1 /* 2 Copyright 2015 The Kubernetes Authors. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 17 package config 18 19 import ( 20 v1 "k8s.io/api/core/v1" 21 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 22 logsapi "k8s.io/component-base/logs/api/v1" 23 tracingapi "k8s.io/component-base/tracing/api/v1" 24 ) 25 26 // HairpinMode denotes how the kubelet should configure networking to handle 27 // hairpin packets. 28 type HairpinMode string 29 30 // Enum settings for different ways to handle hairpin packets. 31 const ( 32 // Set the hairpin flag on the veth of containers in the respective 33 // container runtime. 34 HairpinVeth = "hairpin-veth" 35 // Make the container bridge promiscuous. This will force it to accept 36 // hairpin packets, even if the flag isn't set on ports of the bridge. 37 PromiscuousBridge = "promiscuous-bridge" 38 // Neither of the above. If the kubelet is started in this hairpin mode 39 // and kube-proxy is running in iptables mode, hairpin packets will be 40 // dropped by the container bridge. 41 HairpinNone = "none" 42 ) 43 44 // ResourceChangeDetectionStrategy denotes a mode in which internal 45 // managers (secret, configmap) are discovering object changes. 46 type ResourceChangeDetectionStrategy string 47 48 // Enum settings for different strategies of kubelet managers. 49 const ( 50 // GetChangeDetectionStrategy is a mode in which kubelet fetches 51 // necessary objects directly from apiserver. 52 GetChangeDetectionStrategy ResourceChangeDetectionStrategy = "Get" 53 // TTLCacheChangeDetectionStrategy is a mode in which kubelet uses 54 // ttl cache for object directly fetched from apiserver. 55 TTLCacheChangeDetectionStrategy ResourceChangeDetectionStrategy = "Cache" 56 // WatchChangeDetectionStrategy is a mode in which kubelet uses 57 // watches to observe changes to objects that are in its interest. 58 WatchChangeDetectionStrategy ResourceChangeDetectionStrategy = "Watch" 59 // RestrictedTopologyManagerPolicy is a mode in which kubelet only allows 60 // pods with optimal NUMA node alignment for requested resources 61 RestrictedTopologyManagerPolicy = "restricted" 62 // BestEffortTopologyManagerPolicy is a mode in which kubelet will favour 63 // pods with NUMA alignment of CPU and device resources. 64 BestEffortTopologyManagerPolicy = "best-effort" 65 // NoneTopologyManagerPolicy is a mode in which kubelet has no knowledge 66 // of NUMA alignment of a pod's CPU and device resources. 67 NoneTopologyManagerPolicy = "none" 68 // SingleNumaNodeTopologyManagerPolicy is a mode in which kubelet only allows 69 // pods with a single NUMA alignment of CPU and device resources. 70 SingleNumaNodeTopologyManagerPolicy = "single-numa-node" 71 // ContainerTopologyManagerScope represents that 72 // topology policy is applied on a per-container basis. 73 ContainerTopologyManagerScope = "container" 74 // PodTopologyManagerScope represents that 75 // topology policy is applied on a per-pod basis. 76 PodTopologyManagerScope = "pod" 77 ) 78 79 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 80 81 // KubeletConfiguration contains the configuration for the Kubelet 82 type KubeletConfiguration struct { 83 metav1.TypeMeta 84 85 // enableServer enables Kubelet's secured server. 86 // Note: Kubelet's insecure port is controlled by the readOnlyPort option. 87 EnableServer bool 88 // staticPodPath is the path to the directory containing local (static) pods to 89 // run, or the path to a single static pod file. 90 StaticPodPath string 91 // podLogsDir is a custom root directory path kubelet will use to place pod's log files. 92 // Default: "/var/log/pods/" 93 // Note: it is not recommended to use the temp folder as a log directory as it may cause 94 // unexpected behavior in many places. 95 PodLogsDir string 96 // syncFrequency is the max period between synchronizing running 97 // containers and config 98 SyncFrequency metav1.Duration 99 // fileCheckFrequency is the duration between checking config files for 100 // new data 101 FileCheckFrequency metav1.Duration 102 // httpCheckFrequency is the duration between checking http for new data 103 HTTPCheckFrequency metav1.Duration 104 // staticPodURL is the URL for accessing static pods to run 105 StaticPodURL string 106 // staticPodURLHeader is a map of slices with HTTP headers to use when accessing the podURL 107 StaticPodURLHeader map[string][]string `datapolicy:"token"` 108 // address is the IP address for the Kubelet to serve on (set to 0.0.0.0 109 // for all interfaces) 110 Address string 111 // port is the port for the Kubelet to serve on. 112 Port int32 113 // readOnlyPort is the read-only port for the Kubelet to serve on with 114 // no authentication/authorization (set to 0 to disable) 115 ReadOnlyPort int32 116 // volumePluginDir is the full path of the directory in which to search 117 // for additional third party volume plugins. 118 VolumePluginDir string 119 // providerID, if set, sets the unique id of the instance that an external provider (i.e. cloudprovider) 120 // can use to identify a specific node 121 ProviderID string 122 // tlsCertFile is the file containing x509 Certificate for HTTPS. (CA cert, 123 // if any, concatenated after server cert). If tlsCertFile and 124 // tlsPrivateKeyFile are not provided, a self-signed certificate 125 // and key are generated for the public address and saved to the directory 126 // passed to the Kubelet's --cert-dir flag. 127 TLSCertFile string 128 // tlsPrivateKeyFile is the file containing x509 private key matching tlsCertFile 129 TLSPrivateKeyFile string 130 // TLSCipherSuites is the list of allowed cipher suites for the server. 131 // Note that TLS 1.3 ciphersuites are not configurable. 132 // Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). 133 TLSCipherSuites []string 134 // TLSMinVersion is the minimum TLS version supported. 135 // Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). 136 TLSMinVersion string 137 // rotateCertificates enables client certificate rotation. The Kubelet will request a 138 // new certificate from the certificates.k8s.io API. This requires an approver to approve the 139 // certificate signing requests. 140 RotateCertificates bool 141 // serverTLSBootstrap enables server certificate bootstrap. Instead of self 142 // signing a serving certificate, the Kubelet will request a certificate from 143 // the certificates.k8s.io API. This requires an approver to approve the 144 // certificate signing requests. The RotateKubeletServerCertificate feature 145 // must be enabled. 146 ServerTLSBootstrap bool 147 // authentication specifies how requests to the Kubelet's server are authenticated 148 Authentication KubeletAuthentication 149 // authorization specifies how requests to the Kubelet's server are authorized 150 Authorization KubeletAuthorization 151 // registryPullQPS is the limit of registry pulls per second. 152 // Set to 0 for no limit. 153 RegistryPullQPS int32 154 // registryBurst is the maximum size of bursty pulls, temporarily allows 155 // pulls to burst to this number, while still not exceeding registryPullQPS. 156 // Only used if registryPullQPS > 0. 157 RegistryBurst int32 158 // eventRecordQPS is the maximum event creations per second. If 0, there 159 // is no limit enforced. 160 EventRecordQPS int32 161 // eventBurst is the maximum size of a burst of event creations, temporarily 162 // allows event creations to burst to this number, while still not exceeding 163 // eventRecordQPS. Only used if eventRecordQPS > 0. 164 EventBurst int32 165 // enableDebuggingHandlers enables server endpoints for log collection 166 // and local running of containers and commands 167 EnableDebuggingHandlers bool 168 // enableContentionProfiling enables block profiling, if enableDebuggingHandlers is true. 169 EnableContentionProfiling bool 170 // healthzPort is the port of the localhost healthz endpoint (set to 0 to disable) 171 HealthzPort int32 172 // healthzBindAddress is the IP address for the healthz server to serve on 173 HealthzBindAddress string 174 // oomScoreAdj is The oom-score-adj value for kubelet process. Values 175 // must be within the range [-1000, 1000]. 176 OOMScoreAdj int32 177 // clusterDomain is the DNS domain for this cluster. If set, kubelet will 178 // configure all containers to search this domain in addition to the 179 // host's search domains. 180 ClusterDomain string 181 // clusterDNS is a list of IP addresses for a cluster DNS server. If set, 182 // kubelet will configure all containers to use this for DNS resolution 183 // instead of the host's DNS servers. 184 ClusterDNS []string 185 // streamingConnectionIdleTimeout is the maximum time a streaming connection 186 // can be idle before the connection is automatically closed. 187 StreamingConnectionIdleTimeout metav1.Duration 188 // nodeStatusUpdateFrequency is the frequency that kubelet computes node 189 // status. If node lease feature is not enabled, it is also the frequency that 190 // kubelet posts node status to master. In that case, be cautious when 191 // changing the constant, it must work with nodeMonitorGracePeriod in nodecontroller. 192 NodeStatusUpdateFrequency metav1.Duration 193 // nodeStatusReportFrequency is the frequency that kubelet posts node 194 // status to master if node status does not change. Kubelet will ignore this 195 // frequency and post node status immediately if any change is detected. It is 196 // only used when node lease feature is enabled. 197 NodeStatusReportFrequency metav1.Duration 198 // nodeLeaseDurationSeconds is the duration the Kubelet will set on its corresponding Lease. 199 NodeLeaseDurationSeconds int32 200 // ImageMinimumGCAge is the minimum age for an unused image before it is 201 // garbage collected. 202 ImageMinimumGCAge metav1.Duration 203 // ImageMaximumGCAge is the maximum age an image can be unused before it is garbage collected. 204 // The default of this field is "0s", which disables this field--meaning images won't be garbage 205 // collected based on being unused for too long. 206 ImageMaximumGCAge metav1.Duration 207 // imageGCHighThresholdPercent is the percent of disk usage after which 208 // image garbage collection is always run. The percent is calculated as 209 // this field value out of 100. 210 ImageGCHighThresholdPercent int32 211 // imageGCLowThresholdPercent is the percent of disk usage before which 212 // image garbage collection is never run. Lowest disk usage to garbage 213 // collect to. The percent is calculated as this field value out of 100. 214 ImageGCLowThresholdPercent int32 215 // How frequently to calculate and cache volume disk usage for all pods 216 VolumeStatsAggPeriod metav1.Duration 217 // KubeletCgroups is the absolute name of cgroups to isolate the kubelet in 218 KubeletCgroups string 219 // SystemCgroups is absolute name of cgroups in which to place 220 // all non-kernel processes that are not already in a container. Empty 221 // for no container. Rolling back the flag requires a reboot. 222 SystemCgroups string 223 // CgroupRoot is the root cgroup to use for pods. 224 // If CgroupsPerQOS is enabled, this is the root of the QoS cgroup hierarchy. 225 CgroupRoot string 226 // Enable QoS based Cgroup hierarchy: top level cgroups for QoS Classes 227 // And all Burstable and BestEffort pods are brought up under their 228 // specific top level QoS cgroup. 229 CgroupsPerQOS bool 230 // driver that the kubelet uses to manipulate cgroups on the host (cgroupfs or systemd) 231 CgroupDriver string 232 // CPUManagerPolicy is the name of the policy to use. 233 // Requires the CPUManager feature gate to be enabled. 234 CPUManagerPolicy string 235 // CPUManagerPolicyOptions is a set of key=value which allows to set extra options 236 // to fine tune the behaviour of the cpu manager policies. 237 // Requires both the "CPUManager" and "CPUManagerPolicyOptions" feature gates to be enabled. 238 CPUManagerPolicyOptions map[string]string 239 // CPU Manager reconciliation period. 240 // Requires the CPUManager feature gate to be enabled. 241 CPUManagerReconcilePeriod metav1.Duration 242 // MemoryManagerPolicy is the name of the policy to use. 243 // Requires the MemoryManager feature gate to be enabled. 244 MemoryManagerPolicy string 245 // TopologyManagerPolicy is the name of the policy to use. 246 TopologyManagerPolicy string 247 // TopologyManagerScope represents the scope of topology hint generation 248 // that topology manager requests and hint providers generate. 249 // Default: "container" 250 // +optional 251 TopologyManagerScope string 252 // TopologyManagerPolicyOptions is a set of key=value which allows to set extra options 253 // to fine tune the behaviour of the topology manager policies. 254 // Requires both the "TopologyManager" and "TopologyManagerPolicyOptions" feature gates to be enabled. 255 TopologyManagerPolicyOptions map[string]string 256 // Map of QoS resource reservation percentages (memory only for now). 257 // Requires the QOSReserved feature gate to be enabled. 258 QOSReserved map[string]string 259 // runtimeRequestTimeout is the timeout for all runtime requests except long running 260 // requests - pull, logs, exec and attach. 261 RuntimeRequestTimeout metav1.Duration 262 // hairpinMode specifies how the Kubelet should configure the container 263 // bridge for hairpin packets. 264 // Setting this flag allows endpoints in a Service to loadbalance back to 265 // themselves if they should try to access their own Service. Values: 266 // "promiscuous-bridge": make the container bridge promiscuous. 267 // "hairpin-veth": set the hairpin flag on container veth interfaces. 268 // "none": do nothing. 269 // Generally, one must set --hairpin-mode=hairpin-veth to achieve hairpin NAT, 270 // because promiscuous-bridge assumes the existence of a container bridge named cbr0. 271 HairpinMode string 272 // maxPods is the number of pods that can run on this Kubelet. 273 MaxPods int32 274 // The CIDR to use for pod IP addresses, only used in standalone mode. 275 // In cluster mode, this is obtained from the master. 276 PodCIDR string 277 // The maximum number of processes per pod. If -1, the kubelet defaults to the node allocatable pid capacity. 278 PodPidsLimit int64 279 // ResolverConfig is the resolver configuration file used as the basis 280 // for the container DNS resolution configuration. 281 ResolverConfig string 282 // RunOnce causes the Kubelet to check the API server once for pods, 283 // run those in addition to the pods specified by static pod files, and exit. 284 RunOnce bool 285 // cpuCFSQuota enables CPU CFS quota enforcement for containers that 286 // specify CPU limits 287 CPUCFSQuota bool 288 // CPUCFSQuotaPeriod sets the CPU CFS quota period value, cpu.cfs_period_us, defaults to 100ms 289 CPUCFSQuotaPeriod metav1.Duration 290 // maxOpenFiles is Number of files that can be opened by Kubelet process. 291 MaxOpenFiles int64 292 // nodeStatusMaxImages caps the number of images reported in Node.Status.Images. 293 NodeStatusMaxImages int32 294 // contentType is contentType of requests sent to apiserver. 295 ContentType string 296 // kubeAPIQPS is the QPS to use while talking with kubernetes apiserver 297 KubeAPIQPS int32 298 // kubeAPIBurst is the burst to allow while talking with kubernetes 299 // apiserver 300 KubeAPIBurst int32 301 // serializeImagePulls when enabled, tells the Kubelet to pull images one at a time. 302 SerializeImagePulls bool 303 // MaxParallelImagePulls sets the maximum number of image pulls in parallel. 304 MaxParallelImagePulls *int32 305 // Map of signal names to quantities that defines hard eviction thresholds. For example: {"memory.available": "300Mi"}. 306 // Some default signals are Linux only: nodefs.inodesFree 307 EvictionHard map[string]string 308 // Map of signal names to quantities that defines soft eviction thresholds. For example: {"memory.available": "300Mi"}. 309 EvictionSoft map[string]string 310 // Map of signal names to quantities that defines grace periods for each soft eviction signal. For example: {"memory.available": "30s"}. 311 EvictionSoftGracePeriod map[string]string 312 // Duration for which the kubelet has to wait before transitioning out of an eviction pressure condition. 313 EvictionPressureTransitionPeriod metav1.Duration 314 // Maximum allowed grace period (in seconds) to use when terminating pods in response to a soft eviction threshold being met. 315 EvictionMaxPodGracePeriod int32 316 // Map of signal names to quantities that defines minimum reclaims, which describe the minimum 317 // amount of a given resource the kubelet will reclaim when performing a pod eviction while 318 // that resource is under pressure. For example: {"imagefs.available": "2Gi"} 319 EvictionMinimumReclaim map[string]string 320 // podsPerCore is the maximum number of pods per core. Cannot exceed MaxPods. 321 // If 0, this field is ignored. 322 PodsPerCore int32 323 // enableControllerAttachDetach enables the Attach/Detach controller to 324 // manage attachment/detachment of volumes scheduled to this node, and 325 // disables kubelet from executing any attach/detach operations 326 EnableControllerAttachDetach bool 327 // protectKernelDefaults, if true, causes the Kubelet to error if kernel 328 // flags are not as it expects. Otherwise the Kubelet will attempt to modify 329 // kernel flags to match its expectation. 330 ProtectKernelDefaults bool 331 // If true, Kubelet creates the KUBE-IPTABLES-HINT chain in iptables as a hint to 332 // other components about the configuration of iptables on the system. 333 MakeIPTablesUtilChains bool 334 // iptablesMasqueradeBit formerly controlled the creation of the KUBE-MARK-MASQ 335 // chain. 336 // Deprecated: no longer has any effect. 337 IPTablesMasqueradeBit int32 338 // iptablesDropBit formerly controlled the creation of the KUBE-MARK-DROP chain. 339 // Deprecated: no longer has any effect. 340 IPTablesDropBit int32 341 // featureGates is a map of feature names to bools that enable or disable alpha/experimental 342 // features. This field modifies piecemeal the built-in default values from 343 // "k8s.io/kubernetes/pkg/features/kube_features.go". 344 FeatureGates map[string]bool 345 // Tells the Kubelet to fail to start if swap is enabled on the node. 346 FailSwapOn bool 347 // memorySwap configures swap memory available to container workloads. 348 // +featureGate=NodeSwap 349 // +optional 350 MemorySwap MemorySwapConfiguration 351 // A quantity defines the maximum size of the container log file before it is rotated. For example: "5Mi" or "256Ki". 352 ContainerLogMaxSize string 353 // Maximum number of container log files that can be present for a container. 354 ContainerLogMaxFiles int32 355 // Maximum number of concurrent log rotation workers to spawn for processing the log rotation 356 // requests 357 ContainerLogMaxWorkers int32 358 // Interval at which the container logs are monitored for rotation 359 ContainerLogMonitorInterval metav1.Duration 360 // ConfigMapAndSecretChangeDetectionStrategy is a mode in which config map and secret managers are running. 361 ConfigMapAndSecretChangeDetectionStrategy ResourceChangeDetectionStrategy 362 // A comma separated allowlist of unsafe sysctls or sysctl patterns (ending in `*`). 363 // Unsafe sysctl groups are `kernel.shm*`, `kernel.msg*`, `kernel.sem`, `fs.mqueue.*`, and `net.*`. 364 // These sysctls are namespaced but not allowed by default. 365 // For example: "`kernel.msg*,net.ipv4.route.min_pmtu`" 366 // +optional 367 AllowedUnsafeSysctls []string 368 // kernelMemcgNotification if enabled, the kubelet will integrate with the kernel memcg 369 // notification to determine if memory eviction thresholds are crossed rather than polling. 370 KernelMemcgNotification bool 371 372 /* the following fields are meant for Node Allocatable */ 373 374 // A set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=150G,ephemeral-storage=1G,pid=100) pairs 375 // that describe resources reserved for non-kubernetes components. 376 // Currently only cpu, memory and local ephemeral storage for root file system are supported. 377 // See http://kubernetes.io/docs/user-guide/compute-resources for more detail. 378 SystemReserved map[string]string 379 // A set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=150G,ephemeral-storage=1G,pid=100) pairs 380 // that describe resources reserved for kubernetes system components. 381 // Currently only cpu, memory and local ephemeral storage for root file system are supported. 382 // See http://kubernetes.io/docs/user-guide/compute-resources for more detail. 383 KubeReserved map[string]string 384 // This flag helps kubelet identify absolute name of top level cgroup used to enforce `SystemReserved` compute resource reservation for OS system daemons. 385 // Refer to [Node Allocatable](https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable) doc for more information. 386 SystemReservedCgroup string 387 // This flag helps kubelet identify absolute name of top level cgroup used to enforce `KubeReserved` compute resource reservation for Kubernetes node system daemons. 388 // Refer to [Node Allocatable](https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable) doc for more information. 389 KubeReservedCgroup string 390 // This flag specifies the various Node Allocatable enforcements that Kubelet needs to perform. 391 // This flag accepts a list of options. Acceptable options are `pods`, `system-reserved` & `kube-reserved`. 392 // Refer to [Node Allocatable](https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable) doc for more information. 393 EnforceNodeAllocatable []string 394 // This option specifies the cpu list reserved for the host level system threads and kubernetes related threads. 395 // This provide a "static" CPU list rather than the "dynamic" list by system-reserved and kube-reserved. 396 // This option overwrites CPUs provided by system-reserved and kube-reserved. 397 ReservedSystemCPUs string 398 // The previous version for which you want to show hidden metrics. 399 // Only the previous minor version is meaningful, other values will not be allowed. 400 // The format is <major>.<minor>, e.g.: '1.16'. 401 // The purpose of this format is make sure you have the opportunity to notice if the next release hides additional metrics, 402 // rather than being surprised when they are permanently removed in the release after that. 403 ShowHiddenMetricsForVersion string 404 // Logging specifies the options of logging. 405 // Refer [Logs Options](https://github.com/kubernetes/component-base/blob/master/logs/options.go) for more information. 406 Logging logsapi.LoggingConfiguration 407 // EnableSystemLogHandler enables /logs handler. 408 EnableSystemLogHandler bool 409 // EnableSystemLogQuery enables the node log query feature on the /logs endpoint. 410 // EnableSystemLogHandler has to be enabled in addition for this feature to work. 411 // +featureGate=NodeLogQuery 412 // +optional 413 EnableSystemLogQuery bool 414 // ShutdownGracePeriod specifies the total duration that the node should delay the shutdown and total grace period for pod termination during a node shutdown. 415 // Defaults to 0 seconds. 416 // +featureGate=GracefulNodeShutdown 417 // +optional 418 ShutdownGracePeriod metav1.Duration 419 // ShutdownGracePeriodCriticalPods specifies the duration used to terminate critical pods during a node shutdown. This should be less than ShutdownGracePeriod. 420 // Defaults to 0 seconds. 421 // For example, if ShutdownGracePeriod=30s, and ShutdownGracePeriodCriticalPods=10s, during a node shutdown the first 20 seconds would be reserved for gracefully terminating normal pods, and the last 10 seconds would be reserved for terminating critical pods. 422 // +featureGate=GracefulNodeShutdown 423 // +optional 424 ShutdownGracePeriodCriticalPods metav1.Duration 425 // ShutdownGracePeriodByPodPriority specifies the shutdown grace period for Pods based 426 // on their associated priority class value. 427 // When a shutdown request is received, the Kubelet will initiate shutdown on all pods 428 // running on the node with a grace period that depends on the priority of the pod, 429 // and then wait for all pods to exit. 430 // Each entry in the array represents the graceful shutdown time a pod with a priority 431 // class value that lies in the range of that value and the next higher entry in the 432 // list when the node is shutting down. 433 ShutdownGracePeriodByPodPriority []ShutdownGracePeriodByPodPriority 434 // ReservedMemory specifies a comma-separated list of memory reservations for NUMA nodes. 435 // The parameter makes sense only in the context of the memory manager feature. The memory manager will not allocate reserved memory for container workloads. 436 // For example, if you have a NUMA0 with 10Gi of memory and the ReservedMemory was specified to reserve 1Gi of memory at NUMA0, 437 // the memory manager will assume that only 9Gi is available for allocation. 438 // You can specify a different amount of NUMA node and memory types. 439 // You can omit this parameter at all, but you should be aware that the amount of reserved memory from all NUMA nodes 440 // should be equal to the amount of memory specified by the node allocatable features(https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable). 441 // If at least one node allocatable parameter has a non-zero value, you will need to specify at least one NUMA node. 442 // Also, avoid specifying: 443 // 1. Duplicates, the same NUMA node, and memory type, but with a different value. 444 // 2. zero limits for any memory type. 445 // 3. NUMAs nodes IDs that do not exist under the machine. 446 // 4. memory types except for memory and hugepages-<size> 447 ReservedMemory []MemoryReservation 448 // EnableProfiling enables /debug/pprof handler. 449 EnableProfilingHandler bool 450 // EnableDebugFlagsHandler enables/debug/flags/v handler. 451 EnableDebugFlagsHandler bool 452 // SeccompDefault enables the use of `RuntimeDefault` as the default seccomp profile for all workloads. 453 SeccompDefault bool 454 // MemoryThrottlingFactor specifies the factor multiplied by the memory limit or node allocatable memory 455 // when setting the cgroupv2 memory.high value to enforce MemoryQoS. 456 // Decreasing this factor will set lower high limit for container cgroups and put heavier reclaim pressure 457 // while increasing will put less reclaim pressure. 458 // See https://kep.k8s.io/2570 for more details. 459 // Default: 0.9 460 // +featureGate=MemoryQoS 461 // +optional 462 MemoryThrottlingFactor *float64 463 // registerWithTaints are an array of taints to add to a node object when 464 // the kubelet registers itself. This only takes effect when registerNode 465 // is true and upon the initial registration of the node. 466 // +optional 467 RegisterWithTaints []v1.Taint 468 // registerNode enables automatic registration with the apiserver. 469 // +optional 470 RegisterNode bool 471 472 // Tracing specifies the versioned configuration for OpenTelemetry tracing clients. 473 // See https://kep.k8s.io/2832 for more details. 474 // +featureGate=KubeletTracing 475 // +optional 476 Tracing *tracingapi.TracingConfiguration 477 478 // LocalStorageCapacityIsolation enables local ephemeral storage isolation feature. The default setting is true. 479 // This feature allows users to set request/limit for container's ephemeral storage and manage it in a similar way 480 // as cpu and memory. It also allows setting sizeLimit for emptyDir volume, which will trigger pod eviction if disk 481 // usage from the volume exceeds the limit. 482 // This feature depends on the capability of detecting correct root file system disk usage. For certain systems, 483 // such as kind rootless, if this capability cannot be supported, the feature LocalStorageCapacityIsolation should be 484 // disabled. Once disabled, user should not set request/limit for container's ephemeral storage, or sizeLimit for emptyDir. 485 // +optional 486 LocalStorageCapacityIsolation bool 487 488 // ContainerRuntimeEndpoint is the endpoint of container runtime. 489 // unix domain sockets supported on Linux while npipes and tcp endpoints are supported for windows. 490 // Examples:'unix:///path/to/runtime.sock', 'npipe:////./pipe/runtime' 491 ContainerRuntimeEndpoint string 492 493 // ImageServiceEndpoint is the endpoint of container image service. 494 // If not specified the default value is ContainerRuntimeEndpoint 495 // +optional 496 ImageServiceEndpoint string 497 } 498 499 // KubeletAuthorizationMode denotes the authorization mode for the kubelet 500 type KubeletAuthorizationMode string 501 502 const ( 503 // KubeletAuthorizationModeAlwaysAllow authorizes all authenticated requests 504 KubeletAuthorizationModeAlwaysAllow KubeletAuthorizationMode = "AlwaysAllow" 505 // KubeletAuthorizationModeWebhook uses the SubjectAccessReview API to determine authorization 506 KubeletAuthorizationModeWebhook KubeletAuthorizationMode = "Webhook" 507 ) 508 509 // KubeletAuthorization holds the state related to the authorization in the kublet. 510 type KubeletAuthorization struct { 511 // mode is the authorization mode to apply to requests to the kubelet server. 512 // Valid values are AlwaysAllow and Webhook. 513 // Webhook mode uses the SubjectAccessReview API to determine authorization. 514 Mode KubeletAuthorizationMode 515 516 // webhook contains settings related to Webhook authorization. 517 Webhook KubeletWebhookAuthorization 518 } 519 520 // KubeletWebhookAuthorization holds the state related to the Webhook 521 // Authorization in the Kubelet. 522 type KubeletWebhookAuthorization struct { 523 // cacheAuthorizedTTL is the duration to cache 'authorized' responses from the webhook authorizer. 524 CacheAuthorizedTTL metav1.Duration 525 // cacheUnauthorizedTTL is the duration to cache 'unauthorized' responses from the webhook authorizer. 526 CacheUnauthorizedTTL metav1.Duration 527 } 528 529 // KubeletAuthentication holds the Kubetlet Authentication setttings. 530 type KubeletAuthentication struct { 531 // x509 contains settings related to x509 client certificate authentication 532 X509 KubeletX509Authentication 533 // webhook contains settings related to webhook bearer token authentication 534 Webhook KubeletWebhookAuthentication 535 // anonymous contains settings related to anonymous authentication 536 Anonymous KubeletAnonymousAuthentication 537 } 538 539 // KubeletX509Authentication contains settings related to x509 client certificate authentication 540 type KubeletX509Authentication struct { 541 // clientCAFile is the path to a PEM-encoded certificate bundle. If set, any request presenting a client certificate 542 // signed by one of the authorities in the bundle is authenticated with a username corresponding to the CommonName, 543 // and groups corresponding to the Organization in the client certificate. 544 ClientCAFile string 545 } 546 547 // KubeletWebhookAuthentication contains settings related to webhook authentication 548 type KubeletWebhookAuthentication struct { 549 // enabled allows bearer token authentication backed by the tokenreviews.authentication.k8s.io API 550 Enabled bool 551 // cacheTTL enables caching of authentication results 552 CacheTTL metav1.Duration 553 } 554 555 // KubeletAnonymousAuthentication enables anonymous requests to the kubelet server. 556 type KubeletAnonymousAuthentication struct { 557 // enabled allows anonymous requests to the kubelet server. 558 // Requests that are not rejected by another authentication method are treated as anonymous requests. 559 // Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated. 560 Enabled bool 561 } 562 563 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 564 565 // SerializedNodeConfigSource allows us to serialize NodeConfigSource 566 // This type is used internally by the Kubelet for tracking checkpointed dynamic configs. 567 // It exists in the kubeletconfig API group because it is classified as a versioned input to the Kubelet. 568 type SerializedNodeConfigSource struct { 569 metav1.TypeMeta 570 // Source is the source that we are serializing 571 // +optional 572 Source v1.NodeConfigSource 573 } 574 575 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 576 577 // CredentialProviderConfig is the configuration containing information about 578 // each exec credential provider. Kubelet reads this configuration from disk and enables 579 // each provider as specified by the CredentialProvider type. 580 type CredentialProviderConfig struct { 581 metav1.TypeMeta 582 583 // providers is a list of credential provider plugins that will be enabled by the kubelet. 584 // Multiple providers may match against a single image, in which case credentials 585 // from all providers will be returned to the kubelet. If multiple providers are called 586 // for a single image, the results are combined. If providers return overlapping 587 // auth keys, the value from the provider earlier in this list is used. 588 Providers []CredentialProvider 589 } 590 591 // CredentialProvider represents an exec plugin to be invoked by the kubelet. The plugin is only 592 // invoked when an image being pulled matches the images handled by the plugin (see matchImages). 593 type CredentialProvider struct { 594 // name is the required name of the credential provider. It must match the name of the 595 // provider executable as seen by the kubelet. The executable must be in the kubelet's 596 // bin directory (set by the --credential-provider-bin-dir flag). 597 Name string 598 599 // matchImages is a required list of strings used to match against images in order to 600 // determine if this provider should be invoked. If one of the strings matches the 601 // requested image from the kubelet, the plugin will be invoked and given a chance 602 // to provide credentials. Images are expected to contain the registry domain 603 // and URL path. 604 // 605 // Each entry in matchImages is a pattern which can optionally contain a port and a path. 606 // Globs can be used in the domain, but not in the port or the path. Globs are supported 607 // as subdomains like `*.k8s.io` or `k8s.*.io`, and top-level-domains such as `k8s.*`. 608 // Matching partial subdomains like `app*.k8s.io` is also supported. Each glob can only match 609 // a single subdomain segment, so `*.io` does not match *.k8s.io. 610 // 611 // A match exists between an image and a matchImage when all of the below are true: 612 // - Both contain the same number of domain parts and each part matches. 613 // - The URL path of an imageMatch must be a prefix of the target image URL path. 614 // - If the imageMatch contains a port, then the port must match in the image as well. 615 // 616 // Example values of matchImages: 617 // - `123456789.dkr.ecr.us-east-1.amazonaws.com` 618 // - `*.azurecr.io` 619 // - `gcr.io` 620 // - `*.*.registry.io` 621 // - `registry.io:8080/path` 622 MatchImages []string 623 624 // defaultCacheDuration is the default duration the plugin will cache credentials in-memory 625 // if a cache duration is not provided in the plugin response. This field is required. 626 DefaultCacheDuration *metav1.Duration 627 628 // Required input version of the exec CredentialProviderRequest. The returned CredentialProviderResponse 629 // MUST use the same encoding version as the input. Current supported values are: 630 // - credentialprovider.kubelet.k8s.io/v1alpha1 631 // - credentialprovider.kubelet.k8s.io/v1beta1 632 // - credentialprovider.kubelet.k8s.io/v1 633 APIVersion string 634 635 // Arguments to pass to the command when executing it. 636 // +optional 637 Args []string 638 639 // Env defines additional environment variables to expose to the process. These 640 // are unioned with the host's environment, as well as variables client-go uses 641 // to pass argument to the plugin. 642 // +optional 643 Env []ExecEnvVar 644 } 645 646 // ExecEnvVar is used for setting environment variables when executing an exec-based 647 // credential plugin. 648 type ExecEnvVar struct { 649 Name string 650 Value string 651 } 652 653 // MemoryReservation specifies the memory reservation of different types for each NUMA node 654 type MemoryReservation struct { 655 NumaNode int32 656 Limits v1.ResourceList 657 } 658 659 // ShutdownGracePeriodByPodPriority specifies the shutdown grace period for Pods based on their associated priority class value 660 type ShutdownGracePeriodByPodPriority struct { 661 // priority is the priority value associated with the shutdown grace period 662 Priority int32 663 // shutdownGracePeriodSeconds is the shutdown grace period in seconds 664 ShutdownGracePeriodSeconds int64 665 } 666 667 type MemorySwapConfiguration struct { 668 // swapBehavior configures swap memory available to container workloads. May be one of 669 // "", "NoSwap": workloads can not use swap, default option. 670 // "LimitedSwap": workload swap usage is limited. The swap limit is proportionate to the container's memory request. 671 // +featureGate=NodeSwap 672 // +optional 673 SwapBehavior string 674 } 675