateway/Chart.yaml | 6 ++--- .../helm/gateway/charts/gateway-1.19.1.tgz | Bin 7159 -> 0 bytes .../helm/gateway/charts/gateway-1.20.1.tgz | Bin 0 -> 7298 bytes 25 files changed, 29 insertions(+), 77 deletions(-) delete mode 100644 istio-cni/helm/istio-cni/charts/cni-1.19.0.tgz create mode 100644 istio-cni/helm/istio-cni/charts/cni-1.20.1.tgz delete mode 100644 istio-cni/helm/istio-cni/charts/ztunnel-1.19.0.tgz create mode 100644 istio-cni/helm/istio-cni/charts/ztunnel-1.20.1.tgz delete mode 100644 istio-ingress/helm/istio-ingress/charts/gateway-1.19.0.tgz create mode 100644 istio-ingress/helm/istio-ingress/charts/gateway-1.20.1.tgz delete mode 100644 
istio-ingress/helm/istio-ingress/templates/envoy-filter-ingressgateway-settings.yaml delete mode 100644 istio-ingress/helm/istio-ingress/templates/envoy-filter-proxy-protocol.yaml delete mode 100644 istio/helm/istio/charts/base-1.19.0.tgz create mode 100644 istio/helm/istio/charts/base-1.20.1.tgz delete mode 100644 istio/helm/istio/charts/istiod-1.19.0.tgz create mode 100644 istio/helm/istio/charts/istiod-1.20.1.tgz delete mode 100644 kubeflow/helm/gateway/charts/gateway-1.19.1.tgz create mode 100644 kubeflow/helm/gateway/charts/gateway-1.20.1.tgz diff --git a/istio-cni/helm/istio-cni/Chart.lock b/istio-cni/helm/istio-cni/Chart.lock index 4f1ad0b8f..2b67594b3 100644 --- a/istio-cni/helm/istio-cni/Chart.lock +++ b/istio-cni/helm/istio-cni/Chart.lock @@ -1,9 +1,9 @@ dependencies: - name: cni repository: https://istio-release.storage.googleapis.com/charts - version: 1.19.0 + version: 1.20.1 - name: ztunnel repository: https://istio-release.storage.googleapis.com/charts - version: 1.19.0 -digest: sha256:5f9e835cde6c2cda3a01add30d38cee44a3c2595306f17914015c3ee3ed6e0d8 -generated: "2023-09-11T12:24:33.670239+02:00" + version: 1.20.1 +digest: sha256:8b8e82bd564ae60e514e263ab189d9adb8950ea96328455b8db6942414296dcf +generated: "2024-01-02T12:39:06.271052+01:00" diff --git a/istio-cni/helm/istio-cni/Chart.yaml b/istio-cni/helm/istio-cni/Chart.yaml index 5b75d2656..7005c2d55 100644 --- a/istio-cni/helm/istio-cni/Chart.yaml +++ b/istio-cni/helm/istio-cni/Chart.yaml @@ -3,13 +3,13 @@ name: istio-cni description: helm chart for istio-cni type: application version: 0.1.1 -appVersion: "1.19.0" +appVersion: "1.20.1" dependencies: - name: cni - version: 1.19.0 + version: 1.20.1 repository: https://istio-release.storage.googleapis.com/charts condition: cni.enabled - name: ztunnel - version: 1.19.0 + version: 1.20.1 repository: https://istio-release.storage.googleapis.com/charts condition: ztunnel.enabled 
diff --git a/istio-cni/helm/istio-cni/charts/cni-1.19.0.tgz b/istio-cni/helm/istio-cni/charts/cni-1.19.0.tgz deleted file mode 100644 index d77c176821c9f25206646dbdda700e65f09bbc3a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5959 zcmV-N7r5vjiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PKBzbK5x1`2MX=fuFiFX=h^Dd1<@n-*j%=#O?WM;^c|by}Rjj zY+8bCUL;aWQck^TzWXzLku1q_l6KqPTl7a_iy#Ps00@!*9WvTJS`eXv6-nZszRT0; zbUH5%56%Bhr&IsmIqYa+wggi+( zL#CuhLk+o5DwW-K+kga=w_~DEs`iX5HGpgr770$H*504?KkfZ#KS_dNhb=I+yy2uhf8-)KVS*aga@ zB5`c=5+Kdu_?*WyTp1`2;0YXYHly=Q5N$Ca=5vT~i81h5$y`h+BVuLXrz?nXMzUCy z$|bT0NF3|>5)_B`$0Lv^mMBamI)iJ%lrE8opca_Gif6zOBW<799AO^wDT#xa&*zlQ z153p%>$l zNBMA|nG1wPhAxPx0KP;aXoMh9Daz*3fI14L9{-Th*OVPop~n%PKrd6g6`{gVVFXhm zF#^uOS9kF7ApTanc%qy7^W7+`# z@>xKxq{76#y2_@QzcC%@#WBB@kVzC)AQXg|R6GGPn^8v9%1l<8$;Si}&PJ#_C42Ty!)9%IOov_!%R@MG6sO67OGUHO()J$WTOS0sb>&zU|fOB(v%BjQ5q^pnhH+B#jY7O z#laxf{WoJu?Qn!dYV9;tFzSM)xg?RbAqzQE8qmn7$e8X#D(I5NIL8PQ9^tN$ER2k} zN=<$m6E))^*(6?byQtl@1XiTDVwGS)(iE9otFk6e8;ex%C5=#6={e_8(rJuVY-JaG zr|JGK_(>M4O!}r}Td7oDHJk_}nNnn`Y;xQytJ+3GkdbMO(QW}PFrorOLvpSj4#?DU zpY#4&L|P4+5NMWm!KbOxm87qw$;W9r^G(GZ^t1-nfYpht7PXY9MYn4Iw2gC+EemN- z*pJSpdYV51Q$j_z+7lx+`ptR{UeChjOH8I1pYuqTfFq1iVdLEk>60~S1lr4r>b`NM^;-VYL#La zE;6QQg2$Fu6J4TBhnBp2c1#5~Ga;P;SrQs+o@hyw80rAEs=&hWw*&ZFhEln2 z0AZTxiLsNo?+GSctjw!ZTCV@U8COJhw@FlLxca=)>3GhhBCsr(qR>u^E(Nt9s<5)G zARVGiXzMC?9P9sC8WDx?RHB{6C-%ii38HYm3LM;f^EODxr}t}I6Ih_YuBn$Va`e5O8e%`d6<-dbe>DT+|52cMZiRa}wS!5U;aJh8S_d)fuC<%Dk3G2yh*`!4Kx z-V?aMCDk5BF@Z|haZbpN)eGb4q$R|8ckT2E*9&C1*Q$p^8!?*3X7W&i$J)d)lz}H) zQ&#Vuz#A^ya+fD5QFKaUs#bx=uh+Wed!F?&yKa)RQoYEg#)J>FE?Li6TJ~OGj6~{r zPave(G^TQ4=je!sS13%?j72D5$7te?R*`>Tr~=o*5~dlABMCFX6J2<1aB&9nPz03c z&b-AJBZM%B?0w3K9~);Iu|IB8NM3O^M2a$I;F+qda9WH@t zTB{T1OAbSPm$Dh()vFTy!Lz_U`9D%iV`*j|I&8b3*8`dy>EIf@ zN`unbWQ|BOUw4JDRn9!hO6IPxG}Z~KwrK}L>&$v5$X1KE9y8rYwT6VJG{6Ang3Jgb zyJmSuL!1keE_Oi)5>hsQ*4*)YR7n(B^|9`t5GYe_y=&`nCdky&ks=CbSv*4Z4ER*5 
zlheo3Oe$mV&~9kyzB>oDaG)@0B@Rp4BU_NpR4j=nB@_-OFA@>;DNymf`E zsxlV#Sq~)--BQ4b#>F3*@*cMSZ!1hvqcrW|*=2tes88yf?lIiA|GR(iqPG8YaQNcz zasTH>JpRoM1a4Le^sENAw?4=$3{lEi7RRf6^2F%>dEO<57>Urnwf6C++U(g$*I>|U zyVA1xGc5GfDHTzfgoZZOFmpYv$8jUjKbt%M`A=2y{hHcjIw#L zCaPdAJo_^0j9oE)%?i|;C<}+D3;q$Kz9+KSo=uUIz7;%6wLjqdA1f=F;&i5Z}X%~FEudLhDa)vB=oRa_J zo~`r$)E-iN3pe1N`Tt=5;Gj1Dzj(3t{Bi#O5zp684(=4|(GA!-FYp*IaHjj7TkJb{ z>;Y`fzndJDnccq7^NoeyIIP=kPK9@5ek^-+p#>$3}ob_m#0Z zPlF?p5_9TFQ3mg_DLPXfyrs&0gwJ_giv+(lze4{RdkWgbCOoZDrJCq&VZ#PJGJo@Q|#!WJ?*cEpTr ztuB0SIdK8FDL#P-SaGu9cfs!j2f?1dTL#dA;1@wKA*0n|wMy?Qj`@6SPHKHK2)|`q zRlS-#coc4LH!5b49Fr&#D5Y*NgkbSp-oJwohR}b zbUFvlyeD?Lu(>#nFPHNGKwdt=h zhS7F0x2}%rl3)N-$M?Q5){mqShNQ$T%Jf3Ko5#L8z)}iB_e<**f!aYyW{RllE<{wW z1G2%yO824&&IM0UEijWX3I$2AOhf^j7El_mG=N>$(T>c{7NC?1P2=A4&fcNF4aP)e z@3a$Cf`)RZMB8Rk$J&?N-0!TWbJ!gTQ2g&CiSL5@43tI46#N1uPpq_=VfgRl7#`s6 z!R_sWOEt8Pu=Vr`kHz88f-$P-gpr_1j4+p7h$+iHc?Cag)N(1hO*{D}VPVFF%fz8< zZj|2TE|^%;DeAW}Tws*NHi=*zCTtF|y>+)u#9XC+c`8mpevyAu;aARU_zY~5r!|fO zC?2Dz3;Gi{C07VC6IhSPoTHM}K9D%J)CWcV7T|1VG-Jp|4z}bY<|eBP{ZCXXS!q{X z*`*S9q0^zDW|^bcQ7z64j|DmkD4UmCy~0%&j$DOa6mcfcSiE{j(`AzTpD@hS11L@f z<$|i!QB0(?A zgHS4ZD@cgvD5yzv;>@H3VWZM(6h zl6O$*koFL|HF!nl+ndmZdRb>o&(m@>7j?e9ssng-d)vCX2{aP3r1s0((T=}dROf*r zYP^oK7F6EA!g9oUeb0SeZ!6Ia4Q!Z4Fs>nqC_^dF1)pNKvi8n@QIA|q&t!5Y?i#2C>jffoLz9P%BeX85vA0(I_uUs zb?Z?p15|U1s=V6BJlZn-*Km9WC1|qt0`?BKjz-9ngy;pthl;S5_aKOv%PI$Jy=csA zuJxk@tyawEW1gurQ+6BcRf$y(!Qnd4@V1c{o3XHs5F*F_kS0I+?go%8yG_GZ%N(vZ z^90OWm#Cu6Y1xb_?y_Wq8g15&9t{WMqqE_g@vwK=ugUw;rMYcxc-6@9n+JURCacRS z*D|oh&ev%i_Amc>cJXd(ck7x6eIs~M*XBGG@sy(AD`^!j6*l+8`ryJ#LC z4=$RydULb3{ncD?zlqy=^}oSfms)JRtx~3NX(PhstGPVgKQ~kQm)>C5KOSp}&rjaJ z9Sk2R1{SFq{wBN^{qx@7V%#70UZ3=jABJ-y=HgD&!?WZ5R=I5!hZ)5<+9C(0?A+LY z?cE1jAhm$sMZ!t%b^m01es(kl={oiM!X|NTpNzmbjnrS1LNJ9)pokN37{ z%D1)ojWw)xpt%X~MJjl5_I7;I|FwUz)xb6$Sgj9Z?wZ@1HzpeC=$*bE^oN)CSh`KM za4q6*jg6Lb^j+@$miGIv&)`w27hJ0H#(Ax!;wG=w zlrneW&7G*~*T^&@W2o*ywj`o0GS;r|TWsQr`FsP{*Jww%^(_}gG&NrZdtk2^s?zSJ 
zeJq^dDVY;@hZ~pbk{9OvE^acpjR$`~U(1xsm2A&sdz#MfCHplk_MnR`sZFA%>1@_a zbfca(t(J>~+s1I%JXd$?&hQ#!V^z3ctP0(p$|eT4nyP32-i52&1FN5vZK?O}5}xTK}L3)P^g{vG@Jbs9I# z&^?6xfhCX|-x(L?inN%|8%f%%vc~ z@gHtU-y%wpaFJ;7kIH%+suV`TbtSonQ4>{i|Pc zqZH065&G`HvR4SuaUnnVWD1qyA)GyY3Q2JXme{(Wsk$$ z-!$5cAnJcg1xmRNAZV3N%Ln;knXoMf1Zu=z&6R9OpWoes45w#n8E&D=? zm_&)g~|bPQ9!%Q!YY=6e4Lxc4Vr6zvCjlz1{&RtF|lnt#cUAkrr9!v`RHR*1$BgeA7j(UCD zcZ*f7R5!gGl*f@Wn3NzUKqUy&y+P)#UqohtEsY#Zn!KOMno$k$dWy&^*(Om!8I=k} z%Z2~9=NS=%Da5F?4w)>Fwn!9lW+M37&%DV-IOC*z5qbcB=b3p?FoOYC3lyb`);Wt; zz!|*zWt68NxN9s;gsivI)VCernUXXz(I+KFSyAoTjVv>m?jYOkZS9sWlefY;X|>Gl z^_%;luawAeVlX~|BXje==e^;=eYU8QOlm?UhlEFTX0Kb%FW_E>`MUdYWy<-?+(_!R z>}{)Q%vTt}bXCkEyI_YtR56$vf?$R*{ZvU3l*MG!YN=IG`0Gh&LCW1coo1iBPws-^?`AP z((}%k{&006G<++hF! 
diff --git a/istio-cni/helm/istio-cni/charts/cni-1.20.1.tgz b/istio-cni/helm/istio-cni/charts/cni-1.20.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..723fa59c72c6602c3fcb60724025752bab340723 GIT binary patch literal 6815 zcmV;Q8erugiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PKD1avM3$==|1G;K)- z!Tm`dmhhiYX)Z+XGZbYa<#S>%S{T<^Ogv2i}mI}BwT(&~NA(XR3 z3KT{+ct|y;#w5DiZrdsWm+hDt)TTXVS5!f_nTV9+QEU4zJD;}yvJ)g?(zwL=wN#Pr zHd+Pj?C*wPGwcGr(K1yb+G<%p6Ktixg zuHl-;F^nvpFy=}d2Xib_5djzWeJFT~Ahjay#@PSFW=V|p?@(~U=?#zZ*lNM;PAgx2tlJUTuijB>M_(b|DoWox!C85<`Fiamm1lM z&|qjVf)UdgffV5N=8t(>B1>B)hO}yX#6{p>5v~?k8%=1-1ezc!3X6eQ=GuS@B2&Z_ zhDNG6%u;OtKXGlSTOyB;5pL1Ea|4k?4MLhN8lomD&tth`gtnM(zXx3(2@XK_B?MQ}~ zsM^v@QE3R7pt&xZ_+r;GXwXFAr!Y<j;#Kk0+f>0qd7&$?9v#Z$*L1febrtRB8((-W- zWZyn07{`-5B{nsZ1Rw$ii9*Xl)c0PTYJ-ZK!h~^kDkJ@rrXdI0b(mM! zyP}?9%8~?yE_51UO^9HD8^_judUE2Lqa)|8(+z`@_%RJb%01dmH{AIccIA>LydHk zXxYS3GH%+2S=FOjwIxtJFB1=v*6dan0#f$AX3N#IAl#pRak1*pO<%V<63b5XrZ7ed zbHw9vW*b`GQZkNF!IWuuW=E(4IOX9bTu*s81rnYaqS0<`AQ>k9)d3t!gCIpbcXil2 zQyqct#H~d*<^mn#Ge<@*f?3aYS`52HxSpaQeIp~VE&Z~|G>nwIL=j}@$83Z#ajk1? 
ze_Asqaqr9&{;z9tDx*UxeTVbEzN)?ZiCFTl6>Pb7BMMnU)U?J{gu?LgoV1^7Z+rRC z4#Tb;T!TWLNZ~l0gmBD1QGIJqJ(-|D#o~CrAGWp)*CB??(IcgPgImUw9c3RU5e znF}`KA#<%QJ5>>*!FpkZG_mBOw*t+zRG0L&s!{NYW`AsmqQ>$gZ7EE_PnO{_FvTLs z^fZ<-;bO7{S~^Wj+-O;f!5FW}!blBT;TmB`3et^woC?d5EH3nzWkTvjp;2>?VVEji zVG@Nur(9Xn3C>>k_6ohZ1*6oPRlX7owO{V`q%io&1cj0v23~Dsge_@Z0J1UmGTrZO zJhv)bv6x4eW?r5bSiK9)Q1Br48Ki=saTfDmFlsJoV@09smrtj8&)o_(H1hwbLWF2!p|vc<9`8!NlM0f zXXby;a34ZTJ#s2pCm8ZEcZ!tN zNAD~p1_`Q=Rwg;NlWL@4v9D`^W%Ze}cdTe;l^rFhQ%{7W%ILeW-DuF7bH!=blN+@f zHvL9uGgILrf}{jE8?G~HooM=C}GJkKm!Vi|>9_+Yp6TM%(gWJaw&*8CbyV^~I;d&o&@ z*W;Lnb5aSJmKfobU2*I46q^Pj)LdnIko{VnE;whWA62gNd+{}!Ye2HC55~vRoGR2P zEM0BY(6KrnojG)ncKr6-{oQ~w?e_~ z9}QQzr~jWOZY&wq2N|B{7%DQaXb#DQscxdSAhw(LF{x2oZ|P3Yg7i9>01@$ND6}Gb z;&D+@ce$o<%Vo7sHyI=|g*VzYizLk%by97i;Rz2gfQe#bCfJsBG4T*5iY3!6Fp7m- zOr9*H6sxapInWj>PetYg&|EbEqUv|h=`ih?e?~wmzFJIKZ|2^M%{^C*oAL1#0|5qax z1}rsGsrWB;pB`NPV0U>}+l@;uqHfuZ-k70b5i^YB-F=!bKG}QMkhc+7l2i*JQyAS9 zx&a{f0Vuq3wSID+sk1#2e9mq2-1nL{b}B272`Xl!Dm)7ET5vJR_oEfa`L3!AIu(~f zUW**`BFNm>>_T%-@Mc4$v5QS$34g0(nvgBlY<{eG58y+S%-ZHwldN?6fBrGZR=q+s zvehPNoz7%W)Bo4Zgwy87Myu6o+}yNikCF`_6g+TVnZUag2OhZsI5RUcfB>)Id4z*n$ezd|bmQCHLs6?lnqowkdfH^xkAGI z7nTPQao^LUc(2gre@6bQt^X_SzmfZB|253OJM6#RXFEGJ`|rhz&a+4R?;)OFuQ_~F z$DxZ z!7*j4(rcg^6J7qGTUAE#ZT{@+@=a#;_V$~wVa51=V2kBGT(sP9d1ReG0_$XRvz%=N zRyd~~Uv3%=#VBbGF3 z8EWhFcOG;4T?#-JPHj+T02Ypo*kZAT z>*A(e)CbpD;BX!@ks3K;#)n}hGD+hsq(2mV;E@@)R$chq^6Ua|lm7)aSkUuEvkT2m z@GRJFZj~z#BQ)~>#8B{Rv6(09ieot$*eIE%orIrLX{zQ)mOKQvw+ju^NDo*PDb$*} z7z_?i-VWaHpAUNb`)B?0^TD9f+0D&*qxtr>>E8_eo2CnM-MYC!5&5b2{TH%En3qcO zQb$>b*t_?y`+FzHZw}rL-W(kEPkR@CuOXKadobc+5OLL9Sncx!q7q})^vY*Xz$&dQ zXrB%Zy#`aVIR9RBV|S$>m&p4B45Ys=r#_;EMHOuKrlON;?fo!`6Wm>$g|3|Wa< zT+oiXo8fG7@>+ zB(FtqwXN8NO)_LQS5!)*A{@7$ceZz%tLoTfw9WPmjpCu+EaA48}IQdaH9S zfRX=Vvv^&-&%i~5!oUwuvcyVW2}^&^$8ZmG4{mR#Qk!FE2s=wJw^%$3VvO^OOjr)8 z06FA3G`OIW4CRXTuE~kz2A0fTX^Rs9JP^4(sAeKfk zY#Xgy8DEx~oTH!TBUk8^(HcI3Sfpu4TpL~KS6$|*UN%1^RNQWJXdl(`3Fvv28yAyuua`LQ 
z!k%x?iy|rXiHPU->AH+^{}YC(xd+CH;?kyg#Y}6LPU7;+Ev;G^>b|zFxay7<{B)iI zT<{tH1tF5xHuWmYM`ERnq={k?f>b`KP>LVHU>uhX0Go~i44Px9Ld?Nu4Vv9`2}z+8 zAtpxW2}rtazm_L5YHt`+GcGL8wB)!&1=%E&iry*~;wdU_6ThXf=~!9Bdu9byc<#dQ zbA8tH5=+V-&cGDMGSiSPw73O#M?_S1*`?X`Mn&l~4zJ7#Yp30;2%yVusq7Q|nI6sB zVwTlx76CZ-X*NwqrG-8#@uzT5;q7gEX-_5Vpfn(|5W2PchD}y?L4~xfv#RGwxtY)S zS>4oEczS!=y15Amh}}{*>w!6ZOiWu@2l9-aI?P%^&k_=rvwiB$^P=5Kq?dHCpdP`R zhAiR&wLVpHgx$*Cn`G!Mnr>}F?v~TGO|Jc=US^l$A3B{*si2lDT7{=l(bN9ZLT9n$ zy+*aP;8=Z zaKw^#IQL)s>d#7Fdi}9R%A%8Y9nOROgR|vSy}2oLfAy@O<}zy2?tg)}{-_meZIw<= zDLEosuCPD1smhz1RK2!Rg8V`N{#V3*W5| zFwfzqO%MI=C}C~t%>G-4&VK)}f6@P9e2VDhJ1Fk|`%?Htr1f3!-yaWp=Y#!T|L9~D z8@dAz)&My_*zfQ4&IY~X#VD{CrACG!-J!Pi~BP~=74>(hA|2!ZOmuf=)h%aufn1C&(pJ$y`?Jd zE8-9)X{p+kjMEt&+1&hY4Y3)$b!^+7N^Q!H`C3o;NwKXF7ydxS;<;}!%pKh)N`@=@ zr5Y`&G1m8+`UUXylM|QsBhW02uL>+Xg|P0bS%ekK$$e;br@)qbUvVVZvhJ(Z?l~%Z zsA3JItEXhbCd?mOEVa3i`HHiSnnJIl!EaC@Wz6+lx5v6YO2&7h{hH@)_uLD&i1a8K zkC!98RP`)#5aj1OEESFHXo!{0@S@7XMtBFxX=6(v_zh(Ju!(iB$|G9p=tChJgLR8H<|*M4@wYGVzbe3{I* z?kmDyK-#Rk{N%v0k8p`jX|DO|Qpa&oW8Q(-Z`h!ERvb%Z4=|49WGPCEig)eYuGZ+S zJ9OForyx5Bw?g=e(rwmNOO3-|!$p35@u9x8z2N#Ie(!m_Z=JV)l`e1Hp>)?y+7h+@ zM+jQ3#{YPiPKz1C!YPrpWzWInHU|9H#suAU{>!sxweuf#Ixlt~&wqH3XSqCN$J*vc z-PV&XE`P|>UO29#TKEsvy_|vebN;y_Q?L{d<26n#{N)~zB7X#l`g1*1`OgeF+Pkxd zivRCCe^EdG>G_N8$NL{1=gC?>)h&v>_k=Y4L zqbUB6%Bd>8|beOMl+mka$e~S!N}b=bz;Ntl!%|>Ibvv8}Zm3^8c*!vQxkR?OEqB z|L;MbjZ$cuJ!#rr2H0r0U^aWv+loN8Q~PZ_fOB{M5`3VSzOLJhPf{M?$0w_9g0qo& z8cmwCSrl>S!}oYUVPL8;uS7fjCXz3=;_l_PFBVa2QIVWsD7b zs-&VK7DY}@tGCg$yl@BFNW~@?Or)H|$P%vY{c(2Kx&+5Xk5eCw#(>8AAulV2N3Q}s zb;F_`_MZV&YCpA(2_O1Xby)-hJD`K&bZ{HL;%A}oVfxEjlyRZ8r9(HZ!h>P1zlPmK za%517>sgB1Z(5>q#gHB4L3tjzfMKb|&|Mrsqe0=1K1N}KZ7m-Rmsvl2B1H4W33 zy3L{)7hD@uEua3;o}^4MVGyHM5i*+tZLuhl!bWhmpEiaI;jF{*#Xtf4OQ!ZkP7DF| z%BIrAL;hM2c=yA3mV)AskhT%hjm>3a+XR^!%_AFqR3emP)t*1^fF{!iGI)2>R_Ssj z$E?Fv%iiX+=y82zREk3jaRc`3&0mei8>#%?4wQAUu~4j+ho?~(Yfaqp>vN9)w2dQRqTm*^Y-KBa1q5UWogS&4#gD= z-}Da;{yF%^$=SQZlivRM$@{at{`u+2$(w`Yw?ij4?&73jPt1pwuk8o$%m5DTuOhlP 
zKyfv+qMIki!O&g1W;tLOz>|yoem6(l)02IFlS}FTf;>~e-q&@>-K`=j8ACY5@G^j> zmQ~)q>w}O6b)#`2=+_o(miTECic37ApwT!OL#jz*46Tf3qZn?L`6&NN@oHI?)36K@ zeAxc5tTKiTZm(NmDc zVQyr3R8em|NM&qo0PH$lbKADEdFHR!EA=6ni74vBP0E@3;IZA-(^&Rcc4qEvJ2phD zBwT|4F96C`9sl<;07#0Yl-j3tlhbpI%)}zF*e~oZ77P4lav_lS50*rka7|MF>e*Wq zMbWq8vHKfEQTuN+dN+PG7?0nLNAKPZN8?w~VEAq@dIiz*v$EZCZHRgm{b^cl;r=F# zWb7j<&7_E7H3&$SRiA@!@Ld=M6m_ClW?bKo$WutHt-xF=VA?PVg$+R>(@Y8!Mh7gh z&`V=79rybVEM&6Ji9v1pbF#7kx=#dElF{DayW!p7yJ47#MR0@bTdAmygPzCVEAW@! zfgmZyCDlO7TqWqhOL_}tmia79Wa>%#|ASRavahZCe}z{1|BCP&^|O^oRggUXl1__Y=r`fNDu}qPbY>>CkVO)t2Vy;AsM=GJTE{KDGXtjVd(Tb zZ-EtjDa<%YJZ~rrQwZ10&bS69TyG|67`U!Yj0?K(fy|I=%NEHpzIH!22O~4!xI&A$ zh=c)mpfTJ(1YOt{LK@{+xiAi$Wq1?*oye$yI#dil z|GE>&*8EJ;V&-O2jd?;TQacApvUFO4i`oK{I;cWW`2RUmNZrcoM3Ib%1!PL5XqK33 zc+CW)QX4?AVoHkCZd`A|Ad|F4HV&XR$r^elm9>|_UNnq4TceH=#?Ub;$4*Od-daOh zt+-zXOZ&rS@q#X#Nm{LqRq&iGa^*M+swJ~5T4_-m_ZuL|@)-7_D0N>crc$kA7)Imw zC(PLr(+1=mG$sm-vv^U_;0*NrO*s*_o1e>k~AD5<{x^l+Kv7 zCxw(LOq?20Nv-Z!W}Joj%>rlHyc3jQCoK?*>cYzJthQ8h9CTq2!cyKsO2pclz7$l$ zO+G`oCCqr+ss%A?#tTIfoadac0q>YKfVou8f)h5g0T@-v1ToH<47@fK-8VrOhCAq$ z1UyM2fhxiT*bjLt?2-sCx~^k`9t_(faDNZsxrYetHU`X9+M-CqrY z8zyKBht3YBXo9rNw*r7>?ahDdj3gLuxwGr`j$fQeT?%)9--Ga@FEb*IoXg>!aiPwt(cf9XV_``3?t>HJz_*XQXQxoQb}43ufB zVES}5?2x!#FnGGyrIpwwB*kfCd2O@Vz7lBA9rC4)fiscc730NWdEcLvCoLDT%}9=_ zt=1mkeC{Ng$Z4`fnsclM0c2*UNEO4;9n(hF=DEZ5fntUwgzr--g+3L0{j|v&qDOa_ zk~6HcxilvG z0Zo(htg^R3v!9q{4E-e%ZkE6GE!ItlAZpRDUhl%2?`Hf0K(VTWduu-Ua5=p=I=?zT ztPys#1#cRKMb&FGhJ1hTaMr0+E@St$f|T8K>fE$~>u0(eaU8|!F`1l1yWH(5T>b$b z8y7=0qN(liYujHD)mORb7k3QB#o~sGTHZl>3F#%M%o9-=d4odl#?^C!pVwyN=BuF= z3tG!EMJ>(zye=Low$@XX--FyBEN{+s=4VaWic}sO8({4+X`{@hk6lp6)Sl5V*^5|Jbv*5z;_JF`+P=FbKNtnMIz#Ic5@$#asr# z_4Rckg_axxcjcq(5TUeqG1_<-+AFS-LT#iX3k(-hE;y2mY4=*daiD8>d@{FR&_u>A#vOxVe#Vdw1C4vH#NuHwcP90u3fsQwiJn>Qm%s@OP;dAZ_#qjmJV3>x$tm=se4$ zGVMnrDc zVQyr3R8em|NM&qo0PH$#bK5qP`OIIjCv~RDOhi$#oTQw&4;tBRJ&j++vNLzrc5H}P zNw|Oj3xKj!$N&8X07;RQ66g9jNjr~`nOFoC`-a`cVu3$RE(G%aWJ#0>*Cgf79=%0T 
z6ulaa+}|jQ+JB?H*P~~H(f;1()nK$g*n1WYhOeXHGl(9amF<>mL)5eAU#8U-?jO=f z#@?aQOo|v*gMegN^*IQKQ8)-F>O`^3xW1o}r;u1%fw@$`v|$no8-hfpnG`6D4p?HL zm&Rl|?)M#7$Yh@rgWB}xWMu(#p9rcXqrJfo!`s0R!!Q$z;61Kyq@p?wdLDnTz+Zj` zf}|LiR0Az@m7oJJ=`EO9=Cd%7sVD9K4^}P7zP0ZE4z2Y672!GRFB1SB@c+@P(O%2{ z_XeZAC;$H%tqVWrGcXdeoO75fnTBwbk_EyI;~ZuP*FWd8zUzuF$fEa-C`N?24wm^W z1}c;HsKUy{x^O`je+iu-i^?&(P;{4=LO68+NCQy_9g4Gj(E+KTLzy;8a@4vL!llq? zJf&PCm?Z+mImx+?R`z?rRw$r|1Yxl9bYkdqf}mTlYU9galA#Mn^8z%H!VqQ|hEBip z5?H~P!icR6jB8-R^=6WWf$Q4DxS$Jf$qc!+Y>_PEYxje5Ffs#muf&Cet)W^N|cm?xAXwR4apOQ$8cs4Xz5gDM1tf8Sz@l? zITMgdZ2-lJDJfFBalHtGOwt(W> zGiOUo8<2C*m?$*P-aS{8mW!fMtyqFUlEf|}5Dm^Iy;Jy!+MDTF&iT}LRO<%U?{OW2 z+f}Y1C7IK{oY$2N&iQ71i?%fc6suAPrz=#7QLKE}>Z_uBCOJ#iLF>D8=qVb*#6r8d zY0eExc&-hqzl4gm|4P+jhVE$u3-Qr?P`QNB1mIE^1j%KA*}9Cd%RHyphQHiYbwH2CzEohf;{K1M?*F{Fx5>5N%> zQb?J?#Hk^b)as69##xx(EO3_1J3$F{+yb$vF0A~{YD+c8K^F!gEaeTPM69jpOF=cf z&u0iXgc)yJwIF8Ac%evw^PKZF;4QNTFqg_%aKdIb0HaEoAjVmff#;^8`y%MVa0k7T zfG24rP(_#k`yp?HT@v9%*L7^rgMme1u^tqW@|QQ$VvuRri%JSX#gi02S@zFRF-fO> zG={y%D(DdxdGG2?#ARFXr+ zi9j6&svuRmfc4KL*G8u7Poyvz+nAwHJ8dX5is1?&L1oySCHACIj~Ke#Ukm5520EFZ zL&B}?XwZ4Gw9;4*=a(>ESfjGiFtKoS7R2BUS!+m$C^8J@sOt<9Heb8RlQE#6nPkF* zK|;o!$5Mz(?Kd$lEr2+F#V$WUzz_KOfz>n>z|xn98N=X zYaWfpL+AhDFly!hqrKNp=l`$L%CMsIBtflx$SS-O>3;;lg#?a7*@&tT$V|Fj!g@7F zqVXjdwYIVOJ6Ix5K^tOn4R?1Co_mPUnl;?tZ(tTSZg9R6=v(XK->q%?KP8w-dysmx zV!)^Ue-K$`Z~FiKtHJ)0|9_2Eum6!O)BV*Tc+Uil;lSC!6itwp`BnhXtiAc~V$W*3 zv+MSbUz|u?3U_zcgYca%Hx&n>4`Aefla#{;5KK_J?T*|$(maSYC)ZDWyD(VNc4M|P z^NbRMQ=^E%#oFUi(j_35Zpe25q~vy*D|_}HY{FiV0C+RW@bfe=)I#&N<;4I~8Dq%H5sM#Y^>6XG!SY z-{0Mp3JT!^6dHO1ZU6=KtK?9&HSW%nf`yrqmWhOLmdH@5MW1jkZ;(!1a(AY1&Tj3= zz4PmDohWqw`q6Kl-)rppJbfcqEn$y=GHn%1KVJK40w8N^BF7;AiTK0@7>*n761jU7^?dTKqi%GEM}#oGgl#U1)`d28N<7+s$|ye>B0Ez z+eQzev<-4{cyTp8I6gY5^(!RQy4Jar=10cSAIV}cDzEdRaxvCFDVb+64EFY3w}(!o zuo$+5aHE$RmETx4M43RX&y<{Doz0~&*-vPioM)B24VwMLEMw>|k#Mv8vv09(LIhEZ zhV^lm*pCLoCTC59FO~9N2h%OB{5_bi zmhJ83^y2XR>geE;OHwb9hP9exJ-+@@ZH%2=x;Q&MxH=ghAGYcIsASqS;yFW3&vD-D 
zE&9)#C6{?qXmNj()bwmT`2zHuTDORvoE{uLo`5zF32g#$vP;0Dlj+6yWO8_QboMyZ z+)>?TO*MoivFYLYyQ9hB)p#;Fy*#;iJn^=3rH_S-f<_dLgS|Q>iU5)J*#p)rMoJ70a?Q^*N3p_UN z^J+v>+vC@^zapxya?vlYhKl>(4Hva^k@gbOOHi55L}lcA6nZzVo*VqQHX9d~4YgR% z+TlRdP6r>?#RE0+dWQKa$PL2s!gFU@-IT33fng(Wsoeo?l-cyL3yY=gmOeMwMaDP0 z&6q#1RKkt+hEdc4BROR#HWllH>=I;q!Tp`pF=?b}bjQ&O7xtdFeiR>H7jQD0Rc zn-%@mm6yLq+phnq8A%@Z9neGd|NXr|yZ*mF8a&nizD8@k|MR84X(N6FJ6x}Q@o#-_ z>oGu3-@S_csnH#J8m(JgcK=Ut59l8Fy2s!_;2uNx$G*jlpavp}35DT=LC|&2Z1N1wF_Um4<}wJb zudfp+wB#7LD?eq22&Kh~;l{(@UU8KeY9kd{V7QQS!I5N4yVoL)16{-8i}{vD5L`_W z;n!;H_va;Q+ZF0%pUOnL5BJ}d1?s;jUa_Pp5frFQ@)U)4>hQ`5bhLS&;O_Jbg~(D7 z{w0C!jkkp@VamHz|Inq3UXJZ<7cK?+7?Hdj>Qm%s@RQUEkT&{BLj+dZvv4f~y${T;M&^yHY)<*r*p4wA;YESLK_J08Y0RR8r+}92OHUI!( C{}g`! literal 0 HcmV?d00001
diff --git a/istio-ingress/helm/istio-ingress/Chart.lock b/istio-ingress/helm/istio-ingress/Chart.lock
index 71e39244c..47aee6c86 100644
--- a/istio-ingress/helm/istio-ingress/Chart.lock
+++ b/istio-ingress/helm/istio-ingress/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: gateway
 repository: https://istio-release.storage.googleapis.com/charts
- version: 1.19.0
-digest: sha256:518d9b00690f92ce7a833150409637c6ad5b96a7fe203114e53c265166f702f3
-generated: "2023-09-11T12:39:30.936515+02:00"
+ version: 1.20.1
+digest: sha256:3102d001678122a5133dd1ef858f955f05b5aa033c7b6e95e4e6172602f61033
+generated: "2024-01-02T12:41:38.313944+01:00"
diff --git a/istio-ingress/helm/istio-ingress/Chart.yaml b/istio-ingress/helm/istio-ingress/Chart.yaml
index e282055c2..92052060d 100644
--- a/istio-ingress/helm/istio-ingress/Chart.yaml
+++ b/istio-ingress/helm/istio-ingress/Chart.yaml
@@ -3,9 +3,9 @@ name: istio-ingress
 description: helm chart for istio-ingress
 type: application
 version: 0.1.1
-appVersion: "1.19.0"
+appVersion: "1.20.1"
 dependencies:
 - name: gateway
- version: 1.19.0
+ version: 1.20.1
 repository: https://istio-release.storage.googleapis.com/charts
 condition: gateway.enabled
diff --git a/istio-ingress/helm/istio-ingress/charts/gateway-1.19.0.tgz b/istio-ingress/helm/istio-ingress/charts/gateway-1.19.0.tgz deleted file mode 100644 index 88a3fc468d3df0cc768929b560ef8781eeb176b1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6820 zcmV;V8e8QbiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PKDHbKADoV1MRcaaQg(Uz|^(CEH1QwUeE76W`X;#PQm0J9jdf z2qKRpe4zkd0F}dBB;{-jtNn=NdHHh`kNy@9qZDN#Xs*n&A2C}(qGbhUTtJF>#@Ce1 z;Y2FR!AX;hXriGPO679Aw@3BMnDV`hD3oe%Mpha??h%#>PSe5YZ~Grdf7_39Hjh5w z`ihHGj-vsXg3+MD%g7SP{%0h4Ardr@zN$G@i((old}(X7|3_+_;}}SuXEY(YDbcFY z%rD&$U+D7szam+I^3O2}~{LLq3X6NgX2g=fM031bP zN|JE|umdMEKt`q+rhO1R)6J$?rumZyBnneqrG)^JBq*gOKS81BOdBSYFcW;~8zN)4 z)O@1Su$dvIn3{^N7RaD5rM2bLhR+rmketR`%=h95JS}5TqQEGUC{{GVqa?9SaTH5b zeIVf8YP$66CgpL(z`kL&=Mj}qNJEx|bhT;ZM~rc0%&p-yNlp7rKh`UY07wNphU*(s z{&Hbu5BRLBltxxajD15ik4$5lvK!D?%4n4HG@ws&BNu#$YJr8+zAEQJjiEPsGTa~b zT5n|{h;}JG-Prc)oT$YZdV5k4CHJa#8j`aA#ze)XQ&hOjjbj``&-J1PlQhMIhzib@ zE31rl;3du|L&ut=5LB%p;Y{I2Rq8~}Q!V``Gbos24z0wJ6pAm2qKVOKiOP4-k}|q1 zmXHg&q8ZLng1~PvaaIZ=_pGC_{14e&^-g3i{kRbge53+uXCY{>Y5u1)0rga>g^7tX)z6?&QouM*_>34veUv zwEP7~@?s35;c#hwEpf@kdJLoe?_N_)1YOb^V)I@~{eO`}N5yi7<&*?inGlAtC3 z+&P#r=+0P@kJW=Gk>}Klv!8!fG^4*64xOP$kSQ`p(*e;AobeQpt*GG4_>>h9RM#XU zWGlnZXa`=ADQ4C<=DGH)T)Sc@*$`z0z=JmpYIm7tzeS9vc!3!viVOQh@eG9r(TrC- z=NX@`FLHq-eZiSjf>5U1Yu$B>s~ zt2C!8Wd3a&xf|#9yyw3#HLQUy$s8dsvJ7$~J=&{#_cO%>Sy3*4O7@@Hb4zWbVrw01 z5M!{z4~ws|fk&BkwSbvKIGLStbtX`1$8O-xiYyCcwt9Ghi9pYv9qXt~6z#o@?wEwL z8J!mbfrM7^jHfTD6ona8eP5(=tPHkeRUGX^JMjJ5H`H=@lDA7vbcN1%rSQlZ@yYeg zWVavfxWH?PM9a*AC}6y^elI^Q$8QL^EaMhUMo0O6&{nEox^@DxcEMz{1Cu3XM=L@z zjb{Q}z+_22{>(`EEQY^x0r-(D^Gt^s+`1%F+Iu8cET<^6DKE=G84)TDqdu&80SRGH zR{(M+5uw)N>a5M(7^Cb|0 zFgcn1XbXG!(V!En21mMa6RkcQdgAuFwcv$_{+zx5fXzgVAt1oZZs^-Ph1ZjrAz2v# z*5-==E_1a8KGl(zQK`+OYRkA2ZF&K1tW^v9jHD^mvQ4rx!E-&JMcEs}jARlGKpsB6Hi21hp7ANk%HM6&=J8G6 zLi-qGTlmIsp`+N_vI)>*MV9s6)evkNT>NoNA1F(E;}+FY3CiZZzJHFaSQ=zic0nV2 
zNpQ*81*!(tAkGU(+RzpLeL!^i1X{G1XOtpqX->Az>AfH&q*YLF~S%e5;YQ^3`DAlgi&dRM;M66#n)6MYh^j7wj-%TWCFW z?1FVNQil!37Te;lr(W(O8yj;en^+q*q1jpO6wU)+;X>UXi_JD|ji*yu!Zc==1*^o) z+c0?7K;Qx8VmOqLYWrsf8qDQxDQro|6!HZTi zg2vpAspZQzqH-D8has%W=6)J^f6&@FboX#i^^a3uQ0qE`V=EQ0>9Xyk)NTVhCCO)v zl{={jvcp}(1j=2N*pNQnvV1)Oysi6aBxr9b)*fPM?_d)}`Yz1->ffihLeX#t&CKuS zrj@m|ZP#YIwb^EM+pAkl!d-5-7+gAn-*u`{JrjCwber>pcj$P{ z2i2sekv^>i$z&WuI=YqXwnSi8H`s)?ll(~kyLq@=q0j%71E;;yH$Sf21_mw$dnf%9!wR>$#uCMnVM=wmk?q)Nax(G|b%?k$NKH^X97gq~q(x`Ft zc+cT$a?U_iRp){-HG|%N$iaWe9>jK%y&>P-yUEt@yZLBL5`^A=^`Q5@2fu?71xw)R zfw`s2i()pTAE7tsL8~=wN?gL%kfLpCEEju*x-oQFd`Ea}QMcbqm*IWo(8f?nhil4F zIdxpWBY7TwC?`B<(^yWp*4DjMJZufMi zT0z(x;oA?m?!&h$lEL_SDUFt+LAx1O@Q4d|g#R=}phxn&w;TL6g4x^MbzC(MtA-ki zOfB7w@4oHq?VP8tf)4*fJ@~KM=4OKed$l0)CtNpMVMz6uuc%ry0AiBoaC1ZQTvHkU zZs@BB32jvgb*DrHjoD0?<=Jhd83+wvZnmJW0^CfZwJT==ja{);v}s)K?u9UIbK3MA zz8Q6}*yc(+{tZA4^Z#g5J9f>$sNVYR(e~WUEe-$DKKjqR+VNjCdH$hRgWM7SJ=-5O z=YKqT_U!BWkI!<2>%T~z%e~det#HuZ)oGA^5UNZtJwfZo5*0~_BI9y?{T+tUg2|jD zIBpI0%wr4XCcm1@hcPHkoLTA2eg{TbicG7`|E*a@KPH={tvRuLJYcgnWI_M z5jeiGcr~vfb_rJ~gV&n%4!^lt5K+z~*6pr}IaAa4;eDKK!jhx*ux9B7F| z;3{PM23j^SH3+dfTjk}YldNXyxT>u+o%lX%Y&+v_RqS%wafqhAmLin3(52U)nhf-$ zZ-Cz1Ann2F3?4~bu28(-%bW;=-v4?&iud;iLp_WlIhoRoDvC1xshFa(VDS%Bx!c{4 zoE^9zGXzOlf@VR=xNEs+HDm~H^CHXkM#F=H{il_5n)N6_SNX*jTdZaYvdU)4>N=Z^c7T~6Z8d0u2@tun(NR4y>9|&h~baLMpzbzfm@?9tV^f!5^CiNWs(1nq!mpVYdd# z<7fUhmAg~DHwt)%kZ+m-SjX2X@f(X)qCeX2Aok(q|Ig3?Bc1^rYr5dcZkHrVO$<@@hXPG7#iI6nX7DrC(f)ISy1%X;H@a&dX`=KbsA%cJ+_$N%T&uu6)4PklyK*MTR^3GTY)C^yT%P8#9U}avNvWDR+AvajMc8>;ANGq_~qP6=(MXmb$ zMDiex^~>8Hw4PuZMFkbEynEo)y1;?>>~=v9d)Ac1h!Hp#ScvmcQiH&i^cO z^1$1G+>!qoJ$u^R|L5@F>A~0h&*!*Yyh~ULk8a6t*bILy9~5SRc7q&uXW)9Ub>M0~ z-~>6Tik7|Ael5ql8ElG*?1vd#o6-7_3;LV(kl7hek6Z~9f3^G-JZu8XH1g6+2R+A` z#nqMd)6f5C=C2AI?&Mf)S$$ALC~N_YD-3`C~@g{^vYR%gKRL zGsW$m{@~8}Ux!Z`_W#+l(bxGOpXF-kN5{<2rm3}CFjU_OI+j!a)hudg4R6b+e`+?p zD_`El##;jH{Z{t>^L&78>%ZU`K5PJZXZ$y8?*Df9{(p|^`g-s21u7_Vw_(|g 
z3%8l0%do_7%2l=blYSrUHC9fA3XF)Dk|g{v7FrMUjudL4V=?2a;t${1`9a>GobwE~ zv>>;9$oT7jVH8DX_pT&4H90wHW|+T=!ek4)?Mb)XK)+a_n3{)f;`x;}VEQJbQuW?N zgTdfa*!?|aDP{BjFSyP#baAlf`z>sWd`xVF@{^b%3$u*E^t8owQ3L%ntPkZK+V zPmWfT4jf$l%Rnvt*=dcIDCP){QpEfP&(|%U28DJ%VMO0*j>lVH`C)M|zOG5N0de0@8Uaj~fNZT%am)ILDmB37hdKnoK4MXHt)!%_3i+Uy(GmGZ^dB4F_)Va4Z!UWRCHi^Ld6O zr_#(%GsMUMkKI*N*AYeUFA(8v`R?5#kJ_()Gcy?V5A)x94Yapw5?TpgE(uE^EN zVp9O`O@mHs)BTwUo;Td{Bv>A3EK6(i`AOIM#L2kL8IQ0F-ahoZ{M!ca?7+{AZX&Pn zul7>RP}#jtyJ-nJv4bpEysKnM#|yXjul@R@t6x#P0$Jo{hxjCX4Lr97w#D&2h=O%c zAQ$|~?_k@>haH#%^GPR0^2E{;vp~0nbZbFpA10y7z`%^t-0q_T6C(W^Z{d6iZANgi*N!BH`_Yoj(gFexmHVNB5e3yX%N| z$9j~t*80JAKt^Yntdk6D8;bh_cQkblyNsjgl$-M%H0qS2G`mXMO{JAPs=@l{a6@nn zYs3pvpbVCUR3_c9AghK8J5F_Ait@xJgu>I+6-cn;oEM?Bfdvp_bGZ;+*mNd7ZFM%o>^P0|uoiJ|> zY2j*t!W(UC*_NmlJe5&&5(mTqN1<5jGbIRs%6#aU1etL5H z!`L2h6Zkg1LSZp#9WT-?s@?rfHcsRMG`B z-kr(4nv-=Kv)=`6^?agDK1wt_=r$8@&dx`1arEngW@xnAf6wa!HAnae)G-jURO?`t z8R01;3hBhj3fV@De4R zGfZtnW!ODMsUR05Q8dwE0D~oEDLj&ju#||D{)Xi)_b$Nb``>o=>VCKhzUF~#r_}vj zuoMMMJZIysU?+Y&>DMDWO?lw-$Oj{{+K<}dq}9 z%D#2o`cY|@71z;(ZaHD=s$Sb8WX0{dT>^8oM#?&SWBR-cH=t!BqsMSoOfxDM)^Kp` zNT}9UBho+mNLo_G#ae@3P&UsnH~>(yuq5!&iRD+{xs*N}6RF@=lxo*&k~>696PKW1 zGK&7L(STfXt`?P%@P|0LGbv1KtvXaw&|-5Mn9t(5XhGTt!_4f6BX8DxXl>+a(h+TU zhS{dS{bY7;P&6s24_e9y+Ml*CX^~^k;|M&B**c(B+%MMmMC`N&5r%MWsC3WT!jRjQ z`%(#-=a^bYWg9Fi6|EU>9ksFlR89?bHLe0#9f9Bufiq5I**KAdT6UV)tzwO1$#Olg ztG+6>SbjHo5=~~DKc5oOH!XSIIW)3f*`$$Lh+zlb1XNlUDQEt!#9Iy#2NP;94SQFREK)|giL8Ruh|5&=7Klv)8PiL)(gmI*?r zGTI2;o>NLA8Buf;yjcWqymPgZ?u^RBoxWDujYz={Y)*?eq(f-n*mC@L{F z(W5TiIM>ZYOYZm-o~6F5iP*mzI=Ju50dOaQg*XalRG5!-6x|_20-e9NRarx1zAsrr zIdh-p6pmLNK@?3e6)i}{q${lWFARZRC004 z0E6L`+pdkOwUbZ(bFe?$9}R}X{k_J(&?O+e=QGDARt`>^vJ?}~qpYswQqHFc+(y9=$%kI6HcAJgJgl9ifsFR%dSNCgZ1* z)0Y>|ANdpbs+fK^a&>j8SX5U1yk;&m#TuoKn|j|~8|-iY_q&_k|Af@8JpNEjF;N)| z1{Hzdme^o0(292@sKVz;6zD$*Abe}^e(R_*yC}py*XWvNP(Jq{pQk#5@_B{wlWH|~ zr&;A~+i^YDo+;99z?!muIH99+rWL{oxZNf)h#bu6vGxqtf~E0a`BTZ)>+ALP`g;9a SUH>lt0RR8ud=fqYf&c)5n0(s+ 
diff --git a/istio-ingress/helm/istio-ingress/charts/gateway-1.20.1.tgz b/istio-ingress/helm/istio-ingress/charts/gateway-1.20.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..c2275d339ab046b1215d51eb03d81aa60a64aae4 GIT binary patch literal 7298 zcmV-|9DU;-iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PKBha~rp^U_Q^U=%sS&+PUP2lw>=HTi#m5)=5-}Wv%2Sb;{*3 z!I>tB>lt7UfT7HzXn*?_UNe{nCD~H!+`F2p#1y8{Xf*nT9z2#r;RV_3zE}~V;tk2O zZ|?mWkH_Pu2M6Zg@p#<+cYH9Jd^0(CvVZV&a`0rb_sw{+_jG^%8yMd|Dcz@(iimH< zcW$fQx&I;$Dd=w~B;{-h>%E8+MfK+--W$i0C`FkFS}0TY6J|LiT2^4e1*BMHd_&n1 zj-{d;oHWUZCK`IBR3WFkyHvl7Dc{YALaBBaWUT?@E@7$QG#yR;w)b)Jx4pPv%jg4c zF1SeLG#Y`a7>#PYjN~}=e@2p*B0&S`n_5z}D(7*+bK9!@f21}APJt9fMiZjD60KX^ z{MrNYl^(DEYm${H{~QBwgZ@8zHhI?4|NY5i@}U1;;@N={k|U5T;};V68ik;#R%o?C z5SSs62wLl6_z@Wjl4ToED=I;*c$uZZxPm!?MCFuoFoZMJS{hj?G4>tNJTjeW%WgnpC8JTn(||tBjY9Ao)e1|geO1AQn!;f6WV|;X zbl%ED5baV1y0hKa1yQRh40fd=O77P0G$dvJiHV9Ur>HP5jANX_z>T5?lQhMIh#Jn; ztD1~<;3Y07L&ut=6jW^>;Y{I2Rp~^*Q!V|+3n-am4z0zKl#1s>(ZuMrMCAu4r;O%h z4uzm=n&A>92>fSBg_YqsW#(VaB=~*|gr#tBuy6E?g-SJv_xAq7HOg7G@mQ=n&lswh z7VCqU7Vk?|HI}~Dh~I0|tY#oLGErF^`98j|U7W)IjdX7bWhltdqG>REY8Zt!%W}67Wh7iASlKwz4!V(mE)VWYbc1BLJ^njOgq{|}! 
z3or#OL=*eB;EE?ao5GtHr=~;^u|##+fb-b2Ztn$nz8~KLi2({R$NY7!2(nnv94;kn$dq5KAxgTkSVf6GfdGAobnWq zt*PM5c%C&8RJSA}WNX9qXa{~FbIhy>Eeh>_xpvr4u_4L~fCq1z-Tpf5(Tx~S@f5U1Ydye>s*NW^JC_0zx}e%2YQ6Fv-`F3L zC?MMPGgKE`e5l@f+qI-?Wd3a&xgX9s`uO17w6Fo1lO;k?W*HPlc(m{LPHK)TvZh=B zmF(ZOf0x>l#ny&4Af{j^DHdOCDGxL4kO4D^aJ)F->QtcA?%%+jmRS~vY+ZPci9pYv z9qZ0btnGc09+-r)1znZ`frPg6l&3GL6s4Ja{ZOV$tj)S(RUGX^JMhECchquuR&;C5 zbc4>srSQm^`q|~x?C~(#ap75xM9a*IC}6y|eJ?+q@W2rAriyMf89nufL0_qY`Nj#z z#)X{G4$N}O4%dWc8qW;4fLTsH{>n&I7Q^4U0Q^YuBGbVLw~ouy_I`_%`5c8d_*Ffq z;zq?`GK38;At4OPA|(o~i?TyQBrLdzh^MAoJ?xxDJ7BCpMXELf8u+ysI%VS*K(t*j z1n~t-pky6tYC5FBdTnzJKKKUz;p&r2a?egH1|?e|$<%6d%G0AYO^gXLQaXbL#Vj2f z$E{)4B%`VAz62r=X2*-4Y-KM$8gypW;81sNrqyT5NL=5x7Q7JApEDK!u$_o01O#~5 z4I_YF;q_!@NY+MxwfSOzd7(DI=Q=(!Dz%+dZ5el>ZEqrlBB#ul+#dx=@Dv5*={Y8x zrE&`U#%CNtMx~xB!R$All{w0pj;%2T%3S#7XF{hul{(bXs^L>4A1Vu@qso*gayQ{D z!9vMhskk6Z++AC|yK&@xc>~sI`<0Hw|9k>$GoFeUl@T$LqSXynbh$#I16FPW;fzQL zlmQnh3JsH!4+v7%+VD~|Q&xJgq_%_FthqVu2byVHImd*Q(gcrMrJD_C9XP{kw-Wx1ZqjrYR1z_Zafs5s?{kbz3 zYH&Rh(y-Rx*)o!*R7)<&P6aPeD2j40g$2nZ8h|1!zBD2CV43kb$*RA*s7>+J&_es@ z^0x4;>0(c{w^bKlz{)HeylWuXHo5$COdlvq2h$GKQVGhIgP|`+R^|p-on6uhUlPnY zJ4e;R8bt6RNn3`(zYmD6N}xlFDWgo`62+h@d*^;#4R1AI^%UxwF{@DZNQmQ#iCG(k z0h&4I84^|#c~$pe5X{Q9)$eq&QNNz%eOCSJCxN#|8HN9P{vuo7Ru}99@wU*6h`n1%4*RF1nG5hW2 zw#Gx0>`fn`?4CxyN-`lqQs$#PpqqIc~_SLzKgK;JLo=C zy&}|`IsF`C(oEal6+@Wg-G++@VZUN@QPs)Z0kmpUg?W$YZwZ%L13EZ9T_5N%KR#VQ z9lYyEYA+Qo&)lKpnkMT8bz|q0Ei*hABKJQaE___8EfRdi-Qc+_R@`VBr8+l_@~ z=kODF)ni_+H!xkdznvW|fR>$cow*)UC&bx`%6+J~AHwR79G^$tCprO#?hanN`OWq# z8lxWJxRvFw`Qh6K@BMydPLeM=h3KUs_#DzlOknfs8e6`X+_HZ2i^pxfYU_){HPyN^ zPi?VmX4II{;6sQ0`vli0T7I(qsbhQBs@A%;YrEarZnOIB)ioyJrs$<7D|;8A3lq{? 
zB=2n)b320j-9t0=e`j>t6XQ4N_;yd&`d&~Al1Z`mIOLXcU6=Xp8wUG@rz!a^YkV&v z*h^)YjQ;al>Ew2A)ci>Qcl8;I7=8Y?nmF&Cynb_Z9;=V)-g1mLt^a*GIq2kn5B47N zzhB}RTwVfYNmiy+rvD>~-f+l}2xdP^kU1|^ zxbSKSN^GVPz_+l%EO!fI;PMjUGYb)$m4{bXHOvx~S)|Yh6rJEl1yW&Q)^B|0R^S0) z@Y9<&r%)z$P{>#n_p}uF2L0bZIB4ttlfC_C5BmQlp3BP-q;?r$OZ`VzSCM{8 z7l8k4>Eqz+=$E6z^P|zp;j1GH3ZQ}G-|Tlpv+DAXYWdB;D2SJIzsRv_!Yrz}5lNGT z+aqUbAH(dzI z)B*t!;yc1)i@N(>x(xp>4s8szbhxe@R$E8(J5m&J^D}t0 z;X+&YPL)64pCwn=>RK0zHKXZhzL_@M#JO9r*;~mjg}mO=nPvrHON4Jf;ARNlu1N;d z=an>Cjt2c^T)`tQ;1T}QRDl60ioxUHZzGt4$B!LXO<~8vzw`Y+dq=zA=`X>6 zf6@s4SM77VLxH_o5&1K2+PyHOddwG8ty%yvDGIo{B1NI8jQ=q7)r5q$s)D*vqJqwB zC(QEfI?@b;1~5NvL0=8HokVL_P6ZmfVy$S~xZFGnVSehQ?KylmnqaX_3VHlnfLiAN z(YAg(HZ!1R?{ANG;C@`w@vrTp|IDWw|J9pk?rS&Ljr+g$_S*5^v!@3S@!ywt!u_A5 zDCF*X;&wP`@9H#27lbMkEKkw;k)t9hQDj=}uerf6S}<9V1gD+Jo+-9aZdtoYaTtTr z#+g;l>0evajuU8n*m>U9Hha{bY?!-MsfHY^ud@x4-bJPWDzv1g=B2Z=q!iQ-ctzw^v?X zddX_%$m`ZR8wKvd#;!B&SH(W39fxR|d#OTM3tf5xs?9)8`WEQz9nv10F5r>Ge2wA- z&kG_D2LJ2%B;MN_jrBB&6l6{_swm3%=W>qDg2g{l<$gX6$=QK(vOtiOC1^IJP5ZWs z*Heb@XHjO^?qs~bzxTA3PO~2^7%IQn>K41%g7mprayx~=c(83eJ96am+ckt=ogJ|L zQ-!8l<=E398xt0Sf7}Fw@3{36)gF+77iDI)w-N=SWQykKC(e1P4Fp@l15&*{G?Th_$^rAE7^W|w17x?Mf(Cy-Ef0uA*W z2ig{-*M@A>q8?4!w$8MPuUD)n={VU-)V+&BNgV=p1=UGWQX!siDC+q z{rzX%cRvbV7TaE)aHd=6;0-4@_sb#xlBQj-lcP89e>gsQ`TqRq?6>0=N89>1{@f0B zS-gF)x=g;^X!I&4vUOV_8y2DY;k{Yc8^`1GH^;BvzdCwz`2OtZ|NMG%{^scA`;((L zzrQ~F`TcLlN540y_16CKGQPSR+(h3^i5X<;exiKJr6nS+^`7L*4TMx1oa=@vn^Wys z{@b{vMD4xB{;BsQkC3hTM!S|g3Wqe<*xRJ6W%w${8!TOq`?Ozgo1l$NMy!fS2#-7`|gnpg&{BDULSogbg@3oy^QA`aLZXCYn*0wCD3ESSbNBJ(4+^{iE zD^^A0b)eVut@G8thV9wx)r>+uJ6qMw|Evmf&&L4WkpG!Hd)hw#>tX-bmwH?%N>~by zuE}rM41XgZ6lQ@Q2RZKEm~#KtF{Sx{6Xc|7T6WiajU4ZGusJHS7iMs6M(Zao=)bh{ z%1(KD=xU(&tL3lYeiK-xlW)wr*E3vLTzy$TUH++=zuKqY$g#$O89@u7umv!#Qh2Dw zwn{aOtAt9>BxL)dx8n7CvwZhP?%)k?==##hB3zPIaxyg@nR8Q#)@T=OC0um6Qnl$kxdmK4;a%cNOK|1JviAn!JhBeuqpB}u@TD8 zVu~!yN`Eub7T0+L^z*RZmv`vee}6#Y{kedf*8h(8#+~)Qdk^v77kR>UeZdUh3xS?l zxFa$jw@rCvL7Y7Q)uO&I;<`n0-{%eMMF$S9nY3?Y279ehj$(=MC`Bw@@M6>9X;A6$ 
zXUyn3-SK#vySyFe+6Q*JwBevR^4a4b)U7Cigx&BxD~45 zHACAY&B3X*&EYi1+-{fWPCYBq@ijBU_JsD6XRz%qeQkgA@O;^4Yy9WVSig@j@TUCV zlTQBc>C?%RhxqSHJhxq^e_i0`Co+HO+2fW>U8}>Sy~?#W!t2T39ekzy-CZBA|7S;s zFJB$SdHN@`alQUe_Mbd!-~Y0=H-5c@k_7HI}7w`N*tqf9h=7<%~zz2X71gEibmiJ3H_zquawa2-LF^&RRqv}=(eWZY)z~z@rg#CeEX)ldjYE%t7uLXbI6eeXvK|WL zieLD%$$R;*1Fs8Y=PSBUQS|!?S#UF1c!&wodqkKXGYOP?s>mLcNaou|MC!Kros?% zvVl1o8Brxwbd9l9cl=1DlGT~l?gkmNyJ5?vF@1}_hwg47bCrtLfgF<+VN~WoB)mPh zE4ks=FWG+g=uQj4A3NgREml>l4Y9NGmeB0unFBFL z*BEOs1OiE>HM~JI)fPdEx`^Q?et~Q4F6?zy3x%w{&nlFi<5NeX#$c~jag--3l4Z!2 zlr7^Z`u*_i0Vj0KqV}Xfgqd-|^O2$r{f59b5HqDsOaW%3dwW2yga~^;%7HIAT(=<`@2UD&B zj9``%Mi(fRbn%<_b8@%g3*8MPH$huHpJ|hi63qy@vooBt^FeDI{l3y}n+2b*hd|AZ zbpmzBhb+}Pm}N$IN{K=`aq>9q1u4}iSP&QW2ICk@h(}40%o4GabHXle>WR816fUZ;Pl7`BeU9%+S#+!(K!0fEk(o1wAbEi zXtl}R_)`{3K~fz%5znW}E-S912^+F)>UQmjkTtj0R0=H68Y%1Sjp_3)+<;b{jJ|`@ za-LDSvWA0eM?$r>8j=3VPaGswTx>MBJ=`_8?^d(0BJk0%<=4=;lp!1uso-~%>ao`( zcV{M;>pujOQS^6>24v2;TGd9v-&yD`S2De|>QJw^jLqejKAG#H1!*G;vydr{yjk{heJ zu_WJ&?Eb@=EtcPHoJr<6uAqUbPqvkKmL=V~S08I_s4Y_zh;^G$nJ(!AfcJ@Q0L+?w)I zMh&65AUbGd2pRow>xmxR(h0(dxr%l>o0D=qg)Xzy#ErIl)>(90cdu{Rdb>Fo>4}12 z$n)Nbs(oJ{m~#uLKB2eW((|iYpw0Bm8WHWXoY1AnYEiGIUH(ScUbWYO6%mZG<3vEbU@ z+or4`GM^c(A##@~SJ$6m4rwW@uu=(y;EDDy5f|Y1Jp0MHuooHE4AK<)D~|1CQkTB1 zZipr6no2INnP4!yaHkVewQ=(4{~Ya&_a>w9cyG5gF?0zC@A=Ga!L@^vm2Z-WfI@H~ zjRL_;=rByjkCl-6Ervj9muT2XGJz!BxGcrY^C%pA%TFEWni-wqn#zRE^+cb1K;Rb) zggwrpfsE_~hmJ^GE)|**d0w9J#i7RV=ESe%>$_nqrMo$4!H8FAes$|NGt5;D17D z_rQNB=a{GrMx&a*Z!2st8fnG55LDrFB}(*PKoGt)c)xX2nL|TjpIUWYGbo>XkT27m zLHWE!`B|+RyVGv+y3^;LYtIyEH(*WKKb+9fCDRJw1l*pA8bl7}VmW(ddCAiF>wg*Y z>5|@j<2|);)A!%KC!O_wDc zVQyr3R8em|NM&qo0POv5ciT9UFOKhHzY6@)_nhvzCz9h%Pxp?WxgDqD9mm#4a{BJw zyFUjaAqf+T;1Hl}@0@w>-vfZ8NQoq>D9W+ZtOqk43j_-PstSdw4`x)dXA4|K{y4Z~yJ&r=NcL>FqDS{P^~#e|vNCG3hw#fMxR z2UIbsj^}i(3&>*{`mx~t;N&kqKAimJ$6*vMj=r$RdlCEc^k_iLhesh@u~VYg?ory1 z{w=F~!PPRE4Lz~4?b!c4T5omiYY+XiAhZA1G)R~{m;i9>|C3+d{99B&SDmNjHo4- zTWt2+Y9*_R6FpAsL9sZb!KJMw{eqB~t%PDD9td^j`!SR9l)QRnSsevb 
z%|*N-_e&PDR1|ZWN@wN|$w)}aX8|L2rxO~pQ}RkgER;(=SFc`^R|_wCWry}GBy1I_ zM_ZVz7!4)iO4mrqnua_GDEVtLV{yn7lf>7f$!Ce~$7?PI~#)c4II(|Se!Td`GS^oXv; z4*B``-8B1aVc5STn;|FnY_=5QOTJv}Uz6Cf`(DI^J(x`W&YQR$Uu|YdS7_FTrvj2lx?q}jpG(cJ{Uv3Ec(HGGgi&x=m&~-Dn*zGy>54h> z*_Cq*$#85-47Io<|N7Ua%z`OGgP^j|*B+8T6m9K)EqOY(1D*T-aF^o2TTrsV~V`eD@8At0S$uTf`w+)ylN^a zA{J96;$q1GVWHn|`maY@`#-fEx)lMA{r}_7C)@h}r$4{x&wo!s>HZIeB0sQyJ|ZNbGZsjDvZ7Ixl{NoPZIRO&vm-s0l|IRRP%&HE?`k^# zuYVn-X9d&vAmwyp=MS^0Oub&fS*UD3EwhAFiP_RQA!C#114xORrm{wW29j<5BJEi@ zYd3GXadNX0!=E&aS||@4a$I6Rm4RoHv^^rem=f9n_iUubUS)i{1c7%Z?Qiw(#{VM-=?)t4R@*R0kd7vjCBuS`vU``V2-BUT2Bxclq9Fpmh70>D_7D2$` zv^L{QNFv=?>nu`&eAZ2THm>K0DsP!Nr9OM~*Cg}<_Lxd=tf%rBDr>|#D=o|32JT7>qmxoFgDpWWw!M*i#7`eeowJ$dz- zyjq{U`tPr90&VI4Yydhv1i0+~Uw+xP|Ns2v=bwB1{}hx;kC-jk!$-4OUj6@n_^&sE zzx?c~ztt8;Kv`^81$W@L^W|Ap$(?o5LSZWXOs7h&7 z4-g@dh*kQb{?Ai#^5-`vKOSvVsq&&hLGMPfP{I?zDVd&+wm$o1>$9RbD}Of_46209 z*8bN*kHv%3ilC{-eNS27-2Z<*+1mfVynXvizyF_tz9UnuHPZ5LP)Sj22$j{bH@ zkch>pQnS}Wc8^=r&N!@5p2+lE5c3Mv}~jZ}&ucTSUB=S^K$K7?kgQ zcI7~39B$uQ{p(*xJNG*2*D(zj3{t_y%-0(`vx2saqQXCG4l;xCh8obkFKBzW`t*}F z;64M@%>UN@Pxg(^U1s({G2B}Kc z=0RHKHMwWRqv7|;Tp6doXEI9f9Bt;ujC#w0tx>+I1{wv`jOdoPcMM@Qd%MOMM14PviYNsQ4pJ*;D3yrmf(;i!ECNO&E=|OrVObXH zvCbjg#?jH;gfa48`EURILsqr^(@-vtec?&-5A#2Fy3p~T(lDsiiiSS%g_o>YsI1|7 zXF7Cg2Z)CY8<&!fpvXqf{MC-72}mkjo?9LA*>+7&!spY{czj7_%u|6il?x$N<**~u zqpYz_UG_hZ&3_KU@+W#cvi)Cqm)G4IYuf)OC%>Hh^7hAV`|sqW_y0TzeMjEikn5W% zxp;RuB?Iys3t3E+-P`90BR3HX&qkMIVSf;@5fwfWVY;u+MwhaDfTIyFxU9Etgw7MG z#A=+1l6P#*L%wqtM8i<1qKE!fwnH-+G>D8h_SGr*!dO&)J~GCqy_eA&F#WUn!;-~Z z(FHptQ=Yq&^Fvft&RRqFRIZ{RS@2K}tNihqg|>)A5}nq#?9J}A9C}o-g@}3f?=-S` zkg`^E`VUIK*g^cA%GJoQWBwR$ss6h4!xfjd-%*gnG$?f;^<9UHB%pEemm@-?C$#O9 z+n?H!To>H_#`|Svj0U5ahl<7LB1l$Y-jhW*ROM8q-iQ8@!nYi1LsuX%w+g4rV4c zF|Ss{K8p$UVj(4wETVet7p{kfvh9*5*Q2?G6bUZcQ!kdlC5UJ zBboC+u~-g?wjWFsoX-^Hfh1H_BsCZ-A`fCdwo#qOrm?%tzCPC5ZeaJ_aH&?o_azRh z2OztSnkcxt;GRCpR_t2GqGPVkW9I8!Nds97mcKc_v=wDx z^Scw!z`{x&%2A8Ni@9PkrzSd?DHgAI$jJSYdrP8XI-hfo@ZDh`B%(5nncpa(U0%6j 
ztDO~18rOT;6XCP!Uv|bZ?SLLV$pYqC&64tN1ptqU&tv9U_j7fv)r-lJUQ+Ka-d|o{ zysIs7esy_qJ+1wDaxwmNF?M`?cXs{muCZjpSJ&6(t%gsQ)xtrb!NEDox3|YzN9T zyCaQduo_9*v^=$oK5us2=L#NeXv9ocpxLxJ7i9to&ktvn;{5D(`e9d;+rR(cioZ{$ zXVVErkXaQ~j;g8|v+0s;C3TprqAcwsl~el9qM-fi#A?m7J`BF(DKG8TuRdVY*yjt-QI^u5YSn` zDm&4MaR&hgly{j0vDkdCEf;qtt&A2M$JW$5(oR&>|Q6wP||A zJ+t%v$|@FY)3+qSi!ZnXYXcF1hH0FAXY>U=v zBieLbOX?~niAya)lww#ZR0^%TwuB~gu5GHNG%)4{B|k@04NjdAfMe)=ENX2r;;_|- zweGL4F0Xf0SFy;4n@OFy2ISUhN;DY~wIA2~U=yuQAw^s1tDU;cH-4d1>Vq%-C7JC+ zfTnzsfBx&pT%djHzQTfeY~qfGRq?-D4#VmYVT{9YQ$v-*@ZE-|ai(WBUc;?lcU*_t zJ+f216tTMAa5x~o9hQw_aqGM8y^Gq^GdCzkg=P2h^H{8MPon-qmhzo0$by4QPs4C2 zWVTuC41U=BVQ16#{>_wn|K^r|)5cUB)W2Cae5i>$*UKsp)F(3<(9q-I;x!S83OI|6 z1IPF{UTUnHzC)T-fCUz0Fb1O!g3oSWSh);ycTcCh{v#V|Ar|silEC$k{OY z9@Snd+g{c2x7Pe>)cf@cT}u_fNfjZ!P-b`@t_<#{%ft*CPG-2XSvR&+let?O=IeBb z&6t{DsWVF5heqoQtMflsG(JteXT}DxPFAY4)e$^e2LzW6rXZ%jC&JL~^pOx1XFgnQ znzS5fF0s|o57X(Wzz2zh2(&uU0;=NHpdD9+vmbAxMNECxJPWmq+QZx<;d9f;li^8` zZE2#G0d*2{l((E1ZLBN%F+U4YDTT+40xU=-*EkTsStg?ad3W*t?DneZ%u*gTbPn2l0xt_X$Yo>({Ud!CvC!w?V$A-LFj?=SE|NAhw36bXdix`oFP8(j z$k>k`=>vwN(#rZsANVR+rM_t+)jh@6T7uge>pcTyqS!Ta*n#1Gz_eu~k_wHsOFKGF ze{bwvkyyBmn1OC2nQd<{evqYBe+B?u)m z>V08hh2^qKhg}Y4kW>s3)`#XLk<1=pMp=9^cBU@p_Ru4Y7vpuBzn#ZB8?P-?9b}Fb zUmK>{1P!_3CjGsrV)V%kK9_bpWgI|Dl0AM;gtI%)#D}(GVOv;ORMzt$!~f- z%6GN1Q-~dmF$~gbTT80*lKqm(t3!yGja+$`p5R#S3dTiQOPcf6*O!gTi~h=3L<7EV^rB}}DT!tTun;j<%T?oqi;&&So3DpL;Zztjd~B}8)}-w`9y8xPi31|}DyqEoEf>RWMuV#< z6${k|Dl3A&s)z=GyKfmg&fzQ<2MleA7057`TYwLF`8$2!`(P4i(-g6%Y4Ti%FZ^km zOC+0^JFv^>$-4KqgvE~|8q*b1sF7{cY|BY(-xO-{+BJipwD#R;Ia%M35YWm~3(6;H zY(*CVTOV{*k^O1c2%;ZYOOlWk5A``=%)`Zm{|_^f1Fml{TDPnq8_fb(wE#tqQQ}wy z4piQVJ&W3}sJ+_Dc=9r2Jhr(Olhm#W@Z{jD$4yE*_FGKG3*NZTOBvy348cFXavH>T?ddmH5|aOqO&mzaBJBfi*TEg@sBO2cL$Oo*jzux^Xl0n;zFo;Il2+?Ze|&6` ze1sYB@(KhE{brSZtrgf}cF3VuOyT6Pr=&AMil(Xz|Zt-UujZU;P9)12}^tXWJ%od5SI&9pSAe>TE?_&uOD zM^cYhov+FF$KU4(0X}T7EU_V2Mz=8G2vHTG;B|zH zIj&<5b303RV;Um8@bZARbc9WyFD%wCWhD(0F21Hm?ipV!VM4UnA)w4^@j-JQe3?=J 
zP4w1ILl&~7x|7?WmX(41yTs*oV$&dCYZjPzC6kM*w|mTeMpg{yqPW+kv!G_eL&8GE zW2P!%^LNRSQoTzUk-iaTy)bn#+Kn)c*#a13W$D1e5Pw`g+}_`we)N*uSwHsi0F%$g ze3J|W>Z6#aX)Afsy%e#^ANnvkM83$;6+m@bQ>`qPAgcherd#J`oiNY2U`pF&oaJd+EGJuADLypC>vpYIAj6>LlqMs- z%W@IB$WGFG@Z#^bz9}GLu57c}10-Q-1^EDVG%D6N!@NZCHT(0!!-WA(L$P?Bhsgf< z;UPs{BR090P;<04c=$ zcZ6Xe1ILth|7C9l)Pi1C4S@Tg2GW<2h}D%osAe(H;GpT9T;u%GL%?43Do3BRLBi!5?Wuv~Ifm86h)j?5^x)M7Ug zbar{MDQpx2F4Mf&60%c=jY&WhhUTGLYLSf&=p8Iy-4ZbA1CjE9Ncg~KVgR$*v%+lz zM4QZZONjjTj6qa_YxWT`%{65Xo9vpk)-DS*`?_`Zdw0#FGvT{wx?NU$H*N2gA-^vR zdrkVj&9<2AeVS}L$@_M5ugU!bh@BSs_T4m$%DvyW$(H@xr$Kc8+S%ys^7Ad>Z3=MO zVfF#039!k6H&@!3Dkw7rEh}2ci54=V*G`ZxU!Zns*L3Si-KRO^WVUUp%_Q#Atv!&H zzBy6x+|_H_c}DlEZ9}O3v@sRhnF%=kjWiDq52V*3CkCJzGK~idt&x$i*c>TY_OrpdIuZED9XLgr%0oG%mr~(!Q7zX}c|BHV7Pl z0?(7^2!$f84lglVe}>6Tw}e2au!O;=z;t)XB?74eqa>MJ?uS=l35{Bjb_}g3yT9hSPm@34eiB5kldDwuX7dH`2R2T&1~S{QcNV+$JT!xBCL zV-Lnq*dLZ~2p~}Ze;L%}MNMuCWRNFg6PHthMhpSYE)-Y95>iCrF-9yMexG4cN1lqW z{cuPu;m}Bc>%_PeI>98dggb^K?1V_ffZ4>^1~vr{Hu}hCSrJcP1`z1tl9;%fkeCJL zt^eHDG8ZxOO>E#gUr3<8yeT>Efzb=K+a&TZztY+(Mr^8u9=`nD%c-_?k`w^nAAest> zOAOOaK)nRiNGM$do*cOTdHVGT&^A~-lWGvB07YpSc!zLW1*lIDngpgpKuSR+VaOU? zBT#`G0WqH{pbWV=G;?p6SE8pokv3w{vIz2WFB$R0eYk@{)Y;T48ZVgoAf)r?Thq-H zyIF~}!)2D8JuJ8axlBjK9k7V(-Ux8AukBtW;;+*^wUpY8S|;FgbxjK!u~8R$!UB7EL|UDI7`CZDzo5N>SLPFg#M=o^ORa3U|*! 
zwS38U%~J4VVIBwlt+-4ABF>oILbru9x=C_ zFkDCYp%COpa20YCaAPyJz+-fxEjEB+H~=slU>7h<1}FRw9Cio?RRDq+0%L|e9{|c0 zNHcAlK_JYuX#$HZ)3zHe5M{6sTgXXiQ$27puvKFwp$*&U!GD2U5(Q_|rU4*~4R(IO zd}AvH@r#M*!NKgn^b!D8$KCHn^#)UIaJA-CX`sCW+&92I(@V;(*hWf9coV2W$5sm% zY)qBVLB_I)8r&DKjlQPn#*96PPfUeQ{-A0Fu2S4O0H8|TY(ez^@Dd7$xYh;A8eEgZ z(A4%uP{TMUKuBqwp`&3UARs7cogkle>n6dWn!yphK=@>cD?uy{8G=(3q8Qls>qZX4 zqJ~h9SDoD|B9N_M(*i}XLc*KmFcFR^-V4$M6wiopU_jwYV8~MiBq@*&35Yg@ zOScDsn6yWd!e%=H5u*wSP#`wiqC{bm@o*^+u9#R5>JtX(sTse?(YYOTr@b(n5aIUF zV0#!IQ!k_n)B%pt0YnWtxV*C+hr>TYU>% z5_hKny3!=b&~Pk3g$yy~5I8!ppfY5mK#Uw5F3t-ad=$=2hb*|`-q5%;07M$V#>61c zbhk3$s50HP*%mPdhZ0l5e{q;qEs$Z{hQC9*L?TvK`e>6y-~od5rYWd!Bm(Z~V`lCU zR)X-*=WFgKG%$77@ZM-<0Rst~Syb@ah%=+gQWtquIIajb$Et!+NTwCYKTycV>L%aH z5)^<0mV1?#g=b)8pTNtaj&!YZvMgbNvv7_iT$Yw4bgmX?Wg+spEFE@Wz!_ea4w2_& z3773v>?&|=w#)pg=yq56Uuhq}Szwk9yBwf-VNbyeGE>YFI$sQ`4)UC`PO`>|;{iju zf;+dG^2jV5B%90#p*Hd;J~uminW88 z@BUsARLq_GX6XvlhTg;R)_>IcH=%TWrUwG1poNTfqdf>C{}qwH5^!J9tP3{bwLcwf3(y^ z79^fW0?vr6;Id6#q$Rw&3zQ>S!Q(!ek}Y`!WldJF+BSEx6`QEnHZj?h6&>3@r?N#C z+vHcGc{f>>zy%D-#B9+~NLFS=#{jvRppNaGVP^>|v=G^vmb%W_OxZv>)=}FIol)2_ zm$OY*V0oPtOu4f=K|^1eLHwjEu*K|w$PBfFnM`PwXj=LJ zPvLj@2tMLnCA>=v_vHOyGD$4~^GPkCO*q^G`Ry}Ii|k=;X9+6X6vIjyMBFy#wAdlU zqyNYcFt2-oa#1azGg4uiswQi-CNC9KXUp7GOXz0~agQ9rvRN(l!gPOO3eR}8bYNlF z@~OUq?0sBTtR-x2EU1rp{wyp*7E~ubi`EiiO}FwXK&A#f=dK)EOR#t7Ao;dgSwPlp zR@9Mun-zm(;O12V@^H(Xy0URCf#(yGnQN)*{9F{npydS1*tG-|=J4!YOZ(>V7P||1 zqY{7|xhyl@FIrV-h`DgTI&-BxS>^M5V1$O3lG&}K59@noU0gAd9S zG}`zOS;IwM0ipntL2T(Ts~w(Gd`K?ZW*J**lWXkUdNvoiZN_nN0Ne*PkiLu@?^8l` zq)oGMjcJFkOZKm8_pfW$Q2)BNt62ZKb|v+%Yd_o9wSjM9)wNWsE81!aSN>_EegI&! z19buf?g_33I@oa#hJaEZP!&efqY#9erF*kncOk;LWVus{JLNY}asvh!BCVfh)ilcH zmQq=7_y(~AkjD_lp)%MheL-^9C2<{s)V>p6&4pWRMNV9Vnz!!l3->t;f)XT=He$yz z7Z^UTrt@@$kvI(R40s zT(%8A-i!E4AgDiK0rQloIH5ML>J?Sq^2*%mR1Y5}EMPx4%Gw`mevpc)WQ&*DIvxgJ zk{OFbrkEUL$RdLz{1S@$a4_dA@a2}~+^Nf=krYZvC1ScLYFwGjVrCyluTyFfQHTY! 
zkz_?5O#>Daf=jZdLBg`8^F9|Z`7BW)md8F@v*4IUeBg<2t;bt;aOHouVv71y(eHPsKl^FuZO>w9J)A9A zX*u{**+1By*C#Wk=!sq7-jc0owzfsY!n4ukr?->RpX;QKUXA4qyS3ItIOmJ(hK>6x4sDdePNG6Ptl^$uIDar#$sM?G-mx>EL+P?7Qam?l{W}(OQ zkk9$zIAltTRvs>n3%DqQI0@Krsa8Qb?xJ4CvInhVrWK(FrJkSV2-SMTWkfxTu%GEA zE=%w%nhjDJxntX_(nYoASEJOfH@B9RhQmJ6YnSH+)?_l1tO{1Hwx2HZE@;q#*zh=r z-Qqg&H)XWcX0X^{sk21f3fe}_HG@Gm19qwmfM}^^lxE zzIsT`9qJ)DtEq?N>>)XONKQjNBxeuF*~EGe$yr&thvWoN56M~gMGwi@Lvn5v>mfOt zTj(J<>%QwDIlFGEhifC>mJsM6IeSRX+M+!qr<;06&Tmo1_mG^2VZVpu?7Wd4lCwZP zBxeuFSx-GAX9cT0Bxjdh>>)XuJJv&T_K=)=bft&n>>)WD`0XJ%dlb1Ik`u*V56Rg> za`up%y)dnz9+IF@IeSRXjCx4UI{M>4 za$f0!Y8C?x4w~M{HO?-xwuH*;2KKL*|BaU@cvA|W z>usr{jBiWrgkZbu?<)2?$^q}DGu;^io2>9wQe3vr4Y%}k5)+#(ZV8+-ju^f?@?`JK zaZC6eOqrI&4e=qA)ZM-BOEe zbU^Q5`RbN{Ngs%m4@ANTJ`)3&&7Ku*BOuyjwp&8vw`UBZ5?r&7kZG}A3*H1$hYsN zVN~w@zD>65=ROUh``6A!Z7QDIA&Qw8}DQH>ILQb@h5xsVT zeE9;kQ@f^HPwGC+At$qKQ*9=3pKk4etn|%^is!Cg+s-q(Uu_#g^{0)g(9TT2>2IWY zaCjiS7C|8>v;s@rVHULInjrBDD)?@XVqmGQixq)rP{H;7xCVQ1kH9#nV17TOgFP5W zJAvC^A6SB;2q3x*$4ao&G6bj{Zi1zQ^xNPp;4l;{wYp7&;we}<2&#gmjxyUVwG*yr zoCQlTv<0N`gT!V?JJ9M{s)e9vi3hM3WBb%R5&u+)q7D%QIc>sXWvOHU|}+d5L7M$WWB!mxzE z!$5R9dq&rVih-!IfS=JC8^aQMhwR~tf=?oHrNEFgEWwlBFen;n*@MphV( ztC3d^M%T!`z+h}xLaqor-i9R{>IQIW0G1mui#qaDeC>xrVhM*v0$eA?rO*i`i6z`I9API!A_mMR z&Ni?qfUwa=KFf-D`Z9n(7nj7u)r7<>FmL_mzLvR&k#E{6VZ?pz%9BuY5E<1%&voHB z_oxDcz9UU0ldxTArj1d3@weN{@x?pB=VT>(rd8wTkGIp?v#ZaCvGZc)vrusw!0+9W zO>mbE1qfad6bD%q*wU>-}Df7e`bAmIXV0F3YLdDAd}0FBXD866o7>X}r7 zI0Yz5!@xU)(<(rHg3u%|9RgAcDhWf@=o*0v+z5#IQ~_nk&7qll%e)dj-HEgjiOeo6cNhdc)xAfXQBu1=Muo`<6ap$7^|S)Z)U{~p zkxt=Al5R5thEs~dCWYaV0{46?+)=oD7P>WYn4&lwQ6xHO_niYHf5Oo|;i!c;giqkA zX@}&AK<|Y2502Q`{lr4iIJ<8diL{A9*WAU-bj&~lq9zz86L$K8DDWl>Ocd^A3DL5F zdC=a1DMt*Z<=!}!@U4!;tLzw~vJIpADUc2RB;p3A1?FV;asiGf3C55tBSX3ep#^Rv z{Qe4lmk+~)ETBAsy!~HZ6K$~p6vF|4 z;Q+gUVKO-3hv2Y7IH&>;%n%qercD!AWSO?zXn`n$h1fz)N}K9| zlYy-oGYM_jMi2fA+>$6bn>GyqVQjGT1LhlBF^FGGL=O&T2d0+*usZI3H>x+7YJ;ma zr%D6u9pJtJ?wMXvcEvVQQo@@+4LY`3z+hvlgbp&6P1NANfNk_OMK@;bL40B=bn*vP 
zD{z(K)&T%j;${n~2Y{DQK*Y5!P}bm@9EPU0H-Z|*IRQdS>kJ(Y69EB1LF)whtXnq; z4%G~f=mo+jLtF`BamWyyq7cQvzF#+T7#1z8Aafjxq#Z&STrePzz+mWKa6B)#+Yz|@ zQOHfL@VTHY!*IBe*jsS4xxEqQ;OhsCmeu*JgORYhMZfCoRuO@01)CNqf)x_pB!`J` zOz~cjCZKpmi~|D-R{}$xDj-RLd`LjFDO|ce2*jj4k`y-E5r`O7K!5_V(H12NlZ=N; zfpEpdf>56@NKei9O^(j(pgZk_*@OtUhX&ij@R)ibRiF-Vlnx+j(81-M?Km9%5d!mQ z3(3gQt6H3+J<*Fm>kN5@bR=lG=f{OW)Eu@7LmC313po*mU?@T`fd!Qz8wFzI z;BawX;NYWhZaQSa9ruRDtpOm?05&EDd8WIS2}hObuFbZHF*uZ%68?+BtZIP_<2L*q z+9eXPy3$9RECLS@tT#mS3HdZ(JR+gXuB(U78yevEeEBgdq7Ima+m6K%&3!H^> zB;m5OETMC?Kr0K8&t>Vb0|U!ly#CdRvZr)(iPmf)s#nO=^)u;mJmA_V;Era%PRWVCdWX4&Z?N*JMU~?*1J%TtuoP4#_{=RmJTbA;2CO`uz6~rv9Y;qEwj}uVc%xJq0k;C ze=X-6l*MKV4R8j{Xe(Bac?SoU-Bzp}%zXFvlAvPl+&4>y$bhrt4Cw_0^n${9F)_Em z=lQXZ^S61{7x6GZ@~v(3OWWvow%a~>y~lI>`!$Jviobnx?VjP^uX}sE;*M{&D$dJvOnz_LG%Ov%2%6*^)Xr({HQ*3YygTJ zqr|Za9H_hzdlt1{QG2zQ@#JO5cx-bmCaGN$;K{*PkDHWs?6*QBc(EJzc_}0Oj3M~P zR}SPGr$DjF6RP3BO7k#~E~pD)VE&_}F0vr;JQ8q5WCfRP@**wa-Cdv@$qF9#$&_r# zD=2HSg4MRUldaf9y|#(TrmX1L{yCK`y4WVa63x5GvIH(*P$p)JjzY3BD>??q%>;F9 z?+iOjSfPc;*0j`h&SuI6(y@-(cIb@4mbsj5x&q7VtYFHW-3c1{$_(NsU4boTha7sv zfHOcXb(;rT{N>VOnGlb302=*`^p)(jeltIj6-AAs+olet>!13zUm$37wG&(^NHCt2KG4pgLRT zu3ADrbBKH75SGnqsTZdE3sZQ;tEB@A!m=G2vqYY9A`n9N*D zUFYYb7zQmTSjMg;s4$0T?^@b7hqu^W$QzZYeBKHcyUOadgikNE)Z&Fph%t@G_D%Um zgzUCr1DOA7sYMpBbA~pP`HUwEl^uLgrl8TrhsYW(@(K_Im<(b|hgt3LoZ>@r(KgH2 zQkz_3=hm~i$Za!@iv!?3sDbolyN3GLwOz&f*R?CD ze_i|8zOD^?6RWPJT3yjrOStk+8}$PKqaCOdAaGA`JguBGkNfZ(q32VGxuciL?2@9B~M8yfUc~!5d@|IWT zR;POSFku1v!BN)!So4EaR3%%y)YkDZ_>#<695Th^AVU@zB;l7(+=qiXXMr!bH0MrT z7LBA(N-7c41v@2k8p!ld$t-3z_M?m8vKqg z|1O7I9IsD~zVOgLCFhA$Vl_@He8=Vn14V>KE2gMV71d49FcgXwP$XV0S+E+)<#EQz zz@Vu;zB)A!07oRf#Q(uvY0E=*C`KzbP>laU{tbA zITM6UShyCCa~>!b%VEfrUZXr*3{9ya7e_K;o^E^*izGTFRYh!FDT~^wTZj!t&LHJC z4X;Xk7Z~h!E)sy-PO=5Y~2n4ZnkQSk@;rh?exNt;}1p70p(Nh*)?wy8QHZQu=e<=FP@$L*)t>zkq%t!Q=f!d8q}p^W zYe&mnkF%e!O2GYtRoC1v5ZI}$0esVtuU%#pi~XEXm4>%9UhjZ!TLA9zop^lqKs{wX z&2x`Z=9I9TvopV=J~mu~ZiIHYOdV(T 
zz1ZzRmfU64Nw!k7;g?pIZ-~a8G>7oG?sW#_?D{_&f1g~wyEs1^-(6n+dUJc-6wS6N zdviN=7yj*Rdhz>NQ{$j1%H(}p(U^VTv23)~^!buTjlTcbAqD_MimnvzD;t_(qg?Rte%p#n}#-u4cm1 zAs~x{4kwq%>^*o!NUOko+=!3^j0$NP$KNK@9#|YYB-NXMO34?Y4UJcu@iCjYb5RAj z%&+8ha(!8rNITL7G!LyM67;RIn1)h|&(>Jf+e+i}mcj8kGlx3n9i9)Gs$1AjZ&v2H zv5`94y0W6tC$W0YW{-p`X=?2DAl7AU75rq^X{=uqi-*R5p=v{OBlUL;ZGYzY*?s`gi`lrsiRf=j#Po9u;I-r(0^wlH+aP*YRHeLEul)iX(IlefDJjz7U z*fU-HZhSEr-CR$g4WSPqn3K~>z?F9viNJST)50;{p8g39M7Y?vQT66&%n*d^uha_` zPzg_xC?vTQPG>xnx-pR^MDOSGgk|Rr$l2}mLsM3)E%ASweWKH|X;XL~XyN6P(Pk8v z;=bUvv5&ox8M8jW=9>xkP&VI^+cF<7#=kXf@&P$}*IdK+;^WPy<|;0)Cl}-C-LDt# zZ^odKXYcE8kxK>NUyd8Ioi%%-tF!Z_Rzb6D&iklKg#Vb_TxS;u>1~=74`jx8xJUyn z8mAa2o?1j^q1pk&oK;1WMzv@QWn{(-Q^9BRT(THJLU@>kecJ88lq59HcSi-Qsog^B z?aJmv!X~3|-$22jj}hE2MsV|&K147(cRq{oz%*ao{ACjwnErJqEHLBTPUSK^QRXc# z?(GkGtl%QA{TapymOTseIr9t{5AzpWZv&b5z*0ou*4AtnAD9jfDl|~m3NWY`Y7{{Y z;>YGzxWW<7%p%fCGtI@w4s5jRAjFwosBOip&*n4<)I|#3)4CpmObI#}6yr3_SA;!8 zBE5q!@h{nOsHx47Kmy4Xa3qg3o$Jbz91@Y@e3c@O?3BMI_t~p+t3+y(sg~&^k!arUCa!D8fO= z7SucyoSH&5*veMu=F8<&b0+~+9f`BlpKQ&i=%k$t6(j`));o6^YJK#^_LFmZPZTpw z?S|17GF4v zTC#YOa15IT(80@jrf``5+Ip;I64^YbO>me4=g2Z)6j>v}ARwU{b-mJ@NDYTm05xjN zl`->q%sjxxaRDN%=tFi@4Y+x#o4)K>SG{p^nUPwFjZ@)vs7$XWcW1ZL8&{!ECwFfE zWljKPny_xNGH>^t#}yB|82A*&tRHv+9(V`*hkImTaDo8X4*=wcajD+iL7N0(gAB-) z2H1B{VfZ0#C1r=qDygn?lhxEf$epjmA{-IqX_eR7z&8}e&h_rVS7vV#eQAs@drI~W z;o<#u9EL^D(Tpj2(mRfN$5HP%Dp2n@>K#Y5ob-;P-f`4Bj(W!tywToqR9)!B`7e6M z(N3A(aa2*HcO31>Tkkk(D%LxW4#nOd({a?J(G^3@OfH!9AU%t4vytY?nB+AUSs?3-hx~>5ngrAasmoV-Q#Uuifp0Z%t?8;r-DsvsTg`66&BuN7 z(NyzRsZ4gJ+LSk)$r`U|);YS3p5r>7b=gCjo<^{J?$KZS$nK8SZ3>dbLZvn2b5OYH zD}5KCinoKji$CqC+;UIs1nc(F&xzvZVh{h@t zj-^+DfB1MY`EYmff2J4X>$59e)coP{+Wz5BHOvRXD?%n({;$e^baf#eBciuQU|)td z=gLfJ+0p&s`sVuLwMntNJb$eje0M#mV{21YiLvqapIxkde;zZ_l__5_spu*)FSQbt z|1-{>q%`3F8@PX6A|G6Hg=DV9(u}QpDv777X8w>|n#T@9p~xbkF%1>7*Dv-xVZuYQ zq*25|Ik1oJ<<+g7RZwKxwx*$QC<-gw-Q5dFv?v@3cXxNEaCdiim&74)_d*MIcXw#^ 
zKD+Nd9rr}{OGjkPm}{<;D>5H4*Eh!a$3K?}if%fnJx)F2`Kf|;R@(cBhrAL2i02xbv9@^UfvexbD&|eyS;0K8z*KE7J>Q z<|raCJkA2Vtu#2v8;?M9$TA_Miy#pQ-&p) zhEn%K4WnZcJq9pGmnLbA+aJn41Xcw26@=4C+!H5)(QfDwUedbqDXFz}52o! z>WMgO4OEq(MCN8pgjwrjo~xC0Pdyd_62|tc=c#j=z2fBQ?8{!9PX)hZjXAvUk6`em z0+C4UM}H4&tcGtG+E#4KBFe@6WlLB!E`bHm;vfkGaPLkTPPC8Jc}BJ_8JJXZBi*NwImu>9n((`#OD4m`~wr4TWB`c zTl`g#$H1HWY16*`Ei@!WGisjyz4QR_&q?YHb=VSk1~UtqxazZeHzxyOo6yA})an;P zP>zSQUlodb(GQ7F#GrRg`>^VNKIT~7Ow8aaeKU@a|6*J^_Sh?9Kw(d*3{*=oQc;0yqPod6Jp zqHQKfqhht=8Zrc~%`WG5mdbBggsrMu(r&y#dxSBU{Wi(*hY$Sc)>YMI*?0so!1D6+ z_4A`FGVAc(-LO>O#;n+94TG1=_;Cs+D2owcBb9`rejSe zl-AoBtHOm59;W z!yU>75FZvipH(9UgKOhzE^T-eC5BOk<9yc(bsSsnzEf76ZD!tAiTwqG2KemS>?&kNzRoeB1vk5``f(ekTSCxa@!<~ zH#BW-wvR(0$$~sW|SpH&D` z)!_+$O*$qrkOLi+?+i5Jm3C*ZQ`ji)2doXDUE-V0X(NKP0!o(WEN$Sf&1iN_$HM$k zYgN-RBDH=Wr}v!@!j%WKE>5Z7Vmy$fQnfji%F|5@^tHz(MN53s^l(-TI5A$+G|U-pntj&`8fBApkC^Cfl3c30P?HomxcdbL=B!s^9{lEUM78NehlsmcXl8*+fsU(2naoNYJ$bXw(>}SIw@NMEY=@wS!NiDq;A0>>rify|e z+Q3zOu|iR?ky{$h)hMru8=0+ntneHTno&+{^{z}XYb`&e3Yirnj^XvJmP92uDr<&i z{Sg4zPQ(3#lJr7(OG$<6e25Lxa2a&E+n>TMWR+c6Fb%!kH|AD6$FMcTBhZkxOvt#U zI=jAS(1%%aeQ_j^IbgScLZ{ec?J69)xIU17Ek$A4UB;*o_%DoO=u^sQ3JN> z*iK3;0nZwF)PX`?b>=NcV_&7Ufn|gf8hm7>P(cO$qscT(^`v%c#oNH0e}tda`e+s* z=?Hq}oo%kqD?yW`=O$q3XM}$3-Y=jwamfszmNN`FT7sjmL(Ew4+K$+0Edm(H`AHh? 
zg6xE959q^zGdrnVJoX52y>52LQIZ2VnXuT+I3*}@ zU3&?g4mwAo;$p;P(#!}1RFRQ1^OVLM3-yH7#M~c1V6YJ1^TO7v)+bS44@?}CJa7&1qS1pOz#ZZmsu?yG)^!ZvZ+UO08C=$~rRg6Y`P zLZ^F;^aU8U-d?j}OUc##*<2!f6*|UTLJN^{z*Qb>H^9(6j;AoE-U zL52?3t05YY;B02HR$!GQYARi#FTIE&xM$ihhjb!TAum`?QJ|L-%QvLalp`&Nf+>f;*O&L$ng=@(gCmwDkLwoB>`V5$J%^^bH{$Vqd7ZZ+D2&khKK-zM zj!R~sEiudQ#hl>;=aTd_nbW$ZH5qz2o8k^lo;iwcZT1{^quGIsZ=ahMVlvXK{O9)^ zZQ@LMQ6$h62#j?}22@T8t9hEo`nYrF(JDp092z3?MCfHSO@|&bpevDfv8;2;(Z!=9 zijS4Znt)3-Nnp&I*~{5h zP~&Jtl_P>yAJDtH&2GED(5@vcLaObL>-Gfup#^Of@MIhXgP}t|&E&E`exm<;Ki|#W!$iNv=J*@D&}RqP0xOG~ z;3H$y@o zM=`Xyn+dWj?T%=181y%Zv=xHQiq3h`Tc;3F z`oJt4FcMp@bpXm4ullO-{q{WTyvE*&t!_Mz6MslfK|V)o9G@Ja!+1O%229+C1hxyq ztZ&Qgg=?3V0yTiYCuu>)#6ampe?D>{AXq!*L59?7IK+)62)Zv{P#5{w>>&klZw*0Z z;o21nnb@;?fG^Q=m91RFsCTE9QVD`PVj70z|Hj7+6V;A?1qg z%<~L5t!O447;aMO)#I-N_(TE`vykw}w0e;%AC^-~#i$c3(%D8Or{v;9#=RKRo1!QC z6?ooLlyak!q7|GIa}FqvMN!NeHNke*voS@nAtmYa{ zcYC2#wq2A4gQBG;{(!#4GRgChzOf;$N=ryKn@~d_HD~iH+myr7Po%akbS9G-Ovj)T zP}p(V&21?WT5!NJvvjFfW= zo@BkNAZhP#EYEb6c1w&`gKGTQ(RRNe4WyKqRfd1RVG)Nj7a+OiAZ{WEqTf|@iu5Ww zkG%Tk$|omsLkLGYb1mFX?CPr7(DN;W3>d@ytl1Q_|3U2H+3^fNjDSU4+yt(H#o#clZudyzieG`(n&H~h_$MK)} z*D8GTeVXwl2=W+g%s!`YZ?IGrNa;A+YWDlXV(8AOdJc6A(q$Y#m?sP}mpCO3SkB@t zi->qjm=b%X&gCcfyj2hy;)e}Ye~mwuyz)rQd8y5V^YLNdq?n094 ztk-uKK2d`>pT{ZH=0%9QR7481UrymK6>NjUgxUz@<9=rpEOx>P4By&i3v8TH3I?H~ zO;laKl<+z)&B<@oB%$pS+J5t4!?eQ$@uE&il#iz4thik5tlo;U8)@Sf)y-Tv!`P{mps>YPu8-V<)z!a@UQYZ2 zKh&}kk$Li$@ceBO~sXOezWBq)9(B%_{-=8*WW+b@a660bh*i! 
zS!0#%v-L^!^5J7lgh&Ep+AAAh+R*<^E^7sv?5Cy<2>-{9>?CxK2Cl`O_fDilA0V0V zU&#bQR}#(R%Xxgw$MwpTJb=>8^D0!#E89(@No_sR1V%+Yo@dz!;mPE2JhsA3pS6(9 zurk~7FB1LD#e=JvW%0vFCwS%R!8)l$bqkV=>+kxM(Nm9_=^wUgkWUA?qW*y+mH+|< z?PFHOw`h9b!30h+w1FWBq=vuEUDP#AASMd8gpisTdEM}U+~H~m%&Q|Aj8Vcx_2c8c z{g-KjG`ZbG3Q3X;@Ewc|DmF4TFqO$gJx)9sI`I3(UUp6Cx8^NFryUZ#LmVnb;B!me zk!c|9%~=o1yQEqrDU5=%&F97nK*~9N&R+q_H&_uWK<~O9tRJO5Hw(3Pj>A?9#*sfR znvBdq=@w-?IlJJoS=Aq;ea>xhD>6Q+N>bRqSGO_GXE~c~-<+A3iylEOW7Iu*d^JTA@2L>Q&d*50d<(y8EliIKg# zU_FGyi?;ltMkRWhIl<6$cm60{-dn7;NNV+9>wSLXdJmZ%&{s=pvW;CNETp_9^>DFr zg0Bg-tuD5pHIJ=eG?T%Fh!~R!&cb5b)lT#;!ngY$gkPC(*Mmc>h*}Bl{T5m?h1PKi zulz(alCVnr!T0#EUtyh0!yO%MzD!ptEkGHW|M4_q`SC5Iv26C)qEPBOl3>TVe-Vx} zP~hqUG|mS1o~5l&90lt&z>Wz?LiZ?pBr7)}L9m_8u~q|W$6_74Jq9K!F6m~ZaG%#N zeaCZyDN%NK-u{jkUeu=5{P4+%KpVeghU+XNGf?6Wq74=E^RlaB)-WW!DiB8J=GTk` zU~WOCg4_=!Cq2pq!?QlsOz}RF%FgNCUq061^wS{huky%HCm%n14wA1X+BKhJER3tZ zNpblCbDBN|pWP%F5+-J#c930r#oXfAfIc%j1L& z<^a*~08D^$3LA{bzuv!4pn1I8E}aPyndlBCO^|a9hN$4Cvm5PJSsVP4(Q3}v zNQSZ=OqS!i&_w(zmf6TP%-spA7EB$fN->KQ#k^Ox`F^-|wA$3Vc2rqp(|hF9Pa#Cm zn%|h8xiNJbX-txhkTJ}UioqXcDy1drVFS3|W9=AN^E_)@;xBmAJQ`iE?;?p!QkAOx zLjf?xU=X2bwF}6IhQ4z)Z<_lUeBF6&cb7`}beC9Rq<|>r{~3gJ{~d&Zt)o67DN=7T zPy4R)H7Z&kU%I^N({0)DZdsK_RT9ZhAIPOO%&EG)kKy^#w~EGls02d{HTh$mL<-K; z8aR)1E`v5n!!rxDim0m`lO()lmI zF)p*$SYoVAJ`tn~0d?Ee+MBq}RCK$2xLINTXjM)1K*x?l9 zw+9h$;Cu|X#YRL!ah-L#KJUtJe2SFCuH1?5Ql1==7zqAqDSfdqw>}ILhm%v$0u_8n zV}+tB;WPbPj+I>wX$>341ti)1p5vmobAn~&J21+=@kq!!2xQ=}WJw$+Y)bt-hI72x z=YyPt=c3!`hvSdqbE|FP_a;p$3ip`X;hn46QbjKL>2?Z-XGq?h?u_QvbRMTWGEto`t`))sM-amG@3FacmMlS=74B;WwvMutyrPNWSZ8i+9l zt@urfT6oL`MO#5$s?K4|=={bZay;h==Yi)1A3!@k8JGxkiV$s7yD5UeHkW{}FK@{= z>|UsFy8Sq5>79de6#oHQ$*u|MJnsHcONgh!;9nk+&2HvmGh!l&^ayu?S>zC{ zG(!T0ULGFPfs@V5+wFCnvW|fe0Bjx(2_wQA;t6Ff_a9`&q620|q&aRMelXH4-KWLA zSu;`Yf1s+sUQ+w_?f(BG?cMpAa`MvgggCoLISro@&sp~Z8G9LAa^HU3grB>{NbM2M zv*J4LuG58kPRId2s%X)Eu&eOJMYDOJ6PLI#vBh1BHR9y1>1#ZIQtKnTj7G4_QOhll zVeWi_u`P@oi!Q!o{W%q)=+2^x{1!_dz1~IQ-C_9P++ixq`%9YMszm8)V8R}smtg~$ 
z_X>l&^WixoahUaS3fP_;%wH`+C82=gA@+7Xx){GaC%mV{xO z_}mn+u|GI9_DMm=TjJrUI3UIw8MWbwav^yKhW=X3a_$q7*V#|(`Jbpn%d2c_WS2({L$`G0-4jE*2LM4!-rp9~khUCB8d;O`52Soo7FG0kk z(=-W*x*V~rKLpClho&(6p-!C%X*1?~?zgX>39UrF`fdSLFqM zdU~@F3c=rGrpPJSD@O&yn#R!iZ}F07W#>0?9jx#uSU7m+FOhi)J%wBP$d>|ts@x@U z%5Nt3kR&l2;%h{Ucwwi>QGq@`hdFkoekohS)=Uj31WO(AU)nOWL4ByE4yE&!b^1s` zWyFYUT3xA+%ghe z!;&cF$A}IP_Sq8vBusIE?JJX3!4DBrnti-9E}}&ntQ5I_oL1?*p6B0nLg@sN@%w#d zRt3OE{E4ph{V76V+^F!?WNeHENy&JjQ2E0ig3%5_+*qFDgoW~65mi=Y{DruM4JKNS zs!q&QO1QrQHtldEq46q-EliaP<}PxeUELvEtOOH*I@Ay)vQ%HBoV88ruj*U`{Xf;Y zz}eXP!*(P~1B1($i1qAFuje~P(biNfb8D%If5U3hjQ@z$3e`}5IVe^j(K*;jz@yYH z7TxrjCkANp5qJny2dd?X&_#PS8h0~CK6IgN{_pbKa^8CJ_={GUt;pO}!sq`oQ3QPZ z%S7>etSoxD`e&2U=xhmUUKyZ^gY^B3m7wau55M3Rq};B^wXohWH{Ys52iF>G%C@Bg(%2aR!yL^+$E*bCG%4!3 zO6j*Q2$H>6{y@C`H`CGxyn#rcbBJYmVz{{nvlXXO>H5q~WY}x~z5^5OQrYFmucG*1 z9B2RTj`NZQHN{vslL)Xgx+39unTS#Y@RJ( z3kJfrm<>f(Bq=+L_>&pW7>(`7L$Z6(jk*wADb=wEin~uerWwr{B5g9!8dgLq@Ra24 zaKuV`k9!L3kK}Y#H|WNM?lbQ#NT)qduQ;h?oh2Q8Xz9Y}IWRPZTp3wO$vuIY`nkr^-?4o;E_VQ>Sy{+TFKZ4TM5aP>DM;J;Zx^ zXz^QKX)!-N!$uHku9-(jPCt))NAeDX5Gz)i};Gdya+<&=W+g#&WX)1AP#)QB9a?e8euhVL0e_z-ka&EhRDE8m) z>xI6A;#qmm@xj^KSEwwE;}Tvk6JHn0c7G=9E!GQWodgjxP{2#cwENx;box4M_+4S|F z3-SZlw~z4I5Q)sNQ<8t`q*6_^&Gl%T$*t`fh0Qyx@5K;*FKndY_V($thuiIh^bUv;w$Gj$Xd8_gK^c za7-bbT6#Y=3o|yRdq=P@>j38Ey&qG4ek>_8cY2;M5{};Z@jM{v=-wtr2Yr0(r_mpr zlCQhl%H1FLR+sjEd^ptx2whUW*DThe7%)rE#s!9XP^<2$j7Q=#V`L{{vG7~V8@M2x z7!D{qjxhLT7Eh3vdk>)*yYQdBfmngs(+=0>?(D?0o0v>AYzPHo!mApEwCF>*Z{J>5 zCk_Y437t89A(f}eBb7hRp3k3IYiHve^hfH2FE4>|abL-E78=PSu(-E@irJ1zq`T@sMOl|K@6$62>ETs_9kRvs6 zeVMoId$X|k{oiuwb{06c>sZr@>3d2{@ygn)-lRF5O>&X=1D~e*_USBPvFy33z!+$g zf#wWb9yrgO%sLk_&p6O zK$NZMRzb6+>g}Tj7%TE5Z1se%tK~!l)0`l#wBh=_lfjGr^qL6a*$Dcb5p6G>|9$X$ zW{-ZQ>umk}*gsjK;$?7WFYRT*c&GY=875WA82o++^UhT2NNN^s7?W5@y!S{FV)B0X zg(1|ab|8S>;l)&4*toV4<(NbgahuRjo72qi^%$9)*o zVx*ukGcmx@{eM`k9wfc&S*?YtvePxRx6?YA4LH8D&$yGikeHu>opx)|JS&{Z6Yc|% z)0_pP4)Pmw>&O@F-R_h1*Ux;PuuXPuO>*Dp>ZM=RO8604xDF?U{+|84YB-q3kMQ?w 
zR)>K@hk*v823^5!`&3^!7OoPaa2|3W6LZixKCQgNxx{&x*ED5pm@n! z>ez@xX+5TJRlcG6k3!hnDLstQ(ObNwsI=8*NW9Wsad|l~BW;!Bk27l{*#ouU0HGXz z5(ct9MP8~Qhj@tJFrd`BO?qX~L;h_b-t(tV?L>oqI}5gQzQl_TgGEdFGQ1DPQjG3p zZf>{#_U7#5X?1l+|K(8sGu5hUpPD2lT9Tep_m?!;IAG9CZlr=^!@jMdx!VwPW8%Jj z6rq52ID5Fk*}~-D%w&gTVEx7@s#v6|JuRAK(uvGmUn8$V0}3 zE&S-FLCcE%*3HuFron9u?74(zNsZ;L*XDcb8 z%mxq+x{jRGsfW;2kmdO z+8;VeLX%#9>~rAg=>`B#Ao!FxgtyP;5(bT4Q!MAu|n; zI}Fr!k}=6B4+#k`QAyV?D&iHVx%QU2S(_?dbFFz;mx(L80m8JHE$lE`C{(G`dh+#; zMfWDYK+|P3v0BF(5=h)BA?OcM9?2dNULtahTzHj_QG#e&Zl}brzNSzJ1$r`X!S}=G z$?PlzA8J!e4W^)ObdENb-ywb&cr2T=LH*uPM_rNdlQi3w{hliX{?p_ordlZW0_#!F z%A!{x_!0>=vS(yPiH1-Dv$XxQR{r6Zs6U~l|Z`%`l zPqODt%L%9^_>ObB;8KBQ@;m29Ui^fZS4G0>@AF#ErB5sj1U%+Q&bEpOMVMH^k#OC| zgZaz1V1a5T*kONnFZ#t*_Gd?HQmlJ^g+;>G%OTiM5ru94`cTgjd-`eOv1V@XmUb{x z79sQuKJbos60q~g`dHfKPj*KnlOMxKLFKsvrFwRAA7*lSP0-64ubSn61NBa>Pti44 zhKN7g{vHV!5q=wI%78%S^Y4??fn<4isA^h5wY&WEq0SH>8nnyMSfKxfKe+e;>Hyh6 zt5kXHudS?Vtv5sLk2qCZ!;BqPK*3PO!}oP@w^WT!ypr5tUIX}7fwK9F?{v@v6YP#= za6;mU-WsxDl7V(OzCw%a096R6kA|+1o$o`1epKc?7U?+~h{!g9h;&ntc|nfi@@BhyP8j{4uUE!8!OYF)-aSgrKWGaS9|T9 zN*bST3~<1IP}ri6d_Wy5`2K(upZ?6G?q(WBo#v9PjO3LN*cV){Ns@+N_ y?-sYC?zf{NgF&*s6z7^x^vPbm@Ul7}kE7D!tf*o_@Q;nt-nX-EKwu0|VE+p`sp6sl 
diff --git a/istio/helm/istio/charts/base-1.20.1.tgz b/istio/helm/istio/charts/base-1.20.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..b492f715751cd56bca97d6cf2de621940dbc0508 GIT binary patch literal 36806 zcmZU418`Z`6mz>uRP7`(w7Bf{&YaP`eT#6bRT=JTBHpUKS zUTVsY0#fF7_8=EMz@HmD$<&=f=XL!Z&pBP!9TWklSF6fHG1z$84$HRMm1%!-*R!*m zNYN_)WQf;GD>YiUe?4Oh2QxHAQ?O|>v~>N##pkofgr(}GM2q_HbsA)McI`Z<5cJ)t zIx&1Aoyijl_}YKoUI+SpeY_q41p^)M3aH+K^7`!AJq3O+&JbG@zMl`*BmbrzCGs*I$Q;VkK4mv*a5y?8ACB4Gkd!RCC2W)EXGg6AsKZ;tn8-G z{eEK~8W_Ea-kIA3P&Sa;LBIf~HsuDxuG2oahI?SVWXIT(1qlB=@NhzifBQGEt`|7S z10)v1O6uI5yBz>E-L5~4W*%ZlD6~Z_7PWMbho)Pqh}J^8)vC8m+8P)B4H5L$^fOkR zZ9#6cak7WhwDec7xi4i#W{LJ6aAWx8=)=r_R?Q^O==s_ zYC}Or-n30|jznwoTZfqz+`;Bx3`w+=^@2gsj)!E5;$v4O28|SH9(wRtl{-zG3h}0uh=^H6G9q8) zDHKeI1kBj@EZX@0hI+xMee{##y3|+mPRa8{G3ykwCX^~g`-C*8Ri|RHzHH)BsTzoSA!u;AUV;IU9tBipm1b$m>*ycj2w z$`xM79g?d?`vgI5O51TBDdwVdaUV6s761MDdpnW?OUI0XqlVVeMK!^)^jX!pN@c)g zxDf!6EIA9T*zu+`nYuE^$n0f@G7KlfY}H5CjB)F!4Vy-9ReP?Lj|np3(0;xp?ZPT- z{>+o@nLI~2h<=`IIei}H263-sh#~?mAhHy53BVoQlaX-QAdk< zO#Y}t6uTHko-zCwU_dU_V@J6DtJvMgYxtZ>JIf`SPo8e+OB#DsFd5r>6QddiX>DcM zrQaPxw@T_`L(GEd(X>l~(Z-+fkk+13?;_+J;KjzY1s5Pcmvk?`wG?q6UgedGL-up`C$O*n@7qI{bs+diNwi19HF6q4wDTmWYolJA9K?! 
zFG-Y;q4A^7WGE2F3cPFDj%by3OtU{F1k?}Gd+yCL{JO{k>IpTWWZlx(_?|2~Bm-3% zS%GnGM83p3IY4HvPoQSN%V3Q2mr(e}J~29#zQ~RYwhP8F+89r{*#SL}A zDmuH$q*LY%4X8E-z`%>MF2JbBtbA2r>tT}bY2Gb@d13EvOH!%tPzqq?@JAIsQv`2QG zJE)_u1Hu`{t=%MD>d~?y^nUIO3M(N$si2qj583mmdG~7#IRa7#rn9J}Z>vAs?#1JE zH;~#G>v~j1NK~DnuUpi<@__tK@3il?Q46j;*t`tUjfYT47!Bdx!Huz;nX79Cl}ag@ z@;dU_wU#xYacm7=G3$d^+l+l1s~y9&XI*YT9CAk^tqHvnEB+1mRRBDa>@{|5kClV|p1oRPFBJA1_*_WY)8U8& z2^wEj)b??C)s-n!G_&F;52Gp=AmCd}@+PSTSBoM-&yBPpD1{(D6uk%}_RzZw;a;-o zSJJ5VSd`h8&g<5R9Xev~)G$PHPRTSX>if*tFf7~J$YxhryOdZzS~%h?E@Ivr=T;1J zH+tGpv-&*mVg)*UZV&4EI^mlezOWHlPN@2ifk0#WFW}%kaWC;Qa1_N-K&1i2aBFq^ z?f~ff{_8kJ=<6}y;~MDqvMFTniT-t4r^sc0=iWYxu;(aejY6>Urfm^BYR7BJkFXFD zmm=weJso|kd5^#)r)L7^)`el2Z)1z%`)2gBWld|=2Fk(ov4R)nFgfLrJ9GA_I7uun z^d8!5zS)YC8^ttArp0IO=-qM zizVW42wA`x7AFr@=ntgY9K@5Kt%)9FObWY5y~fM3X_BN}s0_^0Ka3RG7euj&!9I>H zOqGP5*IU8Eeztqryv_s=+2x#fw5bv?LzD)#WIIy1??T%1h^Ga#+L=*3!gB7K>yLdo z++U6Q_4h&BoC4!s4GDq}@jz}afq4Nym!Cl3eu7Z^J&?87ONNtKUq2y*$g?>3 z?q#tZ`YO}%!k|8IRIx?C&aDrd>+dAN{!v*l^h9)>@{F1=FXU8o2D9S{TLx8+UIGAO z6uc8@I{^6itJbR%#d~QmhlX!eA|A?_xR2hucp-#iTh}M4)kALPcSn=wf*o}1X#{}4 z@k?3lOWJvbZu4Iw*gu8O-I6J}Kq&IQN316?6|ud{3~JQmW6$<75VVOUTv|5)IYwvQ zvzlB+X2y;Dgh3ol;{hJQOQ^Df*beWVn_0mFTndU;mW7X^IbaSf%^YrVk zth(hJNtQc;O>0X8q*_VV^eA8Js%QI(o>MRghB8XhLG?k`B7ml^OU+Oi?* zrSc?jq-kS!L~HpY;Pwoexfgi*E)N6_#~lAB&|brPdd;wZ{d9lw=CwqBN{JNz%Q<7Ybhl&qjSH1Gvk^%!}rV``6ZYiG4p@&-vFJ-0zp9rm33o`<>50_6 z>yulPOk+64!)M2vK+FFiUU_%WemFKVZ7|ESqr;#^7Zbo|HaJwFA@Gp7=pQ8U!9JtG zUKRgoO2PhlKZ1PB7UE5pU{?pQ$)lM`+z5)B z%;ilY`{wFzC;@`pG@bM2K<(Huyb(Hu9gu?Vk0W1o6w>{ za~SbI^t?&TSzFkMt$7Lg45XboGj1x1QT*kGa^9qZ+f>C}R%g)jM&7i#YVlY{@D!1rBhWD=ks~h163Fgdv`bGsOyi zXo!Hj*ycshPm}gGfZ;(s=w=#nDWmc@{K2RGYNAb_-XIi{ox*@#m3WubI%3vp`+KWOH_ZH=o{_`a^T6$WL&L(WK?I*u~+& zBS(Bhmz+r9t*n|ndo-R=Gj5ad>tdM+VJ4b^KYA=Rtuh>ji~J^J^6FWH4xdbWzAZJQ zp*=q`a|8GV`nm;e-)~*q-5Vb95enqW*bMAGv?OdcYdgE{eyTQYm>}Bu-7l^}5ud2_lSoqgl3~rf^ z$qaDrZ|@>B*M%n9UtS@_KQWgFk~!8w)NGPu9137WV_Yds2d;jxX|d(pt?S~lbZmyk 
zQu6=Y$$PZv)K{z+wz0KooQ^uTDHNUin9v|@hs#Kx0Z@Qxk>y+&jhp=y&5Q<_R?d>O zCyFGo;OQ0gVejGb*?b#1eSNqv*?PNwT>Tf(L_f1mtjJ^#aN*lnbT9Jv#4_c<_D7O6 zt{9!p&xV_St>N~B;8*H1QXo z)a_4R9q+3*t{||Q2L(%HPEXGjx4o8*iJ^7#Qq(HdZ1NN}aIf62%_kc>YvM02R1pCm z;|hg}>yMH5G<)1hRu>@-?@;u?HuW7-RZ?@kH$*2;wGu|pA!kd$zY+wyZC$9<^mqs@ zu)2`ykhiNRQ=Mv0-QBvD(as5TG|5P^RW_U6u_&)a^=wNfR(SuoYeKN%WW=!{m4qqW zPmS2T+RcTYL+v93^JhF6^RREen6@4;2fWN3>-7qFy$&WYXhrY*Os_kmD#Ic5AWLgQ z&aDZ(FPb{~J)u>Mm^0OaW$ioJ`zZu`%L5)W`?|dQ-i`Ks?T=mqU+cD&sVIM68${_U zZZe_c;4d0O&oKdU8fI28ZD==yFbM8~!w<(rHTznTr0~)1>5Yllc~^jhH}}p(CEIV^ zoVT^G7XirCUa*8GUhwTl{}tpNikS;ZK`SU(iQ=Q7u%EY5|n(I)6wb=NzchtZj|_4pa?g7Ec)1_<)qe)DAo*#YApWw* z`MJ%~LTyLcI5{$M&tX!=)}U$Yfa(ET!ocw+-cm;Fi@ZiDwGhY?_oY_F)O}0f%az%0x4+WN z5=&@38*#Q#Nq&9W$sqLX`gACt7aw-vRHo;}I2@?O?Zv9gvlt>$&9Aa#kN8`E z!-VPk_1TA5_?E5KGE&>R*w-p+RraMAlad|J*0pDjP}qchybyEwSoAiwK5^cfh&$L4 z$ov9^`!`3y*K!52j{swv9ve~;afmn&Yc!{6)zf>`cBJp7IYk$vSO0F32|VI(!osZ_ z7)Ho$>egopyaXC6=4CDUby|y6-Q@wtzjS+67*pUI_Y6yyLYoz23_YXqexIFi%V<@$ zL}ZUn4b1^P;X%IQO(%*p=E;mQNO$X`rH{og|?U8ovq9%ajGUu|Uol8Y861Azr1V^KIu{;m_+M!QMDWgv)$8#!4g5x#Sbh_rP{!}%*n8um@4Kd+NnK!Cs@_V z09pwddroYa!BUu1Ro*DYY_Sb2|%{B1~5NKPa&~riN0I zjGpy$+Q39p(gRD_M3uzX2KxM=7cNI)IEW%+AFFb=#_0>Jegp z|GOtErqB)HIYaxn6z%Lj7&1fV@I$d~!apL!o+76Ziww}TlH5-KNw7@B{pZ4vZK}qt zc?w;8DaZW-3$m}8WrNd1>E{oj|+r*>sJv@Ie@!02WO=oD_3yZ^6Y_)a>S9ti5VQPS+ZX&KqW z8jJxtWr81?c8=#hI``Z;h+7e>dh36enOU)tW!eCOv5FPj44;$gaiD7>#)d6*uf#2IEG~# z|Bx#3qIjU&ZBJ!~z?TrV-(Ix1=Ddadh!bk8GlpssCEYYcNF*n`IEffGsU)@zt3MaW znDRL~`3&lN_{FqBd9-DR@|x8Jzn5;Gfz_m#7f*gE~6UVqszY^w(1N__-KO5Y{m_DwQv0X zCrpqsci@1f84H&*4yvIi=6M6sRBP1pHvV;h(-SRL0c9^uv-^s8u|a+td=bn-*w(EI zeap0dZyE6 z)3M5v$uZ0gNL(as{j-SN)=d{W6?}#(J&&+V3bMh%a$+8f-!rw`%Na-O*>Dm%vFVR> zLxfWXYj}^S$Mr=O{yWKeK^>slIeWTg`FlyC+qu&l!ypzIK%B00pDm>~(RW?%*Tz~Q z_eH3(rmx%1dqIC7oaG*Gw<9wGZzs>a(=Sa2wv~a?VyhnA(zD#o&P=Q=mEMSGKpfOA zW%xrTpaylN$V1EYgWzw)(EgQK8&6$S^U^56IF?jfp2;4Fym)I%SVfw@v)ksD2 z$93jDS$+3rVzuu|7$)tI*s%)cnVK0_58C^MMXMPd_S3^i>4vC>ps8X)ZhFT*(%J^$ 
zAyV&=M<=Z*j?v|mbjj6HBFg;fRz-XUydF7XXGXhwXs1k01&XJsNLMKN6df*We7J)2K+i0508F>gMBabsCh?LS@U@2Doe1jpeveshsQf zwdI!c-w711eAi4GyKQ4hw=8F76l#x&6`7e^U+1`pdw4rM{a&ZvS1u0TyuY5#?miVA zKgA7t`#e8y&+ZgefyW{XRZRf_0ZXt7mZ@Le$ES3P(GWGZsGiVr_G@~WPQ*rjLGv~h zI?MJexdw1W;VIyaJxoq^Vjz5z1pM##soaugZi_i;ZIIZtfsH{>HkgsgQ6$TE3LiIz z6Pbr^log)J643rHcf(1L*sEk4P(Lm(6@{O6xkn-K?7>&}s+h;c2Cs?eYC>%BWS;bx zIX5wVA>m+x&@lAChOXprl*J?^m@7b{pD@x;nNt_t5jGn9Ac|3Kcpu!-0?6F z^%X2IA-vF=-1VOpbyi}Byt~HIXto)eP$uBapG7HRNBOIE3~^|N5PpLuRMJTjPm+6*!8qRsK-OHBaJC2x$g%&W zNZ5}M{wKW!qjBo3nYX|NuAVjUtU>{*Y2ZXrAUo5f_STx{5e9!ri~tZWo5uqUn$OzD<@W{}ooZipbKP5eJ;EAA5K}jVS zk)YY2U#E64lu;hOhKoSA{RD%Sa&;J#ZP&o0L#jja1JA>r##puZRdi&$!-Yk97(&({F^hplFHy%L$|+ zkDo$fwTgWSC}(r~JSh;}(6~tc+nTl#p?lmXo5YF8^B&~VAjjNRJ$!%w>PuLsPpCr= z@XPCb&phpj&|A$GGP{O1;Wv?+9Z%7&Jz5Z9@7(z3B5;sZ*&aqekT^V$VofD1S#*#_ z>_(8pAdq#E&uZ>WK@bQ@GU3>96k2FKNN>mvZ=C2{mgk&un99HNl~M(iR!TofT)2(~l_-Cv`H~0%`PU9e=ZOL@LO$|!LIiR-Q%+HYPxezK;&!%H z!Ar5tq|BIMK=EMa9V=BEdP#WRAWRCXMcahQl|fEBO7e{(Mchl&owhH%sFqs(x>apD$vr>4%5=~ph zZ;2K;G6x`ckx;lIm%`j((@1YHL}QSAN*hKT$O@aes4b(cEq*7&!Y~vlp*Gmh@o(iM zFyb0gNEqkH2hw^gr8Py8}sZ=dU@R4MzK}DO3T$2$KKb7nQ5fs`%8w1|OOLjmCP@RpS5og_YPI&5D>qXas zNDupSPe{x8grBxUx{|yCXK4fynze8SROQv8ah?$`kOPftYB@Ks!u$3b z;7aJK!!m_saT!P}t+fFcT$`duDCTz*Q4}M8W2-_wNww)OI`eqW7BEYUJ{c z*jswt`lX0lJ!bur)(Hj-KYrpHtp7O8k*cC3FZ#1+pE1m@nbk2P z@p-Ymtynj0!0u(c48|@X)Z-%*5a9AMo{%}Zt5r2gdhYew(2u1`@n{b z)+A>}$JhYQQ3bxU-S|F>?%m9L z&zPo`8GLBB3W-Dy|8OiZ_e+xr7F*6wYo3v6X|M3$e)C1U0+N_$#$N%7wB3WRFGonb z1}cQI$86q`DB~qVnvq8mDuhz0@;Lo&0NywV57c9tLVlr~(S{R#=xWaMif=_i;U71s zYh7Ds-jGQF$Our{1opaDWmCm&r&PmMK;{Zch8tX$NJae@4ch9n!i>UZ|63h?}~OdR0INQ>Q7ywoV~PGxIkEl z25t+D(sGV@tFGWLiH(t^t*M^6 zG)^((i}e~YGu4eI2Y=R`qF({nt4(Bi_I{I}n@=DoTrxOt{(ai#rEA2&2E>*+(j0G| zXCF|azT5n^WfP<5uJ4=r1gip3J4BK;2^=XsW9PJ?kN6x9xdzsh71#0t35q5CItF+( z{Bbh5QYb>chqDLQo_{>}amnKj2!H%}PwGI2*|>ciOld{lZqO2S2ZQwiZ{aNj#fw_D zc0C(xLrS8{5l!fo_l|E2ic3AQD*UOJ54%6-mXwhaIboZ6K=`-lNN9RBKQZ}Q4iL{R 
zsrKhKNP6U*rZam^3q2D3uFN|z9N7{3CUnON?S{9dtq;{3C1Ag4^d@SXN97t$v9S#h zPIX5W`lmj0Q!Dw3^OCDjP=9E{UTr!abbw0eq?FGN3ZG4=B370oY_a~x^% zizK@KX%_8y7v(+uu~}I2U`ZNc4rV=N`YtKy7EV{O}1pE=EW*^ZYe2 zp@ZkI9zQIT|Ia9bFN)3ugW}ecCRYqE#-w^I#kp>FMt1*?L|Tj6=0-|o29v?96dCs$ z(#X;%!gM_M`V;=3CroaM`iEM;RbR63h5QYaA;9dZb9c_7mKtOS~pT0u{w==hI~5L^trTk4>TpCNx1RI4ATN-x&FF^IbGmWB?JfW7JWhDVVJTOkxs8q<}Yk9K$qWlBfv*Qhy9-Bx&-{4@54( zsGTHvj644YvC*J#13USk@Ji0lDRZvY;pN!Uew z5$6X-q+sx1EqV~*nHX}#u9N-Rulhs@6|ExTp%rjE)`Eb5^INuWUhZd82=iSKN`;v2 zN$DMm1U=Qh($+W2mc-a4{;c4E-=sSnm~m6W%A5~t2BU>8PcIS1!$}hj%1hc-O^IWJ z(~b_4?giVcS&Icx4N^2* zqaZ6Bqz`P>aWEfLo8&#vJZQFG`(Gv5vA$5ghFD8Pux$r#zKAZ#J0X%54mJ$xWLS#? zX8$kf`7k;DN7n9 zY#9sWC#4$cDFzn%1mua~B4$G1V)1DI^Z2GQz*5md+5Xno%RF-+wuRzhLYA9yKcK@lZGw~M)^Nvzy`D`-o&wJ-J&gO~A8;cP_pkwt zs+bNyDnyjMk~57F0}NpS?EL;kg4=;yRqT2WdkB62ee%Xfs8%!dbZi0rXh2AfNb{_%v+L+oS-xoK8k@I| zqnEzg+}uB^z@5MPlJyC3r2y};4p~(5(YJk`9QO9lXNms@?d%4Bh80nsjnrT9^ap&4Tqyc|Cl)dwmn%e6Z^Yt3uscY7Od=_38mh#h5ww z2$c%jWL><90@<8QijgNYTbvYbz-n@)PIrPa~bw{{uw&v3+v^7Fr# z6+Dt_Nyr}ireX|2yN+-Ri$z^d*QVnPbchuJC0`a;+;co0j!s_JvMy<@0 zLVZth;(9yhj}LDLipPRiLH|Xqq(tC+yMA{6MXdmV*j$zWL9Os>YTg(>e+?%?(f4F@ znoK!4S4lKvb^O3QDxa;=zWl|H)IR|BWQKmIe^Q$nHAJI-`Zay{1|)eB0aTG8DObSE&+PS;l-Q$l%Kn9=cSP8m%jv z&?Lkl{0#PZ!u#D3@8ax06h4M>y@qIX$O1=7*x}Da&~8PD$QOGbUQRu1e7;{*ot_`Cz1ns zW87UvR2DY#hL_Bsh=;zYM!85GP0eux4L=Y!0eVX`^#ZS$+bR*Hr+3@Kvq+=lElM3$*;^+Di3J+ ziH4WDc|UnU!blP;Z~sTBnnU-$avdXZ64+Iu$2$sCXRaXM=tiw)0wekw|K_t7Ffj69}urSZ!|)-La#Z)g9igw_U4yV{bUHeNqJ9ulY2 zlEq#QM!am1GqI|~+$lYIl${@(#+dHLERa*p@%otg%&sSk)4tVVt+TTiFDF){kGsbK z6G$bzaEmto74B#!<9Mamrddc9w4=|VDjrZM-R4+3st%~XOvzXgxlH9bcm&)o7}u}H zwA?y1qO|OyU^Sqi?i?e+Gl%ARXx7ocs_<{zrjSSP7B;F{9 zCpwG^J|h-eGHvik+D5Ox#6bL!(D|K=v=>Lxcq<3@L_QRXwc&RS zTF^p|9xo9Kk*32xJnzx%G^lfQSTe7i8q+xB%g%ezke zem|axy|^cT|ERV3HUjrGGRq@gJzh66%X3t6`*!ec+ei9s+xA`SKW(*rx79~W{?0G4 z{cTJkN3?n@eHQm$58s`@Tfo9yJ(hg(df32UJ*NMz|LyeK`IumWva?xU-RXCy0}yjK z|L^~8vhU)$alrtlD}dU8U||YnTVT&&P??7MSo^D}We!RW6=v{NfMT!d-~@{Fd|(OC}AN} 
zOEcB)^zw6z8;M3a{1Z80U~S^64KWkt+p=AsGmv_raAATG=Vun5Lrl3VgivUFGX5f1 zdM>kE8rZ5Y5mzJLd19r&Z9|EKw8KtmQf*u!96}Y$SS^7sAqIncq(qyokLmetYWJ-U zjX61@Fq~wsfaFIbzsWN+!(nWLf*{Q^+r~jbF)tDkp&_yHvk(+B^Ai*=pKLl#6Yd%_ zcoGythY~3B5sVQWa7U;DL}uTy6QF#bUm@wb*Oqqeizp-W0s* zH~S4QU~VfI*N=fM$hXp9Lw?IM%DY!x{&mz3JwQtzcN3su5^vqM>bMWgsA@Uc6fg-vi40*!lpD#j1||#zW*73%v}N`NfXk5r3tc0iv0#aaS0U z2WOcg38(7|&;@ulibm{E5JZSm?tc|phA0GnU=2zd1-ki3G=UErDzhv@Bwh1#?blEI zr6!)ykev!PB!!Tg1e+#L{&B$)P^2gP`ZG40YYN)-Se|WEusA&kPm_hX&hLxpvxR)BG>ja)&w7rNg&W* zL|bBfB>mJ-LdochQF~xXg~udJBAO9=snI0i;+eo864ncpBrzQGVJV`ql{nCb2R+%M z8a+8m0Jl(KT413(WG58pBpj8n2eSY)mB2(g8Js^D(QqhhGV&!=Ah_Yp-&Fu_C|Vpe zmt_sY@yVbssKVYat&2JMnOk6?xsKf-CKP|*QSdGypMIB4o84ufZ4kNQkZ`CVn90^w zu)CLxfOv(r79V=0(6T2YMo=z+kgh57jzf+4mvae2QEz~(_I(zrI0eo|^3;bwo$xxj z5@_jakzV#Ex)>=wpez!Syk8G&j`0gyr4o%vG`6~{F*FvRXuP|=CUzC%4h_t$GI z<2k?&8s2J!sbDVsk;^YZNJshC%s}Rz?LZ10$>x;|Kr=PA`r=Yc{?iiKYm?%HZV*cP zSzBXsyv%@^)Ix3!v#e#aCQzcone|kF|6`}@Xjd24X>;Q7|6t|;cp1Ic%(+hui6!Vo zy^)tRMy>Nf&)Q#1uDWxLJj&@SAdfjxhnFD@2fsTI>n?vkC=~xoPEs~Ll69`Y|iU3r4vQ99Vhpl{?{t2C!O(qkU__ZoIAz{ z!z85sNT0n#j@$ekLZUxuf+zA0E!5pxl-T6`7N=wrqOavs=FJ0Q)LKwVJj>)9X>+vE)m79KOTAXgI~KBP&>c-#gpiMb-a z;&{`qwe?{csB&hzWTd}^3;zHA+H5kzb?di5zUyP!H`RsQOgvCh@;D2kYp|HjgM_eP^)ZxhKhGjpGzXe zYphdX@Mh#IOa3s3eKZG;DtY&fNZGE?inB*8i|0*_z?>?b3VjYAgI5j@vNUgFzAD!eWG9mT zGo4UTse_)DvQW(GAO-Me9B$p{7b*EY3fU)OY@G~A;?Q9(icmB~L@}!97ZiRT;6{qv zt$LQzJAJ_b5D(rOA*2~0HyN3)2hf6rYcXNw6({!CX2FOaoHF7UAd5q55OrUf!}G@j z5DyqHNA*KJ7DOyMwR2s{YDtmPR?i`uT!6-9%=Yy?dg4aOJa()OV804SE*3Dls(Qf` zVWv3KT$^RwkEL%G`jmCWt=5HWs+`1dv?Ofg&aGWD+$JH3c0Vh771mFjBE9C3&$x z!=Q^c*Oc+%f-4RH8sA(XfJoHK=?WfdMO$#di#A?&J&T zTn(Feu!^8WX~Bj-P82dbM1AS(>llc-0{9yAogET81;RVb9v&Wi7|_M=+A7FC<9z!Q zG?_0WPvu#Ca5}lF`~8+R1e~!XTtpb zouabWp0q@OSiEQB$rW0eVGoa6C|LKlbxS3b?ytQ5!P~ch5QM4ods>&W2U?<4+{HrL zoLNbGmwg~q83o$OG7#Kg)-bOS)>{=`;#8K`R|E`PBs>s$-p$Oa+$bd74EbBMMfGYG!3rq#A;QcEp7-_ti!5F0KRi~#?;`i$=e77J7cRutDeyhS=I`EvI%l5imr)z1wGU^f%+0lk>CT}jH9#*UzHz#VKy_8 
z2!coXA0^qxtg>hnXQH(b2(8piHukc!|P2bV!%jTlSR{(pPQ$i6L}2;e4+F#uuh^Q#S<@JTe6E%VQ0n z1-7(7IEM=_$ONm`AN~{7q6DYk>*!CYH&=!?wPR+=2y=?eLv%RY@!6d5c4kZ#Cu33` z*Mw0rxb{aRXklyUi8^8%0lgoFoU_gg;X+hcX{VZuJG!nn?XbefOKke>wk|Fs>vnZK z!xzd}$!r22v0Oc%N^3CX?x5qrYA^Cs;)0n`3NY~cCi9Sk^jVLNmrHDQ^~QkLHq2jC z!itS;y^F`*Ge)D9xX*uMRuB=~^Xw+LXJzAnie*GQxD*gx4<*c>7<&c-rr1D zuH(n+8iK2#2L-o@U&mXY9G9*4Hbla3{ovu@eOv5E_|)@n)QTMKpLxy4{%_QpM<6Cw z`d`!vVM7B5YaKWI8JMUmty62-(xQ^DKDm(r>!^IPSn()D5WE`aOF&aJq@JYZdq6ff z^#PAi_2Nl+oM%afh24k;(7sD7T{%3-f?mAQ(y%ikN)`%fc`MjpS8{C?nL!`D;!FL3aE8 zjiD34aNZ$V-jaGTO;=+07%@|ah3B&qWGVwJ(0pva!pN>r5&8i_UU`5}qzw^t#b~_8 zTl%+XxUF&FgR=uFBc_}b7TR7C`GYK5ZJT*;RhBj^#y`mmj8?@8)&C_g)HLLrpSA28 zq^E&{tYSd4LwX;bZK2nTsu?X|XW3T%(a|O-$I;2%vlUq?nA6BanpiuMIp)25zR@kr zCLQdzLJ1Wp|C8h9omQ+Eu6*lEli-a6)c1EB``wrp3R|C#bd}c8?@{n~ehB!XEc;8> zAdi(n;2c}vX+hT>pKjU)QO)s9sV=KixXH&76V7N>l?GiDBlRJ#@Gi3K`GLXwLac|gLyyeZNYP`t5(B5A9#2cc+s z4IwO2?+-8Abzd4Cm%4afN%n3NvUk$ui;1*XjV+A_7Bqb7Fq6VntuLU_MuqM{K4+s} zDhvJA?#fim{##xS)}`8rDYy*Rta5Qi6fE?MWU;XUX^>J`mQQAH!G#iqO)8n=R1Qg0 z=&?Jg>ilLXz0w1&XS=F6(-b@rLF|77hQfv47IKxLOx4q(85I*LhbvA|sK!gp#qNYE zVZbP5^@`UE6#EJu;TrZ*XOANnhd&peb@}Z+9dr+@DgL3L>cX99VE;owZOs0cf;trX z@E4U}LI|_lVH}H#fatCm9e(~{nyt%*Ko4hZ6Qlq>(HF-1R zm#&^jy5CRhg8On5s!juw25$zOLn7{>JTA!do9dE4Ma1=&1*Wx zD^Oofs;oR@9M+Q4CO&!H4Lh&G4AUT#6fmnzFjDhFpda#EnmsH^ZemkIK%t&>+1NE z{`-3NNrjf>nubn7K~=OwA;AY)B$l?V$*39BFIbt?1`#lr%sLGV43 zx9J=w1QrXN>@EcI@3QXoQL7(}ap-=D{f0V+yuE5^h#bYvsO!SwwOJ>3d~Oy8`zsU{ zS;@TP2PA)Tx^$bP8)*Zz^+XLtJNTch^@mYZ@?k`U8zl=vnWsoFi`)T%00k zcj_Y9BTHfEoe(B4(!R@{%}J+J*5yQj&EdI!?rd(QHk>;_ym5P0DxZ9BWJogca3oga z$6x~EB_Nk{h}=K)Tu_ziH(S7|7feUw`McMYSy4AXs7dJ2XpjlNu#J)q{V^jXl<_A` z-NY6?N_|im=k-hoBVxo!jMayht=-2zAY`rw?;i`)NfdF z2F<3mpG_vWzvQ&(@WU^-B_kkNKs|<}?+!b*Z8ZfUdsX{p% zQeWG4+@ee=u`cE=GqLTCR;>LSbo=CoC&JCke0yqm-l^19t#i)qY5npS2SI59FgLLaJ+V(%Jym6vjJdpm6uU3RBT8maxXsMF0?m@( zK7J>$JQ@AAe|6gQtzW zw%L)<7z){?OJ1gyO4!m>fvmRcvof`_fBVA878U@Z7XI z9w_)McUPAOrR1B`n)u~Sa_!8{_V*c`f&0BzpylU{oS7X%wY*%`7kekR4Df8~u{i2u 
zzL1`oo#En*zBtbAB+X6o_iq&=W7xiZGA-y)?_dj2Vr_kR>`|%s8Ote82=Iy`L4Izm zOS3zqct;&!(8fZef|%(tOL(~F9+|ryE;JnRDU_N6(Bg%QC7RVz|nW@4BV#UC~;=v z+Azvm^M%XVZU5kGxE$&Or61qWl%_IEkmi)J$at$<_y$G>8V%2?0|xaq;L^IS|*rhvIX{ES!{U58zJP~@ny~%ImpcBw#uw};YixEpdyHRtc zMg4-)Q&7NkQ&tE0)(_m8e-69IJkBILJf6M4CACejL(Eqkij|)AJxAOC9cQ@(088F~ zPNB87rjF}nw`B3CPs4nvnfXyhf7;Yn=nr#r>Q>R(_Ahf8y$c?`ygUqlJt$J!!i2hB zUQupG5PPW%>`!~CYVC+qi4no(Zm!MaE7$Ow*95RzONj%*D9Zo~j+6bgpL;InKQ<=i zpkH;sAF2QsZSNr;WO4bfeeCbSI&V0``{%CqIio#;*kkn|{9ow!leRR(>}c~lz78d^ zP7vF}QEr`&%i^284r_^3VYGL0ShE;f7^F@Z<98G&8Z_c|A5Z3gc<+zQ*3&9$Q)-SG z4ZfHLy$)f{Ek1`X?XrBXeZM*`T>4pV_Mg&amNf{?m-0@l%=qOl_aa5#h1jQfHx}oPm1F&lzKkT3DHu^f_iyoU(_MsAR{nvNfiqZSlDy?6L|( z$hc!X*hjoHf-$SFSXM?tmoE7sHU%*6nI8EPF~vpdggXnjs@zSPT3W=OqGmLlH7Nz| zU{za=2&QTU3IndpDmRh?uV8Y8)P=p0NWOb6ib?7!{+sCB37Gqh@`27+I<3s{ZEtty zRtmsP3tQ!uMMR;`CM+7w#V%HkHZ}&Cbu)t_cdgXDefsQ&Cfj2RV%YE6z{er25rQj> zy6SBNtl3s8#vUd>sCs(Po7FWKUi_j)#k@?8?L#rWT#oMdlWqD5+uhGZS)oIEykE`S zcayL2S!GmugNK++K;n!*j!i(ViqgeARi`TLwlj6QKinSqkImG+ko%FsTkt8w`))hN zAt}1DT|daj^ttc7N^c_y%RK2=Ww5a@*`kyw%j3o1;ovIEI3o+d+Z4^q+kUfXsjVc< zP%Yi}vGnmPzod!Au@yD-sCjgRja(7vm5!u~e z0spGO0LYm<)GrhF=1uTv%q*Er)$C;TIz1l5rLGLPK8;O3-+g>MMoei&Np)fNjsNcq z6DnrLWRoYsQ&3c|wQk+6)BmzQ&y`1)e^?Q8 zbPAU@KRL=>vfT{A|1N^F)TMgE`NM_+ z5}@7}y=S-~QA<`L?v;NZPL=$ezwDfI$xKIjrmSd6wtVYc(QIt^X%yI~-hUx7>k_YG z4IliZFk`WN@1^%QZaMXs$2_Xq7yIV$5ixH0+y>Q`&u+hldjHveaz#~Qa&wWn5-xnQ zv7Ko>@p9bM3t`oJXEjY|BMpCJ{<7K#hEM5tsL@X3$k(6NWoUW;LIB6d&AWE8-Rke_ z7k%?%@H|>A+1IkgrNaozUFm0&!;fW+_H!^89-J|7)T(m9xG`!kquYjgeNu7=p{Gag zDmKIXXI2q*DyrP9^Y5{34X2+GYs~Uk2at>6WwYJ{rmX3yMFXMR)3w7`hXnZ>MhTt~ z4)u}=Z)#%B(Snz05rUWW*nu07^h}Vgooip#W7C&u6yr(%b;3K?jbI&AjbR<=ax7pS z5d2#K@9@=*X+-DE;P*2?*MT2s(-qa=Gc)*E7&nXLyD59*`W2^C)jy02`S5U9qk|MH zU+a(B6-0WJj4e4j(%AiBe}iPvIZgOcq|Q3LV#x-mM@oc~UDB@#V;jAwEJwLc!|@-X z)A%#iXv70P9ky9y2?6a|>0ZP7*{)@i62UULpEKL7AiWBZuZ=^~dO4aL-~S~nYql+G z=DMBUXvp3EcGK=sH1gOY^F8n&MmiQm&M7O*6~LhP#pvm+^L4!l0z@@)Cm%9^LoHSK#F6 z+g;PTEu}SgdiMM2d&Py&KE_{kW4Vmi>fx22 
zhV2cwEk!oI3U9G34rEn8mG(?5PDt{#A1sS$@AGjrmPKhe-YiLW?X$|L$iSL2&MTAdbY{!uem?WmQI0&S&K$1^9W@x zdvZMaDqeIxudv`&uUv znf9GTLDjbvCrp&)FJ%bVrq>Tev4BlS3vWlMJ#*f>YXd94%DS(6;wdYBOLJOI=F%+ta;M9B^+uglLeWY#`|4G&x$yB1 zMJx*5)+572ALtB2R@&ELG;?a}`MkdXtz8`WK7OeJ1;*fbxy#@zgk3@sX`CtmDK-@K zjWSnm$9!c5@~Qrv1PUBN+i)oB@^=GgCS5-BlNKRGbiebUVQr(Ur$s$m`zA(i=YG|b z7(^G6NGWH)Kyvlcq50FfkJ8TTn9`wLSnw`tzCAWiu;0jbDrO$gVSsYZa91IL)K0~g zpQr}cN#7~gr`Vt%6`7zPA85qbRnE$|Bdr{e?MKi|J!n23`D z6a4&-Jg68EpigW|j5K2XgB6r!M)^z--yah+p2FP2Py}rEEG}L{oEoyWGe@3 z#HS7Cdlu-bR?Jvwhi3__G5>`Kw66a>jKRyXD9YX%SBy$!_th=wKvj@)P!kT$Z?v7W z3h+5e{Y+eIqKaJEgvwFjwA49x;Oq`#ElgsZ7PHUGXaEo zynz}VXqU?$P9c@KSt$azdD4Gihx~JfnS~*baLNvmrgLcyh1?d1@XM@~iKa{a39jJL z7r=;vA8TY>NUuTolv6*6a^Bc|jB}Gz7mT*VV=&b?1}2xx@e^G(2RAQqTb>uV6ZcgM zpLm1l-}g6Gc#mpqteB5#078iCzn%!!y@hK3WH&=7V9%52p!3P?l2-J;oL`hl9`^BJ zG7{-qxLDVb*0%u8ag95a-8+<98TJduz7Be3-Lj643AfVQtG3-?sl>0t>dUoJwC7e@ zcU60%co+$Z&8T9Vxcyo<20+n)0QEq;DQ=2L)WpoP)xooR)rXTp$N*Ee#t`VeSZtr{ z^!HOQjR^Q#GePk!!u7`zGn+;D-+J%uD?(hI+LkFEl}f98KgD z%acAr)_$>8WP>%j?op9x#D?m%9uvW^6|p82wUYe(Hd7;zTI(naXSK%7MVluIO5ho= z`1IlZjGym|xcXOooQ3lEINA5p&0+SPC&0N_!Hnc$%7Ug*f}G=R7dgso!gH}lwpUJx zd6xA=YqzL23Jv^}Z`Q(6j3)c$R_8f9JLr?vAe#VNTMRNewzp8@-@?TB*Q#yA&HWpP z>nnh{B?6v-G;n-mXKsy~G*C($@O2FZ_WxQ?{8x27F|xz_ze}6a{&m*T|5sPK@zwVF zd1OZj4$1%D&ZIgmzk1TR{9haN|8@5@a_QK}j^S7NzC7=L zu(fU76LP7vDdI;#t%y?t>!ZGYkS*ZB_YPnD?&Tf85W-}v3ul^?ndDw~3%)T!& z2t}LgKGIm|x@%v-TAgvnuMuYMoI)QBD@swL&d1ec_6zC(WHkODMFTYHCkZJ88$uHA z;^p)sl2ojuO*wb6!h!TJ8j@a?TA!)d`4Q#gB0;~ZgI_Y+4(iCAcxW9g;mU`jOjaJ? 
zVUC(NE`9vn}iz(+v@4 zx14lSI2%r`Ec4P*?Mh?dQYuyBI{n+s=+iB_1ogu6)WM<(mu4q(*=N2R%pwSFHWWU_ ziC(_P{phlP04p{M#bZq0+Bz!V2a8AM=atpb{}Y}JJ#?%U-?*MuZmBdz2??5P_0DSm zf9ioJWidlo0Zgmwhhgjzr)#=WtESOAWZkNVGgoe}s9@KV%b}u}edmN>3|FzBQXC3Y zHo+bj=~FUFnxy$Q{}LlOr!}Pd-s|(tLBV+F(k&tUU#t;~{r_W)bVVbmKMkecSI5P{ z)?XZ7*_Mq@F3*t$b^JQo-u}?A{9s|1SaAgeU&A74moF57E;`g~DYMfM)AmExU$gR7 z{VbR?eV)hsLh2~1ay%(ARPSeG5VMEgb+f6OKI)4Eo|L%lk{b*<-kU=M6!}(jg zpAfd{3kyjh&i3mC(T%5Rt>c+ao111wU{0%JjNcOChUd=o?#d@@`*M591UCD^xf1{ zPjYFRiOz8+oinBFGny!Z9%nLJPb_pNW5#8y(Wt0`1Pj;%O*Gw1Nsput8><^F1nijw z!3|d>Z#0C$>DAcDF;-V;)#|2PutbwM`)X!E?UOdH2jleEnRf8BOQZ#~Ym8zY7zZKi z!vo)4MiGEo_1de?LNvCdt?Fl28}`Gm*KI7u7{>|&b|kgC33hOo4fCqUl{>i-H#Sa} zVk!6vQf{qDhIY-_Lp&$eq{|dR!3r&hdQv?zY*ReB$uz)KPFlBCW=lF$#(E|SxqYw1 zN|5i(-={vUsDrNZtPqC&Skcdsgj)fjj=$5N%Z@KU@Ga**+6DAHLb;ad0 zT#l?B&F{fIWw1X`FRrk^m|Pnw)go^e?nwGAo zGrcc?qPA&UuMxDRb~e$y;%r(rmD)`!dz*LTbaS{SEI?w>W7lKNK*?G42v7i#=q5nKA|CWl&{btEUv_xneKf?CQ(Wkp z&7pt)@S#@Rb%xTiH2zZy?>Ytl5G|Bm=YDt%D5-S=r5FM7Up%ACT^1?k-m#i)pug1i zz}x)sSW={jC~N33tFgnkJZOJJpoca+*epTLMsV&NRWJ%vv)!l!k*5K2Hj8oop=w4x zL{sdjfU&JDLU+H*;c>LDDI`wl$2?SmJ=a}zkeC@=!!qD?4CSnl7^o#T+|A)&KC*aI zgb8rb+d7=G&_Pj)DTho z-?j>^UpSg#NZYFnacix%q-Kt@P9Ku3Gi2+HmXq4`ePf5(E)z76q!t?8NHD z(FP!n<@puz=qK{1qTl8pRcS?M%KpoTWR#zHz*Rm9MRivDlG}7>;puM|@GnUv4A`Jp zc27=t-8XJFS-MZLMo7PKNj!fssJa^~)Mq-k?3XIHYRnlY6q6Wf5YR;uYHsL|*VAFH zvJ_p4;82g71@CoGFYD%NH5&n~bgAtQF;Uh`2^!RI$Q76}fG@DajQCVKH-jin1G1}= zBvAGD=VkHMn?JFb5gGd@*0Y4RsNnn8-JP5>P6_&Kmr)gj2Lw#XWdPQ6A|qYieC{{z ztsGRJTIxfP=27+^XL7(gAYXeAYv%b_m017dH>A#?v^dAEq+JbX=}xt=>5(8#m(xQ1 zryIC>sZL+-Pf48b59((y*7f!|kzf}n(nWxFu^_PRRi#UTLHQTM=_GsldM)ZcRATdK zy|(I^2B)45qsF^?ep^${gpx-$n}-F1b^t&1)^G9!0^NE)GsC!0&iJ+I-r@b3%Ce!s zUF>!hg@Vg^BX)yqBK`nCZ4iI0nttA`q5k!kND$21K^@5%L@!}^Da=;qAmvC>i68ScND>*a5;n7CR7f5XwpPV!D%8w# zzu{^(gDB$18hkzi(_-6hqVi7n?j98kqSp>_% zfMM*=>oW85+v=LlZd#9i?ere8(U;uk&_nb>r$i*Jjm`n@oyPv5a2;ChO%BL+%i2^L z@1cQRP)DRxHM`aj6`HN$+XPp;VUBrHlCBa{9@So+tLmZ|o6jYk{fCQBp`k-WFeRS9 
zi4cBJ#8-ab0_VCum^y=DR}`E0TW%yaKPxymvjT=MrXT0`AI);+hAyUUML(0*KA)NA z*H>c8l+W;JxF>8XvNCuWt5uf5SHgBjDzSD4u9CG2kXW)Dwl8fq#3SFRJVN*RELRMN zy%)N10|zIn%*Y!g{MB<;wBYMN>ZIus4v$J#x7716m~4@U5c*mKu?iaO18cNm{}!@C z_bk|N37Tn05b|SG(tmMKkowP9=NnjL8}qd8SATb-4Y@ncpyeiEJl|6t2F4 z(t2{06-&=prv%MgI{6Ep*xJVAFjz_0u8KkYE^%e4Odn+DTt2UcuS1_;U1k{oZX!Y+ z(-N$&S6wv9=!3vs2Od6rr!DOqJ;?E&Xn0v|aw za{`Z`uyz7}p?cs;Z8o9<8LnT2-R}XABIx%pQn%|d9InxwG_5s>-O~U0ry}jJYUs{= zq}FZ7*1;xR;b$ImDTEdb0n&F8k>k{6%9=`J%=@-1Gh4z+1*sl;jOav}nv%N1F~lqd zv(w3O=N=sd7wZ=sL;Ag$y!){{*WHqnu2fS!*LnRbqx@?#cqd_mTP!52s~=AbJJI0w z4NO_N$1__Z3!e6!OEYHKbGbrt@I*7bV@>y)rgO6WzNfwlC!z#E z6Gxy)xll_Zk^(W&r8q_1kG$<@9R$Ja9yc+28>aIwUV6E)io$?^z#Um*b^0QsM>?bw zz2CpSvo4F^k7N@e4!<5Y*fjgluMQc|X1kV*8k)gtmM-d)kbH;V~dm z%Y+p_ML4(IX-_^DtYyG8LC~9#kB!dI>II?F~!&=kUq7V};OnEC*!_z(` zkNcq)eP%h&Qr7{P|9;f@|&{oh%Qb`G`VE54~JhU4Vo`pFsUp{{J z$x2miH8^G9c2=_5wUgb%evJ3ukMi4H9lIX8h1tJDi>uw;{Owu389KVo0D#x;e8&Tg zVmm-ln_7O?{^W5a`dDVu7TI~VDp;gVP(V$)?k}M$?YcQ@Obnl=*Oxn_8+=F;be$!Q zYCsya93n^;H%nErC!ufqO+&FzF@Crpz>m@CRsI?}8S^*#>`JD(KYl4=+bUy)C(MCP z6DR~kVS7-Y`7jEMD6}m*ojtZ~6B$WnG1Au#01f2;>8|^o%dF}m4aTC|&_Cqu6F^F% zpkpa{G*HyU1%3BMcs7M+nn-D?-^7f!FrBoUsC0B+z91@L5@St=@l(T?E|hmv@tH9g*FUsRjajLy06DN15q$t5fAIEQy+DAkSfgX0v_M1;jSh6jv zCW7IZns{>Jx2h^ogeprAKL!~GGd;lPn$jXKlhkB$R3A)~cXvKLVBWhTU(JxXOWPR< z#kaGm2|{V(#u6n3VRyhiq`q9XuX1ROcdnL$_|MTrWF_}Rq#YzsWzkAg$-t&k;~ov; zho0>%-KrG!g|9Cge#sxe9271o>-wB4UVFM$CTa<=~BRmaG zh$ALnFdb?Oe#O17cGbjM#)pMyc_pR7homrxL|O&ks9gPG$t?9W7}PWO15iF&%C`ugKi@@@A`)%i#9CYu;K zr(d-nQsUJ4mI|OJ7zs!$>|rF)AUYItf`y7Noc9$8I&EOvjjGkNT(%?F+`e6}%eU8u ztMJZ}=%jLo#Y|3Dp3HA)_pUaw zBIDAj*V1AV5kg%f>j4qq+0uIIw%ZLS8AS3!y;xzo{sD;nd5yQTv*VSWQ|w`=;zxMD zkW<_Qcy_o~4)D$Iz)|?p)l;w+%y(G<8 ziATS`UW4{roJS}b-|?*soPM)ZWR!dM33AjybVD_5-zr|;T`GH-@jpNricSYh$az|Bnsh- zK-qtcBk$&uYbrEls$wU8i@-YEVBZ#AcVO{?rzpeYfTHeDBb<4e5QPnSaq<@~wS=J1 ze;hyfczg0yix5MBRAqi#G-QTUN;?d#Q%M!Vc+Y}Mi0Xy!brbpNzz>P(9ygL4&h>o) zf-q1{5u(pnG+K~a(9r9SgKy}bD$gSAJKbgB2sxJSQ2?_KTE12SUN3w!iKOkJhZOky 
z^E5T;k3XQF>XhH!itQWP!_fmcHS%G(2INl&@3ZZ;>0|w_?ujGVse&G#XW?VxPgjqh z?#8BV90Cf4Y2;RO*(6onGS4T$el^D3QfOEq$W}s<2;uWdFWD8WDZCp6?-HX#_Tmv& z+6+kuWc(sxglpePfs;OT7-roQhp$8yCKI})rS0G&k&x(wjenS>Hzf%k9oc%pjip#5 zyLTyt_D*cx3upu82Wd3OZ;ln~%$EPjL)ODRIYpCSt1fj>TJ7a+f*CNv@VsJQT3bwXFI`*tguI5>K^L=zdJekHHc4A@>=?J%Eu0cBK z@qF~qdMl0RC{aF@?B2F7Mls!>xv|0$d$~wpfOfPRMH+Qr0pCKgkw^QR01O}5(qpzn zrd_^m;PP!#-Dp%OTBk24S8|ECmOdf9%u+?XIKufDP9`p_5}HXIal|YVs(a@#-k>Ds zuQRc;iq+SWG_1Coryp&PW6kI6EoFnV0E;JWyiKTPX|``-D0>^J;IATT!h{=Dc0MdQ z@6F~_jzTO{;D!S+RZXw!k#pEtnUu3&voqX=BNoEvA#>1`q*-?7(1b%2CO%QGTN7H5 z`92)uJT9Xr_{rS@OWt3~4Hd6Z2AATEsW$v(bfupGnf$9tre05 z&zEVo_YRR1XOfIrsOk899(`m$T|$Fhp*${{T&NE!?hcCmT!B8_+Ao#&kX5HnNfj~+ z`(4?u$lPXW5pFzKqqR+Ld5^`#dTFVu+GY~6jwT5z8IqWfVb6mo^cH?Ocd;AOpFFc+ zIUttI2#-+vbwnnpY@~l8_UHv%O8QxTD{ko1+0~LQJK<(*CR0>QX0?%0ws%H~?j9BP zjVR6lwF5KL$MUa3q3q6ku>;5cI#x~@xhWIh4FcFA3Z=))#sWn{^{zlkq0fAZ# ze&;b0q_=}`c_NL(lOV}DVHq!308ihC}BeloG-c@j?q7^Oh z0py|>&~x1}V=p-_(oAN-q-k?M#!Cagy{~p)-hR%z6K^7MQ`U8H%wja@F3(oipB88* zE~{=OMu_4sE7q*&4{kJtAYsI}ZJz3$Tw##gis(7eQC@gd#rir)W$#dLMzGJf*J2 z6JN13rYk)(U$rLZZb#^zJf+V;UGNRT%Ta9B_cSx+UvgDa)_hY@J-$eg!~@B@=t4Yyx{@C zk5Yd8g=~LQxU*>kr7o(6Vf553RbxnpsO14N1#=Oo(jxC)r+lBvmQNo%;y@o*Y$ppl z!Dv_y<-gd01Z=2^oD`3Ytu`i3Ibsm_UMz<1 z#+-gKKJq3X@?k+NDcZt*tvx6l#FQ!LV@iQL$t)XcXf&`bPzF@c!h%>hhD}89`0R(_ zsDBPVDrkO;$02$kD==?<%RfQ)OGSePd% zL_vU32N+|0-~A?|rnr&lp%clX7Og5NW$ubWrVOE;P=2@<#hw3WemuDx#x=3QXmeeJ z2(_FJU^e_Mo8{D!zD`^Tr8_L}oK$O}oV&)8_I|kN3z9}nOh-k?wFWO7GMX`&*jX zLnqstx_X#7dl)-6(v41?86HPyiBuxRh|dX3yTHyi-r*{ zdV5*83}19ycUpL6g$S%J(fP+yucEWx!*-yQc)Dyj-l)~CUc=uo$a3KXH<{?19(7|Q zz3C>0|lk9XSrz-IaPZpd@K09=X?SMWTf{b01KL$~x<2>iZrN=RccYIw8pT>c= z^U0?`2Yaqo-oLju_sQ|)cZ0RswrN5NSup|Ko%EX5PP9j4kc504j09P(uRF-2^Oy1S z(D`qXtEc?cvd7_!^Wz%J^ZiqJ z&}KV=0gC*L+f7y~VzYTSkou_P?m(vrntUz{EQ&IP)HYF~*5+{cYnZsZ4Lz4Nr8cXB zbrLqNP!tx?)rEphw_e-H@otO6j&H2`?#&Ta={!y`rsCEGxNx-H`N_kqw1hk7cZD-*B&#yb=J>gT$v3g8`YPTD;|XlYL< zC(s>+f17~%}&cN^iSiWLFIp@_wU9j2O 
z7JRbycoQt^Gn-$}2AP6=5YRyIit;BIlNMo_R4#;;iOEM9Z!Uqy9Xn)?2n<&RB&Mk_ z{#fm%Z{;tzawWZx-B!!7a#@S4UH%O=0{dAsC#up`hV%T6;F(3ysgG)d-Ajfeo!3kD zYAll{$Wj$anU8%{{)c_k`_r;y4hT(7>aR{?FT$jrF^#+PM#v4$dQzIDj=lp0U^^+b zLF&Q-B<^feU5S3&g|l31ZncJ-T4BdyiOb7B&No#gowq$>q+>YU=ENiA$G<^SJ{m&+ zI@kjU2=1>h#RCbd#Af;fzl>iTMEOfat)3QF^o*y#cB5=@kZ10;(c};mGGsy%cxr$5 zgm_$`s}YI9`@2lz$TjV=%$9pJ%!FPxZb;gc6b5TvJ>~+@8cY?5PElOQb z%Z0_6{c9|N!iA#h#DSCNm6!8Ng;|q4-JAx>H6~C(Hgb=NQ%UkiE@*}02oZ|JT{pQR z%v_2e!UVI(vw5g$f=#iCDeE^qgc`wNt9#UW|FSgo(%HbkSyT)DCDCbSlS0aN%R_e`w4a$xFi21~dPE@HB?{{{>GUL)Mh9`8mnI-m=5`)_+-}TwG^)%co~Y z*BDBVM3~S@La}5U%)yC{S^HpLgxXn$L5Wb!(Bk{DR06~Z25V8O%eJfERllR&3pZcs z$Jy+7%KV*$ES#wWq!BwX1K!?!bYEI!1nTJwcw8j1;?Q-Ezl2=1D+_YumUiwa5vep3 zz4^;ou~hD1ZYHrNW~(MDl;5ymLcSv&OjQBUy?R6{qbQj=h`1-nDTj2$f z8bs^a>X?cY*-kr=YN8l&d4M|lKp93y;6H_#^`IACe8C=w+!)DA`MY+wsNzTEB1x&e z1&c(L7JQu5U8jBwe88Q4z@1S#D1VtReQZHZ2t}y<%e=~|Wi1ngqGrX!UvUyb)2)>i$z()%(v;=pO?1m9a*$&0Z9Y8C?L$^s1#4h{ zy_yVJlVGSi8GRpZPVUbXrZ#Kn$5O?!M&6?oqN(EB8>_qH!=^FapD%IU2OYC7=||cl zj9Yu^!z6ad(gPH0ITCUCFqJ*lw8V>2Gfm1~mn9Dy3WuvYu=Pcd#Moox|Z4>RZ=GKY~S z!n%hIt>%^C(Or8>62DwmB45-!PlO=uLm?tTlUzkKIEB?bjdz_3_FWyz(FcA`%^3D0 zZ_gA!3};g4fET-$1<)Pl?Q0nq?~3|$88T}QS?DN}JdjgVLxg-s18YGoBV4OAhUbkY z`MuX9;}~4r(x*6KaU<|NY;^~0oC6}q6E34>ROV``>#@o-?N+G7k}iU4$m24$lH1#^ z7)jyVaum8iU8~4p9df5M!iVOF9tPzJYl^k!p-dNDpj`^~IGAKk^0;yZdaWt0E_>1& z8pk;1fGH}u1&+-oLg5KsRT<-7-~+FtRPQV+nY0CkvumED$JTw`^3PPq^HD@ctbZ!F zXj{la%}Tinn4u$oZ)=TgqL;M@uxlUNc@=4BrAg+oKg9s$UgP3yT39gs3_*3{|C;9Q z;VzmM2993w`y(T3D2XVF)W|Vo8uc19{Z%Tr67NeGK{qjVgqJ*!2&d*)27W|-#C}F@ zfwZB9_${ZX52)OR8r-gz19Jsbm+_8+x4KQ!yczZHUTNgYl54tB2w|UuE_nqA2Fm9| z{kT?IHJ=in+pcBdET$rw!E04nQX!OUcXpVJA{8bfHh@dkgR>u2DGZ^fqmA-TeLZh1FQYm)ZYA!RMOA+kZ`Ur*o?*TdU z9MBu!f6XbP4L*W;`cvl5I4b-d{jO%fo>U195u&zy29hRgMzONGM3C?_y~6YvX-*BZ zgkLcI(*?ABhHyB&y(4Yf^A*h=uQ@=U_?%6uc|)#HfYYDpSECB{)E&1ehcNEU!hY)4 zj)0u(^H`yJ7x0`t8fF9=I)58Vj#R&t3M+sR+;B?5Vp0Mu1J=X>15R@Qi4pC_XtB#d z^JWtaUNNV?H0sgU+R%A4mDGuMSV#*4`HqVJdXfLOA#_zS>lQj3J-8R%hDD+?%w@xl 
zEZik)HAf&%CCL3h-y1M8{!aj54W9CYJFNzAaHrKqaHj=#T5zYeVjkRS!JQV|X~CUV z{3*E8f;%m^(}Fv#c|C$Vtp%sxPBY^Pxzk=|c{BCrV<}+d%$B=t$uBe=@Bg2IQ-OmK zAKN!ulML$*^h+_c?>8kFo|HkFsufay-KH5fJW)$FY(z{`LXlcnf5xxknf0dW=^n4f zfpYg~Gl23a(nRUw)-|@OEonN8w#tAXZ&)Q?p{NT_--$~te(x$5G)ta?>7E?prWiR#zPGOn-BcaiaM{(p{i&y%9 zZ`mA7qOF5hDn4o=<0$2o;8*;lv06S0@cnmzkUJR zntlH$vX?=&?1j*556AOi-P`HYkw}a9-yTBgrF~~dE-mJI5YcqwZhh4N>GPmG6{xzQ zZQiZ&c&7LfDm;3ZfoF~2r|*9cr%-IZZv@*NKIQRD5zM~p?dx#XmB+Kh?y+Q(yA5g; z1s-2Ixj`*%>_(6(J+FxIB156mf`)1DPpJ3|liVe(>_KARqRHm%_kxN~MYios+}(S4-=re}*&2x%YVf3WFS~Z&y4OfYw_vS2>3c+#9ljH^q8DRxN*CvIkkYtR*Ghr_sxa6yTPoBpw`81(gpcLhueKcH z7<}6PP&?M4Sic#eSpTCJ>z~#Mdnb}alK;cTD#^q3W#@49>P#(~WYKDw$6Vwv0rFsT zB;>i_6~uZ=!8G=f0QTo9)zKWL1QhSMx|pBVV~_OTKAz1_{&9ZV^4ICed>9g};is=CUXezaWPyIh-171)+4o4y$)8%PLB8ibbW=pPgp^k1;I{u@-2 z=dPL<|Lc>|PE7bqr-IV>Oif2=#;!$8VY_NdIB&WND367Os0Yyu{34Q&bc)Kn?>N42_h84p+ z#&WeZdVi4abkca(=v~(N6=ipj#g`1PF@ec~-gx?#&Q@9(rHaqL z(E%oA79iv_MTe~$l(qZBY^CcwG~9a8S-+)=^g-0b{Dy`xGc zD_*50GIzS93f0UfQ>6Q#PBnMSjvDc*CKd*M`T8Kfw2Yw@{@N1~{gNj2t^6aum1QUf zI|h)pNh2CtbBrRT0r2s0LCK|a9JYg;x00Zykim8uX(Y^l=ZM{dOui@u_6H!$0T>D9 zJa0<1X~63&miJTp0QZl(_HfS%DE~3Pya2zWCHPNtUliod zmkEx*4Z2r~kiF3W$7=#b-a)>`6LBcyUvh@Mpud`(+i%*WpdWb&e#@aP3ax+_s11d} z)w9Nc<|50*B!M_x&^}kmVuLwQdQ&O%5*D(>*0QTRfn*&X?+pTx1VBDnV(&`Ngr&YH z$-NYS<(J}aUOC9!q(Is;+9*z5KbZ#0c4b?_=mwG2g>x)fcLuD!D*9U8LVU+Fv~Pv@ zju77w;ya#nWrkn?3kI-Y01F1N(g+5yU;qmSFc)6I02T~jPa1<@0Bak;0M;L}U;yi} zWWfLy3}E(8!2lKvU@zSO_L8Fr1xiqg1nUeVv=3p#$Hfb+!GjG?^ot%WCTI#DTvPzw zh71gj5+Saja(aQ&*^%N$$D>jac_fmj5%B;?dGe>_b0kEGzW3QijMOs?)SFQ0SpE6cwE{TL_bN()gRmWENm5bc1 zD0-XMI+R4EOL(pENs`bz4&*7J@{3Y{GK2t@XajFCRZ6av|62i%DABh@tAE00ySnnH zYOpJHwUn20w?Sfqm{esXCod=FbncF+k#5nha+W3JD3-;fx)Qs9F7thUc6zb+a&qzU%lvfq`E=&-bmt?^S%x4^YrFHa zl08aoo}ONmnXx;37oLVatszPfja**f2e{nmEn*DEp5EF=As^R$y9Zo)c-^^rxNlxP zI^VeWU&XC=yhrppSHs#80evziG2BVx|p3!<{nSaPXBpzI$wO5TwZlb z3A@jKyqcXX&Mq%{yfQ!g-)#xy)yL=4%ZvG`@AHev^vmV+^y2j6m&xVD#py(X<%7C> zadLh+-|NM>6v6)Suf?hF3$xS7>DlMgkKQl+I-5?u*tPp~I-j5X+UGs9h~6*uIW7)y 
zU5{FiBCT&~2Z5@4Kv!0t0Bb~yamM4wU|s}>9UJ);KoTEOW<=TXkAt12KEihO9ghb+ zXY5&M&{1L&00GyRE^$haKF%jQ{4Wac+TD7zRPc_rl(nM>ddvwxp2bk0BN)d3%9VKo zwCc-HN^cRsj_Tif_)(Lp%rTvx&fK)28R4hP))E}$(W_jmGH~`@ZdEc=9z04CWrgEX zmqRhYt7_qNuQkUUTLgTe!j?yAz@sLR3S;ADd~B!RVW~skC`u0oSd3p`X<0ur7I6mOQLVeM~9| z7Kp)Qu=xQH^AmVV0QHc2PPcDKBG%_w z3EZZjzwcH`F`Z$!Oq2@=!Ds_`1|2yL{)$(ORxnR=AAr7AFYj&>J*0NGcv*wvqTKkk zwCu&Ytr$%`bPFv2$VL7tIifIkz}f_YJi2b)J3`r{80vW6W~y_X2t8E7h`w%g&SD_E zMmR3&(cq1%QVXtcwuw~QGty`%T z7nO=`P9a_aLP5qPgW(1=5TgjI0KyIAV2Ka`DQu6A=)omPo-SL2xSS&+1)jyfP_|$& zLUyg%R%j6ZyqAsg`$?$y;X4}g5;=-k%;o=#v^$5g@jXnF!M^eK?c29MfB2yO`}XbI z-T(gO=l5@ac=zG2??3$f?!#Z-{pE+Z?>>BZ`{4)hb}$G!M$QFfKfFEoTf4|TlksOT z|JTI?{C>9h4Wy9Zm5y}YKqk13mM@6nNT4)Jpg?@+bRwNspuT25#>bd&0h6ShjZ@Ac z+R6E`sRSw+f^8$fxsaTHeSZutC_&q7pN82>xjq_p71MKR08+ni^L8qKtL5%gQPF@D z={c1@>c7=edoaz4|2KRVj}BHc4s?(ukVy6aR$X9*-R<@p+WE8Iv03%Unpm;>*~=-2 za>fu5ik+f{Zz(Qo{!{tZy!?~vOCe3^C8sGl>wz7T$Dc zVQyr3R8em|NM&qo0POwyavQg@FpBTL^%VFh?~0WYhoUUoS=?WC{TNDixRx#~k&btM z`EqD*1|$&;2NM88iOX@-d580c=SfbX0nA`7q%M|Z%b8iVVsQqS2GHmmx*JqT%7RvJ zj=A(!coF``{XctqdwZ`A4&dLty}jbUdk1^%|7af^ygqpG`t|;cga6oT?;pH=^&e>O z0bnUTiIAB8$KGf6RUF(Cd2mdBAzV-vbB79C`3GaR;;R5*z zS)R6o)t>Thvzt=TgR^(`rEpkFr*XB@wbU#Y@Bhbmw!L5U(#JGpdQ+!c z4B;q13nJ#|k_JR=^C_KeZEbI(!?ehdNJ*oa*n;|Nzg%(C&c}5 zLe=)my}?%<^wNFv6Pe>BWxRtve%eBalQ^V4?y)42x-Ms7NTb;az8WTcMmngyxA&j9 z_wORS#57bubkP3G|J>R_Xr4?usL|L$NaC6KYl%65T9H9w87)_HfR8?AZ zfoG&6@oWnr{WpT~s&+W`$q+AM)vKZ^d%BTxVrUY~DMn&}!%){kG!hbrA&e`fTnMS3 zeW+p)BFWGPxr#{#ohOl`3vx)NI0@wk z^(7Gm$vHuReurYtrZgmoPEk5R-WEcF_&!_21N|8$9y;g-0aer=hd}8ujR;4W&yod+ zq}W1;TuF|5_EVS7L1P4793CS_df%Yp)kdGr+n?Eiugu<3^N%)bP%5%nKud85F5F#-xpo(M?-G+7zUyHp=IbVj2Y zH1f~){~Drq=Y64YU=1wU-he)+P=E&tLZPs4PLM`p#HNN!Bpl{M!3OnI87u_zDOLdC zAmBs@H3D6J2=#XrQbtV9X*5&4h?w|vN=cBmVUhTxH&6wz5XpiB3Us#}jcFp8DA8p? 
zf^;+56^O%RMk8lIMstFuEDYJD>Dmr3qzfw1oL!=jMKiULX+V6;VfiLN6(izH3nD{U zPql~o5>0T3BSiyPB2mb2fUwV*5H1~n?^w^G&xAy5Y8Kb$1PcX@SP4m#+?DW14fTSM z7>9JJ=;n~{CE+~{1!YlJ5vLb>i_#Vd@q~o118^LNE4vi}5{GQ1wz6tD`*jS(Q!22H zP81{1ldM)9ugMuSw{S`=aJ-9VBqAKve9GAZIf90#D^JlBhl1={45cCL3cJv{ z0(w4K*;hM=aaDvjMH0s$C4p@<#ex$Y8@6-ZEU*Z`j#+?0vLqo;>jjIbWL! z&D7sH%=R>0aHq*&MnC!kh{t;}nKO3LDQ$Sw;gpgvKt2vbwHv}qyb`*eB|Xq{M3#gX z-e1nCKiAt_*FzKv=xu0_)9gA^KwQvR(>*Au_9crH^a9B_mS};cKi7Z4{2*aE+eMtr zFb_htSJ@QWn1yVDLlm=+`YX?{AW|0i1LljCATo(t7s-V1h)5z@I9-aS{$?OAY0Z(yn9~L3RBttfs*FoC7!KS%JoJWfM6Q(lpsC-AB?{4Lr0@cYUs5^O z^wVKAswcg~g_j5^%*K4dxF?98a4J{cgh=dVtDu$#D_Tba!|hKoa6qo5hnCrCw`tE* zaoVeFE+w{VWM+*+!qFv5LSPHXXPgrevnbH}&smSch!^MQmRP>VrmRL(F0NFBi%Uuc{Caf6ud5zACW~2 zMkYf(g_6~X1d%imk}Vv>lxbO5Pb11Hk*_e<(3Dc_QreYPwflBX!jN^)U*@M$(j*SB z#GUjFGGd4OCarkMco?{(F+xIO4%3c-*rl7~gC2pG^4JU*-P#9dKkQbmkk)v%&BCOp zllB0u{0JZ!n7tfNqmd+$VuYa721_Nq1_hB{;qQN;g%V|zlqT%{v!c%=p#~rWy;7O7 zfmoVi_Mx*@RvU0uHYgQ>1y%bG1b7-1kkUwQ+vq2EOQ!YF2UGk5Xct<1GFn)$Yh*7& zSoJi!*kel#pL@Qkum{jFgprLl_|P^a-b=o_Vizi(;n{G2S9)F7i_k+5jm5zWx0 z7P1Q{=!cXXeuXD zMRXaUBp3t~xr_Af(mGwJba4J(fd5V@RgpwKQOv=}2v#N6)tn*NN?L1BY9qnGzEY%q zcYd5H>9?J(7|XeyBG}iPyVtXLwj`X>fPj?(3&m5H+LESZfL$${*;zJ|*fLYm(v#ha zh*bZ-Wc*^^9m@dAc?UI2t;UulAz2W~L53m)tKxEBEBkt3Pm?f2znmZ+3&nviJ@XCd z7Y+qWr4)#+)rwhlxE)}bJb&n<}))F#kDESHHtBp0?p`>fKIAa z92!yy`YcQL|D2$ZT^j32k*;vO5I`Ta?o8Brr|43>#@V`UBSgHJm;Ev$7z?m@jj`_& zA;y(6@03;~dpsvNAbdQUxt=tKr3?cs)(S8z1^YK7PoX&}_{ z3vJM=W@?dylExv)9~KL5i<_=A_j0 zX;UL?Parf?(1+G+5o1X;276oVG9p}CDRjRJBIcUirTT*k_wR!EY+Tb=F8ATJki8aLh^codk(a4K7HCmOlN2bA@gd?dmfO zYa~(aEojuu&PLnDO0Hhh1rDupWlkeWkR4N6!#UM>qmVH>G7v~G(7&L$pBbnBR+>_% zU_xDcvdc4*sv3Y~XqrSCOPU&3vm`B>QXXY1_bTx}$1W-#?J|vi|kTw@1Dg|Pf zQ3klydPC-4SX|^JBugAgB#cpDLKNz%?VB-R)rFuuHwD>YgX#YK28Xz9bB4R^oZ`0k ze>kD$Ei94fq-9K{wY738@;sRUK5GPp18SqUpOcUP@l?neCzFthxn8<}`4@yk)g%fC zN8iD2`c8?9U}P{oEJ0rn40DUQnj%gRi_pwho6sJr>-N%JnOEWQtP(yrgExLSs{Akd zB;K+VC}>WwH8?$u<^78SGOE1WkH`~D5=^a zlO@=Q3boS=0(iL*O;Yy+?bl=mm7;c6TMmd4?)uYHCI_4dbH)Zm2T2%O3zvniZ$Au) 
z&xsT%y&syRX5VK?BzHl%2bsW>v*tIvAersdo<}ORQ#GVUt1ap)3oUgIfii^@M9O@h zndMrQFAIb!+~LIbA9yXf_5XGlfg5+=?0aQV!F! zwVJkg^Mb7OY8n;DvHhy~USQ}PR6%@27gSq&h)@J4<-CE*3c3*vSAvS1MS8@PQWGZ< z5XAc7rAq_iD2>n`LZ87euym+nvl+747>hA{wyqo?py!TL(ob6;Fm}a1g%Z>pFnVmU zz)eAvq^~w3aFAqyV#1rkXE8|+Pqlu)rb^HffPK;qVb>zC0#p_G-%$0xJO3Lh{r7I+ zcWR8uv*I}xD457I3?Iwr_0hDSdFIAH|imTqXX?4lrVhHOk%GDIJ#noQT3vj)E~Fj%*f#AL6kE*aFi?Xfw4oce~aU zrH$$tvszH$3|Xl{K8t)3OVP66G>wgrMzdBBiDt}#ruo*|RxgZWVru6L7!iQJsiTWA z7in&%58zfvu43wgtR4|KY)^^DmQ|eD6z0#4L2*1ysUk&ELw9HCwx1Jk<|(X!CP3-6 z{6_dB!kjW;#M{%e(NRZjG-L43&H}U_l3pq-CE=<5>0P>jF)lK6C$yf)<^%x(xd;=K%YK&x*a30{3~5N^xr=& z+g`iv?PZY!2p;Zv=WIe9jxq7#BHD7fKFh>w*Z!=_--iVft* zSD;&Y+L-%qg21_L+frz2n{39MC63H~b=~$iAHreaG8}-jlJE#wG;9ZgrfRQ%Rw6;z;xDdC08$6-T5o@=jD zEMo^TAY6$rM!U?oKFG>y3U`gBD;x?Uw0@{3On7ShVn;{SEg0+DcE&=bW(2A8R3l`w zV^y}16BG>iwz*?dsDl~{D*O)NobeR?{#3Uek;`zE9pzfs9D}hBsFW)ewsdxWdgRikXZrG($|*zfhzH1SPc?8w=IElrDXi1Kz zQ|cR&lcJ6--I_O-i*Vc5w#_EFQZyPo+6>3i6A-TQv(!l;9-QN7MijK|*Zba!J#Ww3 zYqekPs$cu|SHslSu2C?Vb`WMv20rb?$b=@i{Q=Ug@527mT-Y9fq*b6%)4{~didI$} zijbS-4Ce3iOOt)bEsH&8$gi2HRQ_mSIlj|AG?kC8VvTE=t*oOR^#20;z+XzH{_7I+ zh(@!&U_1R~S<7E+I^8msakJ}8K?9oJZ}vQ97die?j>eSjI;9!Xkj&JcG;UWt7D;kt zPvz|A!p0j_nf>XKped$`OBqKU?b3#*KC}Zjo79&_l}xxf(M(^z(Qij{PQ;vrK?l9q zb33IGl@y04AR%7C^q0JYXr#u%qCgbd?(4dTs_IaeFm^@TdQ7;I*e66@67WIKH(h9N z0HxEGQf8Kqs&G)%*3Vhu%C@+oVGUK9<512Vm)6?ftE{%Sf1nL=u7L=gJr#`LQh@YP zz?|Sv&XGSS{)O;R*YGhmMMiEiM^?Fl#x4LSkuni#$8=Ep<=%d}c-E?=ZP$SB+?vhM zS)@AXpnuc&f=0V2q_epclEk|xz!C>+wp%{3+Ro%s_kh$i%@V0*9lh-hc41GDXo=pQ zoxMFi8g~bS<9@HJ#Dj6~{OIuLbky%253LR7ZEv82!+=D9YEv2-EY(eSP(#C+i8fz1j(jkq(UT*NLEGca}Wwm>P@kdXObAr@$L%kwV5Hkv@ zLWS#yHR(O*QxUh2(LFQ;a&I*`BYSyhWDk$&l7uU?V1W_Eggs%{)q=Ag0!os> z5S>F(TYqM6$i`u?NTHnTv1Ik&nX*fB5X#JI~Zh?v`R4H`+p zu`ji~98ATqY}%TtHFNC~_h$lUW|EgOoTa3Zo+Tk>P28|L#cNe!m}ACGq7VTx)~9*7tBFQzWRiq zDG5wmlVmfJVsF#Bkl1p@ojN^U(WYnQyBx#pwGXG69CAhB$RzFHyFVC>#CHgn zEpHkeYGQf7*aw)27IbEpP+RrLrCyi*p@$B^_9CpsS(l|OLZhD!wSkjLGvQ!6)MxHX 
zVr;YE!orYo@>8v=ap>heL@^VxY20Hxciqz%I#~V8lxf)n*3)1O)i5IKSe;6f)-J6Y z`c9w`SCfBeY$%EwPKb~wR(n~=Glmg?qK>eViekcZwV<`shgLP)Kdj;?DfGrnP%Pd(q|o!8PGKs>*#<084u~Xt0i7EX3+5`Ix!slq$7EG2^P7E zVS@d#Yr?Jx{Xb;^QEHnmTWCP@Gb)jg1?uF`L`yVxvc00V*{RtL)?vz`U*@5ou59+I z2}ADDKxtd;f9!khS3h`rUc0q_&`1kean-Gctt8p@;D1gSKnzOh4|{ny_HO{kxj~3cZ~a0%{%gBNC6bCa4zqP#QoRmU9LeXwiX zFHHUbv|tIG%v=yH<|=(cxF&!oK&s)8VNH^t!ifw;kAM*@l`(;NS<%z#_?eJx6x#@5 zelHoyjv&&rI<%zNkTXsc#ELOlt7vYnvO_=c*tGgij(7VIRD=pfO^L$`IKz*WMhpUs zhq_^y0pZA*B6W~Ni_!5=XBJ5^BdlWh7>PLsS1ZP((uGpGxnKbaRbOiU3V!;okNhz0 z(CQ=wLSjc`&WeEjYF43RrIH9~7OA71Qb876-HUNVb{?4FnBmH}#>SjoQ6k*42=~Nh z8yOVKI2*_w`W=8~;na)>NoHVDV=?lQ^@S0c@M2h_k>nRRHtrS~JNCBH&AEN>V^S=-4F)+jn!?P};|x&jF$z{Vk#Q^prss!ih;9c)*^sKTr6 zpl`xS9k+liDryU9Q;ynZ0|Qi=IBE+a5v0c#ihKO?{Rl~RLBMYY4G%T4f*(Z^m32VTABZ+htU%l1EZQ*XipukF3C)-=$QF&GWN1t5}|@3__ivy8p2K14QS*)fsK zs&DJ<;22~~`wHe_be?X^Sl85etThuSfu);1h6#|l39y_EOqf=38yXWf8o|^IEt4FM zhC4|6<7>%13c#sT6-q-~tQFSFh*=ik0NsEKYs8}FzX@kXkhSji!_m<6VC+}KxiDM5n8C%9S_dWe(4_`o$qKv zQJzFOAwUqfX1sT4G;1yQv!F*cs-FklEFp+Jz6M)Cgq3oFX9R3MyReB%vdv_r!$dtN z{S%F5%l+=4Z++G$SeQt_H#X~>FKyeBrFQc)9~~HZxaMW5a_SThyGm2M-ua<$1Bm-m z%T;!*{L#cQ1*t95`;C={1Wur)kT?o34^R>d$q8PhwjdUvkjbQ8K@tTxl1^j7Qm`NpaJC(iD@91a6lhgt93oD|g&D{@H*6TJ&58-Z z;-qAQPPHlHQuPLjy4*E$#xhB)lPbWf&Eci7LeF+>-`eOhBa&@H#vM5QT1CFrQBt2E z*zv`1m&`2NJMC*jrVeWz`w`8BFpJSzu7=(PZ{BI`zU+R6-Iz1a54Lx}!@2`(* z@_)X1^?F z4So8Qm6;LkVpLUV>y%t6otnfT+k9{Q#Sup7=3bYg)Ja@a%2s4(ObePE@f9TYVhKm! 
zFaiz=MC$wvBrq<=3lb4+)qL&heIwlwve4CgAvdA=Zy4n>obG~YGiSJYl`GraRttN<=mHC9WaSdxjLR0sXSk?{5e-!<4bQ& z{EIi3hG#K}^7X3<Wnwk>mj(yqm~5iKO*Lx1LZHb(NA;g#g_| zvJ)8=y3>w1Ug|dF88h&v=`+Dy6_u`O8n6#647Y6FsaVy8b}G6J=!F_pjk;b_;9hu> zcFUEnYkGmNPQe}UY}%EQ(@9dI?$>u!-Nf=0$u6~ckQi&*vXygwZE&&DT5qwe_dbU5yH2cviAM>~zJPoI>`Vh%f% z+_H(oCC1KbUcuJ7uSi6Iu zkX{h<{JB*x^!)AQ1Q+yu%k=n+6Of~19HQqjr;$XBj~^T8IVUl}5Pk# z_FonB|CjB(gIfQ8jOXLW*7qpO6ym0kqEm24us_Wyh*I7myQMX=Iys$)v|H5Xvuk9@ zry3T+b%57%wWI7#EE8FKP$PD>P+BZ?)w0yB;>&V>^T!MzTh0RWoaumv>#F7R6?w)a zaF?q2j8%7Op^(^W3!$Bz0wvjkB_19^eDp%g;kmTdKr20TVn1c>mI?)ihb~Us4GBch zG#!5>NZ`r`x4{CpUVbHRR;Q4H3+?P|-EFZdW;kTCZ+v>6t4X=GqTLdyDhu=W9L!dY z25KCgpP!u%$7iR+S@-#bMr%LeE0mX@^U}RnJnmJc-3!U`r_K{1aeM26 zMnT6(E;V35mRf4d&06bT5Oz=J8>Us0=AwA+pd;p?RF)|h(&wk{CJ18Eph~&Eu4+=i zc$Bp`S?W?nnEp!r25fkKBdu(lifx97ELk+WjA%4#TD>yYa+(g$Z90iAB6b<2O_!TY zLzO$I0bXv6EfEu6jeCKw&h@2DBG*$jjv%z4(T&Q}NSB9SBe+ZGoJ{RZJGc|aqP1+p zdyO+$jstl4Fz8`;wt}aL%#}=L!gCRd))_}b;m3*jz5aHj(wz8l;;k#LfN3_Hnx%w- zIQ#IqAPcxLW)UkHuJPYLw!Qrq&AkTldN|f8J}D92zmf?tv+2F1()_uzaf{~q+q{$a zU9qR$)b*zR<~MZ~O{|-6wrlzY-^a#B$P9hWblbc2blEJG-N%nevS0Bcytd+BD56n7 zB8d*N4$X9>WT$A;`qH9K{Zu?9`QO--IlDg%V6*(+-hX{i^#6IaxA(f1{~zP|_z^u@ z_@X=LzvV26QRhd*cwzsOXz88whU4y_KYn|D_HKY0?(u_n)x7vYc$77YT%S*{uc*gd zF?Q`Ku1hK!uIaZ4b2w)qSHsNaC5Hy?t_^CYzQX_R6GoFsa{L~u-DzTsvJ z94x3%Fq#M#cc$Q$3^%a_`mJGab1>=Q^1el;!jkX_6rK^;*hP(y3iuZ?_^CgVIKYyq zzhZdxdp-+-W+slCq?3#8-UgCIOy9>)>?LoG53p&;gtaZ$l14MsJ3mA*;RaM4kw4)C zUmz9+gd>yaT%>sh(;Gc7gazuX_gPXc6A|%z^TpFGNMbEo`~P_H!@drBjRAj9%$ZMY z7E&K42I9ip`o=H7NNH-^>1|%_%j^U(_ZsKi19G2Wm%1-9vz7anTuB1Qm?C>!y+G;0 zz)DrD`}d9Cw+bSPu?Uy|{Cwh5y)U2Oe58nJf-BAr&pJ+26pPRwiIC{~mhpC+BoLz< z_?V|D6jGnJ_0yQjsf8)38hRc=RJ~*sb#I~`THw3NJe+uS?`A9nn0f<{nLYk5;V?>`z zOR^O#P>l8P8z^oJ`n~pPaktR5Ll3SY2R9klF0wx$G3DJydT(PhY}|>->~+6$Ga7G_ zO)57f@Q?+LOWkE8*w5VV(oTK&_U2&2pozEXa2b{bw(!fV)3w!bSxM6=g_xAFJHMoH&WbnAo; zIt%4&7sX5nI)OkYBXdAb2YXuqWK_Btr!hBm+;Dxf9ic!x=?!hnGr59j>0B^Sq4%Oe z=hLTZc%1f%V67LvOOo~mSanwD`-4@tchf1fR%pjo^jxx`c1A68(Lw+CY&1SP?f!Ip 
zG=AG19lh`V3ihtUqrvgnuO~;RqjB%-baZ}pe0+4igBlRF2?q!dV)3%EteHgf6bxS_ z-KZp3J%C>4+&@*RY(6{$sVenFyT|6s|1qAs6R)2%c075jJqw9BYqtA#!%S@1b7z-|f4OlRxz-S04O#vguDhIy-|SGl z@wFKKAozVt?0%wt4rTstZDP$oE-%ErxBy(k z|J!>9FN^2@FJ9K?|Bv!idJ3tPKi9W|@uMrr@i}9%*DX@kjDFhd=qku2vj}`yXZoe$$e|mYaSI2)m z%ACY8tPM_J;Fy&gNTPp0ZbT&%}1xA+yt|U|qk+gn( z#O4|%#^hOz*n6m}y{AjNm%ZD0!=r2V6L=DLk(y%Vd=$Qy? zl&f3O4NqNL@tDm@wRFg3Wfgm1tHE?SwoRFBRt&||0?LN^re4k|T~|>xbn#E0nkbu% zj~`v7JuT@r*>taY%9k(b{06eZC=kMKRAhE0>NHz!&5e6?=0f8~Hm)k)4t)iII~ii$ z4?1wS>AIo~r^UjAG_~{H^Ww2NdiBH45jg#S{Ft8E=K9Y8 zWKxS1rofSsbMTp4xf*FYoJQ6X%I^Ehz=15w=3)VpFZWoL8cGtQA(kWzsU#?7EOhFm z>EFv!ye>zO3kP%xNMce5XLoejOwuIF{=XiIEYr`;Aj!(-7aXFLZZNCnJ~DSG`qjqy z{QpA{=}>2=4XAKFPLGQ&Na?!+W0YFtAv8=Zd~wA+oHyA9stw#kj& zyxTbZLtRE^w!ZDyO$SwjZ#;Yc^Vx7T?hkf4KeYE>HSRVnhbrZU=Dg1j&!(b=2JFTA zk|7}jmPpSj3pt(4_@1p9pwrEcP6Fi)QJXP~TW6GA9&1Z3@Rf5>Bu>*hp_p(aVjQ_} zRVIMC4V;w?xNz_9?cD+DG$9lskd^6L;Ij-;cZEJ{;j_VC=!8-?gguvj>W+!F}av`U(?n z_H2EQihQyy^cOO5XFpVo)mgodYk6z6JW;;GacvEILZPGL(^9F^YuBN1K&z+LwXdmr z@%~eIV(B-kO;w%t%f0sg+M(T`o7=WuoSo}Byw~VT@8icZn4dnW0jz_xlrH5xK@wj$ zw@;a*G>~&_H@#*EgbNx4bV-8*a^VA5E4&D8`b9o7GDsOAEzY*SH<#r~eWNSa_h%^; z&cWU(W9A|@t!8!y{awVdPN_e~5#pptBejWbw(#ztkL>N|8Ym~-8RK+DBOJn2Xs!~X zRdyv(stpL6$<|qzvM{PMvjs_^t%`B#X{|tc-&%R^WCsSU`I1K8CvDS3*IBLgWasX4 zF@%|h*=@OZx|=P3Dbiofa(uC)Y1xA58F6|=RXMu2s@h*ja=OUq{3}OQbm&s#UeZ+5 zBvpd|XaUSTl7sV^nvcIMTxq8VDVcFoClvQwo)i_rp1-tR@1{@5{+qc|-J1b;v;B8} zf3Mvx+J9fQ>->L@@>FG4C}mc73JEx#Jb8!j=DhTJdhaA>y&$Vy^lXVk#qIMfJKN01 zFm;&~52`6~5KLxJ`_rd}OTl!`kBa0?Yw|;7aVq(OTqgkOu_ThZf4)8?NU?CW*rzmg zjwP9`%y}+@TUXwJ2c^~A7x-$J@ENJVmKHZX-q=9PmS z=8cBb_UNPxx?#(bg@k7lsT+4*et!Eg3)yTnj5)zUk41{7z-7=*Z)=L&xNn10Ifup5 z2auqu6|$I9#;IJvEfTJOliE&&PnBn9RSh(%#-|f6^jIXxm6PadDvZx*`^Agb=B>{n ziD{Icbs{(@)M907Y_bC~g#~J~8inN<3TNf%>SHIe$2*E8h52641v}%|Pg9qqsFH0_PR{gCq>~9YYmU zm3^#qjxE=(Aj}A1J`?UaOA}?O0~)#a&E|qdR5DJZSvLsyk6;@-SOdSwmF$INNy2=W zs;Q98#`*|n3?+UnkD$~-7CF1N%dYsRU{Q5yoR8I44FK<2}bC4_fsteuSuLSh`!B~cPOT+i6k 
z_gzyKb!Q|$mQoMb)K1Aj*`|LbIqq5V)aA3nxYjU|>#FIB70jZ&S8l&b*|87AKjt?~ zN=ygl26niE-Kk>kOX{FeZ?LJR+E1TR_4SRa>cCne#DKF2>E!CnrHtRYNfJ#{Sk61B z1s9bTKUEJI606|wkc4?U`;cQV{T)0d-P4wwLh2w?dXQ(&;)UevAXYNK{2hniQ z?R_b*GS|91Y{R4TU;4eHaktkydv`i|Jm{1r;gzM*3K0MG?x&;P+3B19+bTS1EirHL zBx;%X_Le^3G)}|?(pGVXx-1jG>y_A2H4AH|$gbOnCDpc4Wh_zR66A1nKE#U{F8kfE z(?;jr-qCp2JsBMLPb;Ue%)g3_R|wp0M{tGH;kbKvShJNU=nr3J3)9(wRXOh^={|mDT`DO z747;?2KXXs1f0dicTLniKCWImL42Pr;sIxH1YID?`LFAZQ-xMai*m4bQI;%B7UTqS zB6P~EsO%M$iB1hUr#xuJn9Ei3k4xF8ro2F#nvmltH@1c9Q#0BUgG^H@l^4CV92?0# z1UWPzlEygI3s4iXRZ)rNB#edj&7IL`){;bk-Y#AUw|ajX#)$?;3l-&5`|q=oRc8&bsK{Io0uzTjmbwCcWV?= z|H6*dUV`5+fhl7@q7Bp#d7OH$Z~kbYhMn{Vcw`Sak#Yq`s(HU`@Npk8>$;QOu>x`+ z+Jv^d=yFc|xvi>0Gwj7Cu?dymO5^TzDq{P6nnb>qH>g}GC1Bg+lD)KZXR_uhR929f zS!n7&D1^~>F{ca6SKp<#CPQYcU65aelXO=B2aQXHAT@(bBBGjM99o9>e>q1=b~GDF z0i;_sF8Xj^fJU&9CGI8^MvvQKpIv3uSz@vt$1E^0Edhh^kgGVPK9%7L&JO5wg>YJP z3zaqS>Q(ki5aq+*)AyZS^-)-{7S~I??>g&QJ5Q>z#dgs0>YOn7~BOY=6*j!iFO$Rw^y02(4lW7~- z@lHdZ^{7UjgheH}*8XgLkNQ(2*n+T#sE-0Av5hsS0!8G~p>>l)A{?2!fJ{1a@Mzgp z+h(ORZ(yk^NKF`{0HV66$nOYvG{J#7Q%pnMYh$3=Oz(zLA4t&2+-}XcPP>y*9n=6& z#_jPx#^>e=gt5ihaW@Lah8d4fr~v0<5;S1zn(()V6O=kquo`l+z!#ddOqP@-X4lI( zq1(DB#oH8Fb9^Sm_puf~U@xbivy(JPgrs~gDx=u~o4oJd{(#ELrJG?WX zCeNY^sCl&(P@9_Z3jxeyzbWV<4oME^?DcxUvoencDTYwzBB1bgGn`Q5F~GdUE4U%Y z1=7A-3!*LX7yyFwQGuuK`?Y|&g>C_C&iHXHi23urYEG7qCVq19d!PH1^#8);g7*;w zcwPRt*ZZ%F`9ELP`9B}$G4fH5L29o|JMh_Jp|7oUVu@|2Fb>01EfQn~x%Zv;_#TT_ zTD`nf!o($kvl%5T;U%MiQYJ_w=u-7aVkn)3x?j$hN>U7{FSlHsu&A1EA=F4Y-2lsZ zRz&0UxlXo_E0e4A?)><=I`7VpRTWNXv}F3W8+|I%xQ+;wtEh%j6UCb33@`;Y9iPv* z&I4oC$hnFpiKdLpB*Kz}D|;oDQZbW={+Z}}cWKbKT`3xY46MXm=a$P|B$!$vECiiJ zTWJ$9CsTT*7L8zkZq)tE)5;sb_fMaS_MFsap%l`Pk|>wY%W8@43|r2T@X)x96uvep z^)_>8mA`Yl+S{qhn6y5vdC8I#mHnvoF;yN|gvICxRkBGsH7O{b968lAF8 z=?l&!8ruA$Q{4Q98ol$Q?&!$g{ZMteL}rT9*Q&PH-T- zkceGmuB#Bc$mfCB$!N+N`=&9noxlY(X5WgUWpmS&wppz7iD8w7dL5+$)V!W#RG z@X#B|g+#(w6R3a4vqrg}$QNRdf zc(S(Gbj!8AN2d%d8B;W2(%Iaqw!Zf+ZF*PnpP7;eVorP#kjNxzh4i9OltoVCX(kTM 
zA)gmA+&oXE3MEYJpyx`KKn=~Xw4FI4>0V<8?G(-rhUG}^qpO$`eP6V_%kP4$IyubT zvZvA-DLSZcofnLaJn!?dVGpGT)9G@##;siRTC+O9U~RTb7w*hbPy+ps5pl}o(G`VM zw0gO3F)wSvXiNQ^GP!1!nrXys4mbBzoeK2Sb~}TX`lUcD$@T$yt}w5FusipPRJ!+v z#HhluJjvyJs=Ft}!&Fqzxtuj`$dl6>09mBCr)7$3a?Ir@Zu-$&y=YD5_lC&#N*Onx z^8JluF~k6 zLNbnL1k~gQL(b2iur)U8yO^&__TQKV0Tny}-^xi6%*baag1heirKdxIjwjzMc!RfFS!tj5$G#|NgP?*HB&$JMI zteVo(M)t*q5?6gQNsnn%SyRn3i6qr0HB}{GIr8swCq&<`xm(}fP_C~mUw_AWt}zk? z;E5vOMspUxzv)fsyQraLaQMUI{8Uh9x60}wsS>3tLyY2GfvlRn8{N%bdFi@pDr7hy zk>qsE)$dM^=@!{dUAsKzv-wytji&IrQRgA8fC0ypTuBmvy0W1kKM|5G>?=5erf>v# z*Xd3(d2Q%4#gPz@;*LEPN!X`PRec%MBUg|`=|+83-N663{nN$G`>$NiSX8xcQ|f-k z{wUCo^{WP9nHdE62Uz0J#c^g8x;{0q4eOYrs*IckOcD60Rif0l{qAJc`_dxN-}? zhlX#MOYZ>FPywV7P@1?<+M8LwG&0xEt)B||uko!Z@l4#$6)@NMfA76~xnK1E z-hc73rvH!eY@=>~V@U#igP+L|Wp%e};sUm|(YeW$6Jt5o9udZ43%qTNMLG3VLxM&= zK{z`Vmw2`X_f6AiPB@8VxI$XoHV|PGa7z8OQtc>SJBrti;$O;9{O)ewCL&nk83XLZYdOHah*v-YojI{vj4SeH7!&WTA3gJ())%V@_XL65_ zv$BLpg^Tr$vie3{;nc}8pCt!=$?a3tR!{u^v;XJgy8Z5taK8{4+6 zjj^$vjcsQ$+1NJcH=pmXZr!?7w`!{YnC_ZB=iRUB>2uEWJWa8j!tcn}fcdhC-~KdO z+xxTdH}_TZCSkkB*eBig&%!WqosBO~Vj|<$qQLTb z&cp0T-(-A8fYz3^n}=6~*pcxGq7`^|-14_F-dz8|GQ&rS%DUxJ!UAMcV$Q!KiHjer z=Yn*12@1S85zF^fgyLJ3Jszd4cVC@NCF6&LeHf6t_ulJ~#l!2Bz! zHXr*hi&uKXa0}Ub#L;imOQa;FS+dSbWI?RnGAAa1Fgtef+S80B{Q=ml{Bb|m3KGIF z$3BCS02b;_fgr_W5pa#*Ls*u}xjhtk7Y+1B`g$6BdB&YkD|`p~7odM~S6Dn(K^TYw zpN$DFuug%1b3Wi!i9ovUU!<~E+mIt6tsUm_2@_Ur7LO&g`hKn78oY%TJ5ylrivx6N#lF)0GhYk(Z)ncm>7p|3z;@=(q#tzR`WOf=SI81Z032A zGXE;YAq>$Ss+XoB_HmEa(jFCvlhW|eC1Nng2=nR6zrt6T{0U54JGJ0E5uiJm6^;9! 
ztO$YJMn%tL(4ZxgXCti7{;hiCvyb}3d;2|LcDX8{6{PMh$XkTmIwEt~xz|0L;fp_j zgg0(@e4*K3dOTJ#MU7G!5WW_%uVsQ)}8q8T{)1l}Fic+djx{}}yu z%TC;&iy_v(P+}#Sc~t#s`a4GrAv%{v5XvWfrkF{TYPqNgiQbSZJoD>1p_V!XgN*l4 zva<;`2jSDf|Im!9rtW*wcMbX#b$o{{^9qfrX& zZCtbKE;~~Zc}mFzc_I2{;mQ52_WLXa`#2HE#FFxDK9E70^L#1^AktFGKBfw^2@W^#>Lj0=<^c3lir5@d13ko;llcDBMt;IC6urnCyM;{hL5( zRls$>d~BG840`fk&1RoNUsnZ$_SQ3$5qtyAMUJRJT4fwGF6eD_e3Of2nnk=hFL2pp z?~?fl87e0_eB-4a+tq!BWL@>20ZnQ+N62S|$ceMk`-KUBynNy^sE71B{gH%+oNhdf zO6!`eZ)Q8Ug!(tcxQevkdEy}hAM-uq0M7GnSzsSmDvb&Rp>zobz)BH}a;*wAV5f^H;DRbD3 zoecDW7@hup*lACx0R#1wZx~4m#c&7)ZYVnQlOC>9hph!r5Majais!1POaDqJ5U-t7 zIN)t0Mj@V@>iWsHr$w)*V!sgU)`V-bjbPJrH z2m(wNZ5f*^Ga=jF>(xHtRKEEK8$yAz(wC~af4pE zV^}=MY&C(jRd2?j0(U28U7IznlV6PTRPn{uYT+m6=}-K(mDJ8H`s`Ja=4v}_)rQ1_ zLT{w@qZPJTU6vY!GnIV-kghX@wqFmW3V)0tjeP`M9cL141H!lfZqK)7=kE&}ySma= zu)iP_dAdo^499RX3B*9p z?nb&#nW&Xy^Qb(Qh5A&YOISB^4DXYJe4VC?Tn!{j)!EQsqV+A ze|n;^sjGkP@e!;76|Fs-4!?A&vo*s{}cR><++k!Ev2Zgat-Rf943v1lu|(~M=G5|=tX zN++ve#+`~fus?Zk!JdnF__l?MT&Vc{)CwP+o4DhMBIx{g6cp<}JklZth~H>n)$2e9 zB|TSyH@q){e+Fx}NA7vAuCI4Pc@0_(hqf*r_!)jk;(gK{J;C31xasRGhZBb)t_Nl4 z#~PBOg-8$#r$o3L=C)Yo^qXhhFpH-;ZaCLRn=TmVg)OJ?tWu@4>C)^@>d*w*aa?d}Qj>rBmkB-@HnZ$F5vA(;0- zM!fPX0rTd~oQFqhu-@ADKTCqxbU)`|c#$W^U4zpDx+_GDmtK_)^~3N;bK{w9FdL=_ z*!9QwVjtMeo1azQ=QWh-dzgjV1%kcO*rC><`G)3xBAVG1!PlQw3lj?hpWR<~jD@|v zoFEw}<7{%ukmb=}=g@zpWu_2l-6s)v!3wN-qy z0v~b!RUWYFVgNtK&hB9@}qCnGg0nJMa8Hpkt%DX%kHr5 zlFaU~kJ^M{hIo4=pxtmMsgy;aBlxK2xn(MV0N!9*pAYlXpN#XX5DtvVe$)UA+f#qeOQ>mAL z=~v-qoX#9)P~Z4~%Am$a9|2#-GADue#i0J-{`Zak z1n@plZ}FXvvbTE#9% z+VfT=?$!T=3gANoQM3F1QUlxvQ3KrnA2q$2Xt;}Z+HcN>?Szm_~qwVQK)ry-d89X1iIzIyy?m$ zXl|weRJ|ltvT0^oy56?ZW>7x2D{*6jloj#MFt4O z7P7;Wohn?~hqHH)8y;X2Tx{$Wp_FN7s2Bi+T%B_IgI^d_pmCY&Al!dRH3$2!P!i~U zMQEa#u4Kny~$#dAOZ3gW@Rn-Yg_ucpV z3ddk|7YeWCO%{r>sC}gYt)wI!!aw=!x*4dQMAScr|63C@sdAreKoGp4Xc?^5Ytk4* zXCk&M2E3|zx~2I(Iy#^94YK-A>7wJ%!S7MaNzK-Gf9m}@Jm|B^>%VIz7tr+E2|_+_ z&^*w<$j+jg3zkp)E!G@PISFfQ@(_Q`t{R5%2mLCQQ?hLVUqQST3{6c<3f4sVyWFN> 
zbfrk%zaNLc7V=7+(w_!&aq-TVxVlPBqEd8_w4`-pBZMlMghU!JWmco4=BHqYfoT$= zGD0+XMLXFMigpz6rc&hDkI2O3SrKs5dYI=$Uks)O)S9RqB+^T?w`C_q>e#34wAwt> z@^VZ|vf}-m8JBR$9orxUrA7BGKc*Fiq-O*LMW1=q8<@}1g64EIje<9ZVUi}bv`&8K zYR8Nh%wtLM27NmX^iQq}zz4kErh!CCihEf$hF!jcakbuewr7i%{$${6Vpk-!G=R)2 zN~kUw_=NI=aA)ircs(+u_vIUBh5rZ+IX_2XPy`@w?QG>#!yM5LB*%k`9#SD8*hm47 z7H`u_lJU{k-`cX4F-I?PMQ2}5EVs8iABsc)c_|SlRt;JwSEvcT`J9WbN-o&6wzODD z&@0P~-u^Bvg}@xNk;V{Q8CzZTl7W3={Cs+M-D>eUjP|Dg(HBH~Q`ktiya|3gXcZe? zoCbc6!HLP(7iS{kFK9`LMyqE-bx6%-k+%-_Yr!5TS%xC72xK||lb!S<52ox5$byyS z@j*64Mm58Amv5{=@rm*5sjWq8c6aB@dXuL+zFAU08;36s{wGe&JqJpkdSR0gqK=^~ zRSQR}8j+J}ns2t|U%WgC)H{-H?kuNLcz)vY!C9D`_|BTPu3Q@wCV_6%@dpORhR@;~ zE0!a?gi*YTKfOn&1o~LqRFCerM%-^i8hRIo!>N@JxU5#05e^4bV;=qS33WGQ$k9Q@ z-+651uqCDuz+lPJof+HOx)$I+J&NT{=)U)r3m~~USKVf$((Y2+$;xwE%T+N6m@zoE zdn|&}*#wF$&dLUf`H0Skgafk zPq>Mtv+7mQ=Xj8#IxGQU#nO!G9cAZj9!=jHR6OTR(`~teTv?8o6_bgdSw8~h#L4ue zL>w1SP#hi{^t$J*EP?^kz~^V9c4O=dP@JLr*YTKl8rYkHgPa2SAZfabOn3{G46@uC zJ08@5?HX<6r1wzPixG284W@xM?`({nezXvr_1V%Zq2b@lcj>Tw9oeC)DO2)l?C21U z?5_t}D;bws9;xKHgmpiH#;7+Qd)suQ;2Noj9`<=jrKn*5YfF%jf%S-*E*9~Qw_ zf$6LOSxS&MBHi`h4v)G@&#Wd@8W{GFFR?%>h4RgD=mGXc&$VA$*jEC6L#U2?keVa- zIh)+@B_)X!&IS=1i?aKwUrbz4;ul|?>%^UsxDK#q5qag<6cQblcyU>n_$xnMu8DoK z@l(x(5csW^@v}UAV$!A;!XODbmEYEp?{zmT^93H;k$u^Pb7q1VS>mVXtma^>BKMcB zCjQeW5MF{bTfP=sg+zU5G04Ay87_LOGS9MR5++i@gaMY5;_5atVOw)$vp)7{%~29} zO1*C*n|58y>8`u58}`%a->F>)0C*4rTg%-)&u<5R&z+T^k%n8HlnfH#2#|*RJeqm4 z($hP*)QuON!8$QHKW+5_d+vT6FGx=s5Yg5 zO}4h-4hQf7{e^ou&}R%naa4hEg@GG5#PqFK%&+YKMtb2!p}uv1wzKv zHms$j38Gz>fsGXCFr2Lm_p$AvA=k`hoVh>F+^{@oWX%t?mvtI#_LLm%*N+sxLfq04 zkT9c9Ta2$-pW9V5jriC{A{aUcK&p=2H|rD@9_po@DLA-LZ~|!^-f2j~>S~)JujeJ9 zIL0+upc~Iw!BfKM=b!v;RP-qcFIEHv^0wREg;(ZJz(U8?d44ZH;dU=1B|E;_{G)${ z#6PI?^Yi28-4h~cRx2@VsRiPMH>-WXzwMWfz{MRFc;CF+@?z@u+EB5sA~mmoyaVm` zkBh(n!sl6~orj$x*8YD2cef=+?c`5$yBk#|dz(C}5=uy~6AP96TH_o%{KQBI4%|zl zfm@S4*2PvJ@3sbB?1Aj8rSY=!rrd~b$tI@#i(~7j;RA!#O2KOZ*>&;Br*$I1H!rm8 z1)*5a$wNfZd6K}lmfSPGN|p9%1onC21x#(w455#urQGrxcmFZ=-sQ%`!i2x+TnGcM 
zG1mLZ{}dnGek6$Q4ORTOG#Z5N?-kO=P-(W9n9Ke1#BoxUjaxFx?sR$=g#Gvl3A1CL zLoRkV$KQop-V6$yLsx!VUHp)GfW*2U>Q{64H&kAyJcpbplo$c&AEP58r!jF_9>~YX zcTI>S_1V01JF&5=>RohY^z@cY@t68XrGN=IYn|n(Om%iWZ~3+eoI<6TUPN-d{cweF^{c_%@wDa2uSXdkagFXIoZYvtHM)p7+7Jw^ic z1vONy$H!B3`olVv>ZnGn25Z*+&;?bjkT#Jt0n5xV{_T%gx~}4P086O=RP|^)6x#jQ zZiFlkFKD3H3Ax6(JU(R~V}KJGkmAjp=tWk#FbU5%d9gHW2-Z{RxJJg8N4G6aJkl6H zyMrXXKh&J+2y8LkS!|^Om(?II_U{^l91Oc#%ls|mw_FI||3H3WEkbJzX`!eWS7y0k0n5<8RX?lv^G@1NW$BixGhZE3sI9qY3DKu?iFq+Xm-6cQL@%y7|eqzwY# zzL7-*F?CT7irm>)tUD;Oc6IrU(;kaSu9Kmbah(R7z>YNTJhllY845bSNR(WP3JA~= zP2RXl<)J+7D3=d)i+T{*iY?bNn{|*3NE)&P=CukzjHH<%rFbsUh)am_$B8_8Sqp4z zfYY@KzX~@xcI4bcbc4LYn3UxYg^xyY>>J*$?ViojPRN>-CTo|G`7>rIz`tr5&qd_KRM?%Ne<~*SbvE=`& z-+7p>j$io=ScQsOGm{u#Dv_TK1sQOC%TpL!zG6r1v%+%D*a%Lo2uG-<(OhIq9520bwMwGD;4J zdx0^dZwdKPVBeazdroN;s|gS}$yY35o%o^LkEP-d+z9H6NHbX;k-vz&fy6}bibYk= z&gZ^Q_D?|X#^*bW?tehvo4d#JP2e#rQMe#@_F`0#6yDIh2(OzJfnbFgYWDs7i6x@h z_MZT!o2#K&!gE^>|KqdXKiy_sMR)A)?G6Wr+syo=w7>Qa=E7i4qi}P20+8($$8N62 zqR%Z|BA;CTpm>)YABW^BMItl`$-f{LDc0cst6L2cf*~gYQ%>f6>ENDjxZI)lIguhJ zkgopGPc6~u@y$Z%a$SeZ+pe^QhdR^VWp3OSbDMn?0Wn;-UsHNMkyw8x(+o?W4U?Lo zp@~wDLaZ206n=q-Y=e7?BWn^6`f{?Hfy z$`;`lmL~{Jl~(XNB+GA$BFm*jqKo1dpI<44-~C|yIlC&%~Ao=$;|MG*&ZHWxaR`Ynz5#J$4T zi3y{j_sxX~qhr!e-Mz+RV^+OatR3b=L`c$~OIMYFT5irkmfZOyD@601U9B(=f-T0r zB0GN|yPg!kBK%YB+5x%UkE=rMt#b~SuKMqPh5F_$xyHX}&?Jg#L@pDsQxHSA1}Q~> z*T7F;QPi&}YaFQex6DZuDxK9KkgRfzFbkY*X3=H@) zimk+zW!=)D##O??1R8aB#q6E%p9}$D9!P}7SACjBVZ3W|3dDA6@pUC*?Vx?M3y->o zGVIRzDzAok->!YBUY!I6LO z{qVX;95<@EuM~K@TrMSBMh*=SwWbnO)x>LQC(y((4!FOfQ7>kM5VDJ|9_S7KjwRC> zZugUEiXEj0rO@#ckIMP62yN$n_6cVr1qu@;NJ|gxpZ;^^`hJxkFTEsencBRxlzPhn zqtzgX$K0q)O}#YXCctAszUV57=-Jcauyb!XbNaE>%qZC~kY2F#tyvH9UavDdUbua? 
zdF$K*xv214!+0|msj|{3)iChNcFu7 z7oK{eI?ggd2~2?#^POtVXe}yEK1x-+OX2uYA^76jxNLN!!<3B8cUngBGK*4~@3ctP z132DtHOqdd*#dkt6r4tlecky}G8vz|uCA-M4IjjFIy^@%(1BGI{)px_M98yL`i z2>iYOhjfWYjk7?g2K+laVu{K3FQQR50iI zWL8Y5n-$PPdTuJunBm^#&6#|B=t5!A=wFSf3I4&a)96DktrLVB(qy2-KoFjZg)D2s z(oawTG2I%^qECcaQmRe?eN!Id8TzTJVfg3EGzl^2B*ec3*qrk45@@tzR{M1`cmCee zM8x-cUHJ_KSQ>Foo<&f1rWCP%zw70}MfCZ5y7r`)zQB>c{<_L%99&LN0IGCn{RY}s z^i5ZzZ>D!xw5Q_2bROO4AC1_aqL4F^1x^}w{k7|NVt}(BI{gH;74}t9iNIC*az&|$ zq_0e=z{f~*)`43%hp=;U#Q@XC_X*$b^cUa+F*>4HS-H-Wz;q&0yyrsUGm`^*82vAT1ordH?0d;$-eng`WA>ZR zmuI6{df~9IwT7L@hvf4>e*RqjG+^XccWr(^4X}3K=5>b=*nJq-{&AfF{M>upx!GLw z+s9VigNQsk*^1LoZLm#%Sz34nk$j2r480$n;`qtUW;?@Pks_~i0QJ{GR3NXB04IV9 z6+@ze0)|yV{ZCM`Y{}=_>48@kr)mz(7{AjR%HWKVsOm6UbkpCLz9D9KrF4hR8%CTy za2!QO>Mu0cy()Jm+uLl%?}X+ynN)k}sYo?DVY-$k!htt@?Vm~yBa8LLs`zvA0H&VK ze&zDdl7R=vYo6U=%xxoC^xpOHaqQ@Qy=}I^bRbgu1Hk~h4MacLuY!aCQtk$29`M+t zi{d;#?d~o%HzF~8?oeJnxDR>$hNF_DpB?tGH}kS59GC(E8j3ujv%q14+ZB4SH?1-- z*%LM>REob|;EQ~%#r9-(MxvKyr1C9bL~JY) zh5WCCs+wy8@oM1NqL^xa+9PgxB&%XcDGJh@v{nn3neXo}rTR7PlUm!X^+5AzO8HWr z8PC5Qp&W{3{jHBe??mmymbo7vxhHjX#`W%-JJxPip$atwVat|bw5Pb ztZFqa$xSMr8=ut=K94Jo>*ZXjM4OO#*muaado=As-WLyA)THYJ!VRS>&sA#VR|-{T z%FpKN$i|-6dmR3Jux^?!ycOfFsdb%dwhz|%%wWSn!*RQ|{p zvp!5jV`{voKK&v2=AM#;uao7HU!Pa~yy2|D&5~Tro8V17UPX(6bNcG|>oN(k>`4$Q zNrhgHa|z~@)2IVZe22|4+A`;9O?|C{Q^74hqM$BYH8skAhu7xEMH7FZHe*2@?`D|^ zUSBW^Rp<>xKA(HyK_N!R#{RAw*Shee{bcF&Xy}et1p?|%BnKE}Q)e$7@szYz-Zlpy z&X5Ek|F~qt(Vl|=2}1|+dY~233diTA+iVMd|EE}?_qZZtvw)gvIj$`19Q)t8hUg_H zc9RzZF90@vQ%QOkagY|_G^W&ES38NYdunGdB4&+A81lqtJA+yqE^NA9C!SQYkH4N zXL}}+EbeDyb87~|mvfN!H6F*i+nob=FJq>5|G4|Ehnc{KEOl8@P3%y6IAOoGkwT`N zL$j-HI2cDgyujmFl!GGB_B`+!b5T`==$llP6tRXgiaDVHc#uxSPG?DJUS-H1!57`g@Aa4bVvN>jfROdTx5%S#r(xmNU&_Ag&4_^mb6MXS%P z4*J^d<`0;qrZ46Bb9K$KExukH`0)@WW{C!GFqb-XQ8HT!EX5rnmbGP^6(*OxnWOd} z;_}CO{O+qc9fzV^4nKZsRhuqd&Xc5u^S>`E*@|Uqa+J+r26|Mt5dID!$lxvpRx-Q^ 
zE84w=sE^9ToD{J-v(dlN+OqO5lrs!8g{iUYV6#$2&F-G}pNw9xOYN3qo!O$1&Mg8TKy*TD0-6sW^(k8;uh0=5t!JW%U4L`8`Ro!P>}PsRGt?|?haZj}94WRY>~&{b;>-3PRdB)vVn%HK`2$@jc&r+vTX|Ga#z z{d{&8$T6cJDKqT2?0>V@xi=)qgd4)FKmRnWBF6|fUNe@Uq z`*}K^R7su=_tZf+m5sV{d @s9kwgt~K5K~3lXOG8`aCTM)$>-eRZEY-B#AoH0I zuvEsIUoxB#g+IOJ^}AsLl4}1@EUuT?OxI_dbug;*x5S>Uns=F6f>%k^I9;c$lAKVW z*;l=VmK$yAS-A}^7U58c+LT|QR#KXla~}kvFsZVAyyxb=2>p5|_u9mQm}_wR_BnfG zsgU>J(Ytm2bL`EcIcbMAZ|gE) zcN&7e->x8B&>ow#qhV6^kG){Hrx0wXs-wNDM$0_-JcIF%xkk9-ziQYFxOqOb1*ps9085nGWG|*Vp zCg#P`4Q>w*(A_*aaTCbjatUdqd_Q(tA&EQJ5kl6Hk&?H9rJcw6eutbX&HZIt^;J|o zyWe>oT+n#QG1Vj;SqjnE8xt2y5b%skKbVBfWHu(11a~6x%Ja~P5S~ky{pXtTD@vR) zhbOH#Mt%u%aYR()JI)$QBp1_64t_zulps2MXOWF@ocfNtkIa$!T;{Zjm^ch6R&TPH zX^R_8X}P>h+Jd{N)CLrA9R zxXfyequ}>bJUmh(&y-ADYBdrt#ommx-isFs>-7+ONe%nzmvpaXl6@)5%=C$g>bZz{I*oxQDh#T``Yd~R*hMe*W`@&)mcmkr zCT~|vnb`crEziY zybUD#e?rm_^mWXzs9?RRaZ!NoTzLwS@26>?XLY2&8bRiHg0%+|xK#a@M#v%ia54{i z=kImVsBcIy95tty+BKksbOEXnp%G#4;5zcTp@XshMUI6JeEBo1wehEt%A|r)F%P^- zv;yEKSp?Fu`GyEwxuWVOK^qdsKu7T1@7(G#t8DH87{5@^8-^@)IY{Gw*w##p2h05? zNMd#UHkf|!CnyR5a%F?kzRfQJE}xoAO(()e&7k(%Rv32Jw@x_?86wWmD{}%LXypFH z)RKYO4w(-dNjymoV+P?Hc@$s7B9y712XOr3EKG|t1maf(e66cRh91HfR8QS{Y?1BY z@NS%EHslLJofH1?-D{E!r;Lz4;&3#6j|ws}0t|xqQAM`{p<|E;$&qX<-ZVjz;=COK z8j;hX2X6g3iTkk>4$u#u5=i0c%=5K$9b}Dt^Y!1cYyR^K0qDBffhH6^d%)xL} zOU<-N6a7jVDk1$9M(G^N(;$2#N8zb59$U*^%2RZjA1cDz()vn0v&=x)dD^!<42TEC z{4eziXOlc|?fsN*VI%DiJf;xGn!~OcayI7*22$Sa7`O6|aWV9ZUOWRa_xpYMKZ(MD z0Kk<~`^&Yv0OMEpNML`dsU59ADcdpJ_2^S?J_ z^+qnJUaaUsB@T# zPqEsjg|;FDyP}SLS4cX3e#X7>3!lFt%d)AqHLcfz=TLl;3NaoKVkJD-{UvTCU%D)& zMa*yB3VvbjT}tI4{4SVmvjgX|w5Oq;S6#HusHD-5vMNaqu6XN%Cd>T=u>`7ZIM5U@Mf>e7E+G6X_!gen!x-Y= zC&tOM4?+NZE^)#ghn|8_>_qBXR1!O*TLTznR13qS*7O$^i?6KR%j^3sNn~XVSa>}6 zV2(&2Bg&yIVhklFrMT9@t?Y6fu4lMpecWkP-nhF<43%6Y6esHp8B%_kvIGqRt{VL% z6OUJsmywB(hJ0o?*lzTFUresQ!%ZPUd+OkiN-)Y>VKUrgJp^y^d~!X^S@o_tA6}Zg mChgKW^k{MHuQJo0n-%_`&+6+3H|S+}z}uk>60lN8u>S*xf4&s} 
diff --git a/istio/helm/istio/charts/istiod-1.20.1.tgz b/istio/helm/istio/charts/istiod-1.20.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..0a2f9414528098b1e729db5cbabf61f5d7f34559 GIT binary patch literal 28942 zcmV)NK)1giiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMYcciT3$IC}opr@&9nS&h3a$#R^eqx0)oSCyTNX8h2yl=jS> z)2l!vB%vk=764^y+KF_-N%4uk)A z{AYiEfB((lA^f|)zhC@!|8T$iAKk;(uMXdI4_|j*{l|Xy;PB1s|3Ld+0G85|2#NWB z?0U4`C9Qi0DVu`M( zPt-P_(?z4PvxAP(B4Z*YjTWK-^?MD3a3Y!Ta6pbDJPU~5Ly{-N{cuXv_RGD&*FE&w zee)Ap;uU4Qhi*PK5aJ{bsD}qEiKMQ}SrE`@af+|U315&N>hACVXYT!n2(K^=6c9ah z@cKU+4TP4-tcRM-20{`q%wH?aDOSxko2tkT8sG@c2*PNd1c9p3p&?$7p2Uj=Li%q6 z<5lf&?2$1JW7VsoD*L*T3u0&z%qd19#6h5IAsPvZg8;^rQZ9tl&)*Xwr1^!A7biXR zdVfDOze5r-zV4xe{lgzlsqSb@B$5n$lS2$4MYRsxOHkNG=KT^*a=E zHm3nWbdJ&qYBvxP#Pe7fkMw7lc<7+-`&3bX8~~-qG$I^fzDPn6Nzp)vTuY7z_EVoP zL=XM*S5=urE8C753XDQxz96!{A{;Ns2T23^FRTxjANETfu2_(S z04*u(8%9@`TH1sxEKnB z0~=t;_6GDpg#z4H5DJBTOM)~SBQ`f=BH=J63O1;x%3vXwN3jA3`#vW^s1fM$W2nEU zkTPO&Nu!18Ma0CTb4vWQ4U5F5gOMtLg-Al;E709`G^UAUrdXF5@zc#{S0E0O1&y2q znJfvKvmjtsrfWOEfQD3}CA&faixz4lQ=fR4!}865Dn`VU7DR@yp6WIlN;Ja(juZ`G zi9`XzKEfVnLb!AQzGFR$9upF=xmjF~6D$-sVl5<5d{@FFHPlN&VjR$wqMKvFSA-8V z6qH4MMVwykhovnL;28;E2jDmk)^;oSBo5eGZDrMR_Uij97dz9E6>p!2ZHQb45b0=3cJv{0(v=H+gH1YaaDx3 zL=wjVCBAJn#e!2Dn`7s;Szr->9Wx&VWJLm?)**|iWL!Sg5~qnBCTNp)gH~ z8YeNJi=i=NO(qmd+4{t9qcI^Vr+S&p2#<&)LNUrd^F+sEkw;=FI)=)KRz&0#MdEg`XY+1at*)xi|M!yygUBNk9^Z4Ni{l3LU^*gK4V0|NI8nJpQ+?3IX;nv^*u zfsZ^K1Zu|yS9mRSJxd;8b|SJOyzu^NNxh{eMYDYB1*PdR^6G z733*p29zftlL(i{%u|9yBczV8Na0zGJtFp?Vv5`8{#KQ;Qo2CX4%Rf>^Qi#&r|IAa zw09oCxkD6pOgW3xX^X@X7GjB4M5Bd<6gV6G=ULj}Piw>8_w>=J$9J0KXae)RgqywZ zQeA2&KM<9ONwma~A7~!Y%;X-z0_qGwy;G`51!8IpJkbMEXH|hn;0T?M`h}{BTBPvg z+Xf1zp;-|`<#z%p{w5+qbQBX!)nAGoo)LjKx#Cnx5?RU)%!r;gB?%4ZXN35~|EQbg zL?}jrM%D8$BdRh_B7_&1Mj#et`z=go6(+O|G8>In%!AkVtUXg3x&a>*Y@{E@f1ON5 zBL%R_iA+csgC@+-PoWq}B7tvCgk+(EnKCU43u^dH#g`T)8=6wmXG*-%s&?ZpNf59e 
z`osKGlBC2wmbjO`L54SS-=r0<7!Q1xHbzKD%wgU!P`h-OeAFXor-y6?jBf3tvmy4X zmPm_bJ7#54+(~RQsWA?yda;e1oYzL%J8$?sv6D30LID$T=-#;Q2>orwu zp*kk1M3R+6w`>{$Dx~h;!RIH#Vgt`4Th)Iy&7?Hbg%n*zx%eMyG;3( zr9x|i(2A&XGFMcW0ZM9dgeOs?cb67CgG5Ne{|oTnDWxis$Rp}>Fie8g8|Z4z5Nsta zHYnMaU^u^0r2cSml4%m|J6$oBOFc!fueW!vXYqVRIHx`VRSFjBP+e(tpJD>`G;?NW z*-T=`Ohrdeb|)gTV`Q%bcPt|;mp#-pwVDk{0umC*fr%mo)#vI!Yb5l-o+Uwmem+GW z7U~GTYMXCBzi=Q}%BEQSR;5h7MssD!m%l56^KeW_d#JK(AAQ_-j=p~^b48w zg&^TfALfdi((-SyTQsMEB)n}}y}}|)wY!=H$#

(U`MPb(jcsR7hdkKpAhNzzhwx(&KRt*a34o2wtlC9FR1_!vN{KgY!-fm7Fd!iyf*qm{m^K} zlE^p6pZmlTS@~@TfvoRyx+2`pqSe4?7@Pv7>2n8XG#UAqnYJVU-l{RpTcDURCu;Wn zwgn*Ny3{J^!yH(+h#@kc6VEb}if7ckGZpG%z@mj3h88(BpQ|3jHJ_WgD6UOmu2GD+ z6lg(L1cXv8?8>NkigbnJPyl_nNDO-(pq5Jc?n0u zuU3f7kp@C7ztCzp2Vpemy2J@v7>;%u76H4!iJy3SW}_sW5e|}60?o{m0Q%ZX&-{Qb z&=rk*c7=R9@l>Sk32npZ9-t*lxM*kS`U_M#GIe^WdHCvJe_u2kJLrO}s4y6%8o&a5 zXRN#586A;gL==ixy^uAxXz5LB!;LXU%~Y5KlEwkaTeL;H!A)2C^m4kEcwy8t0mVWa z7=~q|II<0hw5bWUW)giUXv;baV=Sr0;C6#uMTBcLh3+>bVyTb2RDQ68uE5^Tp)D4X zNQyl~BQHomS25IDNi{KAV8sh1e$I@!t+7o}mU06f-I@8UfNHP0IEa_H+tEyS5M;I` zv++eEgFZVWM=9MuC1A$WvXWNdX};=%)xw7>{}uTX!bVzKcBXlZ3R)I6a=i&lio zmY|DBG5U%P3KTJD;#e`wq=~Q=xC}33oEkJ6fH(_C$}*~k#=0HLV76>YDnvrKXhUZq zj_`u;OlRTY2Fg{}y1*TKb}13cr-CP%NX`;}L1f10xX5HV{LDyU8WIU7mDrb|0^sU` zV?V(`utrI&{?;ckCt%Xmq}Xc8n17T4^%KC<+rWWn&eLe?F(=V?5;!_FI6onp`}7jd z6}nZls|_tyOQPBfY1GdQxLu>lSFdS^11nq^lPU2tTdLLWQ;jzY88f?vK!Sn%1mIlpkk?)&S%~w z;ZQY+e8SOpu$#V9>>?-`Ob;uN*L`!i#avAhCx}I8;i*k%E&sZ`bXVp@c)X~D4;%%I zvydwPvvwD-M+y`)W_AtEKqGmu&bS)|O%MIkC$nU+r}nwpoJ5FUtK1L9MwhEwj+L;W z4H=57w#Z}&Hljl9G=l)`+=ynW4~2HVGJ{G{yRS6|L@{^6`5BWVPJ}T8LeWtY1dcUH z+w1IyG4VK&BBl4n(AD=mmPB$7gnQr#OgXE6!y(C(r`Bky#7@ zVM?fp6A1`nodwgS0d|x|=r^Gq1wt$x>ey-pY%#@R3ZJdN2{7n6drJDL0Sseb{7ooE z%>iS;!VtFvQJlWojBtV^A&Loa36I4jweV{BfXx-7B>?-R9m1YPUrx@t#ced_E%r&^PtQG3p|H+Gz{i8p(A`J>biw%;qqEb`0vo)08SwBsFk%mTvncX)oFeYoG}bdhK~5JQ86}nK10_+4sjb^F{L0_c#Y6x74cH8@!@Ohl5qf}lo zG~$$TD%XPmi=4Qug~^tgo|ea{RLh}IN6)|h9x-n&tNJ!HT$`-E z(>(8Yo9wnmZIwu-&zqi=No|vZ{)fr%{H%wDuo^T}tT;9tgqD@H87>ISv@g@(2H`qX zXqMHWz!4A+jhdz-yLU8QX{YSBwpCDpnx;fMU>**d8uDCwywIAVSNBdcs6oZC~ujsJaECecQ>7P^k}s)O)HKu*Hcg+srWv27KGxi7C`W z&5#POM>uCZg?~8LZAauPSZAhO3!9@b_5hWVFwVI?SoU(jI5|o}mz4ll6)mep3ved& za4Zwh#Rcq2i65qvAw!PfiqHk|DF=IJqy#l^!y-OXI3jw;d0H(^4aiVy?nkP`kIf(U z_kP&_VZW(iye^e6?so`P)b63?_s#qe$o3Ib>*FLAm!cy%p3kXgR8ERIc64j)r3`}| zPwO^Y5$?Y=!|zuIr_xA!~UH+$;Wf&JAqwY6^) zOr{-#8Iyreds;G~3GQ%&bnAPt|MV$r4IpV1Xw-BtGqa+F6^A0^W;uiT`~1>mA9BlL 
z?F{)fGnL984J;=Q+J~m{@pY_mEz_0tbQHlKpda`{@zj4@VII+F@ds?DKkU)+2b<3u zMl)`9ohfKQ)BDZZWA>2aFy%;0*{)NPAq~hv?MdTzHDHk>*VZa$KNmLMq)P2iR|L&5 zRi~8k)X_d|h-#x9_}Qe+JgQ{EjYTtk{Z7A~EIAQN7Wh4M==Mn?Dk%<-PXfG#*)Mqq z(MS!2MZPFBJ=ArNRMoLA(L?)g>oMVqVV@CsMZix!-*ln95tL3_>b|y39UBvjj-}Cm zW9=`K#Ja7vV-8kqHz+hs0ZBu(FTnDeTG)&=e@2j`nYN(-p`-QF8f!y>fk}e`neo+f zDV%72&FC-yD`0ki+!uR#LVoPN7JKu;!u)ucGh6EuRivytRnh{#1f3-I*NBE8@hO%h zSi4SX?wn{7oIo$NdRs}#7G&V;@Brtf8D`-?+Fq<+F>M&57eg7aO9adqh@fJuqw;Ew|9;ps`=wCFxq|qJ< z=wc~_B=H{dvBW-G?3JytJDJGk+Wt+`ERkx~(fh$@56C@`8pEod=adWSyww4cGPQ^mYZ*U$B9>@)ghGNNVSWL< zom0XgDlp^al8F8eZc}n;)f}LrzgiL#3K9~rv?e>?fv_jFDG00}ux#2;pg9-q?)iHH z=3vRtOgE!N`e5BjB6X4oZT*Md%i%pZT3fWpNSm56Kr!q58NrMi_#g;Hvq`CO!%T$n zlxV?k;)?vBM@FgRB*KdYCkrsqD7qODwHJ(yFkgK}(46=tu28ZCNwK$Oy`yY76Dp8e z4z-oV1S*2LIEVgr+v5mfKco>AQX2vYh;7z&JDni`IIUI8isfCSnc^MwTv-(>%w(d3 z;yq2p4F;rYC^ZjeCO1r?j-wLb#G*I9CIA|9a9)e6n%XmFGW*IH8DEAt(!L*R>m`!y z<`3VD-%T}N7NNC!vY8xmO~D$NcJSSAj7H)+gv&~04GuMNYM{pk%tRqw*d^2oYjUO6 zWq8y^N1#>|)|jHpQWl}fPe)pJPoXAKk`*y#2k_2f$oQ|S*3~%l@*bg>3E489 zUu}2Y(->A*{Y*=5j|r@&!P;P8L^ft12g4EA3&4`WERPAH z4QMbtx%4ow8u9=P)-9(7NS_d?c5gB?}$&k^y?E_Eu|P z{nLz1-$cul=HdY6LLUNVKCGAdMwnnPs;zIsX-!4TfHUiyq>gyk{-)=Q|N2%Q@e489$}G1yLCDn3QK@iFZGq$BBh2^P7Ib#Qgr>t@fS-Z*1EQDU1eTWCO^ zXH+5~3)IP>iI!;YW_v|#voo_BtS_KNzbyD9UD@na3x+(PzLK`Oe>rG(-~7&!k$ zW?xVTK1O1R!HbYFsbry)ZidV!f$B@mUm*m=4gVOY9a@>BKuGL}j2RS;Uwu^QFu){2 z`iRtld?_OfQ5?k(IXe%`oS4Ddczws5T~i`lGn;FS+(8D#vXc#X5B&~6vvBHz2uWsO zQe!dvl6CVE8S`R}M#IU6I5wU{*>T)%q?>co@$HDg_TbZUQpu$^Od?~}uatFc<+8Ms zA*>N}wAj_u&GZElih+#-Ea!}enyXD?a~*6~%&5Yv{%B}Ir5%r#Ea0z!v?@n!vylNR zP2AQ%NcgE`PMscq`(=V8yCmQehQ>!4S;0jp@l9}8rl2BafqyG3_gui-D)QF{52m zry@+fY@8r}9HhaAXwaXIF3x`*9vxroYDH0=L^;uI5Rz#e(`mHmtPZkx zUNx$}j`~?b9_yI_x`GHR;RG)T=zR8I6PI|K*;+?Hx1IEBG+L|<`lF!@$CzPZf?VI( ztdE|wZA+Hw&C`64pyc8DEK`-!cn{cBn&J&Ej)WT>(36|3X`^w6PVb4o!Fv_V5Ll8hQ@WE$q8RWVn3E}1io0{`$MF*yA$7d^M@=dI7e%4 z@B8f#Z1V29dtK|%)46*UZBA*CXwJB&oylOR7i2|=_V%@LJ=oeXvnVICmSPVLem*v8 
zAe+KWoi+(aOU!)&Qo|xigXM1l%{JRfdupYxZmA!Ut9#A^i$!Nfglt*$tXsdK*q?dA z;SBSc2XQC%7%PX(qAM~JRFX#H=BB0a)+ez*y&sWJJ-v=iZJ23W*SCpYZf(P8qGlE{ zyP-&~6_?@7SI&LO)d7_ZmFtt4kqYt^%b#<#HNFg%#JhZlX>cBsC||#-K&}OS5KnZZ zRlaWiQ@&r$uGj4}X#E`o59MnYKW?p01G1^M`czTZW06)l7T3vee0JiUVim1Gu7SSo z%Sd(G+N-W`*Otwc`c?CMe6N;IiR9E1cZIl6yrR{ZGs!#_91*D{_z4XOOA3p+u~bEi zOBVS3EcW3;Bxx{GU&e|&i)}F9R#o?=^Sl~;UcNc=(u{Wxl|K#AfTdIBlf5+8cA->& zMPb8+G7!!>Dv~@Rg!dD2H&>of4QJ)ifbI_XocK|ZLeR)KfkUJnIOwZB zUJl2T;raCRc+#I9osFl1{%G>y;&`{&`1DEfEXLTX_?A8Nf)nt^Pz;RbWK5yX_Yk8J zkZY}M0aa?kjYEsnd6XgZD2=qDF$sc}z;l8m$J!kQ1@w}jmoKe&q33Tm$GD*HJEq4M zoB$ss;{d&kIgKQ0-rO|NOHN{fC3-2q$lYu=0aEk_3P`kznlGEX2sLdVx;zX?m2B>s z;=8E1`{`427rijuIg%0d+*IEizw|H8hG*}4=;lV%`s4S6N%HBFw)WaYNjjt2&5fPB ztdz}`!BbQNlZ9j0@2KSH_3OVB%2<`3`C`kjB zczgr_6`|(Cb7}2?R<_Zp{gk1(F}a(-+Qn$F)q6%H?lvxIH;SrTfvnj&>~K@bxMRm$~sRg+z*O<9MNl`d6;>5tTJ!DhZ_rj?CT zvrWE|2i~47JwdVf|p&hA!6dGafkT&LSNb@ zay?b!2tpx^?o^&ex;*@vz+GY&WNv5L!JRl3omCg!Yn;i_hrr7(gC6G0R`9ftxsuIH zcrHTHIs<7ayf`txH{Xs{niDTh+M9|iU|Ow~K2icfoPGFGkPvQ+3S-5?HUIm^Zu{U> zYrl!w103t@xs-_Z-;)_Jv)O)6rTKGr>lV%Rw|yrcxNJ|osq0Psr{C0BG_!8P*{WT&Xp`r52c{Zu?9 z{@>`7IeR<_U_1Y>FZ(U<|8L*Esrmn>cy4aci_jDO(eOQINsM|wBE}2*pG2$n>0mtV zkA~Ct7v~>FsOg#?+SjeiA4Hq7X7SYLGwdnqu~Y}U_Egs;6%E()+k{zMuz+kl=UWa= z-hrs!fu^^<#3|2{z+P2TidAs(Q^FyFV+!*Pm(E~6q(Z@HB5d55f(vNe#2VeEOSs3(T;<#x#X&xVKAX&ur zV+_S!py>D@o0d#iUC356TA;zj5sC>npz4eOGfwa&Vu4RMGIt1wG=*n+Sq_Gz#kNI<`J9V*Tac{xG=Y#@e43qni_X{Q=a=W zvmoYPb~-~6>vU{Q=lz$5_3=M>ia z@)^!YikK$2q4_iN5a`Z^u~zG19(=d78o@^?BPojVYg6n4+qo=OIMZ zOIAT1_E1yj%T#~)Bp{MBQF&=m)5chkNODSqF7yooX69U#)seo5WGx@uiZZ`dpcVRh zJ$tWfk>thHL4?huPUkZ{qNjl;oEqV%1sGpNQmQ7cNs~!8`I%jt21Lv zD&8m7t{pE}NOPf&;vM4-*Q+>gZ9_6qn8?tIrrN9#X=a+cO2+*7eW} zt})9xL>A*OZv{)6k;|v98^^a{HH|W(g>t2Jtf-AdY~H0%M_pn*U@IQj9>xEhe6 zY*__|NZ`T^?IwCxc!0t<>BDWzZGSYZm=lM}rSh=CHIowIPDJqgJ2TW@rt`<)Q7iUd zylI2o3qn(P!*P`D?+O;t?Db!5{6Dc#+WGAFI-!KlBD&Z^F%yE$Adt!M9FSAOUIYRe zo$hwhm`iZ(xW3trP#~TT#x~}fTtl>WE*PlLdr_hD=~Fd4PJ2bLHZ$KPPJ0WiI^p`` 
z!K&N4>l9iow4*C}DcM*%qn1z6(eUJaGCe-)|8#OZeczuP|I+^l=(~=NM0n^C;vHBq5`$pQN;j^tah`gxtqkB;0= zKl}{GH)8k~!S8!w_cQf#D4+jUC)WDy>QX$43&1Vse|P`zb>aMf^Xjm+|3Ar7=_#aE z{z6~8$B(Zi#}|yrLBB{@Gx}+7daNLu&?4Yci>Rhr9tJ7;YdY`!xt;aw{KIs&V-i-l zkZoGwYIWk*M$-EEV$Wv!|5WiG-R|pB{-@Wk-q!ISPx7c;ZiC1|B92?!&ZsCQBDlI<7Gyrt>+m|I7k5>*#BzJ2so2=!{3hckhl{!=rZS z?;Lbn&|Ay5DbbPc{+25gZE8w$pD;s`6D(~$J}1dPT@gK!taNrCe9oUJmsS+qcLd}j z#3&$m?$mdZ#GA`!Rf|6H0&IMov@#jzI;A{K%nNDm)hQVf_f{F1Yt!hX^RTy3KU$*@ zOK+(_bNbA#rYYAl-BMwPrL$>5C@{JraNDP9h@|!NBR1DSF(%I{*=HvRF;~br^ls&} z!QB|Wh&c;U??-!+Up~~hjs8I7chrB`&H}!H(>AH%lp^Ja|)I!;8+}yZAds@NHz!&5e6?=0f8~Hm)k)4t)iJI~ig*^m}k^@TQ_or^UjAw6ycx%c9vF z@(4lB)<|wfQBz?^A+%~zf27Ok%-Z)IyXl~6@XZ%5 z|9U>2OoyZ0-Vfb_H_e9)%b`lSp*ipK!?UTdp#j7a87GiQSxBEHvh9?GoK9wZFE$L& z>1J0afpUka)tJStGs*5{wk1P+?cBkN)3i<~CLD`DEg<^$B0Z6Bxad${CeIZ%&orL5d_8P7k3D{MdzQTl?z1W_O)~`?f(>QvGSVLs;XZ1^?vtY z4^l=*i?f~Y%|+Bw-zdxV{as3gbFg>Ln7If}i<$k=a1U{; zQ~ED)gg9x@NNr-9t-L=Ps$J#)<)k}foGxgD1GtLK6+*Pgu2@R70bw)QI-w~GqdGTR zkQCag7^j}r3Y7P(miIw=V8EKMsq}r;I$d;|)>=t`Fr)Kt98uAsOObm?R8f*t4FaGAF!M+b&Sz>q{;+VR zogSuS#!a12+;e$SR0w=Nw9g;e*=9b0smru@P))IepfZEnpFTBR z3Z`>@R3vZOkRK|GQ^^u;1|*_YJ-UBTyq`GunjV@FsoE%xCbfXr zpNZO4Jbek(3X*_54a`uS-LIY?H>xUtKO5vPx+B$N0`#+1b)h1jNF-A)f;=I05)R${QRJM1W7ii58Z<+ZGwC7C@XxlM;0TZNineJN;D zNq>jU4P}JKaZGx~=(25Ma5$rinQ<^uU!(~~p1rE;{)kaY>tg1+>ZP2LV{6GOy+&y` zIf|TbE@D0z8v>NI;J&S5z$@zJ0V$B*oM>#0fjLAnuN~wtZ#1N~M<->_9b1+xAUvB$ z-MI7e^V^SEz!vLq%n9}fEK+9*Tt@BmwxP(K`!-0Gb67n40vuGeKo)b#IF)O-MZ)!O zQroHUsnT{<)j+d6K95Bb(5S1K#NXwGI4 z+bd$>75t+l2=ui<6;qXctn_y+*RPswU7nFZtSuz{w7#d-5nOw-vo=Qr$H5R z+*It#stpEr32Da_?Z~ou5m`hE0+BP#E!-^iRVhYo#uali1<8U&qC6n;;l~ofJ2f`W z#w8&!4(N&~rW53Kf zzq?;)4H%v-QN9Iy@xYpgNVy-~yp~+yht)|*fpHcPgovP|sSt7)Uvl;2- z>MW&<-@ADaO;cDdd#D3tpNU_~+qxcz%{^2bA;qGo?bF`Dp(5m}8=|rvLWKWI8%O84mtY)p(gk z{B|X)sJ3lR$H@$iFDB`Y!gp)8oD`zE{qv*gS^xC7+~_;b!s6n>{oHBpPWLHT42qwj z;s{W~3Y=|o-TEeo#-sk=Yk`${%jIDkA7A`D92`&kgTeWSv&qvzr-XxcnbE8O@$Vmg zIv$*#y&Jx-!jsMl^A1mbfjS0heWG$0Fd 
zEIb^TOvv`GZg)Dce;x(v3&!L-8W8P&ZZ7f86-=VOIAf72Sn=6&GM^V$*yk)RzH6cW z$w~DJ2;zAxj7OY->9s()@?SSAWeTm7=Js&o+^$%Vgya-*0rblBy6g><@fS_Gq}*@C zn9FtRw=3DKCQm?OT9Df(H?~mqsZXQQDUzlVDz9B>IkwV9aPDtG2-%%G*8uyu{%w0E z9BpG;M0%a7G8>`K&(dWwBc-ErJGA=1z57(%Cw#9ACWtz>O+xwm)-}>Y_XJmS4r_J4 zrSdy6c+hOCEySt%vVE?G<99yY)U_VAL;ko9Ry8K@;LFBkJKGScBd$(#eci zq?6Ld%ttNA(nKX%k{}k^Cv`!iMMn|=4o5nfmTqsH=6Zq*xx`0!E(u3uMfh4m@CdkC zSf|DoB4I4oM>OXn8xo%;VGo_=&)rRX_Vb9*HbNA0_8aje@m=T&x!Px4g(jyXhZjHocP5RR}Z<4sn%Dg!sp?ugZ=$dK`j)Q2UNm`9dsV+E9rYE5rnrE zBqAKc_3JFP5pAMw8sB^QqnHz;lP+&_miFcBfLkft_FlFS#>(#85vSW6`H|38G33I0 z2MTlt;QUse{@h^}Hd3C{YtHR4R};6?!WGG+VXsb^PkQL^V1FAp4?6|6o&a0G{_+vs zn4me-=Dfxey4WP}QjJF;k9{8604{r{O@xKTAulKvP z|JPGI75+We+7MD{t`!{`WEgzD2XM<6*i!_nU4p-?OR&CB)MK&skJtX?NHU$)Q?eLo zix{X9h4uzEp}m$U?5X0M_=%_65cFTfTtR9y7{a*QqL_M@cC7Xi^ri_+n0gUyqNd2> z)GzwxhbC&;NpFHj?uZj9*I<9k`{ja<^MqN~jqHvM;D^vQwB18jOX@9cRqdK@FSdwH zsB|NZyVj{_?e}>SdHUR?a;=!*9g|D+%Fdn1nyOG)L1Jd1r2}CQM&HGphM2FvOK;7E z%tm{_#|bCtssaugmkdE@zDy#bnqeGThWKx}M2d$p8%Y7ATQx4)kS|^%*u)Zd6AGcn zZL!a;vg#}`S#M+Jo0tZl!Fb4Z98izSU=509I$tB4)@-1%BwD@7?Gi-!FzEDsuOb)n z9h)>Qn*7LRElJT`pwu<`r|Id}1}byl@kSfDw&mhPG7X}wfrBf&7W&;bZ=4O|tE#@q zO&+00iER(=tD^Sit~BBi*N@3{b=;=)-_U(Uiy3d%%xnQoZ5U9EItgn^{GI*T`5q1D zNU)Hwh^UVOC9#b)rUFIe%As{ibjFdn3&y0Q2KR?OwQbfq^8%Ktg4BdD@*%2+iu{g% zM-v>VGsiU0y*5Xx&Gc>{^?~@k%vel6)j>@FW!jzoWqM&!;7={iPWzERHHY!^ zlnQV@C4LjOt_go?IzfpO1*;)9A->e4WwxR$F}q$a3FY>L({UtJpcw~ISGQxxzvC>b z*5u>O4N9T15Gm+1^ko>QgC+4Ur$e`^PoF*(*Hz{TgJl?&Sp1!=Z$qoJa(ei<@zCZ~ z5B;I`NgK4t?e|2Y=3M>RN!O`m+W}6vS=ty?erFE`)a2Q70X45S0%}w9eIX6E z7^HT}qyvwIp}w}zi6yn6qBsaru}F{wIaiS+(VTIaL|BqwZLdU9 zB4!fN-xHnhEDid#D@7yVffc*!+;X^w1XD|dg`kV5kv0)?GN;#S(FpdIM%>Tba@r&K z{^?UupOfk=lt3C#66NwaSt-$-VS92UJTRURg|E#@xy=}F@^>y*d(~GdlQyTdE@_gY zveT_L*W`g!2WP01@1zf0;hhRn|?l$+3 z2BvU|D}gM%Vo#x|LNS!CNDEeu=1SNrS~Ay_m)ScO5V42Mbp>J%dE6Jf8BN)s-!w|L zQ@EhS>|0UPY;L>KG>erzHHW5YB^QD3XhI#UXL1=LQ zTi<(@Hod3LpM~NFVop5blgK3Mg!Gb7ltoVCX(k4JLcT0yIC+_J6^fbIMK2XEftvcj 
z(t75Mq_>;9Xt!WL7?&e?kFR4+^nJnhF1Jgv?&UDEVXdXkKzD%3b|eZa%p}SVF}um$3g|1NcId6A+1!nAU79s)hxBrgpJ(H zuQmFo)=V2gYES=)lUYDL`zvBTX#ua@+-qv@R3*{3gk&5q^o{*r3^_l4!ZzrvAELf4 z>3?J9`&94*d<T=Kp&8`k>DL^(0Sqq`A#X&-|kl7k<*XKuYPJ zUJ4RIM0OZsPEhl|f9$pox~=^tY7d;Sn)ct588Ld5_IoPLpQZcSw1Y)w)y=6UDocQp z$whmuji~^;PGR=d-O*4nn~_dugHTALewK2pdzVyN<&;x5cT2r=`xHMoZPxQl09m5{ zoM4}D_Y%u5egEs>!G7uf*MnEJ|L>DL#VfdbKO)A<(b?_O!5A*ze1CENVT79QwdvWF z^F>1aIJaT9$|!jUs{KW-+%%xvPV6eL#LlD;ZB|X`X*2s`BV((+IhW*Dd{y&IB1yHS zrm6%iNB(`zLiGKHyVdOt)mNKt@vkyBk;n&66ahC{GavpDWof z9XlO%Y}?hn&m! zNu!6cJlAnzoX;vkA!7If9W5~bc+LjAhyG|J&lF?TBAc|w53hygDl*V1bH}J57_^bR ztvRIra%^!xN2R|7!>Qhi)Ao|)9Yyc-q{Y6#etzzApOy&0KUHdeQ+6nW6eK!BV5sZ1 zS_;XZ8&Xd{9Bv@%eo6nDW3qQj^*i$GU*n$D-mKrAV{>|~{Ito5^S6UsDvGU{eFia;ul4{zIP98&^p-t+(UFgw%8pn}I|R z+5I$B)#YU4uwi)~^PcZMT(#-cBki$axr?H)1mF)H*8FOl{JL+}eE{(IJU-mi%@-hPRzoy-nNp4$Jx?*CU!N z&p}Hxs9V}a@1kNO{M@oBi1JwSnA&KoXv*=Zp+ZVtDZOKbOm9tHG5AbIer?~kJ9Ocmk^n6wLMW{U#|mh7B#iydSV@6IOJ33dk)O{Uf%}JgeA?%n z9b-dSWhQDTm0NOEe;mnb(4KFoRk0wULA=^hXjY`gB0VyeAT4UH2AS80_7q^L`*A;A z^#u4_9(>>4CcIdF0MKMZ&j5500MmCko~gS%wzvM3ecRj7fbe+wrcJ>1F%3|2&EPGE zx`XxRf79%(RS0-@umRLi{iJPZ#h1CCgqYk^+ioZtHD=LtymEe`mmp6N)&~J!3&emH2)AM)A}}*yX&#km5G}TbG+3qc%aN#$xN+H+Ph#JcyW0mXaE=-1Ou}rJCYNu4O z7?;%tQW(2d$DgyK?L!Momm*#dal8EY3y+#z3+ZhGI$3kW*^&ZVADGW=*Drjg8A)Ss zdv3tnbDe^$F=|%Brv1`8F}j))+4~dpsVUpQ1LFcDu2o}YLf=4 zuuWhLs5y8QBR&b)GgZ2l>^fCp`!Tf1P6EpNx{2fKVaLClgEm@5HI^K*4fohGnGD=4 zXt(IaN?u$LSZ5if!Q?D%WBkVyy2IocBA&{FSWB%H1c>0EjC40W53WL5TMeJbopVvW zv96rC_0Z7&_E+{}?Dy`z)!@=KNG+TSv||hV21Ao7QQR5kh_BRNm3P%AB78$VkvmI`#oxa!#%0u%SjB1>CJeFrM$${9>qzFD~T33awkLZ2* zDu-pnM0(_XVzL+W^URH{j}J@Qm+QyX#~v3$E|Zi42Jf8B6`UM#UX|&dBL8sAhQK61 z(%0rGSIWC@g_M}9IRCP)Ht~hUejrS}g^;)ndC3Cj0C@*tZf0rc<-`#Yj? 
zFB-GF&*)EfzKRyrt}H?)-r19sO*NhD;!z?#eO8hZS(x0+DJPVPT8~wFeeCLNs+IT< zC!bry*KR@XuOdL47ugd2tS@0VY8BmJ!{#q{5RXl-YG%?d?{U&NT16=)`$g74&3Kxr zSgM{(!;jDDAt-64Y%rAX@jf#4hpUcw$Rh8S#PZ9YhWv19@LkA#9}YQ_)u`QG7$@*f z1KZS88Su~7K7!nWJl8*JZXfQfTF*u|XnOv!&1>4BLaXI(qtn9fxz;5CsIXhxlvf$a zpBQ}=G=nYI+)XhY>ER899_>4-(hixX=(n4L^vIc2cH2ni?FS@KGzf+!c z5OyUpadM){;5gJ6H2L?Dc4l2^_SFzJ;g&2+qsEt+)5#RMNOO$GaI4N$;{EKQ##%Y2M^eH#nW=^_<-(3Ni+3(%>qkIwosP z`a<*)T_4x?ZDC`5A+DKG5ois2^*YP=q4C+})zHIKUR+u!F=kQn2GhLVLiksg(%~HT z!u9HiVk}!-t1WRZ&SOX{*b_~3cS`9Yvh6H@tx&x_btF%9f1Evz%$Ix# zVat_D7kg;!?4CpRngafc8n@37c56yBxCnha|7`%7TZ(SD_7UYXQ1WC5+;#l+XU@R= zmgI49(EYB8s(pBlsPH{pM|!~8@wAjsg&Qb9;o-h)!CWz)zT))39dlWeY92Xn{O6>G zeB9-|W#RC5QC+si@1hxPZQMG^8wQ~I`uC7?8mc3X#LYHK! zt8JVNfQ@;uTXK$&;(5=|ocWav1g+ig`j5xhlK^MkuNOkdrcBys@7;OjOz51WUz$kX1o_`2#`+eo; z6u%@M0)DET>6V0)5<-^W1Nhv&a`3Km__qLQ!COo@fD(xp%eWh0=W#Ni#3BWFUQ>1f z((a-nLI3+@*v*o0>oh$=3kTVv+UKj%BM%^sw;0&ywg`BgeF#oPy``4L;U1TTggF>` zmX-l};&*O?U;VAWn`8k>Mj#e;=iFLd2^jTfWeFHR<-=tEguWC4-v)cLg|z}6F$K7% zDx3#w0lU0DY)_pgXOv9R;8fS81s~mkl{MS+5BU&$ zlvwz0Y<&I)8=e2a#_3;d1pf=0?0>L1{udj|{|lS%|Nq#y{%>sl{y(uv`WG9Y|HNkL zUu=B-4>mpjVxtShM(8WY()vHJ0p319m(p;8L=+vXE~|UmKs~fM_*yo=60n$YB`g4# z7Jj}I1|lGx-JjPDvw{E}dj7te3wF`|4G{SG8}5;c3ZAyGFJ_!5*uo3}{@x{0rpHPR zueDUIZxMvG83Bs*OR6$Tw>KJ@ht?5|@jhUGMW}#VsX8r=mCEE*k2<5`&gg5vmN&o* zIxTI!4^7539M+*ozH$!Jx$5+0K_+RKRU zo|W)SW`k0b%nW@zoJrG~%aF1^yBHz7sjcEBSaCUz!ZZ=10&5z$g1O~bOEQD3OyCXX zV>u@1*M8l+_PV*iPx$mRsv+l9QF+;_dGL-Ia7D23%5n->Zu;G9QwH`{t}De@ml}cS z*bPmt;%jc%JrQx?PO;mOSGN{Jy28wj=Zk}yj|*l+%0WV#buYhMba91 ztNm!^!8OcpN6)x){Sij6&m*Cvye9<3zjOj%Xc)-?YD*9(E~~}Vh!tvk>uT?!aVC0a! z3-Wi(&7&Hn%t?$*+{6ISgrYt05qY3mnJS<8kik`Ysq34u+mX&b$38!Mbfk67Mn2Bp z)q3xHI;$TpsM0cP$r`a$Zq2@B*5)G{%iI7&fQQqDAP>KN*w>$veXOtRotxZVfE)4? zGLp^LHBB}FI|PD|KZS5Ol2$Z z*X`LUCzci$jm~OH_4*ar#Cz#dp+4feHuwxF+4e?3fSz$Ol0#YqS%xK%1f}WxOR1Iu zz-cN`)lz6W^CmCviKrMIm1Vz@iJ+Sg8j5u0?i&$7;b}7JU$s^`l%Fgjk5#ewIkh72Snr+2mlcLg7e8QDM! 
zawAQzR2g>%Gg>V->f*N)4|Zbyh1=0`vchS!G$apb{nP?Ec0BOOaNxhicoDgK&|Tn$ zq(!_jVS>;c7qOLjD#+g>ye1dKR69}(lZ>vpr3Gj_45=M%VZei9@GBn0ZJ=pRxbBfW zwbuem2yeT+C1(aGyc=@JxmrDFW)O?NUF1h&95=v;OSN7{cK?&?z{fpDcM5P-ah1{k z>i=?fBk%jq!iwqZVk(rx-Ba1kO61M=8M$05&4rdENa`D99W&c9`~^+&5V4Bvcsh1V zlyXyaa`6Ofz5}$N#=avLafoiV>z;Y(DGUr?#EgOQ6?_3?E*qXwTWE^EKsQeJ`>?B{ z4-0NLKGNGiHd?c9FsgnH$<2OWs*ifqD#4?(@<(#SM zSQj_w&(njw0Z(Tic79$#p6n;+pnGJ?#JVP{RMoP3rZh2B*rx?lJu>z6-gQ8WtUBhS1-`bt+tUB1Ckyj3B&mV_Y35V%T9A#k5B#h2i>6o^D9 zebW4D>{S8Dh=8&borL~w)Ldd9=HiWJB}dL(#~5md zYx}95m%-|At4iJGIQ$p&u#YayWA@M<% zy`?QN!tJ)fZ7UYOqv`Wo+7jwgev(Y!Xl+()QSI*SF(>*s#Xr!i^Q?*<8xM8kmc;Kq zC&+BQU7mlO9#PJlS=uvbuV$MLIk{ULotj3%EnKii6~j`m6_Xg4aWFrM4kR;#bd;VH zNb6^iV6n5QVG7z`=V{*|kGZW779qBUu!;Lkw90L|&vE0h096?8UI3=|C905rJTDJ3 zX3VVD4;VCQ4Uka2-xb&F!0*M^O0)PLTadgt1a%nx$I==ANnbQZ>^nVvRGQZ0&a`G4?`75cOBp&M6yTip?fZPxd~Jca_ifTIv{nhd>99qgv9Pp&Qt`%;Y@9#WHS)7N7k3 z_1--lfwF3Adr_^{Y@5UCMzk2JFWe{tWh1`fwYmJh83a{67H(aCJ5+drEH=!))P0!@xU^sAs<3~hAO@KSn(uob{$DJ>+a9Q0nKt$7v%5W#$az42YPo$)%cGaLRuNK=jLZN1 z!_|)k7kkaVCz+VFUIOrC;UkN(ntpK$Y^nIXVKMG9dJAD2v(Fvyn*}{fR@fQRp z1CoM3G}SQn{H}7__m}%jB5i3_#nwIpHfAiG0oOps*W2r|Z+A|*%ekbV^ms@QG$sNx z$`mCTyQ>E;CXRgR2-DNWCC8G(hrimr+xVl&cL_n!S847eoSYRTReWFYpz|1#dLc&D zAG*tmEEYknI%?3)IX$Yq1h}vNOv{0bxY-{FThR^#NEgmD0!HgL}G3lsOYk$Tu+e(8fij|ypFJTyGR*v0&nD2Pv{Jtrwo zDS)UTZf~Vmjt%JdxDHSxD^)MIA&a8# zm)=(ec(&iFWCa}eNxBDne!|}W2)6Q|^l0#lQ4q$H>qjGCOC~(l%CXoRc3Te{EXaZ8 zIkUAXy8EpcI)#+Xa0>Vj-iMoNr9t<46JfLj)j{&8PO-9)pS`u)XcHaeOWfRQ6p!3X z+QwVE(hI16_r)R=G{}JR>>m`}BTXkx`N2OTgF0GH7wRU>$Ho#oOPj8*nMRqQFeozS zxF2iDCrM?P7^UeTSI6N5j0$m+p1z>I-ySR1x-*{8!c`PSXfTIMo^-ukFidM|do72; zZ>N>pISLtr*PQcg-7!ZO>7X$-lYPgCQTDFfq{CV}0(s9|3Hg8Y-&#Z;c{Um93X;S4`Zl9GQZph0S2Cg$}8*n^J>P zdh}b3@MGzy1%E6BVvZ_Jkh#Wzp2~E4+(iLc(>8(pPD=-bRk1z}tSVCZ97)S7F>^lQ z%d#Re3AWs<{QRs?B2Q3RpM9RSCn0W!(a6)s=C<1LMBOm&OZpPz4yC^((kr4RX_?wh zbvldd?I5=n(KoB=t|4vPM2L3NY6;B8+zxxJ+D&J&%M2~2shfmLwe!6k z5ADe#jT}m`sSVrVR1prsG-B3`N(OWs%HLh$S3n%))CITSu7Eq=WdsZ>o$#y#!x3_8_B%I#uV%B{_L)H15gZZL^E>EcV33rN

Zt+lW|aI~Abc9llz{j?k26F$hDtCrD@zLz&yAer=WgrZe1Q`! z;IrXtq(8~d-}+|sup1nz=4SzDj_F*ub)zC@i%a|`QF-9xRP@Tl$cFm}n@K^BvjDpB z54_(*MYbUJhAWR=c$4@sTL4Fu{jUxkq|a~BFJPXL(XXeo%mdAU(vv*=&pj>`$agZ5 zu_`j^d)e4xn~W9(nJAZyU5@9>N{Ly1OSW~5m;3267$2AU*Y3=UTrzN{F`x0>0%laS zNf?!I4&4GVllS|z=i&)^LlGa_V&+6)yxHXp9+fADb^pF=H(a}%T>7Rb5ivk zsx9`T>>(?eO5_<)=!PvFM+8TR$I`_x_8>3;QPhJ@y@nhihakjH*Y8s#TA*T}7R`ga zi4RsAZu>-;$ozf>= z9XIW_%5vm&Ow-%`Tw%OPhq3X1wzzmeFCBcU0H5|%BD4v&&_$ud30-#CCd>tonA5r; zX_$CRW|&0b-0#!RQ#R>OF8)OXWTJc+X)Tkpz27r|yhX{~g zw6L6Idtk1}Q}R|bKdWabSGwkIY?Na&}R8I2r9g@fZ=IDJ&mu>DEL@Jmz^=9VfNMRVuuZO1yqM`OhDpXT_IEC+yD^GO1y1Y-Ed=^97q z#N;g6H);p)b?o2g)F%w9MDFd|N0GE^!OxSyfE1Sa`kF+5o?tG3d2Pi$@DBcYVe+9| zAAOCKm6aVrHi{}=uSY{v(CSCMqC%y-hwBT?=)q)6CUtZ1AQk|DZ9nfq_m-dFq=JFb z$WY(eWv8a2uHgo%?BGC~p_kl5+R9sG@NJr`>;gFi_QV1GTg}XcAbt90C!R}G%>mla zpV5RLmsT991e088n)~ZL8oo|&n_pTpmzgmpI;!%!pvnOsQ6@MYh4!my9alb152GHM zo>Aj%IJPPJKjQIf(&xUxvI{%y=in)KuQG{Jrt*GDU_VP2N@zY$pHLW|CJ^c-=OCj~ z2xKcDVfPSBV!b(_`||KCP9F^<4$2Ag<-{HlVK>~5n(<{}_eS24#{5|cyY&>vPz+0S z7IUYU+KJVy#)ryt@caZI=}Dr?IW`Tm_mwX7wQ4w+?Z??2oIG`I2J3js=zFLfA`y2s zn4K=PS7Vy|mfKo=(aW$TCRy{b+`u&&W$WyBN@H6sGnsedzK%&79+kC-W+@#B<(#86C0GJ!8;_ghsyhg;(n$eeCJ-EqW1L_mmo8k5H2jowg7f`Zi$2 zt>G!PixV+O*K~R|DBLh89r)f68Q4MheBNi^572iPm|l&Ga5r;$^AzPEF4iGEx4pM6 zAf~>M8bEtj!z~AU@u=N9jQM5^Y63In#htuM-B~FmB@_0Fd4oZ%zYf!I*vD+mBTf&x z<%P0=0hUc(9cwqylyHAVroy=Z3cW~mxY1lHp&(UOyFZ1pfFhpj;}47*M?)4jUYFIgX#3c zN0X8N!j51Vj|azhHqsfs$sFh#mWvd?$bG*QxcNUp%&80POtTFmV$B7yTt zJ+lMy6?@s`oBRf#Bg8}KFD&N1Vx5X(h_PUpXDzH6rU^*#jn8}m(Ls`rMvs()UTR{u z!+G5vfPeAW$`vJ|O1{}(C}p=pUKx`#xroprxR<3NjKikd-yaMS_+-wG0Rlz!7UHME zWBdMU`4k-+%|FldP{!=s9aQCyG>rRr9{rks|IMO3VH)?q??YGdIEKjjbGdFi?jpVh zu+_QgJO1YH^?uf*1F$<({%{xsX#7`mO_U8loF*V^w4bG?aqRr&o91GpqA|JZD9}EG z-7p*P$CWwNXnWq1sA`kVm8{oKTC>9lzZV~USjbHOE0vU|h&$XkJ-zqZa7#=(|J(IP z&|f=aapk|LW%V1udBaR_hqPi&yO`L1zS#Pa=zwtU+X=ofT_0l}4MDe~Q5s8b+p`n4 zmUsP`p3U=p!*BQKS52d>7~guM-rrqU1Y<6k;igm=Wfm`!$!Ev2GHv5|syPYhvR@4y 
zWv4;;=3`;-(9Tv*{y1|&C!upin_(YfybYBori_YOWwU32~qbC31Oe;VsXS1eYzJE(P4qa$* zXk}FI`KHwpnr1JvR9iVX{#~bm&Q&=>F9Sc7u1uZ}N`1m#q+@Tfuj(+&GyByn71ppx z_@=zCuFCi)XO+1o4f`~G`5Bx(VP{#F(D?1A;aVl%3{`Oj{ zjO>J{0ELshhu`6#PIW`()T9fl&33ZsFOpt%%=E+f#f?yR(zz3{M@y(3L!J4wRxkzu zGbDJS-7ML3E@z=zV|c?x;0|iMB6PWAp_sCciviBE|B;s1`A^()7KJ#Y^u0pGN@6jj z>Dltc{UMFH5CX&H zdecovC*xst?8jLzechG11sLj!L<0{C@uBK+|9*pXKd-kayD4VrWl&37p99%@LYCj3 zTZgrC7KfkFt+gk1rn~wTU%~KB&0iagVFMgCc21v7)qGPj8H^8>^)s8*$8Cq&EkcKw zJoEs*f3n_I>5fY*OCie*49Sx|DW91C zia5X7({J!B-o@2Su?xW>ZAI#Da6i%`T<CF~3{Wc@N!dE4ECQ zh?AY!SWCVis-VyLkzro2!w55bMjVeh-Y+)A%=NT6!W*D}x0!bS_m(Sf8vMZW*SMUj zaxp|q_ypVb?6-S&cJXrYp*wyQ0x~9u9R2BazJhIh+q6VlL04Z_j4Hm_Xer42nv{mC zKf$MI)p1_qR)@*W)m?HR?5*$ z-G61n#s>k!B6L8&VXymk#+;#WFsoxRJ!Ov>_2=weXUM$_e%kIwYc|BOS#+WyN*cY1xin3^ z$m4iLj1RYJYZUbuzFwt@driH2u0DTf`Gz^a zBjVB*b=(lVntS?Vy`{LwXQj|ydKM8Vl60MpohrP>R5fHyb>kSG%%7Gn(7>3BX)rMQ z*6lsl)3P7iH4E6H>4yUw_>4#?C^ z7o6x>EU&6nj~{ru`-mIU?0qg9nC`lo9C$ZAFg_)Ja*z73(?9*{dLYnj7Zj{2RKIWF ziurq9Av-Eja8-799?1BKB?VvefyGDA1BqZH>=?5UEx?xA4!e#QyB6 zQw0C|;i1|qYgfZ~+55Z2%1slKzi~{*jo0#h=Y6;R4CcoWEr?T0^=wAL#qkT*v2%&B zMDcD`-c8UUy(+Bo>?91nJv8HfsA&>vsRJ9fZ~R3&y_AcP_d|IZR{jAP=_q* z@8G4@c8Ar{jt*IYV|cAL)~;g~y33r#D5Q#})nu{CT+fK}&Iy8-Mxp&P&eh=d-do!P zb9eE$?O*znu6zE-h$eDW?ti6cUDok52&kdeS)tXdGEZ&>Zm~emCr`#Ur;zvTp$}1$ z2M7)wkKdhI=k4p((W`VJk9Hg*Xe74Pw)~Txb0jZ5Eeqf$v&~qv_I1g6Lii%Oe=K;E z6=mXO^$%>BG)1Qs~0n0LZ;cn0a8VRy;R;Ha5cD1$-s0;Q5{hpEAdI z`u-6u;flz!AlNeZcRtV4>PnQ-2>Jbr!ZisLlef;0lrFPJ3<_B##KubeLlCU=9mwI^7e|$UZS0ud-5_(`9BQv7YyP~JzOI>`HCZP*dwRz znYMWo7$P69_Z?ykp4V_85@2moYu8+`@6j9Rd(Bdo$s;-W?sW0R!af3?(7hbKWs%{R{m)M%zl)*sdKxF>l=+f1mv)NO z^nQl@foQT>;M>;EyMYpK-MICW1Ghs7mcT)X+-Cnlz8n|T_-x_fuZhRZ>^mTecX`X} zH=_8ZU#HMq<{&;-y^-L=h_NqjU+p*@oI)38(~F?eWNNuU#_(r`vLFF5>B;s{OOezy3vF7V+dbd}_}LLfB=8dz^A03G5x-r>91(kXs`p}8CN0+(wFQ721mGv-i^UI|Xq79r!G<_^)peH-&gc1llmw z@?cbx6o=qeg?=DS7$}85;M7rsa)XJhjbrfw*=_7SzrH<6C80vdzYlo!Z57Kpb?5h| zJ%?pZ-KyrqJLMdk!;-?68E^D<$5EEG22IP(AJ3oSt 
zyd17jR0S~FB+MX!q`CJN>navgfMlJ(KFt4tSkyEEsh}pN@!tHBE`x`u$D~1E9&{i_ z24Nj@@QcVK6t~GcZ)^6JC;UxmIk6Tigl$xkUoyiAE;N<-DY&9uV1`wWf}D$9JpC@S zs&?}=dd8Rtm_J8NKQ-L2=i@_2`FZt1wT9EIUv6~?=KbS{>;0G1>18cx#54>o3b#CUqSu_QL?V?Frl#`9#aVl>h$oQ+QqLjN%q*Q62IhU#P+P|F7C)zP zvL=2xE?>l*0`smo2#=;AJ2&AKf?-urDF{?OnIjAml7KlcR{+2K$LV-9^$z&0a4lp? zeL;Jzgiph4C=F!HiVCr*9Bg#Os3I7uB=EUSeq*b5X@a)d;WEYqP)cr1D)hulD0n{f z+9G$DZP6j8-Ax||gf(*_~5 z107p{EEP2jfP({HC}0tCp#_&xcwV2BLDK=hX@wvz;T%Dzj4;Fk&C5f?!Gj2}%F8;1 z$66T?p`{TbgARWQb_#dKF^S!}0NZWzWjBSgn5c_>b>nnM%(AV62i0{Z^R-#=t)E%7 zOtJN^M>$Y8devFK*^{?^V~t{^H*kKDXMd`Pnn@tnBmb82fCL8_kuL$2nZErKrV)Kv z%a7T1fF(ZXa@}rk(<+c*^6ASpu(l)dLAN}a=6!&d>9X9cS&U$a|6Vt!ifC7K7tn*_ zk!{0m9JT`RFB<|}clq5%_5phQx>{;(0PCI@UxvE?PC--a*NHq#7mF|i5FXz_&;WU7 zkm$wakjz>|@(dVza&vthP>t`&i69s*J1nfwClhA$U_550>w37cPBAGu@lp;Uff)w3 zlW-X!qS7$&J@wx<(qerF#L(YP1cET^2zvnp16nzh&$$%uMs&mg+8xK{HA(|J44zE) zIE;9a54AHgWMp3sU0MoAV8}G_0n$wGV_nPNnD>^ycz$He$s&Yw2X#9G$|I&Bd|w9f z!*C#-++ilaV}+;LBsHP0S08XuHi}RnJZMBlok6Ilxdp%XO`9+iooB*Z2U*z|#gx3w zT9p$`nUAs$?lp_-+Jgk^vOLlv*e~PgF$(hGBA(3lKjeeYJe?+{n?>^kbeTqZUKebW zVK}0%tZ(Yys;>BZ=oIED6~c+r)}ZF`1k8NGFXa0D8QnAKZV!l3c;BbqQVfGE)q(hR ziO|0SY2f60V{Ex2oJYfr^*cs!zw@t@FsYX*hR(iN^?ZuFYzu-88T#=jt^HFK=n`C^Hq?d**n(JPM1Vt=h8D{yPM)Lb_I&bT qTo8VRH~bfQovG_Crk5Q5nR1+0_w79Z6!_>vfDr0WSdeURkpBe*G12e< literal 0 HcmV?d00001 diff --git a/istio/helm/istio/values.yaml b/istio/helm/istio/values.yaml index a85599855..18cfa0b4f 100644 --- a/istio/helm/istio/values.yaml +++ b/istio/helm/istio/values.yaml @@ -39,6 +39,7 @@ istiod: memory: 2048Mi env: PILOT_ENABLE_STATUS: "true" # Needed for KNative + PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING: "true" # Needed for KNative VERIFY_CERTIFICATE_AT_CLIENT: "true" # More secure # ENABLE_AUTO_SNI: "true" # Possibly needed for ambient mode # PILOT_ENABLE_HBONE: "true" # Needed for ambient mode diff --git a/kubeflow/helm/gateway/Chart.lock b/kubeflow/helm/gateway/Chart.lock index 6e4e46112..7bcad6f34 100644 --- a/kubeflow/helm/gateway/Chart.lock 
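Review bot: The comment on the added `PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING: "true"` line repeats `# Needed for KNative` from the `PILOT_ENABLE_STATUS` line above it without saying what depends on it, so a later cleanup cannot tell whether either flag is safe to drop. A more specific comment would help, for example `# Needed for KNative: status reporting (PILOT_ENABLE_STATUS) appears to rely on distribution tracking; confirm against the net-istio docs`. If I recall the upstream notes correctly, this tracking adds per-proxy bookkeeping in istiod, so it is worth checking that the `memory: 2048Mi` setting shown in the context still leaves headroom. The `istiod:` block starts and ends outside the hunk.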
+++ b/kubeflow/helm/gateway/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: gateway
- repository: https://pluralsh.github.io/plural-helm-charts
- version: 1.19.1
-digest: sha256:07ce90c69d8d013e339d6d1bb45ece138c0d20abeb6079dc6b09b6aa9edeb8b9
-generated: "2023-09-14T15:38:52.229116+02:00"
+ repository: https://istio-release.storage.googleapis.com/charts
+ version: 1.20.1
+digest: sha256:3102d001678122a5133dd1ef858f955f05b5aa033c7b6e95e4e6172602f61033
+generated: "2024-01-02T12:43:36.589988+01:00"
diff --git a/kubeflow/helm/gateway/Chart.yaml b/kubeflow/helm/gateway/Chart.yaml
index 29e411cb3..f917b4998 100644
--- a/kubeflow/helm/gateway/Chart.yaml
+++ b/kubeflow/helm/gateway/Chart.yaml
@@ -3,9 +3,9 @@ name: gateway
 description: A Helm chart for Kubernetes
 type: application
 version: 0.1.0
-appVersion: "1.19.0"
+appVersion: "1.20.1"
 dependencies:
 - name: gateway
- version: 1.19.1
- repository: https://pluralsh.github.io/plural-helm-charts # TODO: remove once https://github.com/istio/istio/pull/45894 is included in a release
+ version: 1.20.1
+ repository: https://istio-release.storage.googleapis.com/charts
 condition: gateway.enabled
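Review bot: The wrapper chart's own `version: 0.1.0` stays unchanged in the Chart.yaml hunk although the bundled `gateway` dependency moves from 1.19.1 to 1.20.1 and its `repository` switches from the pluralsh fork to the upstream Istio chart repository, so two different contents ship under one chart version. Bumping it, for example to `version: 0.1.1`, would let a rollout or rollback tell the two apart. The same applies to `kiali/helm/kiali/Chart.yaml` in PATCH 32/32, where `version: 0.1.1` stays while `kiali-server` goes to 1.78.0. Because the dependency archive is also committed under `charts/`, it is worth confirming that the vendored `gateway-1.20.1.tgz` is the one served by the new repository; as far as I know the `digest` in Chart.lock covers the dependency list rather than the archive bytes.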
diff --git a/kubeflow/helm/gateway/charts/gateway-1.19.1.tgz b/kubeflow/helm/gateway/charts/gateway-1.19.1.tgz deleted file mode 100644 index b3e7c77c859f1f9cad5962652ccf9a3d826a09cc..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 7159 zcmVDc zVQyr3R8em|NM&qo0PKBha~rp^U_Q^U=%sS&+PUP2dRWfkmbX^1brMxgkH-i5`{v*Ac-;PXyuY*a&CdRl@%UhTu=`~HoAJ)>!QS{A7~elB-KUg_h;PPs zuB+X+f02h2^j8#;ayEh0ZbXWr`g14V`CB}WQk03Hg);Ac!YqeG%L>f7fE0_2uPIx= zu~d|UlO`F_L_;r?D&%B)o9d4-<=YuiDAo3ytTce!CM*@4rlXy|?S9<(+iqO2Mf3sJ z7hI%r5{$hJs|-8q|_XkV{@>DKM^Jh9FTn5}BqIVPTr6p_ ztlt|HPWXUIAW&$d!sn3(F_@w)c+Qy;Jd=hZSzr#rn*WC0VGLKN=<%(LeaT4OekS4c6V9 zmZ*k6zCbJ-Gg zSEl@%rIkJ4^S)9VSt&904beO@jcLnnKw~ANQNh!IKFy6n@Ep|=OR0TT!G)T@VCTtr zcRc8Pm5CtQr3`dqyPpf9mJ=9kOGT92uD@wW%KjS@6<1DCVO|)=IDvudMGYotiU|=l zoGn*X8EwG}oKuF5HAyL`T0_E_!jG!biGrtE`j6*OGRGWRizO))&xxXm(QApycTi3l z&C47LL02@x1xgV3&yor&!!ydvznV$#{TK*KVSj(m=ot%@YA4>^{V!K3XW80gvFbc! zsA5{I_G4PSFIiPt`d%Y`uT8U>f?Uf)WpU)&_}n&e0{=JCttFJ9IPZS*@@@tF&AKph zlaTV&(G(lzx<+TMt?VaJVlWpQ)Gdro1!f^ z}jTley z95YN57xs2Yfp%FE(IoZPPIeSdgVR7 zu|FhHK(y;;s4lqpP<{2bYe84Y{MR^gKb&*)@xi&NVGT4V3xuM~GANAjXy5Oh)C`wo zMY#Yf*?(&PF100#tqpBJOu!COEWX-O9%kAh17;H8cz(jwsX(dSzkxd~vn&wV`sFz$ z0zH4WtUEWcw)aW8V-n8hbWsWf657sFp1z<`lxFPpLzynHHtUX6akLd}!4GTSP|M|M z(JeXE6*?1_!Xszur!_G;x1;z?gq-ryufnSTEQ#O79 zMB4>J5TC;il&nKdO@}mCudS}Z2VdboTzQg7?%8R@pkzxVnOd$-d3v;>i7`P&N~bWV zn59GGxHasGWHhzSmp}x<^mzW0E$rn-gHEj)9O}kRwfb!6iRU zJ;#KzR8C;e_>4oysMKR6nEuMMGDkVpu{EYZnG4_iNa&QOQinQPHGGQXLuFxfRGIQb zZYP{2SSYzI6&GZI+bfHAJC58hZ@@ZrztWNTpHG0T#!&IKhs^(0Pb>c;lO^UP{%^_I z{nc@O{%2?BVE0KY|Fgfh|KuV6^Ch0k2w?E7?e@V01}>YR1z_Zafs4hq{kb(5YH&Rg z(y-Rx*>@yOskT}qI~BY@p(x711m+}@XaI`v^`!~92aAl)NLKybMQvVR4K1{fE^iCp z8ZPz}ds{UD2CU4o!Mg^6O@qr%$Mk`+bTH{qEtQ~bF&O&y$jaOxtFucQ;R}K}XXmI| zSc3>YBxyre`0oMH)f?#0V%|}vaDie_y?f_=T@7#5Vf7H|nm(&g^+<^0iiuepF9S3) z&NC#eCi1Fo!yp)yZ7SbsWTSjN%=@hJ*AD`3k1`7X_54M)x~(qQ0pe|;8OgB^*2zc{ zHW)SD7JoDKb{E;$m`mHl+OP@j&g!P{?g0xI>h4%gh}Glrf$`~*!!{?$GeV?Rieb9i%+bpYI#?e0=|o|_dDo5RJ|h9 
zn>qa)W7169-W5ZbEp`$Q+;(A~jnH|K1>qA}_b zj$2s{n;*V?@ZRrNW+eHdLx^4~g6WVxVgj32m)J00a?A3~8IRj~)z*x}HO0CkPi?Vm zX4II{V4_3+eS#|#EkD_w>e$@0sYRW_s~rJ-x=NJ#P|(5zS$GD<_l^;GAZ^Rhul)G>oVVc-C$>Unv(Cb#`hwEy;O$D z=s%&BNdI^BB{SSU|62{5w@+TbIXaKkM|E#?+_e7pU}wLR|J{4~kpKM>&*1VBC`+<3 z#cK6YYz!;JaCJ2RS(PQS^pGhD0#Pxj-N@UaD~6)ew|ePa=SC zVToDp7RJEkCB$bIA~q`zudZsC1uC;hp${lJ!H){0!osZI_|C1s1H#~^H*Zd%S{1Nq z(Xp9lQbc}`+sY28Mmb?*fjKg@P1!=Al>XmQVpkn*_f&O$Uv-%THIDqBUu9yetN-tp zm=!2wtcrVD3Veh9@9pom_5aE4-u{FBe~IVvas;VeM%YsS(bZL?ztTD2KU?}ZI6HcI zba;L=IyroGWI+KmaQv&CM>MN0|EQMV42*(!N%xB!t18T*nj4WcNw__7mNtHCTXK21 z{ay6jj7;2a22&SdDY$(BK-}`2nO#d^p-dV*j=tM=_}ZK^P<7RXpiIqS@E>yYA94V( z-DG3PcfZ|c3;4q<2O$Z<;J*eict3zYK#7tiaIj~7()_%f&*?`Pj0VtYO_vgv@HeDr z+ZxN|wxMnUeHPyl9$VDi@6u)XUpllg)Y9Raa#(F0(cef>#LapBYQu%L?wulkz&}f_ zu+_9K7HdY+(QG|wxQTPOV6(T7T?%=XlE&A5U` zT)-pzrzrvhQWS&7!QVzO2ag{+u9}y1Lk&fymj1@~|LpDUf~PNo4*#Sc{8w#ryFr1y zS`zs)uG_6Jq^jm6ga$A_ zZb4rSxS2$2S55^QyJD?q+qm4^3t@ihr0qF;Gn!zrO$vGZ8-QBo|Iwy)JT^n8X6tW{ zcHn+o)9|nDqyNmO8~@dtXYOk^*iHMto*Z=Izo!Qe>wmt;6Yl>cMIpCWJ8p-Q_O4EY z^ovksg5@b%KXOzgC5lX{{WUijMhhkjlHjB>*fXy!lv~zrawEo|v~gyYGy4M=WhpWR z`=%&qZtZCXmcd7D1o=Nmo`o26?Xp0#sVi`NRq=XVOYAbsPzA3I>mAOyTM$w05zy_f zi#b!%`osG;+k~8`Wcf1S$p)@;U47lQ1B=+JyF(mwpvT&1M{~i3MWLS#mwjo+)3E06 z>tc;I>L+V7>gK&qVO1@LyZwb%b+WfYB5)P5eFH5Um>Pswy{+={(o0r5M_$*~*(h)q zHg=tHzbf`Q?Kni!+)EY8TIkXnP;CZ!(ld0r5KF!*23cH-UL z(O3_oNI_;aql%)8e=cX}ELi*_Rqp5Gken?zCvyZzS%PLm+N5v0cs*nYe->qyZSRct z_I3|y=`{P%g0AwLt!}ZKEl8i6CASk8j0cfJ7tUdbwH`nu8G;@7`)xAo^}c(l$}6B{lNq3SJhQ zKAv!qigaTHpAb@2ZdRn$3c#}H>TXX zbxdg{aDtpvP0RLbw~^!B3^qeWcEb#=&1n6^1^rz+uk4hkhpq&QzgqqZ?l*yD8u`Yo zdp*Os#nqSf)9*hu^H=-y8#&fEFe9iT6t)1y6$%g4*i@*7afMI`nuKhh_ZGZG_HcwI*Q zbF=Av`SLzCUK4xncC!CpW&*OS|AJ?DzX9Nl@!z<8{^S0Wy}bwh{}RvT<@R^ysGuy| zfrWD}++nUR`4PhjSM}j<`g?HJV6_w~Fd||`l5k=yv>xUgDb-TPV#Zg+AHKKigS2A;Z--q%47kR>UeZdId3xOV4xFa$jw@rCvL7Y7Q)uO&I;<`n0 z-{%eMMF$S9nY3?Y279ehj$(oEC`Bxu^J3lMX;A3#XN>4O&GC4fySyFe+6Q*J$;&}| zsar3`<|b*2v2#G@=U}9M4m&v6Giqkq!-n4m^QIl@T|P9>UMVfsxxoHqHcvi 
ztL)R>vQJyfJv)3e+zM6cny&3GRE>j^X`9_?j;gJv=WZ;gn`q3(#?f7SQ2NQE&~}qP z#r|*f|L%O;+I(+f!D9+PAp^oeIe`oK>)2HqGe|EAmk6&^cJnHJy*7Lu%# z3dImg>G;D7WKw?{1ves1VNNpy#r*|2*th}3LJo~2xwEkE)Vna6LoXe5bEm<|)~Qi6 zk$c`R(Vd0g*}po3sVOjooUCDnMn+Ug6D_uZpAEd+k-hyOCO`XFo<0v}e<~kdVI^`(M@%Z+1eC2MYv0+I=#H5owa~d|}rBo)nvLvgP3OeGS z`9t}qetWU8WA56cO0g?=Hvw0hx4W*Pt}7a;CDxxtwjygG%^?qz&3SAE@W{%!G=FWu zk&$NaMWX0MrGBJxEs7hF(?V&FO@G@gbwi6b9;blz_yqgU$Okl!tqK~oX`J-82!1m8ONuUHg3VIGE;QqhT_}5zWO9az}rUgTe8FUr#JDr z#^9`(^JyO4)cqLkOaqp*@6xD%Y8&&4E`(jWZ|A@MenPMQ}Z#jO?ue zl?Nzks=E?qnDL7^I-Z-u{E0cb#8`tN5J)nu;SHjxwg_6(MGQaj3tVY;VXrfqD`fS3 zMxpE+pE?pX279%JqdZxXEJL=SY!OG%Z--|m$0t8d?0sH=E7yL;V$?ihi@-zMD?Zc( z58l<+l$hkB=F0*N3uiW@8~O`A$Qm*vmT?R}7MN%@3Y2B0WbDNGB`!#^ZpMU;tC8)g zCDjp{^8kE4M{_Tfriq$Am~sVR1k;=_I!CFbi{HGTliLkn=x&&}3EJxURGWO1XnN3{ zo#33E4_f2sx21O5ESSC=0yQ_53DhAUvQ+C}mKotGB?{@p$>XpWWK_LiL7ep2PAj;S zbe3VqaFr1Whp$8 zim;T3l>Uy@bsa9A8v4KOVeP~4HV@4M+fJ$byJRT}n0n5}eKAS=-E`OtWHsf1(<2{@ z%xXVsN6%JAh)h2i2OIa)gNp$N>XR@`1w zD6l|lq^z?yrq8=@16nmQ`VLOZSw`j38V;@<3Dw$aMEWN`aFA4SvDV=BaL?erQ_aGP zz(>cHUqk0ohHylrg5OZ8$6k}%orz%Xw-8K5(cd*1kU8gSSsMv|XPvuT$F$a}L%rfI zHkTjzM4*cnq>V7lLY6r4X3fW%MxLfU;b(8$Y5LnQtM>*)lal(Nr5Z5!Yh$Jza_q%I zfu}JiB{Yirvk5#ATir2}AzT|O-LtkZ6!xG3sRS(wOs%7`4HmVEHjKB9+Sq?8r-r&3 zSAneWatTBFymhq@wd^#pTg@8Bl6*a~`_F2&Sbn#85>4lvKbsLTG%b17I})^B*<{T+ zh+zv}hXW78BE@a5*G=!-2WIBDiwO({pofaOYy6mn6h)PGwq!5pxCYb|xp~dI()+sfinH z^Q^Pz*6u#vvi5d$Fwz4B!;oja16BLIJ}~7LP<=vgo2AEBwLqKUnKdHXWjUcsk=3GJ z4ZHk}puK9Z11lmJWs8Xc3c^TOqNv5#M31_3>l#ZFExCK3c$WIICSw17?BKpP_gx+b z7UD2mKw{?mD7xF!%(2kg-`lFJAu>}`))2YNbgS#HFo(1hR#>ToLhwX;n1~DTdtUwE zT-b|jYX)hG{S~)%Fsa|Zt!@Y<>557&t{Gr3yl|(}QMGpR>Hi$7*IEG&C3|h-056Xckr2u zRZk9I9i5*ZK0lh)xxb!J$qB17H%*iA^YO`x^JkCzg`;&$|2T4W^{QA@RsF1CE;Pj& zrH-2h-(DK*Z~ynZtHJ+-)b4@)P|h$>8H`3Xf!|ixU^LQ-cOj_4XG)alXFw3XHF&>u zRGC8~VxL-dO*1H;d5|wtok97mM)_H_8oSf3^19Q=CW*iWp&BY`0LLM`E*HdzVV*wxM}`(_sO`u{%d^ju>SvxJR2`ij{5eM*SpF6 t9`c(v*Y|CyzhUck&o20{&8LUw;dyu-o`1LJ{{;X5|NmVn2^#>4008A9GA{rC 
diff --git a/kubeflow/helm/gateway/charts/gateway-1.20.1.tgz b/kubeflow/helm/gateway/charts/gateway-1.20.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..c2275d339ab046b1215d51eb03d81aa60a64aae4 GIT binary patch literal 7298 zcmV-|9DU;-iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PKBha~rp^U_Q^U=%sS&+PUP2lw>=HTi#m5)=5-}Wv%2Sb;{*3 z!I>tB>lt7UfT7HzXn*?_UNe{nCD~H!+`F2p#1y8{Xf*nT9z2#r;RV_3zE}~V;tk2O zZ|?mWkH_Pu2M6Zg@p#<+cYH9Jd^0(CvVZV&a`0rb_sw{+_jG^%8yMd|Dcz@(iimH< zcW$fQx&I;$Dd=w~B;{-h>%E8+MfK+--W$i0C`FkFS}0TY6J|LiT2^4e1*BMHd_&n1 zj-{d;oHWUZCK`IBR3WFkyHvl7Dc{YALaBBaWUT?@E@7$QG#yR;w)b)Jx4pPv%jg4c zF1SeLG#Y`a7>#PYjN~}=e@2p*B0&S`n_5z}D(7*+bK9!@f21}APJt9fMiZjD60KX^ z{MrNYl^(DEYm${H{~QBwgZ@8zHhI?4|NY5i@}U1;;@N={k|U5T;};V68ik;#R%o?C z5SSs62wLl6_z@Wjl4ToED=I;*c$uZZxPm!?MCFuoFoZMJS{hj?G4>tNJTjeW%WgnpC8JTn(||tBjY9Ao)e1|geO1AQn!;f6WV|;X zbl%ED5baV1y0hKa1yQRh40fd=O77P0G$dvJiHV9Ur>HP5jANX_z>T5?lQhMIh#Jn; ztD1~<;3Y07L&ut=6jW^>;Y{I2Rp~^*Q!V|+3n-am4z0zKl#1s>(ZuMrMCAu4r;O%h z4uzm=n&A>92>fSBg_YqsW#(VaB=~*|gr#tBuy6E?g-SJv_xAq7HOg7G@mQ=n&lswh z7VCqU7Vk?|HI}~Dh~I0|tY#oLGErF^`98j|U7W)IjdX7bWhltdqG>REY8Zt!%W}67Wh7iASlKwz4!V(mE)VWYbc1BLJ^njOgq{|}! 
z3or#OL=*eB;EE?ao5GtHr=~;^u|##+fb-b2Ztn$nz8~KLi2({R$NY7!2(nnv94;kn$dq5KAxgTkSVf6GfdGAobnWq zt*PM5c%C&8RJSA}WNX9qXa{~FbIhy>Eeh>_xpvr4u_4L~fCq1z-Tpf5(Tx~S@f5U1Ydye>s*NW^JC_0zx}e%2YQ6Fv-`F3L zC?MMPGgKE`e5l@f+qI-?Wd3a&xgX9s`uO17w6Fo1lO;k?W*HPlc(m{LPHK)TvZh=B zmF(ZOf0x>l#ny&4Af{j^DHdOCDGxL4kO4D^aJ)F->QtcA?%%+jmRS~vY+ZPci9pYv z9qZ0btnGc09+-r)1znZ`frPg6l&3GL6s4Ja{ZOV$tj)S(RUGX^JMhECchquuR&;C5 zbc4>srSQm^`q|~x?C~(#ap75xM9a*IC}6y|eJ?+q@W2rAriyMf89nufL0_qY`Nj#z z#)X{G4$N}O4%dWc8qW;4fLTsH{>n&I7Q^4U0Q^YuBGbVLw~ouy_I`_%`5c8d_*Ffq z;zq?`GK38;At4OPA|(o~i?TyQBrLdzh^MAoJ?xxDJ7BCpMXELf8u+ysI%VS*K(t*j z1n~t-pky6tYC5FBdTnzJKKKUz;p&r2a?egH1|?e|$<%6d%G0AYO^gXLQaXbL#Vj2f z$E{)4B%`VAz62r=X2*-4Y-KM$8gypW;81sNrqyT5NL=5x7Q7JApEDK!u$_o01O#~5 z4I_YF;q_!@NY+MxwfSOzd7(DI=Q=(!Dz%+dZ5el>ZEqrlBB#ul+#dx=@Dv5*={Y8x zrE&`U#%CNtMx~xB!R$All{w0pj;%2T%3S#7XF{hul{(bXs^L>4A1Vu@qso*gayQ{D z!9vMhskk6Z++AC|yK&@xc>~sI`<0Hw|9k>$GoFeUl@T$LqSXynbh$#I16FPW;fzQL zlmQnh3JsH!4+v7%+VD~|Q&xJgq_%_FthqVu2byVHImd*Q(gcrMrJD_C9XP{kw-Wx1ZqjrYR1z_Zafs5s?{kbz3 zYH&Rh(y-Rx*)o!*R7)<&P6aPeD2j40g$2nZ8h|1!zBD2CV43kb$*RA*s7>+J&_es@ z^0x4;>0(c{w^bKlz{)HeylWuXHo5$COdlvq2h$GKQVGhIgP|`+R^|p-on6uhUlPnY zJ4e;R8bt6RNn3`(zYmD6N}xlFDWgo`62+h@d*^;#4R1AI^%UxwF{@DZNQmQ#iCG(k z0h&4I84^|#c~$pe5X{Q9)$eq&QNNz%eOCSJCxN#|8HN9P{vuo7Ru}99@wU*6h`n1%4*RF1nG5hW2 zw#Gx0>`fn`?4CxyN-`lqQs$#PpqqIc~_SLzKgK;JLo=C zy&}|`IsF`C(oEal6+@Wg-G++@VZUN@QPs)Z0kmpUg?W$YZwZ%L13EZ9T_5N%KR#VQ z9lYyEYA+Qo&)lKpnkMT8bz|q0Ei*hABKJQaE___8EfRdi-Qc+_R@`VBr8+l_@~ z=kODF)ni_+H!xkdznvW|fR>$cow*)UC&bx`%6+J~AHwR79G^$tCprO#?hanN`OWq# z8lxWJxRvFw`Qh6K@BMydPLeM=h3KUs_#DzlOknfs8e6`X+_HZ2i^pxfYU_){HPyN^ zPi?VmX4II{;6sQ0`vli0T7I(qsbhQBs@A%;YrEarZnOIB)ioyJrs$<7D|;8A3lq{? 
zB=2n)b320j-9t0=e`j>t6XQ4N_;yd&`d&~Al1Z`mIOLXcU6=Xp8wUG@rz!a^YkV&v z*h^)YjQ;al>Ew2A)ci>Qcl8;I7=8Y?nmF&Cynb_Z9;=V)-g1mLt^a*GIq2kn5B47N zzhB}RTwVfYNmiy+rvD>~-f+l}2xdP^kU1|^ zxbSKSN^GVPz_+l%EO!fI;PMjUGYb)$m4{bXHOvx~S)|Yh6rJEl1yW&Q)^B|0R^S0) z@Y9<&r%)z$P{>#n_p}uF2L0bZIB4ttlfC_C5BmQlp3BP-q;?r$OZ`VzSCM{8 z7l8k4>Eqz+=$E6z^P|zp;j1GH3ZQ}G-|Tlpv+DAXYWdB;D2SJIzsRv_!Yrz}5lNGT z+aqUbAH(dzI z)B*t!;yc1)i@N(>x(xp>4s8szbhxe@R$E8(J5m&J^D}t0 z;X+&YPL)64pCwn=>RK0zHKXZhzL_@M#JO9r*;~mjg}mO=nPvrHON4Jf;ARNlu1N;d z=an>Cjt2c^T)`tQ;1T}QRDl60ioxUHZzGt4$B!LXO<~8vzw`Y+dq=zA=`X>6 zf6@s4SM77VLxH_o5&1K2+PyHOddwG8ty%yvDGIo{B1NI8jQ=q7)r5q$s)D*vqJqwB zC(QEfI?@b;1~5NvL0=8HokVL_P6ZmfVy$S~xZFGnVSehQ?KylmnqaX_3VHlnfLiAN z(YAg(HZ!1R?{ANG;C@`w@vrTp|IDWw|J9pk?rS&Ljr+g$_S*5^v!@3S@!ywt!u_A5 zDCF*X;&wP`@9H#27lbMkEKkw;k)t9hQDj=}uerf6S}<9V1gD+Jo+-9aZdtoYaTtTr z#+g;l>0evajuU8n*m>U9Hha{bY?!-MsfHY^ud@x4-bJPWDzv1g=B2Z=q!iQ-ctzw^v?X zddX_%$m`ZR8wKvd#;!B&SH(W39fxR|d#OTM3tf5xs?9)8`WEQz9nv10F5r>Ge2wA- z&kG_D2LJ2%B;MN_jrBB&6l6{_swm3%=W>qDg2g{l<$gX6$=QK(vOtiOC1^IJP5ZWs z*Heb@XHjO^?qs~bzxTA3PO~2^7%IQn>K41%g7mprayx~=c(83eJ96am+ckt=ogJ|L zQ-!8l<=E398xt0Sf7}Fw@3{36)gF+77iDI)w-N=SWQykKC(e1P4Fp@l15&*{G?Th_$^rAE7^W|w17x?Mf(Cy-Ef0uA*W z2ig{-*M@A>q8?4!w$8MPuUD)n={VU-)V+&BNgV=p1=UGWQX!siDC+q z{rzX%cRvbV7TaE)aHd=6;0-4@_sb#xlBQj-lcP89e>gsQ`TqRq?6>0=N89>1{@f0B zS-gF)x=g;^X!I&4vUOV_8y2DY;k{Yc8^`1GH^;BvzdCwz`2OtZ|NMG%{^scA`;((L zzrQ~F`TcLlN540y_16CKGQPSR+(h3^i5X<;exiKJr6nS+^`7L*4TMx1oa=@vn^Wys z{@b{vMD4xB{;BsQkC3hTM!S|g3Wqe<*xRJ6W%w${8!TOq`?Ozgo1l$NMy!fS2#-7`|gnpg&{BDULSogbg@3oy^QA`aLZXCYn*0wCD3ESSbNBJ(4+^{iE zD^^A0b)eVut@G8thV9wx)r>+uJ6qMw|Evmf&&L4WkpG!Hd)hw#>tX-bmwH?%N>~by zuE}rM41XgZ6lQ@Q2RZKEm~#KtF{Sx{6Xc|7T6WiajU4ZGusJHS7iMs6M(Zao=)bh{ z%1(KD=xU(&tL3lYeiK-xlW)wr*E3vLTzy$TUH++=zuKqY$g#$O89@u7umv!#Qh2Dw zwn{aOtAt9>BxL)dx8n7CvwZhP?%)k?==##hB3zPIaxyg@nR8Q#)@T=OC0um6Qnl$kxdmK4;a%cNOK|1JviAn!JhBeuqpB}u@TD8 zVu~!yN`Eub7T0+L^z*RZmv`vee}6#Y{kedf*8h(8#+~)Qdk^v77kR>UeZdUh3xS?l zxFa$jw@rCvL7Y7Q)uO&I;<`n0-{%eMMF$S9nY3?Y279ehj$(=MC`Bw@@M6>9X;A6$ 
zXUyn3-SK#vySyFe+6Q*JwBevR^4a4b)U7Cigx&BxD~45 zHACAY&B3X*&EYi1+-{fWPCYBq@ijBU_JsD6XRz%qeQkgA@O;^4Yy9WVSig@j@TUCV zlTQBc>C?%RhxqSHJhxq^e_i0`Co+HO+2fW>U8}>Sy~?#W!t2T39ekzy-CZBA|7S;s zFJB$SdHN@`alQUe_Mbd!-~Y0=H-5c@k_7HI}7w`N*tqf9h=7<%~zz2X71gEibmiJ3H_zquawa2-LF^&RRqv}=(eWZY)z~z@rg#CeEX)ldjYE%t7uLXbI6eeXvK|WL zieLD%$$R;*1Fs8Y=PSBUQS|!?S#UF1c!&wodqkKXGYOP?s>mLcNaou|MC!Kros?% zvVl1o8Brxwbd9l9cl=1DlGT~l?gkmNyJ5?vF@1}_hwg47bCrtLfgF<+VN~WoB)mPh zE4ks=FWG+g=uQj4A3NgREml>l4Y9NGmeB0unFBFL z*BEOs1OiE>HM~JI)fPdEx`^Q?et~Q4F6?zy3x%w{&nlFi<5NeX#$c~jag--3l4Z!2 zlr7^Z`u*_i0Vj0KqV}Xfgqd-|^O2$r{f59b5HqDsOaW%3dwW2yga~^;%7HIAT(=<`@2UD&B zj9``%Mi(fRbn%<_b8@%g3*8MPH$huHpJ|hi63qy@vooBt^FeDI{l3y}n+2b*hd|AZ zbpmzBhb+}Pm}N$IN{K=`aq>9q1u4}iSP&QW2ICk@h(}40%o4GabHXle>WR816fUZ;Pl7`BeU9%+S#+!(K!0fEk(o1wAbEi zXtl}R_)`{3K~fz%5znW}E-S912^+F)>UQmjkTtj0R0=H68Y%1Sjp_3)+<;b{jJ|`@ za-LDSvWA0eM?$r>8j=3VPaGswTx>MBJ=`_8?^d(0BJk0%<=4=;lp!1uso-~%>ao`( zcV{M;>pujOQS^6>24v2;TGd9v-&yD`S2De|>QJw^jLqejKAG#H1!*G;vydr{yjk{heJ zu_WJ&?Eb@=EtcPHoJr<6uAqUbPqvkKmL=V~S08I_s4Y_zh;^G$nJ(!AfcJ@Q0L+?w)I zMh&65AUbGd2pRow>xmxR(h0(dxr%l>o0D=qg)Xzy#ErIl)>(90cdu{Rdb>Fo>4}12 z$n)Nbs(oJ{m~#uLKB2eW((|iYpw0Bm8WHWXoY1AnYEiGIUH(ScUbWYO6%mZG<3vEbU@ z+or4`GM^c(A##@~SJ$6m4rwW@uu=(y;EDDy5f|Y1Jp0MHuooHE4AK<)D~|1CQkTB1 zZipr6no2INnP4!yaHkVewQ=(4{~Ya&_a>w9cyG5gF?0zC@A=Ga!L@^vm2Z-WfI@H~ zjRL_;=rByjkCl-6Ervj9muT2XGJz!BxGcrY^C%pA%TFEWni-wqn#zRE^+cb1K;Rb) zggwrpfsE_~hmJ^GE)|**d0w9J#i7RV=ESe%>$_nqrMo$4!H8FAes$|NGt5;D17D z_rQNB=a{GrMx&a*Z!2st8fnG55LDrFB}(*PKoGt)c)xX2nL|TjpIUWYGbo>XkT27m zLHWE!`B|+RyVGv+y3^;LYtIyEH(*WKKb+9fCDRJw1l*pA8bl7}VmW(ddCAiF>wg*Y z>5|@j<2|);)A!%KC!O_w Date: Tue, 2 Jan 2024 13:23:07 +0100 Subject: [PATCH 31/32] fix(profile-controller): remove unused volume mount Signed-off-by: David van der Spek --- .../helm/profile-controller/templates/deployment.yaml | 8 -------- 1 file changed, 8 deletions(-) 
diff --git a/kubeflow/helm/profile-controller/templates/deployment.yaml b/kubeflow/helm/profile-controller/templates/deployment.yaml
index c361152f0..a263bb1ca 100644
--- a/kubeflow/helm/profile-controller/templates/deployment.yaml
+++ b/kubeflow/helm/profile-controller/templates/deployment.yaml
@@ -61,10 +61,6 @@ spec:
 envFrom:
 - configMapRef:
 name: {{ include "profile-controller.fullname" . }}-config
- volumeMounts:
- - mountPath: /templates
- name: profile-templates
- readOnly: true
 - name: kfam
 securityContext:
 {{- toYaml .Values.securityContext | nindent 12 }}
@@ -99,10 +95,6 @@ spec:
 name: {{ include "profile-controller.fullname" . }}-config
 - secretRef:
 name: {{ include "profile-controller.fullname" . }}-kfam-secret
- volumes:
- - configMap:
- name: {{ include "profile-controller.fullname" . }}-templates
- name: profile-templates
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
From 00ca70b11fca9e7a19cb33f0aa218a7aa93c977d Mon Sep 17 00:00:00 2001
From: David van der Spek
Date: Thu, 11 Jan 2024 12:14:00 +0100
Subject: [PATCH 32/32] changes before abandoning
Signed-off-by: David van der Spek
---
 kiali/helm/kiali/Chart.lock | 6 +-
 kiali/helm/kiali/Chart.yaml | 4 +-
 .../helm/kiali/charts/kiali-server-1.73.0.tgz | Bin 7223 -> 0 bytes
 .../helm/kiali/charts/kiali-server-1.78.0.tgz | Bin 0 -> 7272 bytes
 knative/helm/knative-serving/values.yaml.tpl | 9 +-
 kserve/helm/kserve/values.yaml.tpl | 8 +-
 .../templates/authorizationpolicy.yaml | 28 ++++-
 kubeflow/helm/central-dashboard/values.yaml | 4 +-
 .../templates/kubeflow-gateway-cert.yaml | 1 +
 .../templates/oauth2-envoy-filter.yaml | 114 +++++++++++-------
 .../helm/gateway/templates/oauth2-secret.yaml | 1 +
 kubeflow/helm/gateway/values.yaml | 7 +-
 kubeflow/helm/gateway/values.yaml.tpl | 2 -
 .../web-app/authorizationpolicy.yaml | 28 ++++-
 kubeflow/helm/katib/values.yaml | 4 +-
 .../web-app/authorizationpolicy.yaml | 28 ++++-
 kubeflow/helm/notebooks/values.yaml | 4 +-
 .../api-server/authorizationpolicy.yaml | 26 ++--
 .../authorizationpolicy.yaml | 18 +--
 .../web-app/authorizationpolicy.yaml | 28 ++++-
 kubeflow/helm/pipelines/values.yaml | 4 +-
 .../templates/authorizationpolicy.yaml | 16 +--
 kubeflow/helm/profile-controller/values.yaml | 4 +-
 .../web-app/authorizationpolicy.yaml | 28 ++++-
 kubeflow/helm/serving/values.yaml | 4 +-
 .../web-app/authorizationpolicy.yaml | 28 ++++-
 kubeflow/helm/tensorboards/values.yaml | 4 +-
 kubeflow/helm/training-operator/values.yaml | 4 +-
 .../web-app/authorizationpolicy.yaml | 28 ++++-
 kubeflow/helm/volumes/values.yaml | 4 +-
 30 files changed, 315 insertions(+), 129 deletions(-)
 delete mode 100644 kiali/helm/kiali/charts/kiali-server-1.73.0.tgz
 create mode 100644 kiali/helm/kiali/charts/kiali-server-1.78.0.tgz
diff --git a/kiali/helm/kiali/Chart.lock b/kiali/helm/kiali/Chart.lock
index 00490dd2d..0935b0d65 100644
--- a/kiali/helm/kiali/Chart.lock
+++ b/kiali/helm/kiali/Chart.lock
@@ -1,6 +1,6 @@ dependencies: - name: kiali-server repository: https://kiali.org/helm-charts - version: 1.73.0 -digest: sha256:ae1594c1ad4ef754c30fbda9583da93c08fdf8b904d75cbd9f7c46117c39119d -generated: "2023-09-01T15:42:45.406451+02:00" + version: 1.78.0 +digest: sha256:19be4849402ff6785ad59a773f331a908e637311c8dba51c14735118dc9fdbc5 +generated: "2024-01-02T15:06:49.894319+01:00" diff --git a/kiali/helm/kiali/Chart.yaml b/kiali/helm/kiali/Chart.yaml index 51f9ed588..bc62305e7 100644 --- a/kiali/helm/kiali/Chart.yaml +++ b/kiali/helm/kiali/Chart.yaml @@ -3,9 +3,9 @@ name: kiali description: helm chart for kiali type: application version: 0.1.1 -appVersion: "v1.73.0" +appVersion: v1.78.0 dependencies: - name: kiali-server - version: 1.73.0 + version: 1.78.0 repository: https://kiali.org/helm-charts condition: kiali-server.enabled 
diff --git a/kiali/helm/kiali/charts/kiali-server-1.73.0.tgz b/kiali/helm/kiali/charts/kiali-server-1.73.0.tgz deleted file mode 100644 index 81156f4f956d12fe13da8a651aeed037d0c8c146..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 7223 zcmV-79LVDziwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PH<$bKADE{j6WHm+6_>y%r_;+3HT_9-lOAbDG!KZqJ1ZHw zC7~t>767g2B>wMr@E`>~B|qZyVSGp|a+NoXSNu^#c|UG`RVL-%W?>&Kw1r@3`OQIEsEKM1g7;2?H zCBfyA@DKtPr$kb-AOJ~1SkfqhDFVlsU110`0Rpp3W*oulA%*pcOvz@!UW6DG+eDoD_?16U&!`kf;3ja(pKQh|Fd#L{`fIEGsgnh6a3UKPnW z??BHPZ;roZl-rT^)VeGdbS6C@nOuO7oJgFn6n+0@87#;Zss;EmVM`zjB%$h+q%p#B zK_skL#^H=*65+?Qmj!#K7?4b0?+I`^Ur123)wrl-1N5>10ZG1)Fr#zDI;n_bnFJz% zXNktYLnSO(7KObhkRXPNj3uGQZcxaKePJ4xOf_r9$c~r-dy`^vuDYi<$Ux0s2~LjLu(?RI%hW(}WRe zrj1-MVTH}e08Cf9()WsNZK4+}Ss+(Z*XwB;MT?F|NuY$pgC`K;jAW5i60%gFYwJx* zTNGi~>nRZ#_dr{7G#tbGYx_fsko}#Dkm>tcY*j@ohMM?@##9O;My4@MDv=W7RBCo1 z?!h$6U!PlB@iYinmPl9-0V(pB3N`J8tpRw2d?gn&nftoMZyAS}aRg=IaTWo)LT;MP z8BjwVki@i}33S->Cbx_LND!b9bQ7k7SaGfJ8Kz53cq-4IxqtEOr``IZi@4MQ>&a6m*a5xlFBfAF;jI|7{zMNSCElnE*s zU%52>uO!o_lFY>}Fb)LFFzIfqc9S_rA?%>9r6M9zj6}ieAR1hN9TKMz@`+LgWAH}msS@*v zzz74$xFyy|cvYCy)6)2)oH9=3YEl{|g_L6&(SV3CjP$Q!C#0xQs~rj{@{tPCOc67T zy<+HM#+3jaAHJe?2()4vR{=)f>GwvaYC|h9$P9gIANj6OhIZ!HdzinGt2FP4WRcP@ z21tvnl}s}fC6QG^n*Xn#+(ukg3lx_VrH?1E)L_;ei zx}LET$MCcF!;90=!EogL((6TRPLqjbmzXFhLFWlg=4w<86U;7dtY;dRW7r=Khidx7 zC^-$pq}q}Exq<$A`1P;{u*B&^aag1L)Vq_%^07;4|F4X+NKL)L>o*tA&wcq$-bWi7 z_W#4f!^6t{|L9=&=>L6?@-MT=QFgXAhyQDBT3a_Pu*AIDD=$ZdA*wW`(j^O9_ z@4+{R38#fa8LqE?(dPXWF*axBwT@DEb)82 z9knqUo1M{9r)gDP)!YM%@M#UZd2I=F>pC>={;9QK%lw}#FiMdNU#53=1$NK>(b4|l zQDy!gk4{b==l?^L_wNT^!WE6jAW(ub&Xn!?G*-hBEN~284z90zJq6Z##*s)=TOsRL zm}OD4Qv11x&ZwTsW{;vLwBP#|DoY~?bR`ML2ioZ(az~PO)W8qf6nTOYg{}p9Ln5@# zMBD7fN2E8FJJu2M&FgaoOOv_Y%~Oi^}b?x_uPwMOos)DulRK3WN&!a(iy6rEK>d%$wvVrM`6 zo@Uwm_kG1DnxM5(?IibeydLx|7@ffmNkZ7c-@yOLoB^~FX?I7vu#;c`UF&oXwF}p3 zKcHG^h5cZpM9GIG2qS^@imfCyAV|W>pCt)4zCT@8^*eVJkg~tcKxs>V)0k?|^?;_F 
zCUOSe-$eg!!Yi#umG$L=-s!3(&iiiTSg4FIAP21T}D})MyU6Eu5Btj!MSu z;jiiMJEPNYWIl^ymKcVLOTVv>+KhW+WvG?ZIj zxns7mQcAe&v)S4WQ{&^g9k=Z`SsmqmW2?^Ld&ApY-E=U2tyTTTY5EOHz<0a=jq|Yuwys_~0P8xLlO#Ni(gk^)#V|VFq<5Qpzr?9_ zCT;4j{V(@SGgFtLRX}gx*+r^6996gi-+CarE0neOz;iG-qf{DI)t_f1 zHNi3zg@5|?g`H`_|DFi&^dXdAoX+UEJn~#}$}LrB^#=Bsw2_t@F)#P{X_uWg9DTUZ zhfLbwS;NiL2J-SN@jvE-h$ZU-yiJVH+wco_Vu|+)B7VSC!GMAy&jGKAc^&7+#e-nVz_ZAHxX3Trk}Uj zI5s7S@=9Ob$Cg1IlGFy4$pWqtQcUd_90^IQrHN4``UOa1&Pra{PyuaLz(eJ0D*s=zj+NI4J0ge zyxAqLjMG(nzAP0QrE!s&aI`9bp#wr9$tGr+4)$$Ldk!zw%==s}@Eb+X_^F|*&eVpO z0e^jr@7GW8UE{;>=yUT%I|DA*OU5q0Wn4A6!*P!9&eMoW@Sb{iXwx`N_IH~bRkBfP zct*L9Ep#d)}^3CB~wnqRn!v z|FL$X#qQ_POW;{o+HNa|b+)w+)9$Wb(s$-4Z&4X`+DC79z0TW#w!GE8+VRtRbBQ@M zbgC4?&^iK6oKV*=IABg-i6zK$DQ%$jDKw5wH_mcLoQ11I+CGgtHr+Y0s3&`ALZoK&6T3aS5df1jMH07ujcXHX_oOCoL_Q8mV2+AM&8;}+Jdv>obbe-BZr_8&=8F({0{ZwfK^{ab-LueFpq*c{xJzc-B*iHo|~n8;x9(xIb^ zl6w5!nxbQiJx`mqiE~jzllhN26}?DBB=62MK1Y-3XrKI;kSjtXGL4GoCZ+JqMbQJu zXRIaP;gQZjz9FBA%(kNUH|4}vRVQV$Rld#yt-`n4-%g#5_DW97nuV`Z@)j6eiY&H! 
z+|u~$=*V68+`q8n>i>fXd`py_RoN4JySn2h8Cqm3MpqX$^~XR+)xCZ zq-%#lGmuHzb40w-ihA#cXO;%ZIsWTtUdK*!x9@rFqYqFxoSp1an6te+=X)D5scqY~ zm6hgQT9?4&8pQGY*t-K>-(n(lbgQ2BysnnNe5T$N?QV&s#_vYIelu0|6#I28{qAiR zMd#(z*!9WM4H5R&y2;-_?Uv-bmm;j;)zedZQ$lYW$tj_!>GMXK0=B*oEbpD}`xv}t z)~#xk+RWnlcokBQN)&SIlZD0&hfbjNJPxld?w3(4VmUZVf`IP623{I)fr>* zTNXqAUKHc87tblgq%Y{;B!QW|h&WTw_nf5K*O$e$i$vI(P55KPSyF4n2O*BCv-f}iY zcSsd2-=Qpza!TZ)W3JVA)Ab;AxV|1NkVJCvpE7FQw+42s55aHaZ^?@Y7N~~!`-_XW z=QZs0Sx~M~uTUOF0Gd!qN%RdyWOa@KOOz#YeYz_UwMkSzP9gPAxsdS^24b{#G-t6vd$TrnPoozWHwQ z^7&8CUsfA5%YCb>&Zf-yrA608`t6&uSEm=vSi2M8%rz;kh%a8edOrE~#q*cn+_H_@ zO+l?qou9sX`||nO$BBNs#MK^renlc3{MOw6wm3z97e46oo;*IOf#lDN#JY~LYHnblsw>L2?#-4F ziunyhw;Sb+H2cogS=-RwY)lsye3gx#(yd>x(Xw7+=`^WbqKs;BHg5N!Q-b^`(Oqb6 zvk$tH!ZD0-Nw|;Ld>8kPyds*oy2@&{EnNKOcxii`sQos5VjMTsma0aHlWK4W~K zlc=^usr_ZZ&$EZoGhXDb~%r>td05 zpZ{|9kWPBrhF*M(#jj)O+t^#X*lj=jH(uxN#*D^k)8>z49CjMSB)<>VPgsb%u(Js) zW#R5d2z_;|8x3B*brw1o+7d-2HysP{v=LGJdRs=e^_sgCeJQKBhr(M^r%>HHaheNN z3KL21LZ!jEHK{jnjyso-uEE`#NqgJS>SAd;QMmy{rCVdy71ZPN(vj>YqRNOik@XlC zQYkI*AB&XS-)A5;#s8liG~EAq{22f75T)ZlEhWB4F=&eNZ?-g54d?!GRndfze9t)j z4@)G8-m>u2-bs%9j}ud(>AfI)jVKJ>0c&cH2pe;W=dbJncM-Osh#4O0(V z=6`;B!@cN$4f9{k{A&Ey{^&9O>p{x>Y_2R8{LRL!wCyjt?jSLnYNctm^HU@!myBO3 z+yC+_bF0~C@WNo#?h1E;HUXDXxHkb$QIe56xy&@T?R^SO)*LfnN454vf`+i!8&$96 zIW%52aQA$x&0Q;fETK8m^+tW&0$*F_oxQjDB#Fh@*I##A3!atxk6#Pk|D zbu$W_7`R)I;I&N@`!lyM-fwyLQdwBRQ}w-VEQV%bZ?Yk(1GafWR-@SL^Nj&)ZS_mT z#j_~?1do~$`JON(a^ZOGZ+`0Du;IVsa#J`0h+JIgVBNPmXQp^zWu)wM(%$Owf%NSn zrXY_Hs2px5Sv*DF8Yia6gJkv>scepm7!-{?ouK~x9at!2;XD{@(dmZJ|Fh0%Uh)O-> zx^M%AakFyEYdaci&PgI)pZQUiG$>?qx{?TKW7p4?Y9-vh$MHq z2xgQ1A0Aiyzx%_{$^N7Me~41m&U{J&Jwq6$|IyoD$6;cW^cjorE| z*MQbO=DC||;FN`85V3i$q<}Z;*)2LzEP|qFN&jK9+7-j>0vjP0R@0k{I_`@E-8;3r zm@&R2JS^i4^e2`qppaFB_)cP?cb48BcqC0lQxhSX#&hbEepvV0BJset9D>me#Xml$D;l2^dzMBzXvIwYW;s)_;npt+q-XcoY2?ScwxLyR!z@&nrqt!+M95H~Fy>;IG{Ax-9YcLQ&X z|2;mb_(Q7>8aS;j8VRJM~&*Q>}%R5o2(k zmu{W|D%)P!SHeZKSa5k{okYpx>MrRnl@ocw9;RDE`LS5 z@~t+Kuw)gpOymiiw{$R;VIYTK1}@A{{F#H 
zE&l8A{QqIfJ;i_BL*~a5IMtW&7vBkmL;q+`e+HoV@Mzz4lfGaH;LiSMtJH_ZQF14YzGyT__tiTi!0+ zdara7X*Z#!bm4TJ0p)L=w5!~%51eeY_?=BhE)UvF-oid^tLhrZjaKBRUQGXhrQ80q zw+jwSe4PJ}<*_`L$8w|c{{a91|NpD0jCTOI F007KpY777X 
diff --git a/kiali/helm/kiali/charts/kiali-server-1.78.0.tgz b/kiali/helm/kiali/charts/kiali-server-1.78.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..763aee288442838a8ba1ddea34332813fc729b13 GIT binary patch literal 7272 zcmV-u9GBxCiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PKBxbKAD^X#eJ?*vs@cwRl3)SQicaG1eg_Xy;8XG=P9NqUiACbE*j+4k7rVeEB{3ZcPyr+bmSGBllYDKW2>0Vw`c7 zXF~Pt0i;9?MB~l_$a%a1xB$pAW!(Ab8QkiA)*xYBfdR{q6UlgA$vMW!AXG9ycvl4% zSSI+~eERr&nx`WFuSlGuxc3EMjr>2}KRBq#|HI+o!K3_ti027>HO=E#37>aY$T^Mh zD<$3|%s7TbVidqn0^zF&vzRRtB~586BuPUYt6E=y`iUe8yeDumr$W_cX}koHXBp!X zBQ4Y?B)nV@9zn>Gj7Vx01R!Yy3mV5TLExCMD~y1qKwz57oFiB{q#A!U?SM695`4|b zzHYA%R#BAP@t%O3W7=0*118BOs*<2*2e4Ks^fv|MJ2^+bpaOR~fTgpPaf~(qG#3~J zUcHe~F#ylOH^<*|$}OgSwJwV}ok|}_F6SU5ClY5%1>b*I4s&vaY5~4X*#gKMNu)+4 zX@anr6A4R}b2wwUMEL3KbxEEHh9np0JpoQp6d3usDuT}scsF9EXGu^cNwPVYIur*4AlIU zKqchacA%I6rmfb-chhWC;eI#`l;j zn8teT_7(EICvc8Z(sU+3Dzqgup`kN~=V!2(({K)iBV;iN4Qs0c&sjR9vo|DDBzem; zU__c}Bj-$5W-~khlclcog92Nt=p{+!$Q9Rl9*H8V6f_c#BPz0(EXP)hQpy8KQznT~ z;7SFEWON`h3_Sp){ERyb$z_I0W1}+05uBX9f)^~z71Qd{o~IQg&9@>Wq2f>NlDWNosn}1v)(Pu29PWNEo6JbQ0qVl|l`10RGos`>Mo>$X3N3 ztEJjviA<+7rE;mN0HjQb3jF~fW0Cv!n52^07oq0Fgk%o=Me!{ck|kq-Ax9}j@XN0r zz?=y=CNU)f%U2mOosx`>OU2PAxnv?FF->Q?SNpy$p%~7#P7^Z2aYSb*q-7a}8(+-H z{?V}ybZU#(7PZj<=BuLA9JV3`Z{J-&#&JsDo4IX-^n%Jc5b*!uZgMNWzDrC+{|@d}mP zr0JBIw`w&QPbtRHs?Pp!csv;H4Tk#{dq<<;;b?gD|AtRT!=dFJl4LRRu@VL&@b}bP z#pYvyF@}0hN8rl3$uEea_LOodsl zfEgx!iMoVw#X!f0Z>U9q7EGghfxYkbcf(T+)Cvr91D`Tt-&%^f;xg)wXI;@0=h?q|p z(e}2&P{E%dd9Icoy}(%XGbXD`jpxw_Q>i4M!NZdfxg1YvjCz5{IK3hg$CtRYFYSUp zMWR&9@iZng0}XOXr&MXZVyswI@ufl*O(XS|@ecS38rshT2#IP-*k2m_K}ZIslkyXDc+mX-wwYWdH@TYj1`4-lb_o(`dd5|`(NovvEu&Sx9=`qo(J;1ypKNC z*#E=B!^4{We{?W>^#4A{^KWD1C{g>7ZBlzXR z2MEk&!b#~+hU@EJwT3-GOjkC5GKorgZfc%kj6`7YwtRhk{c8ZPq~j?d(Gmn>Y2bNV z$}k!k%jlWYwW_Xa?tpFZS)+CH*#hX+bzt89OADfo`9GdxoFNy1%ub+b#k}Vni9}_MSkr!* z$MI5`R56`WJ(Z1_peJ|aRhbmTi|`?_%cP+nYp8E)_RS?L8&L2_C0h0K!qu_<0&}n4ebCce2cx~2s}-) 
z4<81KPBcZUDB4LL6z%#ju*K*Uwn!Sm7XA*w&t?yx6G&^IY{OQHW$DJCi&EQgtyFT= zOJ~`ShD#KGSb#7V*sRzIQcDAARQt2S!N&Ke>#A`V);g*B+e|5~Y_G$qF1kW!#%U_2 z;Qx;p{EzS}>rrie`KXOewZ!@V+XsK_yMs}G(&Rj!PU(B_2Y&02UTNcJN>ON_OKaQs zKngy-LOx*vwMnMOtUjc;aLR`)6*NMQ(Yn#bZ1!4Jsc=vWl`5SUMK>*{d7!6~@jL`8 z_y-Pl2Cc+rNy1V?P_b@^x{w**9OEPq^Ic8k5q$UnG!5fC>R^IE^+>YJdQrX3@`c;t zwe3q+ES*V87imS+%6x~9r6g`@TOZ-~oJq961ec|lRR-h3^pcR2%rF{EmZqaZ^D2C! zt(7vu<$z6Bo{$C|&n@0IqhuY+gVtW1&G(kCg}CV<{z|F_t<&@cO5}+GPtCjnq1vbh zZB!Q)HC*Cyg9%vJ;(=p`x6a3ovQ6>YQ?MzMIZ30FIGdBVc>;UK>*Q|x=odKA{+xBg zwf_~)f!1Nx%D@U#wYoVATfLya>)S=DijI1@vb_}|`YTkW_pa}>;9#kORW+XHBs0M> z6h&}y`pV8U5&S>|_<9p6C^ty-T;B6taH>7kVD)$HHfbv?HzHo)bkklltvCj7q4#;T z!m}zjRR-kcH{$=8O&XT2Ht^OFzUU(;J$e<|&x!aEmn8v8h%7wcwJYS!u|R=w;4(o751PfN3kW~;Y$0_!df;Dzzp z0+l79%s2aHV`_DG(nqdlE%3`~{VIB;k55N1$#d+ckKTQ_1BtZn-f>V3Hrdx+J8`NT z=B*1_txU_@XclO(o!We9HyC~;eniJnh#C%jtugr8OSm%Sm5JfTq1=Q~Ri8o8XDe_&$qiNM*bPyP>E|aqZNpwY6k9 zEJ!MENV6K%>;mP?!tPbfPU73kNv-nUvzTmb85@}wRQG^eCB$Y`o7}y5z59^0C*`)U zj(wC^Y}pq3$!bW&0y==0u}fhi?CodcsT3qZ2l?IjK0}%FQ~-g0oxghv5e+3QbiCOm zE{)Swd%i3bx=G_AGvR3U0tOCk1L^Y-F5`V$&mQ?IkWZTs}fd(@5D$ zho%8Hs?rAbX+1EQpd?iU(DXM9WeMX5d=q&W1i_z3c6H7FA}stq1i+g4e{j&q|2jT; zjQ@C;=Tpw#hnu$Dd(f@<4IOh`dlT7zND^<}QY$ES>K8~eH3O5Y@v-b`_iK2=galRs zuBZp%>XmDpKz?vsrF2nw400w0aTiZ9v4uWLP%_8j3Kv957ULK zgBYtZXmvD99P*fvScgCtpOrwLv!qP1Y9LLabcQK%A~7;>CpO_t!UXLOOGx4!m~xhs zxa@`#{D#MOtDVOi<${VMvO0S0H1b!T(vCK3{?v6Xu2wnl!)TyPF?7jBjw&J_#w9FmU-6lka^Vbd>eULQc z_f`-c+t!QBWt+Pe$26V&q*Kw$Y(VnPO_Cl zp}mmFn{!ya){FY?hG$lg2Ifb9G_RS zQ&&4nH*9dQl1;%HXg37kJ(plrUcEiBhZT66a89L}hCFYDDP*ey!HUu8v5&xSC*A5m z0=T|bT-8GmoB4lz{g1x3%2FRbSl~u|#jncrw$=PCX?$u=KJ4aOc=< z)*yw`Bq3?ElG+3CcUdOgq;uc>I55(=@~(*F(_eCv2fyn$V^)QWT>IxX)qVrnR8P;} zST@xwI$X9lTqmgkNF1}pDW_L7#u>g8A&KpwEhf=^RWd6IMa^##tauV6}@h<>Nlxd3J^Wj3(oZURtkNiG2UcKB_R-c_t9GSL);IOS}DE=mZz&!T&QYQGhl`8T^G55< zSx~LftWZTG08Oc+Bz}Q0S)OCaQl*I;xswGsWl{O*U|4>O=@mYb;Iond)2pUvIC*~Y z>gSi^wgDSfx9p>FSWjnH z=O=GYU%xyXpPgJZ2(qph_k5p92Ujf46MUl-@s=fG*l8J54;E`%Y89hY?V@_ms)YVsVU-ri 
z<3zt*;&KPRydtpPZ6Kg0`iw-VqFie+B?`))fHqLk7mON#o`d4 z+hKVv%z<-y)h4jFE7Ro}TUF(!a_|F)`y{$I3@tV64d>N~`hoW0Ur<%HV;4~HL5T=se z1xnNA#-QH7IqsYTx+?A-4(e?JtJ_NJj>-)nsvO+9s-Rw^9}n^LY^Y@<5E+JTQU2|krmEo_0j?^VFp?h_r~hTC zB=ISWPVBMZ$p1VsB^urf!e=N;|6yCy4CqboTI3Ae!ungYNm-C)1@3+!-ENqA&@umu z(;MzZ2CSL?hlfua@n8Gm;ZD%D!j%;6b%iG=$(}p8%rv+CeGW<19y4IE+PD;;C2aOa)f;&Z zt%nWVJ>P2m&?@&8v}d~BXsjEw*EM*@_BOYI*ft0HvW4PYNdYX5ii1Um!TvB9>Z3Yz zAOH>~B)r5l5`k@}dQF6TNn3fm%5J5fT`EM5V)x*1@A!%SJ7kF(;^6S$oBhM5-yVLm zy&gsj7)c{gOMp2|#KJbnIFl@7ap2PERt_`WYl-{nF?%(HR081o>eZnffv-0){Z>ld z3<4(x?iL{UT@%IrEcA;H8=k#XWmfQ2eSZ^;p`F>=bci~_)=$WK6q|j&Hh`_Geg$1T zkBeJy)RZV}!i>ndU7fH>gtB{?INb2 zh!Ci4Zl`%NLEafBvnJlC8|K@DL^{=bgLk^U9;_HO#O*rx67qgbW>^F24S9bu!;K+v8u|MO|8DuuS&RdFyf4KMb_)-2p#8a2fd_qD!Ll~$3)#k6`Ffl^kHsV@Qd&N>RcnJmzt5c@ecO}Jy*gI22M^*)sk|< zsRqRng62xViG4ZKu_gnEsW5*mhz#d-iTJsB_VKyDr%(Q0QCuLuyA`lT{_h_(^#7;B z;p6__gFLs8|MsHEJ1zr;x$aGf_laC9+{*l2p?_i;WsIg$c&<}nuFRd7&BQ>GN&hjR zjr%mW3kjUDNbJUJ=2ZmndO5qnAj(Bhls)M`Y*xD>m|b9F{f$rco{-XOl0m}<+?-vOUwnP}@GBABpLnDuGkoR41_Z24VCB5|6>V$%h! z2Gm5oY-JhF(%;y`^kV7u9{f41j+nFub(nqbqrrV;eIbCXfV@fER zgP$C!*w&slC^;$tCtBymA4!MmS^w`X0BGI%fBba6?*BU)KH7f|@_erK|8e2}gDw1a z8|`nS0(6e|o|S?2em*xO`_y6r34xcvse+P$;^Zy~9yXpUJVxT`IPOWKUmc~nc+jI36@!DN& zBxUI`VYw(0IB)4-tj0CnCKA8YBWbjp9F_dZPg*Z%&&Q6v8A zasU5eo_mV_x`)hO7lYO)w!Ml-xv6)R5lJhQ=xsx>xpG8XMxd#iNCRp7bQNs{ZMyZ=@}c7NcfWBo6# zy?TiJ&x3=#`ucyoKYWb;evqg0{-;75{NZ!7dy)w6a?n-x#c%pcI&%-S8r=MxF864s z_9Pd5sptloF5Bx$>2o?s^-6Q4vvrksb8yNd+>3i(204$r@@Y&*aD6@6-R;e|xkaW{ zJv-^s0M;K%e_OCybN~8PKg)h?$KUrW7i|^Y8M8hMv8PeF%nD6JXSj8pI94xR8FqQp z^X>CUi=&-nnAx)!vePp2Qm4)~R44Zk=k_{vIQ5MO_WQ+ibHZ)ctqWDfX2a8^JI|GF z1MMczR1TbO5})DyWnK4#_t#%1wUvtc?12ptE#IUw`!4}doleJKK=TiJw@@3 zYT&y4zo!28^yuhu|L;Mbb^2f7di}$zfsgb5@p*h6pU3A$&;Jhq0RR6=obUetxBvjW Cd1#ve literal 0 HcmV?d00001 diff --git a/knative/helm/knative-serving/values.yaml.tpl b/knative/helm/knative-serving/values.yaml.tpl index 0c2ce495a..4b86c1511 100644 --- a/knative/helm/knative-serving/values.yaml.tpl 
+++ b/knative/helm/knative-serving/values.yaml.tpl @@ -7,16 +7,15 @@ knative-serving: net-istio: configIstio: data: - gateway.kubeflow.kubeflow-gateway: kubeflow-gateway.kubeflow.svc.cluster.local - local-gateway.knative.knative-local-gateway: "knative-local-gateway.kubeflow.svc.cluster.local" - enable-virtualservice-status: 'true' + gateway.kubeflow.kubeflow-gateway: istio-ingress.istio-ingress.svc.cluster.local + local-gateway.knative.knative-local-gateway: "knative-local-gateway.istio-ingress.svc.cluster.local" istio: - namespace: kubeflow + namespace: istio-ingress ingressGateway: create: false localGateway: selector: - istio: kubeflow-gateway + istio: ingress kubeflow: enabled: true {{- end }} diff --git a/kserve/helm/kserve/values.yaml.tpl b/kserve/helm/kserve/values.yaml.tpl index c5bbe456f..8795cdc1d 100644 --- a/kserve/helm/kserve/values.yaml.tpl +++ b/kserve/helm/kserve/values.yaml.tpl @@ -1,4 +1,4 @@ -{{ $istioNamespace := namespace "istio" }} +{{ $istioNamespace := namespace "istio-ingress" }} {{ $knativeNamespace := namespace "knative" }} {{ $kubeflowNamespace := namespace "kubeflow" }} kserve: 
@@ -11,16 +11,16 @@ kserve: localGateway: gateway: {{ $knativeNamespace }}/knative-local-gateway {{- if .Configuration.kubeflow }} - gatewayService: knative-local-gateway.{{ $kubeflowNamespace }}.svc.cluster.local + gatewayService: knative-local-gateway.{{ $istioNamespace }}.svc.cluster.local {{- else }} gatewayService: knative-local-gateway.{{ $istioNamespace }}.svc.cluster.local {{- end }} {{- if .Configuration.kubeflow }} ingressGateway: gateway: {{ $kubeflowNamespace }}/kubeflow-gateway - gatewayService: kubeflow-gateway.{{ $kubeflowNamespace }}.svc.cluster.local + gatewayService: istio-ingress.{{ $istioNamespace }}.svc.cluster.local {{- else }} ingressGateway: gateway: {{ $knativeNamespace }}/knative-ingress-gateway - gatewayService: istio-ingressgateway.{{ $istioNamespace }}.svc.cluster.local + gatewayService: istio-ingress.{{ $istioNamespace }}.svc.cluster.local {{- end }} diff --git a/kubeflow/helm/central-dashboard/templates/authorizationpolicy.yaml b/kubeflow/helm/central-dashboard/templates/authorizationpolicy.yaml index 35817034d..0a6cac1f2 100644 --- a/kubeflow/helm/central-dashboard/templates/authorizationpolicy.yaml +++ b/kubeflow/helm/central-dashboard/templates/authorizationpolicy.yaml 
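Review bot: Both arms of the `{{- if .Configuration.kubeflow }}` under `localGateway` now render the same line, `gatewayService: knative-local-gateway.{{ $istioNamespace }}.svc.cluster.local`, so that conditional no longer selects anything and can be dropped. The same holds for `ingressGateway.gatewayService`, which is `istio-ingress.{{ $istioNamespace }}.svc.cluster.local` in both arms; only the `gateway:` line still differs. Hoisting the shared lines out of the conditional keeps a later namespace change from landing in one arm only.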
@@ -6,10 +6,30 @@ metadata: spec: action: ALLOW rules: - - from: - - source: - principals: - - cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.global.istioIngressServiceAccount }} + - from: + - source: + requestPrincipals: ["*"] selector: matchLabels: {{- include "central-dashboard.selectorLabels" . | nindent 6 }} +--- +apiVersion: security.istio.io/v1 +kind: RequestAuthentication +metadata: + name: {{ include "central-dashboard.fullname" . }}-oauth2 + labels: + {{- include "central-dashboard.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "central-dashboard.selectorLabels" . | nindent 6 }} + jwtRules: + - forwardOriginalToken: true # TODO: needed so the requestauth resource in user namespace works. + fromHeaders: # TODO: possibly add this to profile controller setup + - name: cookie + prefix: IdToken= + issuer: {{ .Values.global.oidc.issuer }} + jwksUri: {{ .Values.global.oidc.jwksURI }} + outputClaimToHeaders: + - header: {{ .Values.global.userIDHeader }} + claim: email diff --git a/kubeflow/helm/central-dashboard/values.yaml b/kubeflow/helm/central-dashboard/values.yaml index 177839e00..ee632be54 100644 --- a/kubeflow/helm/central-dashboard/values.yaml +++ b/kubeflow/helm/central-dashboard/values.yaml @@ -4,7 +4,9 @@ global: domain: "" - istioIngressServiceAccount: kubeflow-gateway + istioIngress: + namespace: istio-ingress + serviceAccount: istio-ingress clusterDomain: cluster.local userIDHeader: kubeflow-userid userIDPrefix: "" diff --git a/kubeflow/helm/gateway/templates/kubeflow-gateway-cert.yaml b/kubeflow/helm/gateway/templates/kubeflow-gateway-cert.yaml index 43088e89f..667663298 100644 --- a/kubeflow/helm/gateway/templates/kubeflow-gateway-cert.yaml +++ b/kubeflow/helm/gateway/templates/kubeflow-gateway-cert.yaml 
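Review bot: The ALLOW rule now matches any request with a valid JWT (`requestPrincipals: ["*"]`) and no longer pins the caller to the ingress gateway's workload identity, so any mesh workload that can reach this pod and present an accepted token is admitted, assuming no other policy applies. The `global.istioIngress.namespace` and `serviceAccount` values added in values.yaml are not referenced by this template; adding `principals: ["{{ .Values.global.clusterDomain }}/ns/{{ .Values.global.istioIngress.namespace }}/sa/{{ .Values.global.istioIngress.serviceAccount }}"]` to the same `source` as `requestPrincipals` would require both. The `jwtRules` entry also sets no `audiences`, so a token the issuer minted for a different client is accepted here; listing the OIDC client ID as the audience narrows that. The same AuthorizationPolicy and RequestAuthentication pair is added in the katib, notebooks, pipelines web-app and serving hunks further down.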
@@ -3,6 +3,7 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: {{ include "gateway-plural.fullname" . }}-ingress-cert + namespace: {{ .Values.global.istioIngress.namespace }} labels: {{- include "gateway-plural.labels" . | nindent 4 }} spec: diff --git a/kubeflow/helm/gateway/templates/oauth2-envoy-filter.yaml b/kubeflow/helm/gateway/templates/oauth2-envoy-filter.yaml index 503d2e0a7..33d47f6b6 100644 --- a/kubeflow/helm/gateway/templates/oauth2-envoy-filter.yaml +++ b/kubeflow/helm/gateway/templates/oauth2-envoy-filter.yaml @@ -2,12 +2,19 @@ apiVersion: networking.istio.io/v1alpha3 kind: EnvoyFilter metadata: name: {{ include "gateway-plural.fullname" . }}-oauth2 + namespace: {{ .Values.global.istioIngress.namespace }} labels: {{- include "gateway-plural.labels" . | nindent 4 }} spec: workloadSelector: labels: - {{- include "gateway.selectorLabels" .Subcharts.gateway | nindent 6 }} + {{- if hasKey .Values.gateway.labels "istio" }} + {{- with .Values.gateway.labels.istio }} + istio: {{.|quote}} + {{- end }} + {{- else }} + istio: {{ include "gateway.name" .Subcharts.gateway | trimPrefix "istio-" }} + {{- end }} configPatches: - applyTo: CLUSTER match: @@ -39,13 +46,11 @@ spec: context: GATEWAY listener: filterChain: + sni: {{ .Values.global.domain }} filter: name: envoy.filters.network.http_connection_manager - subFilter: - name: envoy.filters.http.jwt_authn - portNumber: 443 patch: - operation: INSERT_BEFORE + operation: INSERT_FIRST value: name: envoy.kubeflow.oauth typed_config: 
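Review bot: In the `workloadSelector` added to the EnvoyFilter, `hasKey` can be true while the nested `with` is false (key present, value empty), and then `labels:` renders with no entries. I have not verified how Istio treats an empty label set here, but it is not the selection the `else` branch would have produced. Replacing the `if hasKey` / `with` pair by a single `{{- with .Values.gateway.labels.istio }}` … `{{- else }}` … `{{- end }}` makes an empty value fall through to the fallback label. A one-line comment that the selector must match the labels of the gateway pods this filter is meant to guard would also help.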
@@ -68,10 +73,12 @@ spec: path: /etc/istio/config/token-secret.yaml forward_bearer_token: true use_refresh_token: true - # pass_through_matcher: - # - name: "K-Network-Probe" - # string_match: - # exact: probe + # This allows us to not redirect to oauth login for subdomains like from serving, since those are dynamic and aren't a valid redirect URI for the oauth provider. + pass_through_matcher: + - name: ":authority" + string_match: + safe_regex: + regex: '[A-Za-z0-9](?:[A-Za-z0-9\-]{0,61}[A-Za-z0-9])?.{{ .Values.global.domain }}' redirect_path_matcher: path: exact: /oauth2/callback 
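Review bot: The `safe_regex` in `pass_through_matcher` interpolates `.Values.global.domain` unescaped and separates the label from it with a bare `.`, so every dot in the pattern matches any character. That makes the set of `:authority` values that skip the OAuth2 filter wider than "one label under the domain". Escaping both keeps the bypass to real subdomains: `regex: '[A-Za-z0-9](?:[A-Za-z0-9\-]{0,61}[A-Za-z0-9])?\.{{ .Values.global.domain | regexQuoteMeta }}'`. Because passed-through hosts get no gateway-level login, the comment above the matcher should also say that every workload served on a subdomain needs its own RequestAuthentication and AuthorizationPolicy.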
@@ -83,39 +90,56 @@ spec: cluster: oauth timeout: 5s uri: {{ .Values.global.oidc.tokenEndpoint }} ---- -apiVersion: security.istio.io/v1 -kind: RequestAuthentication -metadata: - name: {{ include "gateway-plural.fullname" . }}-oauth2 - labels: - {{- include "gateway-plural.labels" . | nindent 4 }} -spec: - selector: - matchLabels: - {{- include "gateway.selectorLabels" .Subcharts.gateway | nindent 6 }} - jwtRules: - - forwardOriginalToken: true # TODO: needed so the requestauth resource in user namespace works. - fromHeaders: # TODO: possibly add this to profile controller setup - - name: cookie - prefix: IdToken= - issuer: {{ .Values.global.oidc.issuer }} - jwksUri: {{ .Values.global.oidc.jwksURI }} - outputClaimToHeaders: - - header: {{ .Values.global.userIDHeader }} - claim: email ---- -apiVersion: security.istio.io/v1 -kind: AuthorizationPolicy -metadata: - name: {{ include "gateway-plural.fullname" . }}-oauth2 - labels: - {{- include "gateway-plural.labels" . | nindent 4 }} -spec: - selector: - matchLabels: - {{- include "gateway.selectorLabels" .Subcharts.gateway | nindent 6 }} - rules: - - from: - - source: - requestPrincipals: ["*"] + # The next filter allows us to rewrite the oauth cookie returned from the above envoy filter and add the domain to them so subdomains can authenticate. Note, the oauth2 filter cookie validation fails for subdomains, which is another reason why subdomains need to be passed through the oauth2 filter. 
+ - applyTo: HTTP_FILTER + match: + context: GATEWAY + listener: + filterChain: + filter: + name: envoy.filters.network.http_connection_manager + subFilter: + name: envoy.kubeflow.oauth + patch: + operation: INSERT_AFTER + value: + name: envoy.lua.modify_oauth_cookie_domain + typed_config: + '@type': type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua + inlineCode: | + function envoy_on_response(response_handle) + local numCookies = response_handle:headers():getNumValues("Set-Cookie") + local wantedCookies = { ["BearerToken"]=true, ["OauthExpires"]=true, ["IdToken"]=true, ["OauthHMAC"]=true, ["RefreshToken"]=true } + local changed_cookies = {} + local unchanged_cookies = {} + + if (numCookies > 0) then + local location = response_handle:headers():get("Location"):match('^%w+://([^/]+)') + response_handle:logInfo("Location: "..location) + + for i=0,numCookies-1 do + local cookie = response_handle:headers():getAtIndex("Set-Cookie",i) + if wantedCookies[string.match(cookie, "(.-)=")] then + response_handle:logInfo("Found wanted cookie: "..string.match(cookie, "(.-)=")) + changed_cookies[i] = cookie .. ";Domain=" .. location + else + response_handle:logInfo("Not editing cookie: "..cookie) + unchanged_cookies[i] = cookie + end + end + + if (table.maxn(changed_cookies) == 0) then + response_handle:logInfo("No response cookies to rewrite. Exiting.") + else + response_handle:headers():remove("Set-Cookie") + for _,v in pairs(changed_cookies) do + response_handle:headers():add("Set-Cookie", v) + response_handle:logInfo("Added response header: "..string.match(v, "(.-)=")) + end + for _,v in pairs(unchanged_cookies) do + response_handle:headers():add("Set-Cookie", v) + response_handle:logInfo("Added response header: "..string.match(v, "(.-)=")) + end + end + end + end diff --git a/kubeflow/helm/gateway/templates/oauth2-secret.yaml b/kubeflow/helm/gateway/templates/oauth2-secret.yaml index 34b007e02..fea6020e9 100644 
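Review bot: The Lua filter takes the cookie `Domain` from the host of the response's `Location` header instead of from configuration, so the scope of the session cookies follows whatever the redirect target is, and a response that sets cookies without an absolute `Location` makes `get("Location"):match(...)` fail on nil. It also widens `BearerToken`, `RefreshToken` and `OauthHMAC` to every subdomain, although the RequestAuthentication resources in this commit read only the `IdToken=` cookie, and `logInfo("Not editing cookie: "..cookie)` writes full `Set-Cookie` values to the proxy log. In addition, `table.maxn(changed_cookies) == 0` is true when the only rewritten cookie sits at index 0, so that case is skipped. The sketch below uses `.Values.global.domain`, rewrites only `IdToken` (confirm nothing on the subdomains needs the others), logs names only and keeps the cookie order; the EnvoyFilter document starts outside this hunk.

```yaml
            inlineCode: |
              function envoy_on_response(response_handle)
                -- Domain comes from chart configuration, never from a response header.
                local cookieDomain = {{ .Values.global.domain | quote }}
                -- Only the cookie the RequestAuthentication rules read (prefix "IdToken=").
                local wantedCookies = { ["IdToken"]=true }
                local headers = response_handle:headers()
                local numCookies = headers:getNumValues("Set-Cookie")
                local rewritten = {}
                local changed = false

                for i=0,numCookies-1 do
                  local cookie = headers:getAtIndex("Set-Cookie", i)
                  local name = string.match(cookie, "(.-)=")
                  if name and wantedCookies[name] then
                    cookie = cookie .. ";Domain=" .. cookieDomain
                    changed = true
                    -- Log the cookie name only; values are credentials.
                    response_handle:logInfo("Set Domain on cookie: "..name)
                  end
                  rewritten[#rewritten+1] = cookie
                end

                if changed then
                  headers:remove("Set-Cookie")
                  for _,v in ipairs(rewritten) do
                    headers:add("Set-Cookie", v)
                  end
                end
              end
```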
--- a/kubeflow/helm/gateway/templates/oauth2-secret.yaml +++ b/kubeflow/helm/gateway/templates/oauth2-secret.yaml @@ -2,6 +2,7 @@ apiVersion: v1 kind: Secret metadata: name: oauth2-secret + namespace: {{ .Values.global.istioIngress.namespace }} labels: {{- include "gateway-plural.labels" . | nindent 4 }} type: Opaque diff --git a/kubeflow/helm/gateway/values.yaml b/kubeflow/helm/gateway/values.yaml index a441026bf..375a8d592 100644 --- a/kubeflow/helm/gateway/values.yaml +++ b/kubeflow/helm/gateway/values.yaml @@ -1,6 +1,8 @@ global: domain: "" - istioIngressServiceAccount: kubeflow-gateway + istioIngress: + namespace: istio-ingress + serviceAccount: istio-ingress clusterDomain: cluster.local userIDHeader: kubeflow-userid userIDPrefix: "" @@ -29,6 +31,9 @@ oidc: - offline_access gateway: + enabled: false + labels: + istio: ingress name: kubeflow-gateway autoscaling: minReplicas: 2 diff --git a/kubeflow/helm/gateway/values.yaml.tpl b/kubeflow/helm/gateway/values.yaml.tpl index f82b28aa6..45a27f987 100644 --- a/kubeflow/helm/gateway/values.yaml.tpl +++ b/kubeflow/helm/gateway/values.yaml.tpl @@ -21,8 +21,6 @@ gateway: service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance {{- end }} -provider: {{ .Provider }} - {{- if .OIDC }} oidc: clientID: {{ .OIDC.ClientId }} diff --git a/kubeflow/helm/katib/templates/web-app/authorizationpolicy.yaml b/kubeflow/helm/katib/templates/web-app/authorizationpolicy.yaml index 9b802ba6a..8a8e51155 100644 --- a/kubeflow/helm/katib/templates/web-app/authorizationpolicy.yaml +++ b/kubeflow/helm/katib/templates/web-app/authorizationpolicy.yaml 
@@ -6,10 +6,30 @@ metadata: spec: action: ALLOW rules: - - from: - - source: - principals: - - cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.global.istioIngressServiceAccount }} + - from: + - source: + requestPrincipals: ["*"] selector: matchLabels: {{- include "katib.selectorLabels" . | nindent 6 }} +--- +apiVersion: security.istio.io/v1 +kind: RequestAuthentication +metadata: + name: {{ include "katib.fullname" . }}-oauth2 + labels: + {{- include "katib.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "katib.selectorLabels" . | nindent 6 }} + jwtRules: + - forwardOriginalToken: true # TODO: needed so the requestauth resource in user namespace works. + fromHeaders: # TODO: possibly add this to profile controller setup + - name: cookie + prefix: IdToken= + issuer: {{ .Values.global.oidc.issuer }} + jwksUri: {{ .Values.global.oidc.jwksURI }} + outputClaimToHeaders: + - header: {{ .Values.global.userIDHeader }} + claim: email diff --git a/kubeflow/helm/katib/values.yaml b/kubeflow/helm/katib/values.yaml index f6c035389..67d89a117 100644 --- a/kubeflow/helm/katib/values.yaml +++ b/kubeflow/helm/katib/values.yaml @@ -4,7 +4,9 @@ global: domain: "" - istioIngressServiceAccount: kubeflow-gateway + istioIngress: + namespace: istio-ingress + serviceAccount: istio-ingress clusterDomain: cluster.local userIDHeader: kubeflow-userid userIDPrefix: "" diff --git a/kubeflow/helm/notebooks/templates/web-app/authorizationpolicy.yaml b/kubeflow/helm/notebooks/templates/web-app/authorizationpolicy.yaml index 65e78fd91..530200d12 100644 --- a/kubeflow/helm/notebooks/templates/web-app/authorizationpolicy.yaml +++ b/kubeflow/helm/notebooks/templates/web-app/authorizationpolicy.yaml 
@@ -6,10 +6,30 @@ metadata: spec: action: ALLOW rules: - - from: - - source: - principals: - - cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.global.istioIngressServiceAccount }} + - from: + - source: + requestPrincipals: ["*"] selector: matchLabels: {{- include "notebooks.selectorLabels" . | nindent 6 }} +--- +apiVersion: security.istio.io/v1 +kind: RequestAuthentication +metadata: + name: {{ include "notebooks.fullname" . }}-oauth2 + labels: + {{- include "notebooks.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "notebooks.selectorLabels" . | nindent 6 }} + jwtRules: + - forwardOriginalToken: true # TODO: needed so the requestauth resource in user namespace works. + fromHeaders: # TODO: possibly add this to profile controller setup + - name: cookie + prefix: IdToken= + issuer: {{ .Values.global.oidc.issuer }} + jwksUri: {{ .Values.global.oidc.jwksURI }} + outputClaimToHeaders: + - header: {{ .Values.global.userIDHeader }} + claim: email diff --git a/kubeflow/helm/notebooks/values.yaml b/kubeflow/helm/notebooks/values.yaml index c6c223a36..f4473e2c8 100644 --- a/kubeflow/helm/notebooks/values.yaml +++ b/kubeflow/helm/notebooks/values.yaml @@ -4,7 +4,9 @@ global: domain: "" - istioIngressServiceAccount: kubeflow-gateway + istioIngress: + namespace: istio-ingress + serviceAccount: istio-ingress clusterDomain: cluster.local userIDHeader: kubeflow-userid userIDPrefix: "" diff --git a/kubeflow/helm/pipelines/templates/api-server/authorizationpolicy.yaml b/kubeflow/helm/pipelines/templates/api-server/authorizationpolicy.yaml index cd67e0d38..5c452adc9 100644 --- a/kubeflow/helm/pipelines/templates/api-server/authorizationpolicy.yaml +++ b/kubeflow/helm/pipelines/templates/api-server/authorizationpolicy.yaml 
@@ -5,19 +5,19 @@ metadata: name: {{ include "pipelines.fullname" . }}-api-server spec: rules: - - from: - - source: - principals: - - cluster.local/ns/kubeflow/sa/{{ include "pipelines.serviceAccountName" . }}-api-server - - cluster.local/ns/kubeflow/sa/{{ include "pipelines.serviceAccountName" . }}-web-app - - cluster.local/ns/kubeflow/sa/{{ include "pipelines.serviceAccountName" . }}-persistence-agent - - cluster.local/ns/kubeflow/sa/{{ include "pipelines.serviceAccountName" . }}-scheduled-workflow - - cluster.local/ns/kubeflow/sa/{{ include "pipelines.serviceAccountName" . }}-viewer-controller - - cluster.local/ns/kubeflow/sa/{{ include "pipelines.serviceAccountName" . }}-cache-server - - when: - - key: request.headers[{{ .Values.global.userIDHeader }}] - notValues: - - '*' + - from: + - source: + principals: + - {{ .Values.global.clusterDomain }}/ns/{{ .Release.Namespace }}/sa/{{ include "pipelines.serviceAccountName" . }}-api-server + - {{ .Values.global.clusterDomain }}/ns/{{ .Release.Namespace }}/sa/{{ include "pipelines.serviceAccountName" . }}-web-app + - {{ .Values.global.clusterDomain }}/ns/{{ .Release.Namespace }}/sa/{{ include "pipelines.serviceAccountName" . }}-persistence-agent + - {{ .Values.global.clusterDomain }}/ns/{{ .Release.Namespace }}/sa/{{ include "pipelines.serviceAccountName" . }}-scheduled-workflow + - {{ .Values.global.clusterDomain }}/ns/{{ .Release.Namespace }}/sa/{{ include "pipelines.serviceAccountName" . }}-viewer-controller + - {{ .Values.global.clusterDomain }}/ns/{{ .Release.Namespace }}/sa/{{ include "pipelines.serviceAccountName" . }}-cache-server + - when: + - key: request.headers[{{ .Values.global.userIDHeader }}] + notValues: + - '*' selector: matchLabels: {{- include "pipelines.apiServerSelectorLabels" . | nindent 6 }} 
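Review bot: The second entry under `rules` (`- when:` with `notValues: ['*']` on the user-ID header) is a separate rule, so it admits any caller that omits the header regardless of the `principals` list above it. That is easy to misread after the re-indentation and deserves a comment. Above `- when:`, something like `# Separate rule (OR): requests without the user-ID header are allowed from any source; the API server must authenticate them itself.` would do, if that is the intent. No `action:` is visible in this hunk, while the web-app policies in this commit set `action: ALLOW`; stating it here as well keeps the files consistent.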
diff --git a/kubeflow/helm/pipelines/templates/visualization-server/authorizationpolicy.yaml b/kubeflow/helm/pipelines/templates/visualization-server/authorizationpolicy.yaml index b5cb07627..699d4eee7 100644 --- a/kubeflow/helm/pipelines/templates/visualization-server/authorizationpolicy.yaml +++ b/kubeflow/helm/pipelines/templates/visualization-server/authorizationpolicy.yaml 
@@ -5,15 +5,15 @@ metadata: name: {{ include "pipelines.fullname" . }}-visualization-server spec: rules: - - from: - - source: - principals: - - cluster.local/ns/kubeflow/sa/{{ include "pipelines.serviceAccountName" . }}-api-server - - cluster.local/ns/kubeflow/sa/{{ include "pipelines.serviceAccountName" . }}-web-app - - cluster.local/ns/kubeflow/sa/{{ include "pipelines.serviceAccountName" . }}-persistence-agent - - cluster.local/ns/kubeflow/sa/{{ include "pipelines.serviceAccountName" . }}-scheduled-workflow - - cluster.local/ns/kubeflow/sa/{{ include "pipelines.serviceAccountName" . }}-viewer-controller - - cluster.local/ns/kubeflow/sa/{{ include "pipelines.serviceAccountName" . }}-cache-server + - from: + - source: + principals: + - {{ .Values.global.clusterDomain }}/ns/{{ .Release.Namespace }}/sa/{{ include "pipelines.serviceAccountName" . }}-api-server + - {{ .Values.global.clusterDomain }}/ns/{{ .Release.Namespace }}/sa/{{ include "pipelines.serviceAccountName" . }}-web-app + - {{ .Values.global.clusterDomain }}/ns/{{ .Release.Namespace }}/sa/{{ include "pipelines.serviceAccountName" . }}-persistence-agent + - {{ .Values.global.clusterDomain }}/ns/{{ .Release.Namespace }}/sa/{{ include "pipelines.serviceAccountName" . }}-scheduled-workflow + - {{ .Values.global.clusterDomain }}/ns/{{ .Release.Namespace }}/sa/{{ include "pipelines.serviceAccountName" . }}-viewer-controller + - {{ .Values.global.clusterDomain }}/ns/{{ .Release.Namespace }}/sa/{{ include "pipelines.serviceAccountName" . }}-cache-server selector: matchLabels: {{- include "pipelines.visualizationServerSelectorLabels" . | nindent 6 }} diff --git a/kubeflow/helm/pipelines/templates/web-app/authorizationpolicy.yaml b/kubeflow/helm/pipelines/templates/web-app/authorizationpolicy.yaml index 3eb63cc48..3c889a04a 100644 --- a/kubeflow/helm/pipelines/templates/web-app/authorizationpolicy.yaml +++ b/kubeflow/helm/pipelines/templates/web-app/authorizationpolicy.yaml 
@@ -7,10 +7,30 @@ metadata: spec: action: ALLOW rules: - - from: - - source: - principals: - - cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.global.istioIngressServiceAccount }} + - from: + - source: + requestPrincipals: ["*"] selector: matchLabels: {{- include "pipelines.selectorLabels" . | nindent 6 }} +--- +apiVersion: security.istio.io/v1 +kind: RequestAuthentication +metadata: + name: {{ include "pipelines.fullname" . }}-oauth2 + labels: + {{- include "pipelines.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "pipelines.selectorLabels" . | nindent 6 }} + jwtRules: + - forwardOriginalToken: true # TODO: needed so the requestauth resource in user namespace works. + fromHeaders: # TODO: possibly add this to profile controller setup + - name: cookie + prefix: IdToken= + issuer: {{ .Values.global.oidc.issuer }} + jwksUri: {{ .Values.global.oidc.jwksURI }} + outputClaimToHeaders: + - header: {{ .Values.global.userIDHeader }} + claim: email diff --git a/kubeflow/helm/pipelines/values.yaml b/kubeflow/helm/pipelines/values.yaml index 58652177d..0b5f86a74 100644 --- a/kubeflow/helm/pipelines/values.yaml +++ b/kubeflow/helm/pipelines/values.yaml @@ -4,7 +4,9 @@ global: domain: "" - istioIngressServiceAccount: kubeflow-gateway + istioIngress: + namespace: istio-ingress + serviceAccount: istio-ingress clusterDomain: cluster.local userIDHeader: kubeflow-userid userIDPrefix: "" diff --git a/kubeflow/helm/profile-controller/templates/authorizationpolicy.yaml b/kubeflow/helm/profile-controller/templates/authorizationpolicy.yaml index 6a8eda771..841c69855 100644 --- a/kubeflow/helm/profile-controller/templates/authorizationpolicy.yaml +++ b/kubeflow/helm/profile-controller/templates/authorizationpolicy.yaml 
@@ -6,14 +6,14 @@ metadata: spec: action: ALLOW rules: - - from: - - source: - principals: - - cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Release.Name }}-central-dashboard #TODO: make this more robust - - to: - - operation: - methods: ["POST"] - paths: ["/api/v1/getparams.execute"] + - from: + - source: + principals: + - cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Release.Name }}-central-dashboard #TODO: make this more robust + - to: + - operation: + methods: ["POST"] + paths: ["/api/v1/getparams.execute"] selector: matchLabels: {{- include "profile-controller.selectorLabels" . | nindent 6 }} diff --git a/kubeflow/helm/profile-controller/values.yaml b/kubeflow/helm/profile-controller/values.yaml index 492b26407..39faffb2e 100644 --- a/kubeflow/helm/profile-controller/values.yaml +++ b/kubeflow/helm/profile-controller/values.yaml @@ -6,7 +6,9 @@ replicaCount: 1 global: domain: "" - istioIngressServiceAccount: kubeflow-gateway + istioIngress: + namespace: istio-ingress + serviceAccount: istio-ingress clusterDomain: cluster.local userIDHeader: kubeflow-userid userIDPrefix: "" diff --git a/kubeflow/helm/serving/templates/web-app/authorizationpolicy.yaml b/kubeflow/helm/serving/templates/web-app/authorizationpolicy.yaml index 6240a6287..d9bbc5310 100644 --- a/kubeflow/helm/serving/templates/web-app/authorizationpolicy.yaml +++ b/kubeflow/helm/serving/templates/web-app/authorizationpolicy.yaml 
@@ -6,10 +6,30 @@ metadata: spec: action: ALLOW rules: - - from: - - source: - principals: - - cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.global.istioIngressServiceAccount }} + - from: + - source: + requestPrincipals: ["*"] selector: matchLabels: {{- include "serving.selectorLabels" . | nindent 6 }} +--- +apiVersion: security.istio.io/v1 +kind: RequestAuthentication +metadata: + name: {{ include "serving.fullname" . }}-oauth2 + labels: + {{- include "serving.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "serving.selectorLabels" . | nindent 6 }} + jwtRules: + - forwardOriginalToken: true # TODO: needed so the requestauth resource in user namespace works. + fromHeaders: # TODO: possibly add this to profile controller setup + - name: cookie + prefix: IdToken= + issuer: {{ .Values.global.oidc.issuer }} + jwksUri: {{ .Values.global.oidc.jwksURI }} + outputClaimToHeaders: + - header: {{ .Values.global.userIDHeader }} + claim: email diff --git a/kubeflow/helm/serving/values.yaml b/kubeflow/helm/serving/values.yaml index f928ba0be..1748d4bf5 100644 --- a/kubeflow/helm/serving/values.yaml +++ b/kubeflow/helm/serving/values.yaml @@ -4,7 +4,9 @@ global: domain: "" - istioIngressServiceAccount: kubeflow-gateway + istioIngress: + namespace: istio-ingress + serviceAccount: istio-ingress clusterDomain: cluster.local userIDHeader: kubeflow-userid userIDPrefix: "" diff --git a/kubeflow/helm/tensorboards/templates/web-app/authorizationpolicy.yaml b/kubeflow/helm/tensorboards/templates/web-app/authorizationpolicy.yaml index 4cb9fb07b..3e5638a69 100644 --- a/kubeflow/helm/tensorboards/templates/web-app/authorizationpolicy.yaml +++ b/kubeflow/helm/tensorboards/templates/web-app/authorizationpolicy.yaml 
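Review bot: The `jwtRules` entry pins `issuer` and `jwksUri` but sets no `audiences`, and as far as I can tell Istio does not check the `aud` claim when that field is omitted. A token the same issuer minted for a different client would then be accepted here and its `email` claim copied into the `{{ .Values.global.userIDHeader }}` header, which matters whenever the identity provider serves more than this one application. Adding `audiences: ["<kubeflow-oidc-client-id>"]` under the rule (placeholder; feed it from a chart value) limits acceptance to tokens issued for this deployment. The pipelines, tensorboards and volumes RequestAuthentication resources added in this patch have the same gap.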
@@ -6,10 +6,30 @@ metadata: spec: action: ALLOW rules: - - from: - - source: - principals: - - cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.global.istioIngressServiceAccount }} + - from: + - source: + requestPrincipals: ["*"] selector: matchLabels: {{- include "tensorboards.selectorLabels" . | nindent 6 }} +--- +apiVersion: security.istio.io/v1 +kind: RequestAuthentication +metadata: + name: {{ include "tensorboards.fullname" . }}-oauth2 + labels: + {{- include "tensorboards.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "tensorboards.selectorLabels" . | nindent 6 }} + jwtRules: + - forwardOriginalToken: true # TODO: needed so the requestauth resource in user namespace works. + fromHeaders: # TODO: possibly add this to profile controller setup + - name: cookie + prefix: IdToken= + issuer: {{ .Values.global.oidc.issuer }} + jwksUri: {{ .Values.global.oidc.jwksURI }} + outputClaimToHeaders: + - header: {{ .Values.global.userIDHeader }} + claim: email diff --git a/kubeflow/helm/tensorboards/values.yaml b/kubeflow/helm/tensorboards/values.yaml index a2102e5d0..4768abcc9 100644 --- a/kubeflow/helm/tensorboards/values.yaml +++ b/kubeflow/helm/tensorboards/values.yaml @@ -4,7 +4,9 @@ global: domain: "" - istioIngressServiceAccount: kubeflow-gateway + istioIngress: + namespace: istio-ingress + serviceAccount: istio-ingress clusterDomain: cluster.local userIDHeader: kubeflow-userid userIDPrefix: "" diff --git a/kubeflow/helm/training-operator/values.yaml b/kubeflow/helm/training-operator/values.yaml index dacfcfff4..7dc9954f5 100644 --- a/kubeflow/helm/training-operator/values.yaml +++ b/kubeflow/helm/training-operator/values.yaml @@ -4,7 +4,9 @@ global: domain: "" - istioIngressServiceAccount: kubeflow-gateway + istioIngress: + namespace: istio-ingress + serviceAccount: istio-ingress clusterDomain: cluster.local userIDHeader: kubeflow-userid userIDPrefix: "" 
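Review bot: `issuer` and `jwksUri` are rendered from `.Values.global.oidc.*` unquoted and unguarded, while the tensorboards `values.yaml` hunk in this patch adds only `istioIngress` and no `oidc` block (one may exist outside the hunk). If a key is missing the field renders as an empty YAML value, and since the ALLOW rule now requires a request principal the likely outcome is a web app nobody can reach, with the cause hidden in the mesh config. Failing at render time is easier to diagnose: `issuer: {{ required "global.oidc.issuer must be set" .Values.global.oidc.issuer | quote }}` and the same pattern for `jwksUri`. The pipelines, serving and volumes templates render these two fields the same way.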
diff --git a/kubeflow/helm/volumes/templates/web-app/authorizationpolicy.yaml b/kubeflow/helm/volumes/templates/web-app/authorizationpolicy.yaml index 5884932a3..48f58a906 100644 --- a/kubeflow/helm/volumes/templates/web-app/authorizationpolicy.yaml +++ b/kubeflow/helm/volumes/templates/web-app/authorizationpolicy.yaml @@ -6,10 +6,30 @@ metadata: spec: action: ALLOW rules: - - from: - - source: - principals: - - cluster.local/ns/{{ .Release.Namespace }}/sa/{{ .Values.global.istioIngressServiceAccount }} + - from: + - source: + requestPrincipals: ["*"] selector: matchLabels: {{- include "volumes.selectorLabels" . | nindent 6 }} +--- +apiVersion: security.istio.io/v1 +kind: RequestAuthentication +metadata: + name: {{ include "volumes.fullname" . }}-oauth2 + labels: + {{- include "volumes.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "volumes.selectorLabels" . | nindent 6 }} + jwtRules: + - forwardOriginalToken: true # TODO: needed so the requestauth resource in user namespace works. + fromHeaders: # TODO: possibly add this to profile controller setup + - name: cookie + prefix: IdToken= + issuer: {{ .Values.global.oidc.issuer }} + jwksUri: {{ .Values.global.oidc.jwksURI }} + outputClaimToHeaders: + - header: {{ .Values.global.userIDHeader }} + claim: email diff --git a/kubeflow/helm/volumes/values.yaml b/kubeflow/helm/volumes/values.yaml index 8400b2adc..c2609e8cb 100644 --- a/kubeflow/helm/volumes/values.yaml +++ b/kubeflow/helm/volumes/values.yaml @@ -4,7 +4,9 @@ global: domain: "" - istioIngressServiceAccount: kubeflow-gateway + istioIngress: + namespace: istio-ingress + serviceAccount: istio-ingress clusterDomain: cluster.local userIDHeader: kubeflow-userid userIDPrefix: ""