1 /* 2 Copyright 2017 The Kubernetes Authors. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 17 package v1beta1 18 19 import ( 20 v1 "k8s.io/api/core/v1" 21 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 22 logsapi "k8s.io/component-base/logs/api/v1" 23 tracingapi "k8s.io/component-base/tracing/api/v1" 24 ) 25 26 // HairpinMode denotes how the kubelet should configure networking to handle 27 // hairpin packets. 28 type HairpinMode string 29 30 // Enum settings for different ways to handle hairpin packets. 31 const ( 32 // Set the hairpin flag on the veth of containers in the respective 33 // container runtime. 34 HairpinVeth = "hairpin-veth" 35 // Make the container bridge promiscuous. This will force it to accept 36 // hairpin packets, even if the flag isn't set on ports of the bridge. 37 PromiscuousBridge = "promiscuous-bridge" 38 // Neither of the above. If the kubelet is started in this hairpin mode 39 // and kube-proxy is running in iptables mode, hairpin packets will be 40 // dropped by the container bridge. 41 HairpinNone = "none" 42 ) 43 44 // ResourceChangeDetectionStrategy denotes a mode in which internal 45 // managers (secret, configmap) are discovering object changes. 46 type ResourceChangeDetectionStrategy string 47 48 // Enum settings for different strategies of kubelet managers. 49 const ( 50 // GetChangeDetectionStrategy is a mode in which kubelet fetches 51 // necessary objects directly from apiserver. 52 GetChangeDetectionStrategy ResourceChangeDetectionStrategy = "Get" 53 // TTLCacheChangeDetectionStrategy is a mode in which kubelet uses 54 // ttl cache for object directly fetched from apiserver. 55 TTLCacheChangeDetectionStrategy ResourceChangeDetectionStrategy = "Cache" 56 // WatchChangeDetectionStrategy is a mode in which kubelet uses 57 // watches to observe changes to objects that are in its interest. 58 WatchChangeDetectionStrategy ResourceChangeDetectionStrategy = "Watch" 59 // RestrictedTopologyManagerPolicy is a mode in which kubelet only allows 60 // pods with optimal NUMA node alignment for requested resources 61 RestrictedTopologyManagerPolicy = "restricted" 62 // BestEffortTopologyManagerPolicy is a mode in which kubelet will favour 63 // pods with NUMA alignment of CPU and device resources. 64 BestEffortTopologyManagerPolicy = "best-effort" 65 // NoneTopologyManagerPolicy is a mode in which kubelet has no knowledge 66 // of NUMA alignment of a pod's CPU and device resources. 67 NoneTopologyManagerPolicy = "none" 68 // SingleNumaNodeTopologyManagerPolicy is a mode in which kubelet only allows 69 // pods with a single NUMA alignment of CPU and device resources. 70 SingleNumaNodeTopologyManagerPolicy = "single-numa-node" 71 // ContainerTopologyManagerScope represents that 72 // topology policy is applied on a per-container basis. 73 ContainerTopologyManagerScope = "container" 74 // PodTopologyManagerScope represents that 75 // topology policy is applied on a per-pod basis. 76 PodTopologyManagerScope = "pod" 77 // NoneMemoryManagerPolicy is a memory manager none policy, under the none policy 78 // the memory manager will not pin containers memory of guaranteed pods 79 NoneMemoryManagerPolicy = "None" 80 // StaticMemoryManagerPolicy is a memory manager static policy, under the static policy 81 // the memory manager will try to pin containers memory of guaranteed pods to the smallest 82 // possible sub-set of NUMA nodes 83 StaticMemoryManagerPolicy = "Static" 84 ) 85 86 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 87 88 // KubeletConfiguration contains the configuration for the Kubelet 89 type KubeletConfiguration struct { 90 metav1.TypeMeta `json:",inline"` 91 92 // enableServer enables Kubelet's secured server. 93 // Note: Kubelet's insecure port is controlled by the readOnlyPort option. 94 // Default: true 95 EnableServer *bool `json:"enableServer,omitempty"` 96 // staticPodPath is the path to the directory containing local (static) pods to 97 // run, or the path to a single static pod file. 98 // Default: "" 99 // +optional 100 StaticPodPath string `json:"staticPodPath,omitempty"` 101 // podLogsDir is a custom root directory path kubelet will use to place pod's log files. 102 // Default: "/var/log/pods/" 103 // Note: it is not recommended to use the temp folder as a log directory as it may cause 104 // unexpected behavior in many places. 105 // +optional 106 PodLogsDir string `json:"podLogsDir,omitempty"` 107 // syncFrequency is the max period between synchronizing running 108 // containers and config. 109 // Default: "1m" 110 // +optional 111 SyncFrequency metav1.Duration `json:"syncFrequency,omitempty"` 112 // fileCheckFrequency is the duration between checking config files for 113 // new data. 114 // Default: "20s" 115 // +optional 116 FileCheckFrequency metav1.Duration `json:"fileCheckFrequency,omitempty"` 117 // httpCheckFrequency is the duration between checking http for new data. 118 // Default: "20s" 119 // +optional 120 HTTPCheckFrequency metav1.Duration `json:"httpCheckFrequency,omitempty"` 121 // staticPodURL is the URL for accessing static pods to run. 122 // Default: "" 123 // +optional 124 StaticPodURL string `json:"staticPodURL,omitempty"` 125 // staticPodURLHeader is a map of slices with HTTP headers to use when accessing the podURL. 126 // Default: nil 127 // +optional 128 StaticPodURLHeader map[string][]string `json:"staticPodURLHeader,omitempty"` 129 // address is the IP address for the Kubelet to serve on (set to 0.0.0.0 130 // for all interfaces). 131 // Default: "0.0.0.0" 132 // +optional 133 Address string `json:"address,omitempty"` 134 // port is the port for the Kubelet to serve on. 135 // The port number must be between 1 and 65535, inclusive. 136 // Default: 10250 137 // +optional 138 Port int32 `json:"port,omitempty"` 139 // readOnlyPort is the read-only port for the Kubelet to serve on with 140 // no authentication/authorization. 141 // The port number must be between 1 and 65535, inclusive. 142 // Setting this field to 0 disables the read-only service. 143 // Default: 0 (disabled) 144 // +optional 145 ReadOnlyPort int32 `json:"readOnlyPort,omitempty"` 146 // tlsCertFile is the file containing x509 Certificate for HTTPS. (CA cert, 147 // if any, concatenated after server cert). If tlsCertFile and 148 // tlsPrivateKeyFile are not provided, a self-signed certificate 149 // and key are generated for the public address and saved to the directory 150 // passed to the Kubelet's --cert-dir flag. 151 // Default: "" 152 // +optional 153 TLSCertFile string `json:"tlsCertFile,omitempty"` 154 // tlsPrivateKeyFile is the file containing x509 private key matching tlsCertFile. 155 // Default: "" 156 // +optional 157 TLSPrivateKeyFile string `json:"tlsPrivateKeyFile,omitempty"` 158 // tlsCipherSuites is the list of allowed cipher suites for the server. 159 // Note that TLS 1.3 ciphersuites are not configurable. 160 // Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). 161 // Default: nil 162 // +optional 163 TLSCipherSuites []string `json:"tlsCipherSuites,omitempty"` 164 // tlsMinVersion is the minimum TLS version supported. 165 // Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). 166 // Default: "" 167 // +optional 168 TLSMinVersion string `json:"tlsMinVersion,omitempty"` 169 // rotateCertificates enables client certificate rotation. The Kubelet will request a 170 // new certificate from the certificates.k8s.io API. This requires an approver to approve the 171 // certificate signing requests. 172 // Default: false 173 // +optional 174 RotateCertificates bool `json:"rotateCertificates,omitempty"` 175 // serverTLSBootstrap enables server certificate bootstrap. Instead of self 176 // signing a serving certificate, the Kubelet will request a certificate from 177 // the 'certificates.k8s.io' API. This requires an approver to approve the 178 // certificate signing requests (CSR). The RotateKubeletServerCertificate feature 179 // must be enabled when setting this field. 180 // Default: false 181 // +optional 182 ServerTLSBootstrap bool `json:"serverTLSBootstrap,omitempty"` 183 // authentication specifies how requests to the Kubelet's server are authenticated. 184 // Defaults: 185 // anonymous: 186 // enabled: false 187 // webhook: 188 // enabled: true 189 // cacheTTL: "2m" 190 // +optional 191 Authentication KubeletAuthentication `json:"authentication"` 192 // authorization specifies how requests to the Kubelet's server are authorized. 193 // Defaults: 194 // mode: Webhook 195 // webhook: 196 // cacheAuthorizedTTL: "5m" 197 // cacheUnauthorizedTTL: "30s" 198 // +optional 199 Authorization KubeletAuthorization `json:"authorization"` 200 // registryPullQPS is the limit of registry pulls per second. 201 // The value must not be a negative number. 202 // Setting it to 0 means no limit. 203 // Default: 5 204 // +optional 205 RegistryPullQPS *int32 `json:"registryPullQPS,omitempty"` 206 // registryBurst is the maximum size of bursty pulls, temporarily allows 207 // pulls to burst to this number, while still not exceeding registryPullQPS. 208 // The value must not be a negative number. 209 // Only used if registryPullQPS is greater than 0. 210 // Default: 10 211 // +optional 212 RegistryBurst int32 `json:"registryBurst,omitempty"` 213 // eventRecordQPS is the maximum event creations per second. If 0, there 214 // is no limit enforced. The value cannot be a negative number. 215 // Default: 50 216 // +optional 217 EventRecordQPS *int32 `json:"eventRecordQPS,omitempty"` 218 // eventBurst is the maximum size of a burst of event creations, temporarily 219 // allows event creations to burst to this number, while still not exceeding 220 // eventRecordQPS. This field canot be a negative number and it is only used 221 // when eventRecordQPS > 0. 222 // Default: 100 223 // +optional 224 EventBurst int32 `json:"eventBurst,omitempty"` 225 // enableDebuggingHandlers enables server endpoints for log access 226 // and local running of containers and commands, including the exec, 227 // attach, logs, and portforward features. 228 // Default: true 229 // +optional 230 EnableDebuggingHandlers *bool `json:"enableDebuggingHandlers,omitempty"` 231 // enableContentionProfiling enables block profiling, if enableDebuggingHandlers is true. 232 // Default: false 233 // +optional 234 EnableContentionProfiling bool `json:"enableContentionProfiling,omitempty"` 235 // healthzPort is the port of the localhost healthz endpoint (set to 0 to disable). 236 // A valid number is between 1 and 65535. 237 // Default: 10248 238 // +optional 239 HealthzPort *int32 `json:"healthzPort,omitempty"` 240 // healthzBindAddress is the IP address for the healthz server to serve on. 241 // Default: "127.0.0.1" 242 // +optional 243 HealthzBindAddress string `json:"healthzBindAddress,omitempty"` 244 // oomScoreAdj is The oom-score-adj value for kubelet process. Values 245 // must be within the range [-1000, 1000]. 246 // Default: -999 247 // +optional 248 OOMScoreAdj *int32 `json:"oomScoreAdj,omitempty"` 249 // clusterDomain is the DNS domain for this cluster. If set, kubelet will 250 // configure all containers to search this domain in addition to the 251 // host's search domains. 252 // Default: "" 253 // +optional 254 ClusterDomain string `json:"clusterDomain,omitempty"` 255 // clusterDNS is a list of IP addresses for the cluster DNS server. If set, 256 // kubelet will configure all containers to use this for DNS resolution 257 // instead of the host's DNS servers. 258 // Default: nil 259 // +optional 260 ClusterDNS []string `json:"clusterDNS,omitempty"` 261 // streamingConnectionIdleTimeout is the maximum time a streaming connection 262 // can be idle before the connection is automatically closed. 263 // Default: "4h" 264 // +optional 265 StreamingConnectionIdleTimeout metav1.Duration `json:"streamingConnectionIdleTimeout,omitempty"` 266 // nodeStatusUpdateFrequency is the frequency that kubelet computes node 267 // status. If node lease feature is not enabled, it is also the frequency that 268 // kubelet posts node status to master. 269 // Note: When node lease feature is not enabled, be cautious when changing the 270 // constant, it must work with nodeMonitorGracePeriod in nodecontroller. 271 // Default: "10s" 272 // +optional 273 NodeStatusUpdateFrequency metav1.Duration `json:"nodeStatusUpdateFrequency,omitempty"` 274 // nodeStatusReportFrequency is the frequency that kubelet posts node 275 // status to master if node status does not change. Kubelet will ignore this 276 // frequency and post node status immediately if any change is detected. It is 277 // only used when node lease feature is enabled. nodeStatusReportFrequency's 278 // default value is 5m. But if nodeStatusUpdateFrequency is set explicitly, 279 // nodeStatusReportFrequency's default value will be set to 280 // nodeStatusUpdateFrequency for backward compatibility. 281 // Default: "5m" 282 // +optional 283 NodeStatusReportFrequency metav1.Duration `json:"nodeStatusReportFrequency,omitempty"` 284 // nodeLeaseDurationSeconds is the duration the Kubelet will set on its corresponding Lease. 285 // NodeLease provides an indicator of node health by having the Kubelet create and 286 // periodically renew a lease, named after the node, in the kube-node-lease namespace. 287 // If the lease expires, the node can be considered unhealthy. 288 // The lease is currently renewed every 10s, per KEP-0009. In the future, the lease renewal 289 // interval may be set based on the lease duration. 290 // The field value must be greater than 0. 291 // Default: 40 292 // +optional 293 NodeLeaseDurationSeconds int32 `json:"nodeLeaseDurationSeconds,omitempty"` 294 // imageMinimumGCAge is the minimum age for an unused image before it is 295 // garbage collected. 296 // Default: "2m" 297 // +optional 298 ImageMinimumGCAge metav1.Duration `json:"imageMinimumGCAge,omitempty"` 299 // imageMaximumGCAge is the maximum age an image can be unused before it is garbage collected. 300 // The default of this field is "0s", which disables this field--meaning images won't be garbage 301 // collected based on being unused for too long. 302 // Default: "0s" (disabled) 303 // +optional 304 ImageMaximumGCAge metav1.Duration `json:"imageMaximumGCAge,omitempty"` 305 // imageGCHighThresholdPercent is the percent of disk usage after which 306 // image garbage collection is always run. The percent is calculated by 307 // dividing this field value by 100, so this field must be between 0 and 308 // 100, inclusive. When specified, the value must be greater than 309 // imageGCLowThresholdPercent. 310 // Default: 85 311 // +optional 312 ImageGCHighThresholdPercent *int32 `json:"imageGCHighThresholdPercent,omitempty"` 313 // imageGCLowThresholdPercent is the percent of disk usage before which 314 // image garbage collection is never run. Lowest disk usage to garbage 315 // collect to. The percent is calculated by dividing this field value by 100, 316 // so the field value must be between 0 and 100, inclusive. When specified, the 317 // value must be less than imageGCHighThresholdPercent. 318 // Default: 80 319 // +optional 320 ImageGCLowThresholdPercent *int32 `json:"imageGCLowThresholdPercent,omitempty"` 321 // volumeStatsAggPeriod is the frequency for calculating and caching volume 322 // disk usage for all pods. 323 // Default: "1m" 324 // +optional 325 VolumeStatsAggPeriod metav1.Duration `json:"volumeStatsAggPeriod,omitempty"` 326 // kubeletCgroups is the absolute name of cgroups to isolate the kubelet in 327 // Default: "" 328 // +optional 329 KubeletCgroups string `json:"kubeletCgroups,omitempty"` 330 // systemCgroups is absolute name of cgroups in which to place 331 // all non-kernel processes that are not already in a container. Empty 332 // for no container. Rolling back the flag requires a reboot. 333 // The cgroupRoot must be specified if this field is not empty. 334 // Default: "" 335 // +optional 336 SystemCgroups string `json:"systemCgroups,omitempty"` 337 // cgroupRoot is the root cgroup to use for pods. This is handled by the 338 // container runtime on a best effort basis. 339 // +optional 340 CgroupRoot string `json:"cgroupRoot,omitempty"` 341 // cgroupsPerQOS enable QoS based CGroup hierarchy: top level CGroups for QoS classes 342 // and all Burstable and BestEffort Pods are brought up under their specific top level 343 // QoS CGroup. 344 // Default: true 345 // +optional 346 CgroupsPerQOS *bool `json:"cgroupsPerQOS,omitempty"` 347 // cgroupDriver is the driver kubelet uses to manipulate CGroups on the host (cgroupfs 348 // or systemd). 349 // Default: "cgroupfs" 350 // +optional 351 CgroupDriver string `json:"cgroupDriver,omitempty"` 352 // cpuManagerPolicy is the name of the policy to use. 353 // Requires the CPUManager feature gate to be enabled. 354 // Default: "None" 355 // +optional 356 CPUManagerPolicy string `json:"cpuManagerPolicy,omitempty"` 357 // cpuManagerPolicyOptions is a set of key=value which allows to set extra options 358 // to fine tune the behaviour of the cpu manager policies. 359 // Requires both the "CPUManager" and "CPUManagerPolicyOptions" feature gates to be enabled. 360 // Default: nil 361 // +optional 362 CPUManagerPolicyOptions map[string]string `json:"cpuManagerPolicyOptions,omitempty"` 363 // cpuManagerReconcilePeriod is the reconciliation period for the CPU Manager. 364 // Requires the CPUManager feature gate to be enabled. 365 // Default: "10s" 366 // +optional 367 CPUManagerReconcilePeriod metav1.Duration `json:"cpuManagerReconcilePeriod,omitempty"` 368 // memoryManagerPolicy is the name of the policy to use by memory manager. 369 // Requires the MemoryManager feature gate to be enabled. 370 // Default: "none" 371 // +optional 372 MemoryManagerPolicy string `json:"memoryManagerPolicy,omitempty"` 373 // topologyManagerPolicy is the name of the topology manager policy to use. 374 // Valid values include: 375 // 376 // - `restricted`: kubelet only allows pods with optimal NUMA node alignment for 377 // requested resources; 378 // - `best-effort`: kubelet will favor pods with NUMA alignment of CPU and device 379 // resources; 380 // - `none`: kubelet has no knowledge of NUMA alignment of a pod's CPU and device resources. 381 // - `single-numa-node`: kubelet only allows pods with a single NUMA alignment 382 // of CPU and device resources. 383 // 384 // Default: "none" 385 // +optional 386 TopologyManagerPolicy string `json:"topologyManagerPolicy,omitempty"` 387 // topologyManagerScope represents the scope of topology hint generation 388 // that topology manager requests and hint providers generate. Valid values include: 389 // 390 // - `container`: topology policy is applied on a per-container basis. 391 // - `pod`: topology policy is applied on a per-pod basis. 392 // 393 // Default: "container" 394 // +optional 395 TopologyManagerScope string `json:"topologyManagerScope,omitempty"` 396 // TopologyManagerPolicyOptions is a set of key=value which allows to set extra options 397 // to fine tune the behaviour of the topology manager policies. 398 // Requires both the "TopologyManager" and "TopologyManagerPolicyOptions" feature gates to be enabled. 399 // Default: nil 400 // +optional 401 TopologyManagerPolicyOptions map[string]string `json:"topologyManagerPolicyOptions,omitempty"` 402 // qosReserved is a set of resource name to percentage pairs that specify 403 // the minimum percentage of a resource reserved for exclusive use by the 404 // guaranteed QoS tier. 405 // Currently supported resources: "memory" 406 // Requires the QOSReserved feature gate to be enabled. 407 // Default: nil 408 // +optional 409 QOSReserved map[string]string `json:"qosReserved,omitempty"` 410 // runtimeRequestTimeout is the timeout for all runtime requests except long running 411 // requests - pull, logs, exec and attach. 412 // Default: "2m" 413 // +optional 414 RuntimeRequestTimeout metav1.Duration `json:"runtimeRequestTimeout,omitempty"` 415 // hairpinMode specifies how the Kubelet should configure the container 416 // bridge for hairpin packets. 417 // Setting this flag allows endpoints in a Service to loadbalance back to 418 // themselves if they should try to access their own Service. Values: 419 // 420 // - "promiscuous-bridge": make the container bridge promiscuous. 421 // - "hairpin-veth": set the hairpin flag on container veth interfaces. 422 // - "none": do nothing. 423 // 424 // Generally, one must set `--hairpin-mode=hairpin-veth to` achieve hairpin NAT, 425 // because promiscuous-bridge assumes the existence of a container bridge named cbr0. 426 // Default: "promiscuous-bridge" 427 // +optional 428 HairpinMode string `json:"hairpinMode,omitempty"` 429 // maxPods is the maximum number of Pods that can run on this Kubelet. 430 // The value must be a non-negative integer. 431 // Default: 110 432 // +optional 433 MaxPods int32 `json:"maxPods,omitempty"` 434 // podCIDR is the CIDR to use for pod IP addresses, only used in standalone mode. 435 // In cluster mode, this is obtained from the control plane. 436 // Default: "" 437 // +optional 438 PodCIDR string `json:"podCIDR,omitempty"` 439 // podPidsLimit is the maximum number of PIDs in any pod. 440 // Default: -1 441 // +optional 442 PodPidsLimit *int64 `json:"podPidsLimit,omitempty"` 443 // resolvConf is the resolver configuration file used as the basis 444 // for the container DNS resolution configuration. 445 // If set to the empty string, will override the default and effectively disable DNS lookups. 446 // Default: "/etc/resolv.conf" 447 // +optional 448 ResolverConfig *string `json:"resolvConf,omitempty"` 449 // runOnce causes the Kubelet to check the API server once for pods, 450 // run those in addition to the pods specified by static pod files, and exit. 451 // Default: false 452 // +optional 453 RunOnce bool `json:"runOnce,omitempty"` 454 // cpuCFSQuota enables CPU CFS quota enforcement for containers that 455 // specify CPU limits. 456 // Default: true 457 // +optional 458 CPUCFSQuota *bool `json:"cpuCFSQuota,omitempty"` 459 // cpuCFSQuotaPeriod is the CPU CFS quota period value, `cpu.cfs_period_us`. 460 // The value must be between 1 ms and 1 second, inclusive. 461 // Requires the CustomCPUCFSQuotaPeriod feature gate to be enabled. 462 // Default: "100ms" 463 // +optional 464 CPUCFSQuotaPeriod *metav1.Duration `json:"cpuCFSQuotaPeriod,omitempty"` 465 // nodeStatusMaxImages caps the number of images reported in Node.status.images. 466 // The value must be greater than -2. 467 // Note: If -1 is specified, no cap will be applied. If 0 is specified, no image is returned. 468 // Default: 50 469 // +optional 470 NodeStatusMaxImages *int32 `json:"nodeStatusMaxImages,omitempty"` 471 // maxOpenFiles is Number of files that can be opened by Kubelet process. 472 // The value must be a non-negative number. 473 // Default: 1000000 474 // +optional 475 MaxOpenFiles int64 `json:"maxOpenFiles,omitempty"` 476 // contentType is contentType of requests sent to apiserver. 477 // Default: "application/vnd.kubernetes.protobuf" 478 // +optional 479 ContentType string `json:"contentType,omitempty"` 480 // kubeAPIQPS is the QPS to use while talking with kubernetes apiserver. 481 // Default: 50 482 // +optional 483 KubeAPIQPS *int32 `json:"kubeAPIQPS,omitempty"` 484 // kubeAPIBurst is the burst to allow while talking with kubernetes API server. 485 // This field cannot be a negative number. 486 // Default: 100 487 // +optional 488 KubeAPIBurst int32 `json:"kubeAPIBurst,omitempty"` 489 // serializeImagePulls when enabled, tells the Kubelet to pull images one 490 // at a time. We recommend *not* changing the default value on nodes that 491 // run docker daemon with version < 1.9 or an Aufs storage backend. 492 // Issue #10959 has more details. 493 // Default: true 494 // +optional 495 SerializeImagePulls *bool `json:"serializeImagePulls,omitempty"` 496 // MaxParallelImagePulls sets the maximum number of image pulls in parallel. 497 // This field cannot be set if SerializeImagePulls is true. 498 // Setting it to nil means no limit. 499 // Default: nil 500 // +optional 501 MaxParallelImagePulls *int32 `json:"maxParallelImagePulls,omitempty"` 502 // evictionHard is a map of signal names to quantities that defines hard eviction 503 // thresholds. For example: `{"memory.available": "300Mi"}`. 504 // To explicitly disable, pass a 0% or 100% threshold on an arbitrary resource. 505 // Default: 506 // memory.available: "100Mi" 507 // nodefs.available: "10%" 508 // nodefs.inodesFree: "5%" 509 // imagefs.available: "15%" 510 // +optional 511 EvictionHard map[string]string `json:"evictionHard,omitempty"` 512 // evictionSoft is a map of signal names to quantities that defines soft eviction thresholds. 513 // For example: `{"memory.available": "300Mi"}`. 514 // Default: nil 515 // +optional 516 EvictionSoft map[string]string `json:"evictionSoft,omitempty"` 517 // evictionSoftGracePeriod is a map of signal names to quantities that defines grace 518 // periods for each soft eviction signal. For example: `{"memory.available": "30s"}`. 519 // Default: nil 520 // +optional 521 EvictionSoftGracePeriod map[string]string `json:"evictionSoftGracePeriod,omitempty"` 522 // evictionPressureTransitionPeriod is the duration for which the kubelet has to wait 523 // before transitioning out of an eviction pressure condition. 524 // Default: "5m" 525 // +optional 526 EvictionPressureTransitionPeriod metav1.Duration `json:"evictionPressureTransitionPeriod,omitempty"` 527 // evictionMaxPodGracePeriod is the maximum allowed grace period (in seconds) to use 528 // when terminating pods in response to a soft eviction threshold being met. This value 529 // effectively caps the Pod's terminationGracePeriodSeconds value during soft evictions. 530 // Note: Due to issue #64530, the behavior has a bug where this value currently just 531 // overrides the grace period during soft eviction, which can increase the grace 532 // period from what is set on the Pod. This bug will be fixed in a future release. 533 // Default: 0 534 // +optional 535 EvictionMaxPodGracePeriod int32 `json:"evictionMaxPodGracePeriod,omitempty"` 536 // evictionMinimumReclaim is a map of signal names to quantities that defines minimum reclaims, 537 // which describe the minimum amount of a given resource the kubelet will reclaim when 538 // performing a pod eviction while that resource is under pressure. 539 // For example: `{"imagefs.available": "2Gi"}`. 540 // Default: nil 541 // +optional 542 EvictionMinimumReclaim map[string]string `json:"evictionMinimumReclaim,omitempty"` 543 // podsPerCore is the maximum number of pods per core. Cannot exceed maxPods. 544 // The value must be a non-negative integer. 545 // If 0, there is no limit on the number of Pods. 546 // Default: 0 547 // +optional 548 PodsPerCore int32 `json:"podsPerCore,omitempty"` 549 // enableControllerAttachDetach enables the Attach/Detach controller to 550 // manage attachment/detachment of volumes scheduled to this node, and 551 // disables kubelet from executing any attach/detach operations. 552 // Note: attaching/detaching CSI volumes is not supported by the kubelet, 553 // so this option needs to be true for that use case. 554 // Default: true 555 // +optional 556 EnableControllerAttachDetach *bool `json:"enableControllerAttachDetach,omitempty"` 557 // protectKernelDefaults, if true, causes the Kubelet to error if kernel 558 // flags are not as it expects. Otherwise the Kubelet will attempt to modify 559 // kernel flags to match its expectation. 560 // Default: false 561 // +optional 562 ProtectKernelDefaults bool `json:"protectKernelDefaults,omitempty"` 563 // makeIPTablesUtilChains, if true, causes the Kubelet to create the 564 // KUBE-IPTABLES-HINT chain in iptables as a hint to other components about the 565 // configuration of iptables on the system. 566 // Default: true 567 // +optional 568 MakeIPTablesUtilChains *bool `json:"makeIPTablesUtilChains,omitempty"` 569 // iptablesMasqueradeBit formerly controlled the creation of the KUBE-MARK-MASQ 570 // chain. 571 // Deprecated: no longer has any effect. 572 // Default: 14 573 // +optional 574 IPTablesMasqueradeBit *int32 `json:"iptablesMasqueradeBit,omitempty"` 575 // iptablesDropBit formerly controlled the creation of the KUBE-MARK-DROP chain. 576 // Deprecated: no longer has any effect. 577 // Default: 15 578 // +optional 579 IPTablesDropBit *int32 `json:"iptablesDropBit,omitempty"` 580 // featureGates is a map of feature names to bools that enable or disable experimental 581 // features. This field modifies piecemeal the built-in default values from 582 // "k8s.io/kubernetes/pkg/features/kube_features.go". 583 // Default: nil 584 // +optional 585 FeatureGates map[string]bool `json:"featureGates,omitempty"` 586 // failSwapOn tells the Kubelet to fail to start if swap is enabled on the node. 587 // Default: true 588 // +optional 589 FailSwapOn *bool `json:"failSwapOn,omitempty"` 590 // memorySwap configures swap memory available to container workloads. 591 // +featureGate=NodeSwap 592 // +optional 593 MemorySwap MemorySwapConfiguration `json:"memorySwap,omitempty"` 594 // containerLogMaxSize is a quantity defining the maximum size of the container log 595 // file before it is rotated. For example: "5Mi" or "256Ki". 596 // Default: "10Mi" 597 // +optional 598 ContainerLogMaxSize string `json:"containerLogMaxSize,omitempty"` 599 // containerLogMaxFiles specifies the maximum number of container log files that can 600 // be present for a container. 601 // Default: 5 602 // +optional 603 ContainerLogMaxFiles *int32 `json:"containerLogMaxFiles,omitempty"` 604 605 // ContainerLogMaxWorkers specifies the maximum number of concurrent workers to spawn 606 // for performing the log rotate operations. Set this count to 1 for disabling the 607 // concurrent log rotation workflows 608 // Default: 1 609 // +optional 610 ContainerLogMaxWorkers *int32 `json:"containerLogMaxWorkers,omitempty"` 611 612 // ContainerLogMonitorInterval specifies the duration at which the container logs are monitored 613 // for performing the log rotate operation. This defaults to 10 * time.Seconds. But can be 614 // customized to a smaller value based on the log generation rate and the size required to be 615 // rotated against 616 // Default: 10s 617 // +optional 618 ContainerLogMonitorInterval *metav1.Duration `json:"containerLogMonitorInterval,omitempty"` 619 // configMapAndSecretChangeDetectionStrategy is a mode in which ConfigMap and Secret 620 // managers are running. Valid values include: 621 // 622 // - `Get`: kubelet fetches necessary objects directly from the API server; 623 // - `Cache`: kubelet uses TTL cache for object fetched from the API server; 624 // - `Watch`: kubelet uses watches to observe changes to objects that are in its interest. 625 // 626 // Default: "Watch" 627 // +optional 628 ConfigMapAndSecretChangeDetectionStrategy ResourceChangeDetectionStrategy `json:"configMapAndSecretChangeDetectionStrategy,omitempty"` 629 630 /* the following fields are meant for Node Allocatable */ 631 632 // systemReserved is a set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=150G) 633 // pairs that describe resources reserved for non-kubernetes components. 634 // Currently only cpu and memory are supported. 635 // See http://kubernetes.io/docs/user-guide/compute-resources for more detail. 636 // Default: nil 637 // +optional 638 SystemReserved map[string]string `json:"systemReserved,omitempty"` 639 // kubeReserved is a set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=150G) pairs 640 // that describe resources reserved for kubernetes system components. 641 // Currently cpu, memory and local storage for root file system are supported. 642 // See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ 643 // for more details. 644 // Default: nil 645 // +optional 646 KubeReserved map[string]string `json:"kubeReserved,omitempty"` 647 // The reservedSystemCPUs option specifies the CPU list reserved for the host 648 // level system threads and kubernetes related threads. This provide a "static" 649 // CPU list rather than the "dynamic" list by systemReserved and kubeReserved. 650 // This option does not support systemReservedCgroup or kubeReservedCgroup. 651 ReservedSystemCPUs string `json:"reservedSystemCPUs,omitempty"` 652 // showHiddenMetricsForVersion is the previous version for which you want to show 653 // hidden metrics. 654 // Only the previous minor version is meaningful, other values will not be allowed. 655 // The format is `<major>.<minor>`, e.g.: `1.16`. 656 // The purpose of this format is make sure you have the opportunity to notice 657 // if the next release hides additional metrics, rather than being surprised 658 // when they are permanently removed in the release after that. 659 // Default: "" 660 // +optional 661 ShowHiddenMetricsForVersion string `json:"showHiddenMetricsForVersion,omitempty"` 662 // systemReservedCgroup helps the kubelet identify absolute name of top level CGroup used 663 // to enforce `systemReserved` compute resource reservation for OS system daemons. 664 // Refer to [Node Allocatable](https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable) 665 // doc for more information. 666 // Default: "" 667 // +optional 668 SystemReservedCgroup string `json:"systemReservedCgroup,omitempty"` 669 // kubeReservedCgroup helps the kubelet identify absolute name of top level CGroup used 670 // to enforce `KubeReserved` compute resource reservation for Kubernetes node system daemons. 671 // Refer to [Node Allocatable](https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable) 672 // doc for more information. 673 // Default: "" 674 // +optional 675 KubeReservedCgroup string `json:"kubeReservedCgroup,omitempty"` 676 // This flag specifies the various Node Allocatable enforcements that Kubelet needs to perform. 677 // This flag accepts a list of options. Acceptable options are `none`, `pods`, 678 // `system-reserved` and `kube-reserved`. 679 // If `none` is specified, no other options may be specified. 680 // When `system-reserved` is in the list, systemReservedCgroup must be specified. 681 // When `kube-reserved` is in the list, kubeReservedCgroup must be specified. 682 // This field is supported only when `cgroupsPerQOS` is set to true. 683 // Refer to [Node Allocatable](https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable) 684 // for more information. 685 // Default: ["pods"] 686 // +optional 687 EnforceNodeAllocatable []string `json:"enforceNodeAllocatable,omitempty"` 688 // A comma separated whitelist of unsafe sysctls or sysctl patterns (ending in `*`). 689 // Unsafe sysctl groups are `kernel.shm*`, `kernel.msg*`, `kernel.sem`, `fs.mqueue.*`, 690 // and `net.*`. For example: "`kernel.msg*,net.ipv4.route.min_pmtu`" 691 // Default: [] 692 // +optional 693 AllowedUnsafeSysctls []string `json:"allowedUnsafeSysctls,omitempty"` 694 // volumePluginDir is the full path of the directory in which to search 695 // for additional third party volume plugins. 696 // Default: "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/" 697 // +optional 698 VolumePluginDir string `json:"volumePluginDir,omitempty"` 699 // providerID, if set, sets the unique ID of the instance that an external 700 // provider (i.e. cloudprovider) can use to identify a specific node. 701 // Default: "" 702 // +optional 703 ProviderID string `json:"providerID,omitempty"` 704 // kernelMemcgNotification, if set, instructs the kubelet to integrate with the 705 // kernel memcg notification for determining if memory eviction thresholds are 706 // exceeded rather than polling. 707 // Default: false 708 // +optional 709 KernelMemcgNotification bool `json:"kernelMemcgNotification,omitempty"` 710 // logging specifies the options of logging. 711 // Refer to [Logs Options](https://github.com/kubernetes/component-base/blob/master/logs/options.go) 712 // for more information. 713 // Default: 714 // Format: text 715 // + optional 716 Logging logsapi.LoggingConfiguration `json:"logging,omitempty"` 717 // enableSystemLogHandler enables system logs via web interface host:port/logs/ 718 // Default: true 719 // +optional 720 EnableSystemLogHandler *bool `json:"enableSystemLogHandler,omitempty"` 721 // enableSystemLogQuery enables the node log query feature on the /logs endpoint. 722 // EnableSystemLogHandler has to be enabled in addition for this feature to work. 723 // Default: false 724 // +featureGate=NodeLogQuery 725 // +optional 726 EnableSystemLogQuery *bool `json:"enableSystemLogQuery,omitempty"` 727 // shutdownGracePeriod specifies the total duration that the node should delay the 728 // shutdown and total grace period for pod termination during a node shutdown. 729 // Default: "0s" 730 // +featureGate=GracefulNodeShutdown 731 // +optional 732 ShutdownGracePeriod metav1.Duration `json:"shutdownGracePeriod,omitempty"` 733 // shutdownGracePeriodCriticalPods specifies the duration used to terminate critical 734 // pods during a node shutdown. This should be less than shutdownGracePeriod. 735 // For example, if shutdownGracePeriod=30s, and shutdownGracePeriodCriticalPods=10s, 736 // during a node shutdown the first 20 seconds would be reserved for gracefully 737 // terminating normal pods, and the last 10 seconds would be reserved for terminating 738 // critical pods. 739 // Default: "0s" 740 // +featureGate=GracefulNodeShutdown 741 // +optional 742 ShutdownGracePeriodCriticalPods metav1.Duration `json:"shutdownGracePeriodCriticalPods,omitempty"` 743 // shutdownGracePeriodByPodPriority specifies the shutdown grace period for Pods based 744 // on their associated priority class value. 745 // When a shutdown request is received, the Kubelet will initiate shutdown on all pods 746 // running on the node with a grace period that depends on the priority of the pod, 747 // and then wait for all pods to exit. 748 // Each entry in the array represents the graceful shutdown time a pod with a priority 749 // class value that lies in the range of that value and the next higher entry in the 750 // list when the node is shutting down. 751 // For example, to allow critical pods 10s to shutdown, priority>=10000 pods 20s to 752 // shutdown, and all remaining pods 30s to shutdown. 753 // 754 // shutdownGracePeriodByPodPriority: 755 // - priority: 2000000000 756 // shutdownGracePeriodSeconds: 10 757 // - priority: 10000 758 // shutdownGracePeriodSeconds: 20 759 // - priority: 0 760 // shutdownGracePeriodSeconds: 30 761 // 762 // The time the Kubelet will wait before exiting will at most be the maximum of all 763 // shutdownGracePeriodSeconds for each priority class range represented on the node. 764 // When all pods have exited or reached their grace periods, the Kubelet will release 765 // the shutdown inhibit lock. 766 // Requires the GracefulNodeShutdown feature gate to be enabled. 767 // This configuration must be empty if either ShutdownGracePeriod or ShutdownGracePeriodCriticalPods is set. 768 // Default: nil 769 // +featureGate=GracefulNodeShutdownBasedOnPodPriority 770 // +optional 771 ShutdownGracePeriodByPodPriority []ShutdownGracePeriodByPodPriority `json:"shutdownGracePeriodByPodPriority,omitempty"` 772 // reservedMemory specifies a comma-separated list of memory reservations for NUMA nodes. 773 // The parameter makes sense only in the context of the memory manager feature. 774 // The memory manager will not allocate reserved memory for container workloads. 775 // For example, if you have a NUMA0 with 10Gi of memory and the reservedMemory was 776 // specified to reserve 1Gi of memory at NUMA0, the memory manager will assume that 777 // only 9Gi is available for allocation. 778 // You can specify a different amount of NUMA node and memory types. 779 // You can omit this parameter at all, but you should be aware that the amount of 780 // reserved memory from all NUMA nodes should be equal to the amount of memory specified 781 // by the [node allocatable](https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable). 782 // If at least one node allocatable parameter has a non-zero value, you will need 783 // to specify at least one NUMA node. 784 // Also, avoid specifying: 785 // 786 // 1. Duplicates, the same NUMA node, and memory type, but with a different value. 787 // 2. zero limits for any memory type. 788 // 3. NUMAs nodes IDs that do not exist under the machine. 789 // 4. memory types except for memory and hugepages-<size> 790 // 791 // Default: nil 792 // +optional 793 ReservedMemory []MemoryReservation `json:"reservedMemory,omitempty"` 794 // enableProfilingHandler enables profiling via web interface host:port/debug/pprof/ 795 // Default: true 796 // +optional 797 EnableProfilingHandler *bool `json:"enableProfilingHandler,omitempty"` 798 // enableDebugFlagsHandler enables flags endpoint via web interface host:port/debug/flags/v 799 // Default: true 800 // +optional 801 EnableDebugFlagsHandler *bool `json:"enableDebugFlagsHandler,omitempty"` 802 // SeccompDefault enables the use of `RuntimeDefault` as the default seccomp profile for all workloads. 803 // Default: false 804 // +optional 805 SeccompDefault *bool `json:"seccompDefault,omitempty"` 806 // MemoryThrottlingFactor specifies the factor multiplied by the memory limit or node allocatable memory 807 // when setting the cgroupv2 memory.high value to enforce MemoryQoS. 808 // Decreasing this factor will set lower high limit for container cgroups and put heavier reclaim pressure 809 // while increasing will put less reclaim pressure. 810 // See https://kep.k8s.io/2570 for more details. 811 // Default: 0.9 812 // +featureGate=MemoryQoS 813 // +optional 814 MemoryThrottlingFactor *float64 `json:"memoryThrottlingFactor,omitempty"` 815 // registerWithTaints are an array of taints to add to a node object when 816 // the kubelet registers itself. This only takes effect when registerNode 817 // is true and upon the initial registration of the node. 818 // Default: nil 819 // +optional 820 RegisterWithTaints []v1.Taint `json:"registerWithTaints,omitempty"` 821 // registerNode enables automatic registration with the apiserver. 822 // Default: true 823 // +optional 824 RegisterNode *bool `json:"registerNode,omitempty"` 825 // Tracing specifies the versioned configuration for OpenTelemetry tracing clients. 826 // See https://kep.k8s.io/2832 for more details. 827 // Default: nil 828 // +featureGate=KubeletTracing 829 // +optional 830 Tracing *tracingapi.TracingConfiguration `json:"tracing,omitempty"` 831 832 // LocalStorageCapacityIsolation enables local ephemeral storage isolation feature. The default setting is true. 833 // This feature allows users to set request/limit for container's ephemeral storage and manage it in a similar way 834 // as cpu and memory. It also allows setting sizeLimit for emptyDir volume, which will trigger pod eviction if disk 835 // usage from the volume exceeds the limit. 836 // This feature depends on the capability of detecting correct root file system disk usage. For certain systems, 837 // such as kind rootless, if this capability cannot be supported, the feature LocalStorageCapacityIsolation should be 838 // disabled. Once disabled, user should not set request/limit for container's ephemeral storage, or sizeLimit for emptyDir. 839 // Default: true 840 // +optional 841 LocalStorageCapacityIsolation *bool `json:"localStorageCapacityIsolation,omitempty"` 842 843 // ContainerRuntimeEndpoint is the endpoint of container runtime. 844 // Unix Domain Sockets are supported on Linux, while npipe and tcp endpoints are supported on Windows. 845 // Examples:'unix:///path/to/runtime.sock', 'npipe:////./pipe/runtime' 846 ContainerRuntimeEndpoint string `json:"containerRuntimeEndpoint"` 847 848 // ImageServiceEndpoint is the endpoint of container image service. 849 // Unix Domain Socket are supported on Linux, while npipe and tcp endpoints are supported on Windows. 850 // Examples:'unix:///path/to/runtime.sock', 'npipe:////./pipe/runtime'. 851 // If not specified, the value in containerRuntimeEndpoint is used. 852 // +optional 853 ImageServiceEndpoint string `json:"imageServiceEndpoint,omitempty"` 854 } 855 856 type KubeletAuthorizationMode string 857 858 const ( 859 // KubeletAuthorizationModeAlwaysAllow authorizes all authenticated requests 860 KubeletAuthorizationModeAlwaysAllow KubeletAuthorizationMode = "AlwaysAllow" 861 // KubeletAuthorizationModeWebhook uses the SubjectAccessReview API to determine authorization 862 KubeletAuthorizationModeWebhook KubeletAuthorizationMode = "Webhook" 863 ) 864 865 type KubeletAuthorization struct { 866 // mode is the authorization mode to apply to requests to the kubelet server. 867 // Valid values are `AlwaysAllow` and `Webhook`. 868 // Webhook mode uses the SubjectAccessReview API to determine authorization. 869 // +optional 870 Mode KubeletAuthorizationMode `json:"mode,omitempty"` 871 872 // webhook contains settings related to Webhook authorization. 873 // +optional 874 Webhook KubeletWebhookAuthorization `json:"webhook"` 875 } 876 877 type KubeletWebhookAuthorization struct { 878 // cacheAuthorizedTTL is the duration to cache 'authorized' responses from the 879 // webhook authorizer. 880 // +optional 881 CacheAuthorizedTTL metav1.Duration `json:"cacheAuthorizedTTL,omitempty"` 882 // cacheUnauthorizedTTL is the duration to cache 'unauthorized' responses from 883 // the webhook authorizer. 884 // +optional 885 CacheUnauthorizedTTL metav1.Duration `json:"cacheUnauthorizedTTL,omitempty"` 886 } 887 888 type KubeletAuthentication struct { 889 // x509 contains settings related to x509 client certificate authentication. 890 // +optional 891 X509 KubeletX509Authentication `json:"x509"` 892 // webhook contains settings related to webhook bearer token authentication. 893 // +optional 894 Webhook KubeletWebhookAuthentication `json:"webhook"` 895 // anonymous contains settings related to anonymous authentication. 896 // +optional 897 Anonymous KubeletAnonymousAuthentication `json:"anonymous"` 898 } 899 900 type KubeletX509Authentication struct { 901 // clientCAFile is the path to a PEM-encoded certificate bundle. If set, any request 902 // presenting a client certificate signed by one of the authorities in the bundle 903 // is authenticated with a username corresponding to the CommonName, 904 // and groups corresponding to the Organization in the client certificate. 905 // +optional 906 ClientCAFile string `json:"clientCAFile,omitempty"` 907 } 908 909 type KubeletWebhookAuthentication struct { 910 // enabled allows bearer token authentication backed by the 911 // tokenreviews.authentication.k8s.io API. 912 // +optional 913 Enabled *bool `json:"enabled,omitempty"` 914 // cacheTTL enables caching of authentication results 915 // +optional 916 CacheTTL metav1.Duration `json:"cacheTTL,omitempty"` 917 } 918 919 type KubeletAnonymousAuthentication struct { 920 // enabled allows anonymous requests to the kubelet server. 921 // Requests that are not rejected by another authentication method are treated as 922 // anonymous requests. 923 // Anonymous requests have a username of `system:anonymous`, and a group name of 924 // `system:unauthenticated`. 925 // +optional 926 Enabled *bool `json:"enabled,omitempty"` 927 } 928 929 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 930 931 // SerializedNodeConfigSource allows us to serialize v1.NodeConfigSource. 932 // This type is used internally by the Kubelet for tracking checkpointed dynamic configs. 933 // It exists in the kubeletconfig API group because it is classified as a versioned input to the Kubelet. 934 type SerializedNodeConfigSource struct { 935 metav1.TypeMeta `json:",inline"` 936 // source is the source that we are serializing. 937 // +optional 938 Source v1.NodeConfigSource `json:"source,omitempty" protobuf:"bytes,1,opt,name=source"` 939 } 940 941 // MemoryReservation specifies the memory reservation of different types for each NUMA node 942 type MemoryReservation struct { 943 NumaNode int32 `json:"numaNode"` 944 Limits v1.ResourceList `json:"limits"` 945 } 946 947 // ShutdownGracePeriodByPodPriority specifies the shutdown grace period for Pods based on their associated priority class value 948 type ShutdownGracePeriodByPodPriority struct { 949 // priority is the priority value associated with the shutdown grace period 950 Priority int32 `json:"priority"` 951 // shutdownGracePeriodSeconds is the shutdown grace period in seconds 952 ShutdownGracePeriodSeconds int64 `json:"shutdownGracePeriodSeconds"` 953 } 954 955 type MemorySwapConfiguration struct { 956 // swapBehavior configures swap memory available to container workloads. May be one of 957 // "", "NoSwap": workloads can not use swap, default option. 958 // "LimitedSwap": workload swap usage is limited. The swap limit is proportionate to the container's memory request. 959 // +featureGate=NodeSwap 960 // +optional 961 SwapBehavior string `json:"swapBehavior,omitempty"` 962 } 963 964 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 965 966 // CredentialProviderConfig is the configuration containing information about 967 // each exec credential provider. Kubelet reads this configuration from disk and enables 968 // each provider as specified by the CredentialProvider type. 969 type CredentialProviderConfig struct { 970 metav1.TypeMeta `json:",inline"` 971 972 // providers is a list of credential provider plugins that will be enabled by the kubelet. 973 // Multiple providers may match against a single image, in which case credentials 974 // from all providers will be returned to the kubelet. If multiple providers are called 975 // for a single image, the results are combined. If providers return overlapping 976 // auth keys, the value from the provider earlier in this list is used. 977 Providers []CredentialProvider `json:"providers"` 978 } 979 980 // CredentialProvider represents an exec plugin to be invoked by the kubelet. The plugin is only 981 // invoked when an image being pulled matches the images handled by the plugin (see matchImages). 982 type CredentialProvider struct { 983 // name is the required name of the credential provider. It must match the name of the 984 // provider executable as seen by the kubelet. The executable must be in the kubelet's 985 // bin directory (set by the --image-credential-provider-bin-dir flag). 986 Name string `json:"name"` 987 988 // matchImages is a required list of strings used to match against images in order to 989 // determine if this provider should be invoked. If one of the strings matches the 990 // requested image from the kubelet, the plugin will be invoked and given a chance 991 // to provide credentials. Images are expected to contain the registry domain 992 // and URL path. 993 // 994 // Each entry in matchImages is a pattern which can optionally contain a port and a path. 995 // Globs can be used in the domain, but not in the port or the path. Globs are supported 996 // as subdomains like '*.k8s.io' or 'k8s.*.io', and top-level-domains such as 'k8s.*'. 997 // Matching partial subdomains like 'app*.k8s.io' is also supported. Each glob can only match 998 // a single subdomain segment, so *.io does not match *.k8s.io. 999 // 1000 // A match exists between an image and a matchImage when all of the below are true: 1001 // - Both contain the same number of domain parts and each part matches. 1002 // - The URL path of an imageMatch must be a prefix of the target image URL path. 1003 // - If the imageMatch contains a port, then the port must match in the image as well. 1004 // 1005 // Example values of matchImages: 1006 // - 123456789.dkr.ecr.us-east-1.amazonaws.com 1007 // - *.azurecr.io 1008 // - gcr.io 1009 // - *.*.registry.io 1010 // - registry.io:8080/path 1011 MatchImages []string `json:"matchImages"` 1012 1013 // defaultCacheDuration is the default duration the plugin will cache credentials in-memory 1014 // if a cache duration is not provided in the plugin response. This field is required. 1015 DefaultCacheDuration *metav1.Duration `json:"defaultCacheDuration"` 1016 1017 // Required input version of the exec CredentialProviderRequest. The returned CredentialProviderResponse 1018 // MUST use the same encoding version as the input. Current supported values are: 1019 // - credentialprovider.kubelet.k8s.io/v1beta1 1020 APIVersion string `json:"apiVersion"` 1021 1022 // Arguments to pass to the command when executing it. 1023 // +optional 1024 Args []string `json:"args,omitempty"` 1025 1026 // Env defines additional environment variables to expose to the process. These 1027 // are unioned with the host's environment, as well as variables client-go uses 1028 // to pass argument to the plugin. 1029 // +optional 1030 Env []ExecEnvVar `json:"env,omitempty"` 1031 } 1032 1033 // ExecEnvVar is used for setting environment variables when executing an exec-based 1034 // credential plugin. 1035 type ExecEnvVar struct { 1036 Name string `json:"name"` 1037 Value string `json:"value"` 1038 } 1039