mirror of https://github.com/tailscale/tailscale/
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4415 lines
150 KiB
Markdown
4415 lines
150 KiB
Markdown
# API Reference
|
|
|
|
Packages:
|
|
|
|
- [tailscale.com/v1alpha1](#tailscalecomv1alpha1)
|
|
|
|
# tailscale.com/v1alpha1
|
|
|
|
Resource Types:
|
|
|
|
- [Connector](#connector)
|
|
|
|
- [DNSConfig](#dnsconfig)
|
|
|
|
- [ProxyClass](#proxyclass)
|
|
|
|
|
|
|
|
|
|
## Connector
|
|
<sup><sup>[↩ Parent](#tailscalecomv1alpha1 )</sup></sup>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Connector defines a Tailscale node that will be deployed in the cluster. The
|
|
node can be configured to act as a Tailscale subnet router and/or a Tailscale
|
|
exit node.
|
|
Connector is a cluster-scoped resource.
|
|
More info:
|
|
https://tailscale.com/kb/1236/kubernetes-operator#deploying-exit-nodes-and-subnet-routers-on-kubernetes-using-connector-custom-resource
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>apiVersion</b></td>
|
|
<td>string</td>
|
|
<td>tailscale.com/v1alpha1</td>
|
|
<td>true</td>
|
|
</tr>
|
|
<tr>
|
|
<td><b>kind</b></td>
|
|
<td>string</td>
|
|
<td>Connector</td>
|
|
<td>true</td>
|
|
</tr>
|
|
<tr>
|
|
<td><b><a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#objectmeta-v1-meta">metadata</a></b></td>
|
|
<td>object</td>
|
|
<td>Refer to the Kubernetes API documentation for the fields of the `metadata` field.</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b><a href="#connectorspec">spec</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
ConnectorSpec describes the desired Tailscale component.
|
|
More info:
|
|
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status<br/>
|
|
<br/>
|
|
<i>Validations</i>:<li>has(self.subnetRouter) || self.exitNode == true: A Connector needs to be either an exit node or a subnet router, or both.</li>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b><a href="#connectorstatus">status</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
ConnectorStatus describes the status of the Connector. This is set
|
|
and managed by the Tailscale operator.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### Connector.spec
|
|
<sup><sup>[↩ Parent](#connector)</sup></sup>
|
|
|
|
|
|
|
|
ConnectorSpec describes the desired Tailscale component.
|
|
More info:
|
|
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>exitNode</b></td>
|
|
<td>boolean</td>
|
|
<td>
|
|
ExitNode defines whether the Connector node should act as a
|
|
Tailscale exit node. Defaults to false.
|
|
https://tailscale.com/kb/1103/exit-nodes<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>hostname</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Hostname is the tailnet hostname that should be assigned to the
|
|
Connector node. If unset, hostname defaults to <connector
|
|
name>-connector. Hostname can contain lower case letters, numbers and
|
|
dashes, it must not start or end with a dash and must be between 2
|
|
and 63 characters long.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>proxyClass</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
ProxyClass is the name of the ProxyClass custom resource that
|
|
contains configuration options that should be applied to the
|
|
resources created for this Connector. If unset, the operator will
|
|
create resources with the default configuration.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#connectorspecsubnetrouter">subnetRouter</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
SubnetRouter defines subnet routes that the Connector node should
|
|
expose to tailnet. If unset, none are exposed.
|
|
https://tailscale.com/kb/1019/subnets/<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>tags</b></td>
|
|
<td>[]string</td>
|
|
<td>
|
|
Tags that the Tailscale node will be tagged with.
|
|
Defaults to [tag:k8s].
|
|
To autoapprove the subnet routes or exit node defined by a Connector,
|
|
you can configure Tailscale ACLs to give these tags the necessary
|
|
permissions.
|
|
See https://tailscale.com/kb/1018/acls/#auto-approvers-for-routes-and-exit-nodes.
|
|
If you specify custom tags here, you must also make the operator an owner of these tags.
|
|
See https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator.
|
|
Tags cannot be changed once a Connector node has been created.
|
|
Tag values must be in form ^tag:[a-zA-Z][a-zA-Z0-9-]*$.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### Connector.spec.subnetRouter
|
|
<sup><sup>[↩ Parent](#connectorspec)</sup></sup>
|
|
|
|
|
|
|
|
SubnetRouter defines subnet routes that the Connector node should
|
|
expose to tailnet. If unset, none are exposed.
|
|
https://tailscale.com/kb/1019/subnets/
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>advertiseRoutes</b></td>
|
|
<td>[]string</td>
|
|
<td>
|
|
AdvertiseRoutes refer to CIDRs that the subnet router should make
|
|
available. Route values must be strings that represent a valid IPv4
|
|
or IPv6 CIDR range. Values can be Tailscale 4via6 subnet routes.
|
|
https://tailscale.com/kb/1201/4via6-subnets/<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### Connector.status
|
|
<sup><sup>[↩ Parent](#connector)</sup></sup>
|
|
|
|
|
|
|
|
ConnectorStatus describes the status of the Connector. This is set
|
|
and managed by the Tailscale operator.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b><a href="#connectorstatusconditionsindex">conditions</a></b></td>
|
|
<td>[]object</td>
|
|
<td>
|
|
List of status conditions to indicate the status of the Connector.
|
|
Known condition types are `ConnectorReady`.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>hostname</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Hostname is the fully qualified domain name of the Connector node.
|
|
If MagicDNS is enabled in your tailnet, it is the MagicDNS name of the
|
|
node.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>isExitNode</b></td>
|
|
<td>boolean</td>
|
|
<td>
|
|
IsExitNode is set to true if the Connector acts as an exit node.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>subnetRoutes</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
SubnetRoutes are the routes currently exposed to tailnet via this
|
|
Connector instance.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>tailnetIPs</b></td>
|
|
<td>[]string</td>
|
|
<td>
|
|
TailnetIPs is the set of tailnet IP addresses (both IPv4 and IPv6)
|
|
assigned to the Connector node.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### Connector.status.conditions[index]
|
|
<sup><sup>[↩ Parent](#connectorstatus)</sup></sup>
|
|
|
|
|
|
|
|
Condition contains details for one aspect of the current state of this API Resource.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>lastTransitionTime</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
lastTransitionTime is the last time the condition transitioned from one status to another.
|
|
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.<br/>
|
|
<br/>
|
|
<i>Format</i>: date-time<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>message</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
message is a human readable message indicating details about the transition.
|
|
This may be an empty string.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>reason</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
reason contains a programmatic identifier indicating the reason for the condition's last transition.
|
|
Producers of specific condition types may define expected values and meanings for this field,
|
|
and whether the values are considered a guaranteed API.
|
|
The value should be a CamelCase string.
|
|
This field may not be empty.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>status</b></td>
|
|
<td>enum</td>
|
|
<td>
|
|
status of the condition, one of True, False, Unknown.<br/>
|
|
<br/>
|
|
<i>Enum</i>: True, False, Unknown<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>type</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
type of condition in CamelCase or in foo.example.com/CamelCase.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>observedGeneration</b></td>
|
|
<td>integer</td>
|
|
<td>
|
|
observedGeneration represents the .metadata.generation that the condition was set based upon.
|
|
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
|
|
with respect to the current state of the instance.<br/>
|
|
<br/>
|
|
<i>Format</i>: int64<br/>
|
|
<i>Minimum</i>: 0<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
## DNSConfig
|
|
<sup><sup>[↩ Parent](#tailscalecomv1alpha1 )</sup></sup>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
DNSConfig can be deployed to cluster to make a subset of Tailscale MagicDNS
|
|
names resolvable by cluster workloads. Use this if: A) you need to refer to
|
|
tailnet services, exposed to cluster via Tailscale Kubernetes operator egress
|
|
proxies by the MagicDNS names of those tailnet services (usually because the
|
|
services run over HTTPS)
|
|
B) you have exposed a cluster workload to the tailnet using Tailscale Ingress
|
|
and you also want to refer to the workload from within the cluster over the
|
|
Ingress's MagicDNS name (usually because you have some callback component
|
|
that needs to use the same URL as that used by a non-cluster client on
|
|
tailnet).
|
|
When a DNSConfig is applied to a cluster, Tailscale Kubernetes operator will
|
|
deploy a nameserver for ts.net DNS names and automatically populate it with records
|
|
for any Tailscale egress or Ingress proxies deployed to that cluster.
|
|
Currently you must manually update your cluster DNS configuration to add the
|
|
IP address of the deployed nameserver as a ts.net stub nameserver.
|
|
Instructions for how to do it:
|
|
https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configuration-of-stub-domain-and-upstream-nameserver-using-coredns (for CoreDNS),
|
|
https://cloud.google.com/kubernetes-engine/docs/how-to/kube-dns (for kube-dns).
|
|
Tailscale Kubernetes operator will write the address of a Service fronting
|
|
the nameserver to dsnconfig.status.nameserver.ip.
|
|
DNSConfig is a singleton - you must not create more than one.
|
|
NB: if you want cluster workloads to be able to refer to Tailscale Ingress
|
|
using its MagicDNS name, you must also annotate the Ingress resource with
|
|
tailscale.com/experimental-forward-cluster-traffic-via-ingress annotation to
|
|
ensure that the proxy created for the Ingress listens on its Pod IP address.
|
|
NB: Clusters where Pods get assigned IPv6 addresses only are currently not supported.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>apiVersion</b></td>
|
|
<td>string</td>
|
|
<td>tailscale.com/v1alpha1</td>
|
|
<td>true</td>
|
|
</tr>
|
|
<tr>
|
|
<td><b>kind</b></td>
|
|
<td>string</td>
|
|
<td>DNSConfig</td>
|
|
<td>true</td>
|
|
</tr>
|
|
<tr>
|
|
<td><b><a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#objectmeta-v1-meta">metadata</a></b></td>
|
|
<td>object</td>
|
|
<td>Refer to the Kubernetes API documentation for the fields of the `metadata` field.</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b><a href="#dnsconfigspec">spec</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
Spec describes the desired DNS configuration.
|
|
More info:
|
|
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b><a href="#dnsconfigstatus">status</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
Status describes the status of the DNSConfig. This is set
|
|
and managed by the Tailscale operator.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### DNSConfig.spec
|
|
<sup><sup>[↩ Parent](#dnsconfig)</sup></sup>
|
|
|
|
|
|
|
|
Spec describes the desired DNS configuration.
|
|
More info:
|
|
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b><a href="#dnsconfigspecnameserver">nameserver</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
Configuration for a nameserver that can resolve ts.net DNS names
|
|
associated with in-cluster proxies for Tailscale egress Services and
|
|
Tailscale Ingresses. The operator will always deploy this nameserver
|
|
when a DNSConfig is applied.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### DNSConfig.spec.nameserver
|
|
<sup><sup>[↩ Parent](#dnsconfigspec)</sup></sup>
|
|
|
|
|
|
|
|
Configuration for a nameserver that can resolve ts.net DNS names
|
|
associated with in-cluster proxies for Tailscale egress Services and
|
|
Tailscale Ingresses. The operator will always deploy this nameserver
|
|
when a DNSConfig is applied.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b><a href="#dnsconfigspecnameserverimage">image</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
Nameserver image.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### DNSConfig.spec.nameserver.image
|
|
<sup><sup>[↩ Parent](#dnsconfigspecnameserver)</sup></sup>
|
|
|
|
|
|
|
|
Nameserver image.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>repo</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Repo defaults to tailscale/k8s-nameserver.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>tag</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Tag defaults to operator's own tag.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### DNSConfig.status
|
|
<sup><sup>[↩ Parent](#dnsconfig)</sup></sup>
|
|
|
|
|
|
|
|
Status describes the status of the DNSConfig. This is set
|
|
and managed by the Tailscale operator.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b><a href="#dnsconfigstatusconditionsindex">conditions</a></b></td>
|
|
<td>[]object</td>
|
|
<td>
|
|
<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#dnsconfigstatusnameserver">nameserver</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
Nameserver describes the status of nameserver cluster resources.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### DNSConfig.status.conditions[index]
|
|
<sup><sup>[↩ Parent](#dnsconfigstatus)</sup></sup>
|
|
|
|
|
|
|
|
Condition contains details for one aspect of the current state of this API Resource.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>lastTransitionTime</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
lastTransitionTime is the last time the condition transitioned from one status to another.
|
|
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.<br/>
|
|
<br/>
|
|
<i>Format</i>: date-time<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>message</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
message is a human readable message indicating details about the transition.
|
|
This may be an empty string.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>reason</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
reason contains a programmatic identifier indicating the reason for the condition's last transition.
|
|
Producers of specific condition types may define expected values and meanings for this field,
|
|
and whether the values are considered a guaranteed API.
|
|
The value should be a CamelCase string.
|
|
This field may not be empty.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>status</b></td>
|
|
<td>enum</td>
|
|
<td>
|
|
status of the condition, one of True, False, Unknown.<br/>
|
|
<br/>
|
|
<i>Enum</i>: True, False, Unknown<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>type</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
type of condition in CamelCase or in foo.example.com/CamelCase.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>observedGeneration</b></td>
|
|
<td>integer</td>
|
|
<td>
|
|
observedGeneration represents the .metadata.generation that the condition was set based upon.
|
|
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
|
|
with respect to the current state of the instance.<br/>
|
|
<br/>
|
|
<i>Format</i>: int64<br/>
|
|
<i>Minimum</i>: 0<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### DNSConfig.status.nameserver
|
|
<sup><sup>[↩ Parent](#dnsconfigstatus)</sup></sup>
|
|
|
|
|
|
|
|
Nameserver describes the status of nameserver cluster resources.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>ip</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
IP is the ClusterIP of the Service fronting the deployed ts.net nameserver.
|
|
Currently you must manually update your cluster DNS config to add
|
|
this address as a stub nameserver for ts.net for cluster workloads to be
|
|
able to resolve MagicDNS names associated with egress or Ingress
|
|
proxies.
|
|
The IP address will change if you delete and recreate the DNSConfig.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
## ProxyClass
|
|
<sup><sup>[↩ Parent](#tailscalecomv1alpha1 )</sup></sup>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ProxyClass describes a set of configuration parameters that can be applied to
|
|
proxy resources created by the Tailscale Kubernetes operator.
|
|
To apply a given ProxyClass to resources created for a tailscale Ingress or
|
|
Service, use tailscale.com/proxy-class=<proxyclass-name> label. To apply a
|
|
given ProxyClass to resources created for a Connector, use
|
|
connector.spec.proxyClass field.
|
|
ProxyClass is a cluster scoped resource.
|
|
More info:
|
|
https://tailscale.com/kb/1236/kubernetes-operator#cluster-resource-customization-using-proxyclass-custom-resource.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>apiVersion</b></td>
|
|
<td>string</td>
|
|
<td>tailscale.com/v1alpha1</td>
|
|
<td>true</td>
|
|
</tr>
|
|
<tr>
|
|
<td><b>kind</b></td>
|
|
<td>string</td>
|
|
<td>ProxyClass</td>
|
|
<td>true</td>
|
|
</tr>
|
|
<tr>
|
|
<td><b><a href="https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#objectmeta-v1-meta">metadata</a></b></td>
|
|
<td>object</td>
|
|
<td>Refer to the Kubernetes API documentation for the fields of the `metadata` field.</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspec">spec</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
Specification of the desired state of the ProxyClass resource.
|
|
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassstatus">status</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
Status of the ProxyClass. This is set and managed automatically.
|
|
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec
|
|
<sup><sup>[↩ Parent](#proxyclass)</sup></sup>
|
|
|
|
|
|
|
|
Specification of the desired state of the ProxyClass resource.
|
|
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b><a href="#proxyclassspecmetrics">metrics</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
Configuration for proxy metrics. Metrics are currently not supported
|
|
for egress proxies and for Ingress proxies that have been configured
|
|
with tailscale.com/experimental-forward-cluster-traffic-via-ingress
|
|
annotation. Note that the metrics are currently considered unstable
|
|
and will likely change in breaking ways in the future - we only
|
|
recommend that you use those for debugging purposes.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulset">statefulSet</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
Configuration parameters for the proxy's StatefulSet. Tailscale
|
|
Kubernetes operator deploys a StatefulSet for each of the user
|
|
configured proxies (Tailscale Ingress, Tailscale Service, Connector).<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspectailscale">tailscale</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
TailscaleConfig contains options to configure the tailscale-specific
|
|
parameters of proxies.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.metrics
|
|
<sup><sup>[↩ Parent](#proxyclassspec)</sup></sup>
|
|
|
|
|
|
|
|
Configuration for proxy metrics. Metrics are currently not supported
|
|
for egress proxies and for Ingress proxies that have been configured
|
|
with tailscale.com/experimental-forward-cluster-traffic-via-ingress
|
|
annotation. Note that the metrics are currently considered unstable
|
|
and will likely change in breaking ways in the future - we only
|
|
recommend that you use those for debugging purposes.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>enable</b></td>
|
|
<td>boolean</td>
|
|
<td>
|
|
Setting enable to true will make the proxy serve Tailscale metrics
|
|
at <pod-ip>:9001/debug/metrics.
|
|
Defaults to false.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet
|
|
<sup><sup>[↩ Parent](#proxyclassspec)</sup></sup>
|
|
|
|
|
|
|
|
Configuration parameters for the proxy's StatefulSet. Tailscale
|
|
Kubernetes operator deploys a StatefulSet for each of the user
|
|
configured proxies (Tailscale Ingress, Tailscale Service, Connector).
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>annotations</b></td>
|
|
<td>map[string]string</td>
|
|
<td>
|
|
Annotations that will be added to the StatefulSet created for the proxy.
|
|
Any Annotations specified here will be merged with the default annotations
|
|
applied to the StatefulSet by the Tailscale Kubernetes operator as
|
|
well as any other annotations that might have been applied by other
|
|
actors.
|
|
Annotations must be valid Kubernetes annotations.
|
|
https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>labels</b></td>
|
|
<td>map[string]string</td>
|
|
<td>
|
|
Labels that will be added to the StatefulSet created for the proxy.
|
|
Any labels specified here will be merged with the default labels
|
|
applied to the StatefulSet by the Tailscale Kubernetes operator as
|
|
well as any other labels that might have been applied by other
|
|
actors.
|
|
Label keys and values must be valid Kubernetes label keys and values.
|
|
https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpod">pod</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
Configuration for the proxy Pod.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulset)</sup></sup>
|
|
|
|
|
|
|
|
Configuration for the proxy Pod.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinity">affinity</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
Proxy Pod's affinity rules.
|
|
By default, the Tailscale Kubernetes operator does not apply any affinity rules.
|
|
https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#affinity<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>annotations</b></td>
|
|
<td>map[string]string</td>
|
|
<td>
|
|
Annotations that will be added to the proxy Pod.
|
|
Any annotations specified here will be merged with the default
|
|
annotations applied to the Pod by the Tailscale Kubernetes operator.
|
|
Annotations must be valid Kubernetes annotations.
|
|
https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/#syntax-and-character-set<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodimagepullsecretsindex">imagePullSecrets</a></b></td>
|
|
<td>[]object</td>
|
|
<td>
|
|
Proxy Pod's image pull Secrets.
|
|
https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#PodSpec<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>labels</b></td>
|
|
<td>map[string]string</td>
|
|
<td>
|
|
Labels that will be added to the proxy Pod.
|
|
Any labels specified here will be merged with the default labels
|
|
applied to the Pod by the Tailscale Kubernetes operator.
|
|
Label keys and values must be valid Kubernetes label keys and values.
|
|
https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>nodeName</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Proxy Pod's node name.
|
|
https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>nodeSelector</b></td>
|
|
<td>map[string]string</td>
|
|
<td>
|
|
Proxy Pod's node selector.
|
|
By default Tailscale Kubernetes operator does not apply any node
|
|
selector.
|
|
https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodsecuritycontext">securityContext</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
Proxy Pod's security context.
|
|
By default Tailscale Kubernetes operator does not apply any Pod
|
|
security context.
|
|
https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-2<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodtailscalecontainer">tailscaleContainer</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
Configuration for the proxy container running tailscale.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodtailscaleinitcontainer">tailscaleInitContainer</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
Configuration for the proxy init container that enables forwarding.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodtolerationsindex">tolerations</a></b></td>
|
|
<td>[]object</td>
|
|
<td>
|
|
Proxy Pod's tolerations.
|
|
By default Tailscale Kubernetes operator does not apply any
|
|
tolerations.
|
|
https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpod)</sup></sup>
|
|
|
|
|
|
|
|
Proxy Pod's affinity rules.
|
|
By default, the Tailscale Kubernetes operator does not apply any affinity rules.
|
|
https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#affinity
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitynodeaffinity">nodeAffinity</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
Describes node affinity scheduling rules for the pod.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitypodaffinity">podAffinity</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitypodantiaffinity">podAntiAffinity</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.nodeAffinity
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinity)</sup></sup>
|
|
|
|
|
|
|
|
Describes node affinity scheduling rules for the pod.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitynodeaffinitypreferredduringschedulingignoredduringexecutionindex">preferredDuringSchedulingIgnoredDuringExecution</a></b></td>
|
|
<td>[]object</td>
|
|
<td>
|
|
The scheduler will prefer to schedule pods to nodes that satisfy
|
|
the affinity expressions specified by this field, but it may choose
|
|
a node that violates one or more of the expressions. The node that is
|
|
most preferred is the one with the greatest sum of weights, i.e.
|
|
for each node that meets all of the scheduling requirements (resource
|
|
request, requiredDuringScheduling affinity expressions, etc.),
|
|
compute a sum by iterating through the elements of this field and adding
|
|
"weight" to the sum if the node matches the corresponding matchExpressions; the
|
|
node(s) with the highest sum are the most preferred.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitynodeaffinityrequiredduringschedulingignoredduringexecution">requiredDuringSchedulingIgnoredDuringExecution</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
If the affinity requirements specified by this field are not met at
|
|
scheduling time, the pod will not be scheduled onto the node.
|
|
If the affinity requirements specified by this field cease to be met
|
|
at some point during pod execution (e.g. due to an update), the system
|
|
may or may not try to eventually evict the pod from its node.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.nodeAffinity.preferredDuringSchedulingIgnoredDuringExecution[index]
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinitynodeaffinity)</sup></sup>
|
|
|
|
|
|
|
|
An empty preferred scheduling term matches all objects with implicit weight 0
|
|
(i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitynodeaffinitypreferredduringschedulingignoredduringexecutionindexpreference">preference</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
A node selector term, associated with the corresponding weight.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>weight</b></td>
|
|
<td>integer</td>
|
|
<td>
|
|
Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.<br/>
|
|
<br/>
|
|
<i>Format</i>: int32<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.nodeAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].preference
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinitynodeaffinitypreferredduringschedulingignoredduringexecutionindex)</sup></sup>
|
|
|
|
|
|
|
|
A node selector term, associated with the corresponding weight.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitynodeaffinitypreferredduringschedulingignoredduringexecutionindexpreferencematchexpressionsindex">matchExpressions</a></b></td>
|
|
<td>[]object</td>
|
|
<td>
|
|
A list of node selector requirements by node's labels.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitynodeaffinitypreferredduringschedulingignoredduringexecutionindexpreferencematchfieldsindex">matchFields</a></b></td>
|
|
<td>[]object</td>
|
|
<td>
|
|
A list of node selector requirements by node's fields.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.nodeAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].preference.matchExpressions[index]
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinitynodeaffinitypreferredduringschedulingignoredduringexecutionindexpreference)</sup></sup>
|
|
|
|
|
|
|
|
A node selector requirement is a selector that contains values, a key, and an operator
|
|
that relates the key and values.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>key</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
The label key that the selector applies to.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>operator</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>values</b></td>
|
|
<td>[]string</td>
|
|
<td>
|
|
An array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. If the operator is Gt or Lt, the values
|
|
array must have a single element, which will be interpreted as an integer.
|
|
This array is replaced during a strategic merge patch.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.nodeAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].preference.matchFields[index]
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinitynodeaffinitypreferredduringschedulingignoredduringexecutionindexpreference)</sup></sup>
|
|
|
|
|
|
|
|
A node selector requirement is a selector that contains values, a key, and an operator
|
|
that relates the key and values.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>key</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
The label key that the selector applies to.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>operator</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>values</b></td>
|
|
<td>[]string</td>
|
|
<td>
|
|
An array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. If the operator is Gt or Lt, the values
|
|
array must have a single element, which will be interpreted as an integer.
|
|
This array is replaced during a strategic merge patch.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinitynodeaffinity)</sup></sup>
|
|
|
|
|
|
|
|
If the affinity requirements specified by this field are not met at
|
|
scheduling time, the pod will not be scheduled onto the node.
|
|
If the affinity requirements specified by this field cease to be met
|
|
at some point during pod execution (e.g. due to an update), the system
|
|
may or may not try to eventually evict the pod from its node.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitynodeaffinityrequiredduringschedulingignoredduringexecutionnodeselectortermsindex">nodeSelectorTerms</a></b></td>
|
|
<td>[]object</td>
|
|
<td>
|
|
Required. A list of node selector terms. The terms are ORed.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[index]
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinitynodeaffinityrequiredduringschedulingignoredduringexecution)</sup></sup>
|
|
|
|
|
|
|
|
A null or empty node selector term matches no objects. The requirements of
|
|
them are ANDed.
|
|
The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitynodeaffinityrequiredduringschedulingignoredduringexecutionnodeselectortermsindexmatchexpressionsindex">matchExpressions</a></b></td>
|
|
<td>[]object</td>
|
|
<td>
|
|
A list of node selector requirements by node's labels.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitynodeaffinityrequiredduringschedulingignoredduringexecutionnodeselectortermsindexmatchfieldsindex">matchFields</a></b></td>
|
|
<td>[]object</td>
|
|
<td>
|
|
A list of node selector requirements by node's fields.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[index].matchExpressions[index]
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinitynodeaffinityrequiredduringschedulingignoredduringexecutionnodeselectortermsindex)</sup></sup>
|
|
|
|
|
|
|
|
A node selector requirement is a selector that contains values, a key, and an operator
|
|
that relates the key and values.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>key</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
The label key that the selector applies to.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>operator</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>values</b></td>
|
|
<td>[]string</td>
|
|
<td>
|
|
An array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. If the operator is Gt or Lt, the values
|
|
array must have a single element, which will be interpreted as an integer.
|
|
This array is replaced during a strategic merge patch.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.nodeAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms[index].matchFields[index]
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinitynodeaffinityrequiredduringschedulingignoredduringexecutionnodeselectortermsindex)</sup></sup>
|
|
|
|
|
|
|
|
A node selector requirement is a selector that contains values, a key, and an operator
|
|
that relates the key and values.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>key</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
The label key that the selector applies to.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>operator</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>values</b></td>
|
|
<td>[]string</td>
|
|
<td>
|
|
An array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. If the operator is Gt or Lt, the values
|
|
array must have a single element, which will be interpreted as an integer.
|
|
This array is replaced during a strategic merge patch.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.podAffinity
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinity)</sup></sup>
|
|
|
|
|
|
|
|
Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitypodaffinitypreferredduringschedulingignoredduringexecutionindex">preferredDuringSchedulingIgnoredDuringExecution</a></b></td>
|
|
<td>[]object</td>
|
|
<td>
|
|
The scheduler will prefer to schedule pods to nodes that satisfy
|
|
the affinity expressions specified by this field, but it may choose
|
|
a node that violates one or more of the expressions. The node that is
|
|
most preferred is the one with the greatest sum of weights, i.e.
|
|
for each node that meets all of the scheduling requirements (resource
|
|
request, requiredDuringScheduling affinity expressions, etc.),
|
|
compute a sum by iterating through the elements of this field and adding
|
|
"weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
|
|
node(s) with the highest sum are the most preferred.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitypodaffinityrequiredduringschedulingignoredduringexecutionindex">requiredDuringSchedulingIgnoredDuringExecution</a></b></td>
|
|
<td>[]object</td>
|
|
<td>
|
|
If the affinity requirements specified by this field are not met at
|
|
scheduling time, the pod will not be scheduled onto the node.
|
|
If the affinity requirements specified by this field cease to be met
|
|
at some point during pod execution (e.g. due to a pod label update), the
|
|
system may or may not try to eventually evict the pod from its node.
|
|
When there are multiple elements, the lists of nodes corresponding to each
|
|
podAffinityTerm are intersected, i.e. all terms must be satisfied.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.podAffinity.preferredDuringSchedulingIgnoredDuringExecution[index]
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinitypodaffinity)</sup></sup>
|
|
|
|
|
|
|
|
The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitypodaffinitypreferredduringschedulingignoredduringexecutionindexpodaffinityterm">podAffinityTerm</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
Required. A pod affinity term, associated with the corresponding weight.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>weight</b></td>
|
|
<td>integer</td>
|
|
<td>
|
|
weight associated with matching the corresponding podAffinityTerm,
|
|
in the range 1-100.<br/>
|
|
<br/>
|
|
<i>Format</i>: int32<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.podAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinitypodaffinitypreferredduringschedulingignoredduringexecutionindex)</sup></sup>
|
|
|
|
|
|
|
|
Required. A pod affinity term, associated with the corresponding weight.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>topologyKey</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
|
|
the labelSelector in the specified namespaces, where co-located is defined as running on a node
|
|
whose value of the label with key topologyKey matches that of any node on which any of the
|
|
selected pods is running.
|
|
Empty topologyKey is not allowed.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitypodaffinitypreferredduringschedulingignoredduringexecutionindexpodaffinitytermlabelselector">labelSelector</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
A label query over a set of resources, in this case pods.
|
|
If it's null, this PodAffinityTerm matches with no Pods.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>matchLabelKeys</b></td>
|
|
<td>[]string</td>
|
|
<td>
|
|
MatchLabelKeys is a set of pod label keys to select which pods will
|
|
be taken into consideration. The keys are used to lookup values from the
|
|
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
|
|
to select the group of existing pods which pods will be taken into consideration
|
|
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
|
|
pod labels will be ignored. The default value is empty.
|
|
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
|
|
Also, matchLabelKeys cannot be set when labelSelector isn't set.
|
|
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>mismatchLabelKeys</b></td>
|
|
<td>[]string</td>
|
|
<td>
|
|
MismatchLabelKeys is a set of pod label keys to select which pods will
|
|
be taken into consideration. The keys are used to lookup values from the
|
|
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
|
|
to select the group of existing pods which pods will be taken into consideration
|
|
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
|
|
pod labels will be ignored. The default value is empty.
|
|
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
|
|
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
|
|
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitypodaffinitypreferredduringschedulingignoredduringexecutionindexpodaffinitytermnamespaceselector">namespaceSelector</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
A label query over the set of namespaces that the term applies to.
|
|
The term is applied to the union of the namespaces selected by this field
|
|
and the ones listed in the namespaces field.
|
|
null selector and null or empty namespaces list means "this pod's namespace".
|
|
An empty selector ({}) matches all namespaces.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>namespaces</b></td>
|
|
<td>[]string</td>
|
|
<td>
|
|
namespaces specifies a static list of namespace names that the term applies to.
|
|
The term is applied to the union of the namespaces listed in this field
|
|
and the ones selected by namespaceSelector.
|
|
null or empty namespaces list and null namespaceSelector means "this pod's namespace".<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.podAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.labelSelector
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinitypodaffinitypreferredduringschedulingignoredduringexecutionindexpodaffinityterm)</sup></sup>
|
|
|
|
|
|
|
|
A label query over a set of resources, in this case pods.
|
|
If it's null, this PodAffinityTerm matches with no Pods.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitypodaffinitypreferredduringschedulingignoredduringexecutionindexpodaffinitytermlabelselectormatchexpressionsindex">matchExpressions</a></b></td>
|
|
<td>[]object</td>
|
|
<td>
|
|
matchExpressions is a list of label selector requirements. The requirements are ANDed.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>matchLabels</b></td>
|
|
<td>map[string]string</td>
|
|
<td>
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.podAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.labelSelector.matchExpressions[index]
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinitypodaffinitypreferredduringschedulingignoredduringexecutionindexpodaffinitytermlabelselector)</sup></sup>
|
|
|
|
|
|
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>key</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
key is the label key that the selector applies to.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>operator</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>values</b></td>
|
|
<td>[]string</td>
|
|
<td>
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.podAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.namespaceSelector
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinitypodaffinitypreferredduringschedulingignoredduringexecutionindexpodaffinityterm)</sup></sup>
|
|
|
|
|
|
|
|
A label query over the set of namespaces that the term applies to.
|
|
The term is applied to the union of the namespaces selected by this field
|
|
and the ones listed in the namespaces field.
|
|
null selector and null or empty namespaces list means "this pod's namespace".
|
|
An empty selector ({}) matches all namespaces.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitypodaffinitypreferredduringschedulingignoredduringexecutionindexpodaffinitytermnamespaceselectormatchexpressionsindex">matchExpressions</a></b></td>
|
|
<td>[]object</td>
|
|
<td>
|
|
matchExpressions is a list of label selector requirements. The requirements are ANDed.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>matchLabels</b></td>
|
|
<td>map[string]string</td>
|
|
<td>
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.podAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.namespaceSelector.matchExpressions[index]
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinitypodaffinitypreferredduringschedulingignoredduringexecutionindexpodaffinitytermnamespaceselector)</sup></sup>
|
|
|
|
|
|
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>key</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
key is the label key that the selector applies to.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>operator</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>values</b></td>
|
|
<td>[]string</td>
|
|
<td>
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[index]
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinitypodaffinity)</sup></sup>
|
|
|
|
|
|
|
|
Defines a set of pods (namely those matching the labelSelector
|
|
relative to the given namespace(s)) that this pod should be
|
|
co-located (affinity) or not co-located (anti-affinity) with,
|
|
where co-located is defined as running on a node whose value of
|
|
the label with key <topologyKey> matches that of any node on which
|
|
a pod of the set of pods is running
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>topologyKey</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
|
|
the labelSelector in the specified namespaces, where co-located is defined as running on a node
|
|
whose value of the label with key topologyKey matches that of any node on which any of the
|
|
selected pods is running.
|
|
Empty topologyKey is not allowed.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitypodaffinityrequiredduringschedulingignoredduringexecutionindexlabelselector">labelSelector</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
A label query over a set of resources, in this case pods.
|
|
If it's null, this PodAffinityTerm matches with no Pods.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>matchLabelKeys</b></td>
|
|
<td>[]string</td>
|
|
<td>
|
|
MatchLabelKeys is a set of pod label keys to select which pods will
|
|
be taken into consideration. The keys are used to lookup values from the
|
|
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
|
|
to select the group of existing pods which pods will be taken into consideration
|
|
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
|
|
pod labels will be ignored. The default value is empty.
|
|
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
|
|
Also, matchLabelKeys cannot be set when labelSelector isn't set.
|
|
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>mismatchLabelKeys</b></td>
|
|
<td>[]string</td>
|
|
<td>
|
|
MismatchLabelKeys is a set of pod label keys to select which pods will
|
|
be taken into consideration. The keys are used to lookup values from the
|
|
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
|
|
to select the group of existing pods which pods will be taken into consideration
|
|
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
|
|
pod labels will be ignored. The default value is empty.
|
|
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
|
|
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
|
|
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitypodaffinityrequiredduringschedulingignoredduringexecutionindexnamespaceselector">namespaceSelector</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
A label query over the set of namespaces that the term applies to.
|
|
The term is applied to the union of the namespaces selected by this field
|
|
and the ones listed in the namespaces field.
|
|
null selector and null or empty namespaces list means "this pod's namespace".
|
|
An empty selector ({}) matches all namespaces.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>namespaces</b></td>
|
|
<td>[]string</td>
|
|
<td>
|
|
namespaces specifies a static list of namespace names that the term applies to.
|
|
The term is applied to the union of the namespaces listed in this field
|
|
and the ones selected by namespaceSelector.
|
|
null or empty namespaces list and null namespaceSelector means "this pod's namespace".<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].labelSelector
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinitypodaffinityrequiredduringschedulingignoredduringexecutionindex)</sup></sup>
|
|
|
|
|
|
|
|
A label query over a set of resources, in this case pods.
|
|
If it's null, this PodAffinityTerm matches with no Pods.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitypodaffinityrequiredduringschedulingignoredduringexecutionindexlabelselectormatchexpressionsindex">matchExpressions</a></b></td>
|
|
<td>[]object</td>
|
|
<td>
|
|
matchExpressions is a list of label selector requirements. The requirements are ANDed.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>matchLabels</b></td>
|
|
<td>map[string]string</td>
|
|
<td>
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].labelSelector.matchExpressions[index]
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinitypodaffinityrequiredduringschedulingignoredduringexecutionindexlabelselector)</sup></sup>
|
|
|
|
|
|
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>key</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
key is the label key that the selector applies to.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>operator</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>values</b></td>
|
|
<td>[]string</td>
|
|
<td>
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].namespaceSelector
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinitypodaffinityrequiredduringschedulingignoredduringexecutionindex)</sup></sup>
|
|
|
|
|
|
|
|
A label query over the set of namespaces that the term applies to.
|
|
The term is applied to the union of the namespaces selected by this field
|
|
and the ones listed in the namespaces field.
|
|
null selector and null or empty namespaces list means "this pod's namespace".
|
|
An empty selector ({}) matches all namespaces.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitypodaffinityrequiredduringschedulingignoredduringexecutionindexnamespaceselectormatchexpressionsindex">matchExpressions</a></b></td>
|
|
<td>[]object</td>
|
|
<td>
|
|
matchExpressions is a list of label selector requirements. The requirements are ANDed.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>matchLabels</b></td>
|
|
<td>map[string]string</td>
|
|
<td>
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].namespaceSelector.matchExpressions[index]
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinitypodaffinityrequiredduringschedulingignoredduringexecutionindexnamespaceselector)</sup></sup>
|
|
|
|
|
|
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>key</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
key is the label key that the selector applies to.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>operator</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>values</b></td>
|
|
<td>[]string</td>
|
|
<td>
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.podAntiAffinity
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinity)</sup></sup>
|
|
|
|
|
|
|
|
Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitypodantiaffinitypreferredduringschedulingignoredduringexecutionindex">preferredDuringSchedulingIgnoredDuringExecution</a></b></td>
|
|
<td>[]object</td>
|
|
<td>
|
|
The scheduler will prefer to schedule pods to nodes that satisfy
|
|
the anti-affinity expressions specified by this field, but it may choose
|
|
a node that violates one or more of the expressions. The node that is
|
|
most preferred is the one with the greatest sum of weights, i.e.
|
|
for each node that meets all of the scheduling requirements (resource
|
|
request, requiredDuringScheduling anti-affinity expressions, etc.),
|
|
compute a sum by iterating through the elements of this field and adding
|
|
"weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
|
|
node(s) with the highest sum are the most preferred.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitypodantiaffinityrequiredduringschedulingignoredduringexecutionindex">requiredDuringSchedulingIgnoredDuringExecution</a></b></td>
|
|
<td>[]object</td>
|
|
<td>
|
|
If the anti-affinity requirements specified by this field are not met at
|
|
scheduling time, the pod will not be scheduled onto the node.
|
|
If the anti-affinity requirements specified by this field cease to be met
|
|
at some point during pod execution (e.g. due to a pod label update), the
|
|
system may or may not try to eventually evict the pod from its node.
|
|
When there are multiple elements, the lists of nodes corresponding to each
|
|
podAffinityTerm are intersected, i.e. all terms must be satisfied.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[index]
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinitypodantiaffinity)</sup></sup>
|
|
|
|
|
|
|
|
The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitypodantiaffinitypreferredduringschedulingignoredduringexecutionindexpodaffinityterm">podAffinityTerm</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
Required. A pod affinity term, associated with the corresponding weight.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>weight</b></td>
|
|
<td>integer</td>
|
|
<td>
|
|
weight associated with matching the corresponding podAffinityTerm,
|
|
in the range 1-100.<br/>
|
|
<br/>
|
|
<i>Format</i>: int32<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinitypodantiaffinitypreferredduringschedulingignoredduringexecutionindex)</sup></sup>
|
|
|
|
|
|
|
|
Required. A pod affinity term, associated with the corresponding weight.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>topologyKey</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
|
|
the labelSelector in the specified namespaces, where co-located is defined as running on a node
|
|
whose value of the label with key topologyKey matches that of any node on which any of the
|
|
selected pods is running.
|
|
Empty topologyKey is not allowed.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitypodantiaffinitypreferredduringschedulingignoredduringexecutionindexpodaffinitytermlabelselector">labelSelector</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
A label query over a set of resources, in this case pods.
|
|
If it's null, this PodAffinityTerm matches with no Pods.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>matchLabelKeys</b></td>
|
|
<td>[]string</td>
|
|
<td>
|
|
MatchLabelKeys is a set of pod label keys to select which pods will
|
|
be taken into consideration. The keys are used to lookup values from the
|
|
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
|
|
to select the group of existing pods which pods will be taken into consideration
|
|
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
|
|
pod labels will be ignored. The default value is empty.
|
|
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
|
|
Also, matchLabelKeys cannot be set when labelSelector isn't set.
|
|
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>mismatchLabelKeys</b></td>
|
|
<td>[]string</td>
|
|
<td>
|
|
MismatchLabelKeys is a set of pod label keys to select which pods will
|
|
be taken into consideration. The keys are used to lookup values from the
|
|
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
|
|
to select the group of existing pods which pods will be taken into consideration
|
|
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
|
|
pod labels will be ignored. The default value is empty.
|
|
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
|
|
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
|
|
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitypodantiaffinitypreferredduringschedulingignoredduringexecutionindexpodaffinitytermnamespaceselector">namespaceSelector</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
A label query over the set of namespaces that the term applies to.
|
|
The term is applied to the union of the namespaces selected by this field
|
|
and the ones listed in the namespaces field.
|
|
null selector and null or empty namespaces list means "this pod's namespace".
|
|
An empty selector ({}) matches all namespaces.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>namespaces</b></td>
|
|
<td>[]string</td>
|
|
<td>
|
|
namespaces specifies a static list of namespace names that the term applies to.
|
|
The term is applied to the union of the namespaces listed in this field
|
|
and the ones selected by namespaceSelector.
|
|
null or empty namespaces list and null namespaceSelector means "this pod's namespace".<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.labelSelector
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinitypodantiaffinitypreferredduringschedulingignoredduringexecutionindexpodaffinityterm)</sup></sup>
|
|
|
|
|
|
|
|
A label query over a set of resources, in this case pods.
|
|
If it's null, this PodAffinityTerm matches with no Pods.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitypodantiaffinitypreferredduringschedulingignoredduringexecutionindexpodaffinitytermlabelselectormatchexpressionsindex">matchExpressions</a></b></td>
|
|
<td>[]object</td>
|
|
<td>
|
|
matchExpressions is a list of label selector requirements. The requirements are ANDed.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>matchLabels</b></td>
|
|
<td>map[string]string</td>
|
|
<td>
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.labelSelector.matchExpressions[index]
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinitypodantiaffinitypreferredduringschedulingignoredduringexecutionindexpodaffinitytermlabelselector)</sup></sup>
|
|
|
|
|
|
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>key</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
key is the label key that the selector applies to.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>operator</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>values</b></td>
|
|
<td>[]string</td>
|
|
<td>
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.namespaceSelector
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinitypodantiaffinitypreferredduringschedulingignoredduringexecutionindexpodaffinityterm)</sup></sup>
|
|
|
|
|
|
|
|
A label query over the set of namespaces that the term applies to.
|
|
The term is applied to the union of the namespaces selected by this field
|
|
and the ones listed in the namespaces field.
|
|
null selector and null or empty namespaces list means "this pod's namespace".
|
|
An empty selector ({}) matches all namespaces.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitypodantiaffinitypreferredduringschedulingignoredduringexecutionindexpodaffinitytermnamespaceselectormatchexpressionsindex">matchExpressions</a></b></td>
|
|
<td>[]object</td>
|
|
<td>
|
|
matchExpressions is a list of label selector requirements. The requirements are ANDed.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>matchLabels</b></td>
|
|
<td>map[string]string</td>
|
|
<td>
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[index].podAffinityTerm.namespaceSelector.matchExpressions[index]
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinitypodantiaffinitypreferredduringschedulingignoredduringexecutionindexpodaffinitytermnamespaceselector)</sup></sup>
|
|
|
|
|
|
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>key</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
key is the label key that the selector applies to.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>operator</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>values</b></td>
|
|
<td>[]string</td>
|
|
<td>
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[index]
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinitypodantiaffinity)</sup></sup>
|
|
|
|
|
|
|
|
Defines a set of pods (namely those matching the labelSelector
|
|
relative to the given namespace(s)) that this pod should be
|
|
co-located (affinity) or not co-located (anti-affinity) with,
|
|
where co-located is defined as running on a node whose value of
|
|
the label with key <topologyKey> matches that of any node on which
|
|
a pod of the set of pods is running
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>topologyKey</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching
|
|
the labelSelector in the specified namespaces, where co-located is defined as running on a node
|
|
whose value of the label with key topologyKey matches that of any node on which any of the
|
|
selected pods is running.
|
|
Empty topologyKey is not allowed.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitypodantiaffinityrequiredduringschedulingignoredduringexecutionindexlabelselector">labelSelector</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
A label query over a set of resources, in this case pods.
|
|
If it's null, this PodAffinityTerm matches with no Pods.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>matchLabelKeys</b></td>
|
|
<td>[]string</td>
|
|
<td>
|
|
MatchLabelKeys is a set of pod label keys to select which pods will
|
|
be taken into consideration. The keys are used to lookup values from the
|
|
incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)`
|
|
to select the group of existing pods which pods will be taken into consideration
|
|
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
|
|
pod labels will be ignored. The default value is empty.
|
|
The same key is forbidden to exist in both matchLabelKeys and labelSelector.
|
|
Also, matchLabelKeys cannot be set when labelSelector isn't set.
|
|
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>mismatchLabelKeys</b></td>
|
|
<td>[]string</td>
|
|
<td>
|
|
MismatchLabelKeys is a set of pod label keys to select which pods will
|
|
be taken into consideration. The keys are used to lookup values from the
|
|
incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)`
|
|
to select the group of existing pods which pods will be taken into consideration
|
|
for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming
|
|
pod labels will be ignored. The default value is empty.
|
|
The same key is forbidden to exist in both mismatchLabelKeys and labelSelector.
|
|
Also, mismatchLabelKeys cannot be set when labelSelector isn't set.
|
|
This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitypodantiaffinityrequiredduringschedulingignoredduringexecutionindexnamespaceselector">namespaceSelector</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
A label query over the set of namespaces that the term applies to.
|
|
The term is applied to the union of the namespaces selected by this field
|
|
and the ones listed in the namespaces field.
|
|
null selector and null or empty namespaces list means "this pod's namespace".
|
|
An empty selector ({}) matches all namespaces.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>namespaces</b></td>
|
|
<td>[]string</td>
|
|
<td>
|
|
namespaces specifies a static list of namespace names that the term applies to.
|
|
The term is applied to the union of the namespaces listed in this field
|
|
and the ones selected by namespaceSelector.
|
|
null or empty namespaces list and null namespaceSelector means "this pod's namespace".<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].labelSelector
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinitypodantiaffinityrequiredduringschedulingignoredduringexecutionindex)</sup></sup>
|
|
|
|
|
|
|
|
A label query over a set of resources, in this case pods.
|
|
If it's null, this PodAffinityTerm matches with no Pods.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitypodantiaffinityrequiredduringschedulingignoredduringexecutionindexlabelselectormatchexpressionsindex">matchExpressions</a></b></td>
|
|
<td>[]object</td>
|
|
<td>
|
|
matchExpressions is a list of label selector requirements. The requirements are ANDed.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>matchLabels</b></td>
|
|
<td>map[string]string</td>
|
|
<td>
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].labelSelector.matchExpressions[index]
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinitypodantiaffinityrequiredduringschedulingignoredduringexecutionindexlabelselector)</sup></sup>
|
|
|
|
|
|
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>key</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
key is the label key that the selector applies to.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>operator</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>values</b></td>
|
|
<td>[]string</td>
|
|
<td>
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].namespaceSelector
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinitypodantiaffinityrequiredduringschedulingignoredduringexecutionindex)</sup></sup>
|
|
|
|
|
|
|
|
A label query over the set of namespaces that the term applies to.
|
|
The term is applied to the union of the namespaces selected by this field
|
|
and the ones listed in the namespaces field.
|
|
null selector and null or empty namespaces list means "this pod's namespace".
|
|
An empty selector ({}) matches all namespaces.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodaffinitypodantiaffinityrequiredduringschedulingignoredduringexecutionindexnamespaceselectormatchexpressionsindex">matchExpressions</a></b></td>
|
|
<td>[]object</td>
|
|
<td>
|
|
matchExpressions is a list of label selector requirements. The requirements are ANDed.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>matchLabels</b></td>
|
|
<td>map[string]string</td>
|
|
<td>
|
|
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
|
|
map is equivalent to an element of matchExpressions, whose key field is "key", the
|
|
operator is "In", and the values array contains only "value". The requirements are ANDed.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[index].namespaceSelector.matchExpressions[index]
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodaffinitypodantiaffinityrequiredduringschedulingignoredduringexecutionindexnamespaceselector)</sup></sup>
|
|
|
|
|
|
|
|
A label selector requirement is a selector that contains values, a key, and an operator that
|
|
relates the key and values.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>key</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
key is the label key that the selector applies to.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>operator</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
operator represents a key's relationship to a set of values.
|
|
Valid operators are In, NotIn, Exists and DoesNotExist.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>values</b></td>
|
|
<td>[]string</td>
|
|
<td>
|
|
values is an array of string values. If the operator is In or NotIn,
|
|
the values array must be non-empty. If the operator is Exists or DoesNotExist,
|
|
the values array must be empty. This array is replaced during a strategic
|
|
merge patch.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.imagePullSecrets[index]
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpod)</sup></sup>
|
|
|
|
|
|
|
|
LocalObjectReference contains enough information to let you locate the
|
|
referenced object inside the same namespace.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>name</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Name of the referent.
|
|
This field is effectively required, but due to backwards compatibility is
|
|
allowed to be empty. Instances of this type with an empty value here are
|
|
almost certainly wrong.
|
|
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names<br/>
|
|
<br/>
|
|
<i>Default</i>: <br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.securityContext
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpod)</sup></sup>
|
|
|
|
|
|
|
|
Proxy Pod's security context.
|
|
By default Tailscale Kubernetes operator does not apply any Pod
|
|
security context.
|
|
https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-2
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodsecuritycontextapparmorprofile">appArmorProfile</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
appArmorProfile is the AppArmor options to use by the containers in this pod.
|
|
Note that this field cannot be set when spec.os.name is windows.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>fsGroup</b></td>
|
|
<td>integer</td>
|
|
<td>
|
|
A special supplemental group that applies to all containers in a pod.
|
|
Some volume types allow the Kubelet to change the ownership of that volume
|
|
to be owned by the pod:
|
|
|
|
1. The owning GID will be the FSGroup
|
|
2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
|
|
3. The permission bits are OR'd with rw-rw----
|
|
|
|
If unset, the Kubelet will not modify the ownership and permissions of any volume.
|
|
Note that this field cannot be set when spec.os.name is windows.<br/>
|
|
<br/>
|
|
<i>Format</i>: int64<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>fsGroupChangePolicy</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
|
|
before being exposed inside Pod. This field will only apply to
|
|
volume types which support fsGroup based ownership(and permissions).
|
|
It will have no effect on ephemeral volume types such as: secret, configmaps
|
|
and emptydir.
|
|
Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
|
|
Note that this field cannot be set when spec.os.name is windows.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>runAsGroup</b></td>
|
|
<td>integer</td>
|
|
<td>
|
|
The GID to run the entrypoint of the container process.
|
|
Uses runtime default if unset.
|
|
May also be set in SecurityContext. If set in both SecurityContext and
|
|
PodSecurityContext, the value specified in SecurityContext takes precedence
|
|
for that container.
|
|
Note that this field cannot be set when spec.os.name is windows.<br/>
|
|
<br/>
|
|
<i>Format</i>: int64<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>runAsNonRoot</b></td>
|
|
<td>boolean</td>
|
|
<td>
|
|
Indicates that the container must run as a non-root user.
|
|
If true, the Kubelet will validate the image at runtime to ensure that it
|
|
does not run as UID 0 (root) and fail to start the container if it does.
|
|
If unset or false, no such validation will be performed.
|
|
May also be set in SecurityContext. If set in both SecurityContext and
|
|
PodSecurityContext, the value specified in SecurityContext takes precedence.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>runAsUser</b></td>
|
|
<td>integer</td>
|
|
<td>
|
|
The UID to run the entrypoint of the container process.
|
|
Defaults to user specified in image metadata if unspecified.
|
|
May also be set in SecurityContext. If set in both SecurityContext and
|
|
PodSecurityContext, the value specified in SecurityContext takes precedence
|
|
for that container.
|
|
Note that this field cannot be set when spec.os.name is windows.<br/>
|
|
<br/>
|
|
<i>Format</i>: int64<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodsecuritycontextselinuxoptions">seLinuxOptions</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
The SELinux context to be applied to all containers.
|
|
If unspecified, the container runtime will allocate a random SELinux context for each
|
|
container. May also be set in SecurityContext. If set in
|
|
both SecurityContext and PodSecurityContext, the value specified in SecurityContext
|
|
takes precedence for that container.
|
|
Note that this field cannot be set when spec.os.name is windows.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodsecuritycontextseccompprofile">seccompProfile</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
The seccomp options to use by the containers in this pod.
|
|
Note that this field cannot be set when spec.os.name is windows.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>supplementalGroups</b></td>
|
|
<td>[]integer</td>
|
|
<td>
|
|
A list of groups applied to the first process run in each container, in addition
|
|
to the container's primary GID, the fsGroup (if specified), and group memberships
|
|
defined in the container image for the uid of the container process. If unspecified,
|
|
no additional groups are added to any container. Note that group memberships
|
|
defined in the container image for the uid of the container process are still effective,
|
|
even if they are not included in this list.
|
|
Note that this field cannot be set when spec.os.name is windows.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodsecuritycontextsysctlsindex">sysctls</a></b></td>
|
|
<td>[]object</td>
|
|
<td>
|
|
Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
|
|
sysctls (by the container runtime) might fail to launch.
|
|
Note that this field cannot be set when spec.os.name is windows.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodsecuritycontextwindowsoptions">windowsOptions</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
The Windows specific settings applied to all containers.
|
|
If unspecified, the options within a container's SecurityContext will be used.
|
|
If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
|
|
Note that this field cannot be set when spec.os.name is linux.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.securityContext.appArmorProfile
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodsecuritycontext)</sup></sup>
|
|
|
|
|
|
|
|
appArmorProfile is the AppArmor options to use by the containers in this pod.
|
|
Note that this field cannot be set when spec.os.name is windows.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>type</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
type indicates which kind of AppArmor profile will be applied.
|
|
Valid options are:
|
|
Localhost - a profile pre-loaded on the node.
|
|
RuntimeDefault - the container runtime's default profile.
|
|
Unconfined - no AppArmor enforcement.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>localhostProfile</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
localhostProfile indicates a profile loaded on the node that should be used.
|
|
The profile must be preconfigured on the node to work.
|
|
Must match the loaded name of the profile.
|
|
Must be set if and only if type is "Localhost".<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.securityContext.seLinuxOptions
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodsecuritycontext)</sup></sup>
|
|
|
|
|
|
|
|
The SELinux context to be applied to all containers.
|
|
If unspecified, the container runtime will allocate a random SELinux context for each
|
|
container. May also be set in SecurityContext. If set in
|
|
both SecurityContext and PodSecurityContext, the value specified in SecurityContext
|
|
takes precedence for that container.
|
|
Note that this field cannot be set when spec.os.name is windows.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>level</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Level is SELinux level label that applies to the container.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>role</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Role is a SELinux role label that applies to the container.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>type</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Type is a SELinux type label that applies to the container.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>user</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
User is a SELinux user label that applies to the container.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.securityContext.seccompProfile
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodsecuritycontext)</sup></sup>
|
|
|
|
|
|
|
|
The seccomp options to use by the containers in this pod.
|
|
Note that this field cannot be set when spec.os.name is windows.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>type</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
type indicates which kind of seccomp profile will be applied.
|
|
Valid options are:
|
|
|
|
Localhost - a profile defined in a file on the node should be used.
|
|
RuntimeDefault - the container runtime default profile should be used.
|
|
Unconfined - no profile should be applied.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>localhostProfile</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
localhostProfile indicates a profile defined in a file on the node should be used.
|
|
The profile must be preconfigured on the node to work.
|
|
Must be a descending path, relative to the kubelet's configured seccomp profile location.
|
|
Must be set if type is "Localhost". Must NOT be set for any other type.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.securityContext.sysctls[index]
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodsecuritycontext)</sup></sup>
|
|
|
|
|
|
|
|
Sysctl defines a kernel parameter to be set
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>name</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Name of a property to set<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>value</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Value of a property to set<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.securityContext.windowsOptions
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodsecuritycontext)</sup></sup>
|
|
|
|
|
|
|
|
The Windows specific settings applied to all containers.
|
|
If unspecified, the options within a container's SecurityContext will be used.
|
|
If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
|
|
Note that this field cannot be set when spec.os.name is linux.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>gmsaCredentialSpec</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
GMSACredentialSpec is where the GMSA admission webhook
|
|
(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
|
|
GMSA credential spec named by the GMSACredentialSpecName field.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>gmsaCredentialSpecName</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
GMSACredentialSpecName is the name of the GMSA credential spec to use.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>hostProcess</b></td>
|
|
<td>boolean</td>
|
|
<td>
|
|
HostProcess determines if a container should be run as a 'Host Process' container.
|
|
All of a Pod's containers must have the same effective HostProcess value
|
|
(it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).
|
|
In addition, if HostProcess is true then HostNetwork must also be set to true.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>runAsUserName</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
The UserName in Windows to run the entrypoint of the container process.
|
|
Defaults to the user specified in image metadata if unspecified.
|
|
May also be set in PodSecurityContext. If set in both SecurityContext and
|
|
PodSecurityContext, the value specified in SecurityContext takes precedence.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.tailscaleContainer
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpod)</sup></sup>
|
|
|
|
|
|
|
|
Configuration for the proxy container running tailscale.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodtailscalecontainerenvindex">env</a></b></td>
|
|
<td>[]object</td>
|
|
<td>
|
|
List of environment variables to set in the container.
|
|
https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables
|
|
Note that environment variables provided here will take precedence
|
|
over Tailscale-specific environment variables set by the operator,
|
|
however running proxies with custom values for Tailscale environment
|
|
variables (i.e TS_USERSPACE) is not recommended and might break in
|
|
the future.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>image</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Container image name. By default images are pulled from
|
|
docker.io/tailscale/tailscale, but the official images are also
|
|
available at ghcr.io/tailscale/tailscale. Specifying image name here
|
|
will override any proxy image values specified via the Kubernetes
|
|
operator's Helm chart values or PROXY_IMAGE env var in the operator
|
|
Deployment.
|
|
https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#image<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>imagePullPolicy</b></td>
|
|
<td>enum</td>
|
|
<td>
|
|
Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always.
|
|
https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#image<br/>
|
|
<br/>
|
|
<i>Enum</i>: Always, Never, IfNotPresent<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodtailscalecontainerresources">resources</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
Container resource requirements.
|
|
By default Tailscale Kubernetes operator does not apply any resource
|
|
requirements. The amount of resources required wil depend on the
|
|
amount of resources the operator needs to parse, usage patterns and
|
|
cluster size.
|
|
https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodtailscalecontainersecuritycontext">securityContext</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
Container security context.
|
|
Security context specified here will override the security context by the operator.
|
|
By default the operator:
|
|
- sets 'privileged: true' for the init container
|
|
- set NET_ADMIN capability for tailscale container for proxies that
|
|
are created for Services or Connector.
|
|
https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.tailscaleContainer.env[index]
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodtailscalecontainer)</sup></sup>
|
|
|
|
|
|
|
|
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>name</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Name of the environment variable. Must be a C_IDENTIFIER.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>value</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Variable references $(VAR_NAME) are expanded using the previously defined
|
|
environment variables in the container and any service environment
|
|
variables. If a variable cannot be resolved, the reference in the input
|
|
string will be unchanged. Double $$ are reduced to a single $, which
|
|
allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will
|
|
produce the string literal "$(VAR_NAME)". Escaped references will never
|
|
be expanded, regardless of whether the variable exists or not. Defaults
|
|
to "".<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.tailscaleContainer.resources
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodtailscalecontainer)</sup></sup>
|
|
|
|
|
|
|
|
Container resource requirements.
|
|
By default Tailscale Kubernetes operator does not apply any resource
|
|
requirements. The amount of resources required wil depend on the
|
|
amount of resources the operator needs to parse, usage patterns and
|
|
cluster size.
|
|
https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodtailscalecontainerresourcesclaimsindex">claims</a></b></td>
|
|
<td>[]object</td>
|
|
<td>
|
|
Claims lists the names of resources, defined in spec.resourceClaims,
|
|
that are used by this container.
|
|
|
|
This is an alpha field and requires enabling the
|
|
DynamicResourceAllocation feature gate.
|
|
|
|
This field is immutable. It can only be set for containers.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>limits</b></td>
|
|
<td>map[string]int or string</td>
|
|
<td>
|
|
Limits describes the maximum amount of compute resources allowed.
|
|
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>requests</b></td>
|
|
<td>map[string]int or string</td>
|
|
<td>
|
|
Requests describes the minimum amount of compute resources required.
|
|
If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
|
|
otherwise to an implementation-defined value. Requests cannot exceed Limits.
|
|
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.tailscaleContainer.resources.claims[index]
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodtailscalecontainerresources)</sup></sup>
|
|
|
|
|
|
|
|
ResourceClaim references one entry in PodSpec.ResourceClaims.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>name</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Name must match the name of one entry in pod.spec.resourceClaims of
|
|
the Pod where this field is used. It makes that resource available
|
|
inside a container.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.tailscaleContainer.securityContext
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodtailscalecontainer)</sup></sup>
|
|
|
|
|
|
|
|
Container security context.
|
|
Security context specified here will override the security context by the operator.
|
|
By default the operator:
|
|
- sets 'privileged: true' for the init container
|
|
- set NET_ADMIN capability for tailscale container for proxies that
|
|
are created for Services or Connector.
|
|
https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>allowPrivilegeEscalation</b></td>
|
|
<td>boolean</td>
|
|
<td>
|
|
AllowPrivilegeEscalation controls whether a process can gain more
|
|
privileges than its parent process. This bool directly controls if
|
|
the no_new_privs flag will be set on the container process.
|
|
AllowPrivilegeEscalation is true always when the container is:
|
|
1) run as Privileged
|
|
2) has CAP_SYS_ADMIN
|
|
Note that this field cannot be set when spec.os.name is windows.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodtailscalecontainersecuritycontextapparmorprofile">appArmorProfile</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
appArmorProfile is the AppArmor options to use by this container. If set, this profile
|
|
overrides the pod's appArmorProfile.
|
|
Note that this field cannot be set when spec.os.name is windows.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodtailscalecontainersecuritycontextcapabilities">capabilities</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
The capabilities to add/drop when running containers.
|
|
Defaults to the default set of capabilities granted by the container runtime.
|
|
Note that this field cannot be set when spec.os.name is windows.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>privileged</b></td>
|
|
<td>boolean</td>
|
|
<td>
|
|
Run container in privileged mode.
|
|
Processes in privileged containers are essentially equivalent to root on the host.
|
|
Defaults to false.
|
|
Note that this field cannot be set when spec.os.name is windows.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>procMount</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
procMount denotes the type of proc mount to use for the containers.
|
|
The default is DefaultProcMount which uses the container runtime defaults for
|
|
readonly paths and masked paths.
|
|
This requires the ProcMountType feature flag to be enabled.
|
|
Note that this field cannot be set when spec.os.name is windows.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>readOnlyRootFilesystem</b></td>
|
|
<td>boolean</td>
|
|
<td>
|
|
Whether this container has a read-only root filesystem.
|
|
Default is false.
|
|
Note that this field cannot be set when spec.os.name is windows.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>runAsGroup</b></td>
|
|
<td>integer</td>
|
|
<td>
|
|
The GID to run the entrypoint of the container process.
|
|
Uses runtime default if unset.
|
|
May also be set in PodSecurityContext. If set in both SecurityContext and
|
|
PodSecurityContext, the value specified in SecurityContext takes precedence.
|
|
Note that this field cannot be set when spec.os.name is windows.<br/>
|
|
<br/>
|
|
<i>Format</i>: int64<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>runAsNonRoot</b></td>
|
|
<td>boolean</td>
|
|
<td>
|
|
Indicates that the container must run as a non-root user.
|
|
If true, the Kubelet will validate the image at runtime to ensure that it
|
|
does not run as UID 0 (root) and fail to start the container if it does.
|
|
If unset or false, no such validation will be performed.
|
|
May also be set in PodSecurityContext. If set in both SecurityContext and
|
|
PodSecurityContext, the value specified in SecurityContext takes precedence.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>runAsUser</b></td>
|
|
<td>integer</td>
|
|
<td>
|
|
The UID to run the entrypoint of the container process.
|
|
Defaults to user specified in image metadata if unspecified.
|
|
May also be set in PodSecurityContext. If set in both SecurityContext and
|
|
PodSecurityContext, the value specified in SecurityContext takes precedence.
|
|
Note that this field cannot be set when spec.os.name is windows.<br/>
|
|
<br/>
|
|
<i>Format</i>: int64<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodtailscalecontainersecuritycontextselinuxoptions">seLinuxOptions</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
The SELinux context to be applied to the container.
|
|
If unspecified, the container runtime will allocate a random SELinux context for each
|
|
container. May also be set in PodSecurityContext. If set in both SecurityContext and
|
|
PodSecurityContext, the value specified in SecurityContext takes precedence.
|
|
Note that this field cannot be set when spec.os.name is windows.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodtailscalecontainersecuritycontextseccompprofile">seccompProfile</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
The seccomp options to use by this container. If seccomp options are
|
|
provided at both the pod & container level, the container options
|
|
override the pod options.
|
|
Note that this field cannot be set when spec.os.name is windows.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodtailscalecontainersecuritycontextwindowsoptions">windowsOptions</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
The Windows specific settings applied to all containers.
|
|
If unspecified, the options from the PodSecurityContext will be used.
|
|
If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
|
|
Note that this field cannot be set when spec.os.name is linux.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.tailscaleContainer.securityContext.appArmorProfile
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodtailscalecontainersecuritycontext)</sup></sup>
|
|
|
|
|
|
|
|
appArmorProfile is the AppArmor options to use by this container. If set, this profile
|
|
overrides the pod's appArmorProfile.
|
|
Note that this field cannot be set when spec.os.name is windows.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>type</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
type indicates which kind of AppArmor profile will be applied.
|
|
Valid options are:
|
|
Localhost - a profile pre-loaded on the node.
|
|
RuntimeDefault - the container runtime's default profile.
|
|
Unconfined - no AppArmor enforcement.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>localhostProfile</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
localhostProfile indicates a profile loaded on the node that should be used.
|
|
The profile must be preconfigured on the node to work.
|
|
Must match the loaded name of the profile.
|
|
Must be set if and only if type is "Localhost".<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.tailscaleContainer.securityContext.capabilities
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodtailscalecontainersecuritycontext)</sup></sup>
|
|
|
|
|
|
|
|
The capabilities to add/drop when running containers.
|
|
Defaults to the default set of capabilities granted by the container runtime.
|
|
Note that this field cannot be set when spec.os.name is windows.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>add</b></td>
|
|
<td>[]string</td>
|
|
<td>
|
|
Added capabilities<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>drop</b></td>
|
|
<td>[]string</td>
|
|
<td>
|
|
Removed capabilities<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.tailscaleContainer.securityContext.seLinuxOptions
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodtailscalecontainersecuritycontext)</sup></sup>
|
|
|
|
|
|
|
|
The SELinux context to be applied to the container.
|
|
If unspecified, the container runtime will allocate a random SELinux context for each
|
|
container. May also be set in PodSecurityContext. If set in both SecurityContext and
|
|
PodSecurityContext, the value specified in SecurityContext takes precedence.
|
|
Note that this field cannot be set when spec.os.name is windows.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>level</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Level is SELinux level label that applies to the container.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>role</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Role is a SELinux role label that applies to the container.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>type</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Type is a SELinux type label that applies to the container.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>user</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
User is a SELinux user label that applies to the container.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.tailscaleContainer.securityContext.seccompProfile
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodtailscalecontainersecuritycontext)</sup></sup>
|
|
|
|
|
|
|
|
The seccomp options to use by this container. If seccomp options are
|
|
provided at both the pod & container level, the container options
|
|
override the pod options.
|
|
Note that this field cannot be set when spec.os.name is windows.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>type</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
type indicates which kind of seccomp profile will be applied.
|
|
Valid options are:
|
|
|
|
Localhost - a profile defined in a file on the node should be used.
|
|
RuntimeDefault - the container runtime default profile should be used.
|
|
Unconfined - no profile should be applied.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>localhostProfile</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
localhostProfile indicates a profile defined in a file on the node should be used.
|
|
The profile must be preconfigured on the node to work.
|
|
Must be a descending path, relative to the kubelet's configured seccomp profile location.
|
|
Must be set if type is "Localhost". Must NOT be set for any other type.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.tailscaleContainer.securityContext.windowsOptions
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodtailscalecontainersecuritycontext)</sup></sup>
|
|
|
|
|
|
|
|
The Windows specific settings applied to all containers.
|
|
If unspecified, the options from the PodSecurityContext will be used.
|
|
If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
|
|
Note that this field cannot be set when spec.os.name is linux.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>gmsaCredentialSpec</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
GMSACredentialSpec is where the GMSA admission webhook
|
|
(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
|
|
GMSA credential spec named by the GMSACredentialSpecName field.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>gmsaCredentialSpecName</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
GMSACredentialSpecName is the name of the GMSA credential spec to use.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>hostProcess</b></td>
|
|
<td>boolean</td>
|
|
<td>
|
|
HostProcess determines if a container should be run as a 'Host Process' container.
|
|
All of a Pod's containers must have the same effective HostProcess value
|
|
(it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).
|
|
In addition, if HostProcess is true then HostNetwork must also be set to true.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>runAsUserName</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
The UserName in Windows to run the entrypoint of the container process.
|
|
Defaults to the user specified in image metadata if unspecified.
|
|
May also be set in PodSecurityContext. If set in both SecurityContext and
|
|
PodSecurityContext, the value specified in SecurityContext takes precedence.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.tailscaleInitContainer
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpod)</sup></sup>
|
|
|
|
|
|
|
|
Configuration for the proxy init container that enables forwarding.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodtailscaleinitcontainerenvindex">env</a></b></td>
|
|
<td>[]object</td>
|
|
<td>
|
|
List of environment variables to set in the container.
|
|
https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables
|
|
Note that environment variables provided here will take precedence
|
|
over Tailscale-specific environment variables set by the operator,
|
|
however running proxies with custom values for Tailscale environment
|
|
variables (i.e TS_USERSPACE) is not recommended and might break in
|
|
the future.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>image</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Container image name. By default images are pulled from
|
|
docker.io/tailscale/tailscale, but the official images are also
|
|
available at ghcr.io/tailscale/tailscale. Specifying image name here
|
|
will override any proxy image values specified via the Kubernetes
|
|
operator's Helm chart values or PROXY_IMAGE env var in the operator
|
|
Deployment.
|
|
https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#image<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>imagePullPolicy</b></td>
|
|
<td>enum</td>
|
|
<td>
|
|
Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always.
|
|
https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#image<br/>
|
|
<br/>
|
|
<i>Enum</i>: Always, Never, IfNotPresent<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodtailscaleinitcontainerresources">resources</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
Container resource requirements.
|
|
By default Tailscale Kubernetes operator does not apply any resource
|
|
requirements. The amount of resources required wil depend on the
|
|
amount of resources the operator needs to parse, usage patterns and
|
|
cluster size.
|
|
https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodtailscaleinitcontainersecuritycontext">securityContext</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
Container security context.
|
|
Security context specified here will override the security context by the operator.
|
|
By default the operator:
|
|
- sets 'privileged: true' for the init container
|
|
- set NET_ADMIN capability for tailscale container for proxies that
|
|
are created for Services or Connector.
|
|
https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.tailscaleInitContainer.env[index]
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodtailscaleinitcontainer)</sup></sup>
|
|
|
|
|
|
|
|
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>name</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Name of the environment variable. Must be a C_IDENTIFIER.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>value</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Variable references $(VAR_NAME) are expanded using the previously defined
|
|
environment variables in the container and any service environment
|
|
variables. If a variable cannot be resolved, the reference in the input
|
|
string will be unchanged. Double $$ are reduced to a single $, which
|
|
allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will
|
|
produce the string literal "$(VAR_NAME)". Escaped references will never
|
|
be expanded, regardless of whether the variable exists or not. Defaults
|
|
to "".<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.tailscaleInitContainer.resources
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodtailscaleinitcontainer)</sup></sup>
|
|
|
|
|
|
|
|
Container resource requirements.
|
|
By default Tailscale Kubernetes operator does not apply any resource
|
|
requirements. The amount of resources required wil depend on the
|
|
amount of resources the operator needs to parse, usage patterns and
|
|
cluster size.
|
|
https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodtailscaleinitcontainerresourcesclaimsindex">claims</a></b></td>
|
|
<td>[]object</td>
|
|
<td>
|
|
Claims lists the names of resources, defined in spec.resourceClaims,
|
|
that are used by this container.
|
|
|
|
This is an alpha field and requires enabling the
|
|
DynamicResourceAllocation feature gate.
|
|
|
|
This field is immutable. It can only be set for containers.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>limits</b></td>
|
|
<td>map[string]int or string</td>
|
|
<td>
|
|
Limits describes the maximum amount of compute resources allowed.
|
|
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>requests</b></td>
|
|
<td>map[string]int or string</td>
|
|
<td>
|
|
Requests describes the minimum amount of compute resources required.
|
|
If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
|
|
otherwise to an implementation-defined value. Requests cannot exceed Limits.
|
|
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.tailscaleInitContainer.resources.claims[index]
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodtailscaleinitcontainerresources)</sup></sup>
|
|
|
|
|
|
|
|
ResourceClaim references one entry in PodSpec.ResourceClaims.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>name</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Name must match the name of one entry in pod.spec.resourceClaims of
|
|
the Pod where this field is used. It makes that resource available
|
|
inside a container.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.tailscaleInitContainer.securityContext
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodtailscaleinitcontainer)</sup></sup>
|
|
|
|
|
|
|
|
Container security context.
|
|
Security context specified here will override the security context by the operator.
|
|
By default the operator:
|
|
- sets 'privileged: true' for the init container
|
|
- set NET_ADMIN capability for tailscale container for proxies that
|
|
are created for Services or Connector.
|
|
https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>allowPrivilegeEscalation</b></td>
|
|
<td>boolean</td>
|
|
<td>
|
|
AllowPrivilegeEscalation controls whether a process can gain more
|
|
privileges than its parent process. This bool directly controls if
|
|
the no_new_privs flag will be set on the container process.
|
|
AllowPrivilegeEscalation is true always when the container is:
|
|
1) run as Privileged
|
|
2) has CAP_SYS_ADMIN
|
|
Note that this field cannot be set when spec.os.name is windows.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodtailscaleinitcontainersecuritycontextapparmorprofile">appArmorProfile</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
appArmorProfile is the AppArmor options to use by this container. If set, this profile
|
|
overrides the pod's appArmorProfile.
|
|
Note that this field cannot be set when spec.os.name is windows.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodtailscaleinitcontainersecuritycontextcapabilities">capabilities</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
The capabilities to add/drop when running containers.
|
|
Defaults to the default set of capabilities granted by the container runtime.
|
|
Note that this field cannot be set when spec.os.name is windows.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>privileged</b></td>
|
|
<td>boolean</td>
|
|
<td>
|
|
Run container in privileged mode.
|
|
Processes in privileged containers are essentially equivalent to root on the host.
|
|
Defaults to false.
|
|
Note that this field cannot be set when spec.os.name is windows.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>procMount</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
procMount denotes the type of proc mount to use for the containers.
|
|
The default is DefaultProcMount which uses the container runtime defaults for
|
|
readonly paths and masked paths.
|
|
This requires the ProcMountType feature flag to be enabled.
|
|
Note that this field cannot be set when spec.os.name is windows.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>readOnlyRootFilesystem</b></td>
|
|
<td>boolean</td>
|
|
<td>
|
|
Whether this container has a read-only root filesystem.
|
|
Default is false.
|
|
Note that this field cannot be set when spec.os.name is windows.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>runAsGroup</b></td>
|
|
<td>integer</td>
|
|
<td>
|
|
The GID to run the entrypoint of the container process.
|
|
Uses runtime default if unset.
|
|
May also be set in PodSecurityContext. If set in both SecurityContext and
|
|
PodSecurityContext, the value specified in SecurityContext takes precedence.
|
|
Note that this field cannot be set when spec.os.name is windows.<br/>
|
|
<br/>
|
|
<i>Format</i>: int64<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>runAsNonRoot</b></td>
|
|
<td>boolean</td>
|
|
<td>
|
|
Indicates that the container must run as a non-root user.
|
|
If true, the Kubelet will validate the image at runtime to ensure that it
|
|
does not run as UID 0 (root) and fail to start the container if it does.
|
|
If unset or false, no such validation will be performed.
|
|
May also be set in PodSecurityContext. If set in both SecurityContext and
|
|
PodSecurityContext, the value specified in SecurityContext takes precedence.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>runAsUser</b></td>
|
|
<td>integer</td>
|
|
<td>
|
|
The UID to run the entrypoint of the container process.
|
|
Defaults to user specified in image metadata if unspecified.
|
|
May also be set in PodSecurityContext. If set in both SecurityContext and
|
|
PodSecurityContext, the value specified in SecurityContext takes precedence.
|
|
Note that this field cannot be set when spec.os.name is windows.<br/>
|
|
<br/>
|
|
<i>Format</i>: int64<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodtailscaleinitcontainersecuritycontextselinuxoptions">seLinuxOptions</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
The SELinux context to be applied to the container.
|
|
If unspecified, the container runtime will allocate a random SELinux context for each
|
|
container. May also be set in PodSecurityContext. If set in both SecurityContext and
|
|
PodSecurityContext, the value specified in SecurityContext takes precedence.
|
|
Note that this field cannot be set when spec.os.name is windows.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodtailscaleinitcontainersecuritycontextseccompprofile">seccompProfile</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
The seccomp options to use by this container. If seccomp options are
|
|
provided at both the pod & container level, the container options
|
|
override the pod options.
|
|
Note that this field cannot be set when spec.os.name is windows.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b><a href="#proxyclassspecstatefulsetpodtailscaleinitcontainersecuritycontextwindowsoptions">windowsOptions</a></b></td>
|
|
<td>object</td>
|
|
<td>
|
|
The Windows specific settings applied to all containers.
|
|
If unspecified, the options from the PodSecurityContext will be used.
|
|
If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
|
|
Note that this field cannot be set when spec.os.name is linux.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.tailscaleInitContainer.securityContext.appArmorProfile
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodtailscaleinitcontainersecuritycontext)</sup></sup>
|
|
|
|
|
|
|
|
appArmorProfile is the AppArmor options to use by this container. If set, this profile
|
|
overrides the pod's appArmorProfile.
|
|
Note that this field cannot be set when spec.os.name is windows.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>type</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
type indicates which kind of AppArmor profile will be applied.
|
|
Valid options are:
|
|
Localhost - a profile pre-loaded on the node.
|
|
RuntimeDefault - the container runtime's default profile.
|
|
Unconfined - no AppArmor enforcement.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>localhostProfile</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
localhostProfile indicates a profile loaded on the node that should be used.
|
|
The profile must be preconfigured on the node to work.
|
|
Must match the loaded name of the profile.
|
|
Must be set if and only if type is "Localhost".<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.tailscaleInitContainer.securityContext.capabilities
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodtailscaleinitcontainersecuritycontext)</sup></sup>
|
|
|
|
|
|
|
|
The capabilities to add/drop when running containers.
|
|
Defaults to the default set of capabilities granted by the container runtime.
|
|
Note that this field cannot be set when spec.os.name is windows.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>add</b></td>
|
|
<td>[]string</td>
|
|
<td>
|
|
Added capabilities<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>drop</b></td>
|
|
<td>[]string</td>
|
|
<td>
|
|
Removed capabilities<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.tailscaleInitContainer.securityContext.seLinuxOptions
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodtailscaleinitcontainersecuritycontext)</sup></sup>
|
|
|
|
|
|
|
|
The SELinux context to be applied to the container.
|
|
If unspecified, the container runtime will allocate a random SELinux context for each
|
|
container. May also be set in PodSecurityContext. If set in both SecurityContext and
|
|
PodSecurityContext, the value specified in SecurityContext takes precedence.
|
|
Note that this field cannot be set when spec.os.name is windows.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>level</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Level is SELinux level label that applies to the container.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>role</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Role is a SELinux role label that applies to the container.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>type</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Type is a SELinux type label that applies to the container.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>user</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
User is a SELinux user label that applies to the container.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.tailscaleInitContainer.securityContext.seccompProfile
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodtailscaleinitcontainersecuritycontext)</sup></sup>
|
|
|
|
|
|
|
|
The seccomp options to use by this container. If seccomp options are
|
|
provided at both the pod & container level, the container options
|
|
override the pod options.
|
|
Note that this field cannot be set when spec.os.name is windows.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>type</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
type indicates which kind of seccomp profile will be applied.
|
|
Valid options are:
|
|
|
|
Localhost - a profile defined in a file on the node should be used.
|
|
RuntimeDefault - the container runtime default profile should be used.
|
|
Unconfined - no profile should be applied.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>localhostProfile</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
localhostProfile indicates a profile defined in a file on the node should be used.
|
|
The profile must be preconfigured on the node to work.
|
|
Must be a descending path, relative to the kubelet's configured seccomp profile location.
|
|
Must be set if type is "Localhost". Must NOT be set for any other type.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.tailscaleInitContainer.securityContext.windowsOptions
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpodtailscaleinitcontainersecuritycontext)</sup></sup>
|
|
|
|
|
|
|
|
The Windows specific settings applied to all containers.
|
|
If unspecified, the options from the PodSecurityContext will be used.
|
|
If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
|
|
Note that this field cannot be set when spec.os.name is linux.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>gmsaCredentialSpec</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
GMSACredentialSpec is where the GMSA admission webhook
|
|
(https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
|
|
GMSA credential spec named by the GMSACredentialSpecName field.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>gmsaCredentialSpecName</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
GMSACredentialSpecName is the name of the GMSA credential spec to use.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>hostProcess</b></td>
|
|
<td>boolean</td>
|
|
<td>
|
|
HostProcess determines if a container should be run as a 'Host Process' container.
|
|
All of a Pod's containers must have the same effective HostProcess value
|
|
(it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).
|
|
In addition, if HostProcess is true then HostNetwork must also be set to true.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>runAsUserName</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
The UserName in Windows to run the entrypoint of the container process.
|
|
Defaults to the user specified in image metadata if unspecified.
|
|
May also be set in PodSecurityContext. If set in both SecurityContext and
|
|
PodSecurityContext, the value specified in SecurityContext takes precedence.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.statefulSet.pod.tolerations[index]
|
|
<sup><sup>[↩ Parent](#proxyclassspecstatefulsetpod)</sup></sup>
|
|
|
|
|
|
|
|
The pod this Toleration is attached to tolerates any taint that matches
|
|
the triple <key,value,effect> using the matching operator <operator>.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>effect</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Effect indicates the taint effect to match. Empty means match all taint effects.
|
|
When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>key</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Key is the taint key that the toleration applies to. Empty means match all taint keys.
|
|
If the key is empty, operator must be Exists; this combination means to match all values and all keys.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>operator</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Operator represents a key's relationship to the value.
|
|
Valid operators are Exists and Equal. Defaults to Equal.
|
|
Exists is equivalent to wildcard for value, so that a pod can
|
|
tolerate all taints of a particular category.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>tolerationSeconds</b></td>
|
|
<td>integer</td>
|
|
<td>
|
|
TolerationSeconds represents the period of time the toleration (which must be
|
|
of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default,
|
|
it is not set, which means tolerate the taint forever (do not evict). Zero and
|
|
negative values will be treated as 0 (evict immediately) by the system.<br/>
|
|
<br/>
|
|
<i>Format</i>: int64<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr><tr>
|
|
<td><b>value</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
Value is the taint value the toleration matches to.
|
|
If the operator is Exists, the value should be empty, otherwise just a regular string.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.spec.tailscale
|
|
<sup><sup>[↩ Parent](#proxyclassspec)</sup></sup>
|
|
|
|
|
|
|
|
TailscaleConfig contains options to configure the tailscale-specific
|
|
parameters of proxies.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>acceptRoutes</b></td>
|
|
<td>boolean</td>
|
|
<td>
|
|
AcceptRoutes can be set to true to make the proxy instance accept
|
|
routes advertized by other nodes on the tailnet, such as subnet
|
|
routes.
|
|
This is equivalent of passing --accept-routes flag to a tailscale Linux client.
|
|
https://tailscale.com/kb/1019/subnets#use-your-subnet-routes-from-other-machines
|
|
Defaults to false.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.status
|
|
<sup><sup>[↩ Parent](#proxyclass)</sup></sup>
|
|
|
|
|
|
|
|
Status of the ProxyClass. This is set and managed automatically.
|
|
https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b><a href="#proxyclassstatusconditionsindex">conditions</a></b></td>
|
|
<td>[]object</td>
|
|
<td>
|
|
List of status conditions to indicate the status of the ProxyClass.
|
|
Known condition types are `ProxyClassReady`.<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|
|
|
|
|
|
### ProxyClass.status.conditions[index]
|
|
<sup><sup>[↩ Parent](#proxyclassstatus)</sup></sup>
|
|
|
|
|
|
|
|
Condition contains details for one aspect of the current state of this API Resource.
|
|
|
|
<table>
|
|
<thead>
|
|
<tr>
|
|
<th>Name</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody><tr>
|
|
<td><b>lastTransitionTime</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
lastTransitionTime is the last time the condition transitioned from one status to another.
|
|
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.<br/>
|
|
<br/>
|
|
<i>Format</i>: date-time<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>message</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
message is a human readable message indicating details about the transition.
|
|
This may be an empty string.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>reason</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
reason contains a programmatic identifier indicating the reason for the condition's last transition.
|
|
Producers of specific condition types may define expected values and meanings for this field,
|
|
and whether the values are considered a guaranteed API.
|
|
The value should be a CamelCase string.
|
|
This field may not be empty.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>status</b></td>
|
|
<td>enum</td>
|
|
<td>
|
|
status of the condition, one of True, False, Unknown.<br/>
|
|
<br/>
|
|
<i>Enum</i>: True, False, Unknown<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>type</b></td>
|
|
<td>string</td>
|
|
<td>
|
|
type of condition in CamelCase or in foo.example.com/CamelCase.<br/>
|
|
</td>
|
|
<td>true</td>
|
|
</tr><tr>
|
|
<td><b>observedGeneration</b></td>
|
|
<td>integer</td>
|
|
<td>
|
|
observedGeneration represents the .metadata.generation that the condition was set based upon.
|
|
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
|
|
with respect to the current state of the instance.<br/>
|
|
<br/>
|
|
<i>Format</i>: int64<br/>
|
|
<i>Minimum</i>: 0<br/>
|
|
</td>
|
|
<td>false</td>
|
|
</tr></tbody>
|
|
</table>
|