kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

API Reference multi-pages for v1.25

pull/35676/head
Philippe Martin 2022-08-03 18:01:40 +02:00
parent ca02c597b2
commit 939b45bb27
25 changed files with 239 additions and 10496 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9642
api-ref-assets/api/swagger.json
View File

File diff suppressed because it is too large Load Diff

19
api-ref-assets/config/fields.yaml
View File

@ -4,6 +4,7 @@
fields:
- containers
- initContainers
- ephemeralContainers
- imagePullSecrets
- enableServiceLinks
- os
@ -20,7 +21,9 @@
- runtimeClassName
- priorityClassName
- priority
- preemptionPolicy
- topologySpreadConstraints
- overhead
- name: Lifecycle
fields:
- restartPolicy
@ -48,11 +51,6 @@
- name: Security context
fields:
- securityContext
- name: Beta level
fields:
- ephemeralContainers
- preemptionPolicy
- overhead
- name: Deprecated
fields:
- serviceAccount
@ -396,7 +394,7 @@
- completedIndexes
- conditions
- uncountedTerminatedPods
- name: Alpha level
- name: Beta level
fields:
- ready
@ -525,6 +523,7 @@
- cephfs
- cinder
- csi
- ephemeral
- fc
- flexVolume
- flocker
@ -539,9 +538,6 @@
- scaleIO
- storageos
- vsphereVolume
- name: Alpha level
fields:
- ephemeral
- name: Deprecated
fields:
- gitRepo
@ -591,7 +587,7 @@
- volumeName
- storageClassName
- volumeMode
- name: Alpha level
- name: Beta level
fields:
- dataSource
- dataSourceRef
@ -714,6 +710,3 @@
- resourceVersion
- selfLink
- uid
- name: Ignored
fields:
- clusterName

3
api-ref-assets/config/toc.yaml
View File

@ -179,9 +179,6 @@ parts:
- name: PodDisruptionBudget
group: policy
version: v1
- name: PodSecurityPolicy
group: policy
version: v1beta1
- name: Extend Resources
chapters:
- name: CustomResourceDefinition

2
content/en/docs/reference/kubernetes-api/authentication-resources/token-request-v1.md
View File

@ -62,7 +62,7 @@ TokenRequestSpec contains client provided parameters of a token request.
- **audiences** ([]string), required
Audiences are the intendend audiences of the token. A recipient of a token must identitfy themself with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed but implies a high degree of trust between the target audiences.
Audiences are the intendend audiences of the token. A recipient of a token must identify themself with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed but implies a high degree of trust between the target audiences.
- **boundObjectRef** (BoundObjectReference)

2
content/en/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1.md
View File

@ -62,7 +62,7 @@ ClusterRole is a cluster level, logical grouping of PolicyRules that can be refe
- **rules.apiGroups** ([]string)
APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.
APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
- **rules.resources** ([]string)

2
content/en/docs/reference/kubernetes-api/authorization-resources/role-v1.md
View File

@ -51,7 +51,7 @@ Role is a namespaced, logical grouping of PolicyRules that can be referenced as
- **rules.apiGroups** ([]string)
APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.
APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
- **rules.resources** ([]string)

2
content/en/docs/reference/kubernetes-api/cluster-resources/node-v1.md
View File

@ -356,7 +356,7 @@ NodeStatus is information about the current status of a node.
- **images.names** ([]string)
Names by which this image is known. e.g. ["registry.k8s.io/hyperkube:v1.0.7", "dockerhub.io/google_containers/hyperkube:v1.0.7"]
Names by which this image is known. e.g. ["k8s.gcr.io/hyperkube:v1.0.7", "dockerhub.io/google_containers/hyperkube:v1.0.7"]
- **images.sizeBytes** (int64)

4
content/en/docs/reference/kubernetes-api/cluster-resources/priority-level-configuration-v1beta2.md
View File

@ -70,8 +70,8 @@ PriorityLevelConfigurationSpec specifies the configuration of a priority level.
<a name="LimitedPriorityLevelConfiguration"></a>
*LimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits. It addresses two issues:
* How are requests for this priority level limited?
* What should be done with requests that exceed the limit?*
- How are requests for this priority level limited?
- What should be done with requests that exceed the limit?*
- **limited.assuredConcurrencyShares** (int32)

9
content/en/docs/reference/kubernetes-api/common-definitions/object-meta.md
View File

@ -188,14 +188,5 @@ ObjectMeta is metadata that all persisted resources must have, which includes al
Populated by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids
### Ignored {#Ignored}
- **clusterName** (string)
Deprecated: ClusterName is a legacy field that was always cleared by the system and never used; it will be removed completely in 1.25.
The name in the go struct is changed to help clients detect accidental use.

26
content/en/docs/reference/kubernetes-api/common-definitions/quantity.md
View File

@ -30,27 +30,33 @@ Quantity is a fixed-point representation of a number. It provides convenient mar
The serialization format is:
\<quantity> ::= \<signedNumber>\<suffix>
(Note that \<suffix> may be empty, from the "" case in \<decimalSI>.)
``` \<quantity> ::= \<signedNumber>\<suffix>
(Note that \<suffix> may be empty, from the "" case in \<decimalSI>.)
\<digit> ::= 0 | 1 | ... | 9 \<digits> ::= \<digit> | \<digit>\<digits> \<number> ::= \<digits> | \<digits>.\<digits> | \<digits>. | .\<digits> \<sign> ::= "+" | "-" \<signedNumber> ::= \<number> | \<sign>\<number> \<suffix> ::= \<binarySI> | \<decimalExponent> | \<decimalSI> \<binarySI> ::= Ki | Mi | Gi | Ti | Pi | Ei
(International System of units; See: http://physics.nist.gov/cuu/Units/binary.html)
(International System of units; See: http://physics.nist.gov/cuu/Units/binary.html)
\<decimalSI> ::= m | "" | k | M | G | T | P | E
(Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.)
\<decimalExponent> ::= "e" \<signedNumber> | "E" \<signedNumber>
(Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.)
\<decimalExponent> ::= "e" \<signedNumber> | "E" \<signedNumber> ```
No matter which of the three exponent forms is used, no quantity may represent a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal places. Numbers larger or more precise will be capped or rounded up. (E.g.: 0.1m will rounded up to 1m.) This may be extended in the future if we require larger or smaller quantities.
When a Quantity is parsed from a string, it will remember the type of suffix it had, and will use the same type again when it is serialized.
Before serializing, Quantity will be put in "canonical form". This means that Exponent/suffix will be adjusted up or down (with a corresponding increase or decrease in Mantissa) such that:
a. No precision is lost
b. No fractional digits will be emitted
c. The exponent (or suffix) is as large as possible.
- No precision is lost - No fractional digits will be emitted - The exponent (or suffix) is as large as possible.
The sign will be omitted unless the number is negative.
Examples:
1.5 will be serialized as "1500m"
1.5Gi will be serialized as "1536Mi"
- 1.5 will be serialized as "1500m" - 1.5Gi will be serialized as "1536Mi"
Note that the quantity will NEVER be internally represented by a floating point number. That is the whole point of this exercise.

2
content/en/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-claim-v1.md
View File

@ -97,7 +97,7 @@ PersistentVolumeClaimSpec describes the common attributes of storage devices and
### Alpha level
### Beta level
- **dataSource** (<a href="{{< ref "../common-definitions/typed-local-object-reference#TypedLocalObjectReference" >}}">TypedLocalObjectReference</a>)

17
content/en/docs/reference/kubernetes-api/config-and-storage-resources/persistent-volume-v1.md
View File

@ -329,7 +329,7 @@ PersistentVolumeSpec is the specification of a persistent volume.
- **csi.controllerExpandSecretRef** (SecretReference)
controllerExpandSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI ControllerExpandVolume call. This is an alpha field and requires enabling ExpandCSIVolumes feature gate. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secrets are passed.
controllerExpandSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI ControllerExpandVolume call. This is an beta field and requires enabling ExpandCSIVolumes feature gate. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secrets are passed.
<a name="SecretReference"></a>
*SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace*
@ -361,6 +361,21 @@ PersistentVolumeSpec is the specification of a persistent volume.
fsType to mount. Must be a filesystem type supported by the host operating system. Ex. "ext4", "xfs", "ntfs".
- **csi.nodeExpandSecretRef** (SecretReference)
nodeExpandSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodeExpandVolume call. This is an alpha field and requires enabling CSINodeExpandSecret feature gate. This field is optional, may be omitted if no secret is required. If the secret object contains more than one secret, all secrets are passed.
<a name="SecretReference"></a>
*SecretReference represents a Secret Reference. It has enough information to retrieve secret in any namespace*
- **csi.nodeExpandSecretRef.name** (string)
name is unique within a namespace to reference a secret resource.
- **csi.nodeExpandSecretRef.namespace** (string)
namespace defines the space within which the secret name must be unique.
- **csi.nodePublishSecretRef** (SecretReference)
nodePublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodePublishVolume and NodeUnpublishVolume calls. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secrets are passed.

85
content/en/docs/reference/kubernetes-api/config-and-storage-resources/volume.md
View File

@ -406,6 +406,47 @@ Volume represents a named volume in a pod that may be accessed by any container
volumeAttributes stores driver-specific properties that are passed to the CSI driver. Consult your driver's documentation for supported values.
- **ephemeral** (EphemeralVolumeSource)
ephemeral represents a volume that is handled by a cluster storage driver. The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, and deleted when the pod is removed.
Use this if: a) the volume is only needed while the pod runs, b) features of normal volumes like restoring from snapshot or capacity
tracking are needed,
c) the storage driver is specified through a storage class, and d) the storage driver supports dynamic volume provisioning through
a PersistentVolumeClaim (see EphemeralVolumeSource for more
information on the connection between this volume type
and PersistentVolumeClaim).
Use PersistentVolumeClaim or one of the vendor-specific APIs for volumes that persist for longer than the lifecycle of an individual pod.
Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to be used that way - see the documentation of the driver for more information.
A pod can use both types of ephemeral volumes and persistent volumes at the same time.
<a name="EphemeralVolumeSource"></a>
*Represents an ephemeral volume that is handled by a normal storage driver.*
- **ephemeral.volumeClaimTemplate** (PersistentVolumeClaimTemplate)
Will be used to create a stand-alone PVC to provision the volume. The pod in which this EphemeralVolumeSource is embedded will be the owner of the PVC, i.e. the PVC will be deleted together with the pod. The name of the PVC will be `\<pod name>-\<volume name>` where `\<volume name>` is the name from the `PodSpec.Volumes` array entry. Pod validation will reject the pod if the concatenated name is not valid for a PVC (for example, too long).
An existing PVC with that name that is not owned by the pod will *not* be used for the pod to avoid using an unrelated volume by mistake. Starting the pod is then blocked until the unrelated PVC is removed. If such a pre-created PVC is meant to be used by the pod, the PVC has to updated with an owner reference to the pod once the pod exists. Normally this should not be necessary, but it may be useful when manually reconstructing a broken cluster.
This field is read-only and no changes will be made by Kubernetes to the PVC after it has been created.
Required, must not be nil.
<a name="PersistentVolumeClaimTemplate"></a>
*PersistentVolumeClaimTemplate is used to produce PersistentVolumeClaim objects as part of an EphemeralVolumeSource.*
- **ephemeral.volumeClaimTemplate.spec** (<a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaimSpec" >}}">PersistentVolumeClaimSpec</a>), required
The specification for the PersistentVolumeClaim. The entire content is copied unchanged into the PVC that gets created from this template. The same fields as in a PersistentVolumeClaim are also valid here.
- **ephemeral.volumeClaimTemplate.metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
May contain labels and annotations that will be copied into the PVC when creating it. No other fields are allowed and will be rejected during validation.
- **fc** (FCVolumeSource)
fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod.
@ -790,50 +831,6 @@ Volume represents a named volume in a pod that may be accessed by any container
storagePolicyName is the storage Policy Based Management (SPBM) profile name.
### Alpha level
- **ephemeral** (EphemeralVolumeSource)
ephemeral represents a volume that is handled by a cluster storage driver. The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, and deleted when the pod is removed.
Use this if: a) the volume is only needed while the pod runs, b) features of normal volumes like restoring from snapshot or capacity
tracking are needed,
c) the storage driver is specified through a storage class, and d) the storage driver supports dynamic volume provisioning through
a PersistentVolumeClaim (see EphemeralVolumeSource for more
information on the connection between this volume type
and PersistentVolumeClaim).
Use PersistentVolumeClaim or one of the vendor-specific APIs for volumes that persist for longer than the lifecycle of an individual pod.
Use CSI for light-weight local ephemeral volumes if the CSI driver is meant to be used that way - see the documentation of the driver for more information.
A pod can use both types of ephemeral volumes and persistent volumes at the same time.
<a name="EphemeralVolumeSource"></a>
*Represents an ephemeral volume that is handled by a normal storage driver.*
- **ephemeral.volumeClaimTemplate** (PersistentVolumeClaimTemplate)
Will be used to create a stand-alone PVC to provision the volume. The pod in which this EphemeralVolumeSource is embedded will be the owner of the PVC, i.e. the PVC will be deleted together with the pod. The name of the PVC will be `\<pod name>-\<volume name>` where `\<volume name>` is the name from the `PodSpec.Volumes` array entry. Pod validation will reject the pod if the concatenated name is not valid for a PVC (for example, too long).
An existing PVC with that name that is not owned by the pod will *not* be used for the pod to avoid using an unrelated volume by mistake. Starting the pod is then blocked until the unrelated PVC is removed. If such a pre-created PVC is meant to be used by the pod, the PVC has to updated with an owner reference to the pod once the pod exists. Normally this should not be necessary, but it may be useful when manually reconstructing a broken cluster.
This field is read-only and no changes will be made by Kubernetes to the PVC after it has been created.
Required, must not be nil.
<a name="PersistentVolumeClaimTemplate"></a>
*PersistentVolumeClaimTemplate is used to produce PersistentVolumeClaim objects as part of an EphemeralVolumeSource.*
- **ephemeral.volumeClaimTemplate.spec** (<a href="{{< ref "../config-and-storage-resources/persistent-volume-claim-v1#PersistentVolumeClaimSpec" >}}">PersistentVolumeClaimSpec</a>), required
The specification for the PersistentVolumeClaim. The entire content is copied unchanged into the PVC that gets created from this template. The same fields as in a PersistentVolumeClaim are also valid here.
- **ephemeral.volumeClaimTemplate.metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
May contain labels and annotations that will be copied into the PVC when creating it. No other fields are allowed and will be rejected during validation.
### Deprecated

4
content/en/docs/reference/kubernetes-api/policy-resources/network-policy-v1.md
View File

@ -125,7 +125,7 @@ NetworkPolicySpec provides the specification of a NetworkPolicy
- **ingress.ports.endPort** (int32)
If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Beta state and is enabled by default. It can be disabled using the Feature Gate "NetworkPolicyEndPort".
If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port.
- **ingress.ports.protocol** (string)
@ -188,7 +188,7 @@ NetworkPolicySpec provides the specification of a NetworkPolicy
- **egress.ports.endPort** (int32)
If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Beta state and is enabled by default. It can be disabled using the Feature Gate "NetworkPolicyEndPort".
If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port.
- **egress.ports.protocol** (string)

739
content/en/docs/reference/kubernetes-api/policy-resources/pod-security-policy-v1beta1.md
View File

@ -1,739 +0,0 @@
---
api_metadata:
apiVersion: "policy/v1beta1"
import: "k8s.io/api/policy/v1beta1"
kind: "PodSecurityPolicy"
content_type: "api_reference"
description: "PodSecurityPolicy governs the ability to make requests that affect the Security Context that will be applied to a pod and container."
title: "PodSecurityPolicy v1beta1"
weight: 5
auto_generated: true
---
<!--
The file is auto-generated from the Go source code of the component using a generic
[generator](https://github.com/kubernetes-sigs/reference-docs/). To learn how
to generate the reference documentation, please read
[Contributing to the reference documentation](/docs/contribute/generate-ref-docs/).
To update the reference content, please follow the
[Contributing upstream](/docs/contribute/generate-ref-docs/contribute-upstream/)
guide. You can file document formatting bugs against the
[reference-docs](https://github.com/kubernetes-sigs/reference-docs/) project.
-->
`apiVersion: policy/v1beta1`
`import "k8s.io/api/policy/v1beta1"`
## PodSecurityPolicy {#PodSecurityPolicy}
PodSecurityPolicy governs the ability to make requests that affect the Security Context that will be applied to a pod and container. Deprecated in 1.21.
<hr>
- **apiVersion**: policy/v1beta1
- **kind**: PodSecurityPolicy
- **metadata** (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta</a>)
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
- **spec** (<a href="{{< ref "../policy-resources/pod-security-policy-v1beta1#PodSecurityPolicySpec" >}}">PodSecurityPolicySpec</a>)
spec defines the policy enforced.
## PodSecurityPolicySpec {#PodSecurityPolicySpec}
PodSecurityPolicySpec defines the policy enforced.
<hr>
- **runAsUser** (RunAsUserStrategyOptions), required
runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.
<a name="RunAsUserStrategyOptions"></a>
*RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.*
- **runAsUser.rule** (string), required
rule is the strategy that will dictate the allowable RunAsUser values that may be set.
- **runAsUser.ranges** ([]IDRange)
ranges are the allowed ranges of uids that may be used. If you would like to force a single uid then supply a single range with the same start and end. Required for MustRunAs.
<a name="IDRange"></a>
*IDRange provides a min/max of an allowed range of IDs.*
- **runAsUser.ranges.max** (int64), required
max is the end of the range, inclusive.
- **runAsUser.ranges.min** (int64), required
min is the start of the range, inclusive.
- **runAsGroup** (RunAsGroupStrategyOptions)
RunAsGroup is the strategy that will dictate the allowable RunAsGroup values that may be set. If this field is omitted, the pod's RunAsGroup can take any value. This field requires the RunAsGroup feature gate to be enabled.
<a name="RunAsGroupStrategyOptions"></a>
*RunAsGroupStrategyOptions defines the strategy type and any options used to create the strategy.*
- **runAsGroup.rule** (string), required
rule is the strategy that will dictate the allowable RunAsGroup values that may be set.
- **runAsGroup.ranges** ([]IDRange)
ranges are the allowed ranges of gids that may be used. If you would like to force a single gid then supply a single range with the same start and end. Required for MustRunAs.
<a name="IDRange"></a>
*IDRange provides a min/max of an allowed range of IDs.*
- **runAsGroup.ranges.max** (int64), required
max is the end of the range, inclusive.
- **runAsGroup.ranges.min** (int64), required
min is the start of the range, inclusive.
- **fsGroup** (FSGroupStrategyOptions), required
fsGroup is the strategy that will dictate what fs group is used by the SecurityContext.
<a name="FSGroupStrategyOptions"></a>
*FSGroupStrategyOptions defines the strategy type and options used to create the strategy.*
- **fsGroup.ranges** ([]IDRange)
ranges are the allowed ranges of fs groups. If you would like to force a single fs group then supply a single range with the same start and end. Required for MustRunAs.
<a name="IDRange"></a>
*IDRange provides a min/max of an allowed range of IDs.*
- **fsGroup.ranges.max** (int64), required
max is the end of the range, inclusive.
- **fsGroup.ranges.min** (int64), required
min is the start of the range, inclusive.
- **fsGroup.rule** (string)
rule is the strategy that will dictate what FSGroup is used in the SecurityContext.
- **supplementalGroups** (SupplementalGroupsStrategyOptions), required
supplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
<a name="SupplementalGroupsStrategyOptions"></a>
*SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.*
- **supplementalGroups.ranges** ([]IDRange)
ranges are the allowed ranges of supplemental groups. If you would like to force a single supplemental group then supply a single range with the same start and end. Required for MustRunAs.
<a name="IDRange"></a>
*IDRange provides a min/max of an allowed range of IDs.*
- **supplementalGroups.ranges.max** (int64), required
max is the end of the range, inclusive.
- **supplementalGroups.ranges.min** (int64), required
min is the start of the range, inclusive.
- **supplementalGroups.rule** (string)
rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.
- **seLinux** (SELinuxStrategyOptions), required
seLinux is the strategy that will dictate the allowable labels that may be set.
<a name="SELinuxStrategyOptions"></a>
*SELinuxStrategyOptions defines the strategy type and any options used to create the strategy.*
- **seLinux.rule** (string), required
rule is the strategy that will dictate the allowable labels that may be set.
- **seLinux.seLinuxOptions** (SELinuxOptions)
seLinuxOptions required to run as; required for MustRunAs More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
<a name="SELinuxOptions"></a>
*SELinuxOptions are the labels to be applied to the container*
- **seLinux.seLinuxOptions.level** (string)
Level is SELinux level label that applies to the container.
- **seLinux.seLinuxOptions.role** (string)
Role is a SELinux role label that applies to the container.
- **seLinux.seLinuxOptions.type** (string)
Type is a SELinux type label that applies to the container.
- **seLinux.seLinuxOptions.user** (string)
User is a SELinux user label that applies to the container.
- **readOnlyRootFilesystem** (boolean)
readOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.
- **privileged** (boolean)
privileged determines if a pod can request to be run as privileged.
- **allowPrivilegeEscalation** (boolean)
allowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.
- **defaultAllowPrivilegeEscalation** (boolean)
defaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process.
- **allowedCSIDrivers** ([]AllowedCSIDriver)
AllowedCSIDrivers is an allowlist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. An empty value indicates that any CSI driver can be used for inline ephemeral volumes. This is a beta field, and is only honored if the API server enables the CSIInlineVolume feature gate.
<a name="AllowedCSIDriver"></a>
*AllowedCSIDriver represents a single inline CSI Driver that is allowed to be used.*
- **allowedCSIDrivers.name** (string), required
Name is the registered name of the CSI driver
- **allowedCapabilities** ([]string)
allowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author's discretion. You must not list a capability in both allowedCapabilities and requiredDropCapabilities.
- **requiredDropCapabilities** ([]string)
requiredDropCapabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added.
- **defaultAddCapabilities** ([]string)
defaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capability in both defaultAddCapabilities and requiredDropCapabilities. Capabilities added here are implicitly allowed, and need not be included in the allowedCapabilities list.
- **allowedFlexVolumes** ([]AllowedFlexVolume)
allowedFlexVolumes is an allowlist of Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the "volumes" field.
<a name="AllowedFlexVolume"></a>
*AllowedFlexVolume represents a single Flexvolume that is allowed to be used.*
- **allowedFlexVolumes.driver** (string), required
driver is the name of the Flexvolume driver.
- **allowedHostPaths** ([]AllowedHostPath)
allowedHostPaths is an allowlist of host paths. Empty indicates that all host paths may be used.
<a name="AllowedHostPath"></a>
*AllowedHostPath defines the host volume conditions that will be enabled by a policy for pods to use. It requires the path prefix to be defined.*
- **allowedHostPaths.pathPrefix** (string)
pathPrefix is the path prefix that the host volume must match. It does not support `*`. Trailing slashes are trimmed when validating the path prefix with a host path.
Examples: `/foo` would allow `/foo`, `/foo/` and `/foo/bar` `/foo` would not allow `/food` or `/etc/foo`
- **allowedHostPaths.readOnly** (boolean)
when set to true, will allow host volumes matching the pathPrefix only if all volume mounts are readOnly.
- **allowedProcMountTypes** ([]string)
AllowedProcMountTypes is an allowlist of allowed ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled.
- **allowedUnsafeSysctls** ([]string)
allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "*" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to allowlist all allowed unsafe sysctls explicitly to avoid rejection.
Examples: e.g. "foo/*" allows "foo/bar", "foo/baz", etc. e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
- **forbiddenSysctls** ([]string)
forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "*" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
Examples: e.g. "foo/*" forbids "foo/bar", "foo/baz", etc. e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
- **hostIPC** (boolean)
hostIPC determines if the policy allows the use of HostIPC in the pod spec.
- **hostNetwork** (boolean)
hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
- **hostPID** (boolean)
hostPID determines if the policy allows the use of HostPID in the pod spec.
- **hostPorts** ([]HostPortRange)
hostPorts determines which host port ranges are allowed to be exposed.
<a name="HostPortRange"></a>
*HostPortRange defines a range of host ports that will be enabled by a policy for pods to use. It requires both the start and end to be defined.*
- **hostPorts.max** (int32), required
max is the end of the range, inclusive.
- **hostPorts.min** (int32), required
min is the start of the range, inclusive.
- **runtimeClass** (RuntimeClassStrategyOptions)
runtimeClass is the strategy that will dictate the allowable RuntimeClasses for a pod. If this field is omitted, the pod's runtimeClassName field is unrestricted. Enforcement of this field depends on the RuntimeClass feature gate being enabled.
<a name="RuntimeClassStrategyOptions"></a>
*RuntimeClassStrategyOptions define the strategy that will dictate the allowable RuntimeClasses for a pod.*
- **runtimeClass.allowedRuntimeClassNames** ([]string), required
allowedRuntimeClassNames is an allowlist of RuntimeClass names that may be specified on a pod. A value of "*" means that any RuntimeClass name is allowed, and must be the only item in the list. An empty list requires the RuntimeClassName field to be unset.
- **runtimeClass.defaultRuntimeClassName** (string)
defaultRuntimeClassName is the default RuntimeClassName to set on the pod. The default MUST be allowed by the allowedRuntimeClassNames list. A value of nil does not mutate the Pod.
- **volumes** ([]string)
volumes is an allowlist of volume plugins. Empty indicates that no volumes may be used. To allow all volumes you may use '*'.
## PodSecurityPolicyList {#PodSecurityPolicyList}
PodSecurityPolicyList is a list of PodSecurityPolicy objects.
<hr>
- **apiVersion**: policy/v1beta1
- **kind**: PodSecurityPolicyList
- **metadata** (<a href="{{< ref "../common-definitions/list-meta#ListMeta" >}}">ListMeta</a>)
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
- **items** ([]<a href="{{< ref "../policy-resources/pod-security-policy-v1beta1#PodSecurityPolicy" >}}">PodSecurityPolicy</a>), required
items is a list of schema objects.
## Operations {#Operations}
<hr>
### `get` read the specified PodSecurityPolicy
#### HTTP Request
GET /apis/policy/v1beta1/podsecuritypolicies/{name}
#### Parameters
- **name** (*in path*): string, required
name of the PodSecurityPolicy
- **pretty** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
#### Response
200 (<a href="{{< ref "../policy-resources/pod-security-policy-v1beta1#PodSecurityPolicy" >}}">PodSecurityPolicy</a>): OK
401: Unauthorized
### `list` list or watch objects of kind PodSecurityPolicy
#### HTTP Request
GET /apis/policy/v1beta1/podsecuritypolicies
#### Parameters
- **allowWatchBookmarks** (*in query*): boolean
<a href="{{< ref "../common-parameters/common-parameters#allowWatchBookmarks" >}}">allowWatchBookmarks</a>
- **continue** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
- **fieldSelector** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
- **labelSelector** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
- **limit** (*in query*): integer
<a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
- **pretty** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
- **resourceVersion** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
- **resourceVersionMatch** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
- **timeoutSeconds** (*in query*): integer
<a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
- **watch** (*in query*): boolean
<a href="{{< ref "../common-parameters/common-parameters#watch" >}}">watch</a>
#### Response
200 (<a href="{{< ref "../policy-resources/pod-security-policy-v1beta1#PodSecurityPolicyList" >}}">PodSecurityPolicyList</a>): OK
401: Unauthorized
### `create` create a PodSecurityPolicy
#### HTTP Request
POST /apis/policy/v1beta1/podsecuritypolicies
#### Parameters
- **body**: <a href="{{< ref "../policy-resources/pod-security-policy-v1beta1#PodSecurityPolicy" >}}">PodSecurityPolicy</a>, required
- **dryRun** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
- **fieldManager** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
- **fieldValidation** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
- **pretty** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
#### Response
200 (<a href="{{< ref "../policy-resources/pod-security-policy-v1beta1#PodSecurityPolicy" >}}">PodSecurityPolicy</a>): OK
201 (<a href="{{< ref "../policy-resources/pod-security-policy-v1beta1#PodSecurityPolicy" >}}">PodSecurityPolicy</a>): Created
202 (<a href="{{< ref "../policy-resources/pod-security-policy-v1beta1#PodSecurityPolicy" >}}">PodSecurityPolicy</a>): Accepted
401: Unauthorized
### `update` replace the specified PodSecurityPolicy
#### HTTP Request
PUT /apis/policy/v1beta1/podsecuritypolicies/{name}
#### Parameters
- **name** (*in path*): string, required
name of the PodSecurityPolicy
- **body**: <a href="{{< ref "../policy-resources/pod-security-policy-v1beta1#PodSecurityPolicy" >}}">PodSecurityPolicy</a>, required
- **dryRun** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
- **fieldManager** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
- **fieldValidation** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
- **pretty** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
#### Response
200 (<a href="{{< ref "../policy-resources/pod-security-policy-v1beta1#PodSecurityPolicy" >}}">PodSecurityPolicy</a>): OK
201 (<a href="{{< ref "../policy-resources/pod-security-policy-v1beta1#PodSecurityPolicy" >}}">PodSecurityPolicy</a>): Created
401: Unauthorized
### `patch` partially update the specified PodSecurityPolicy
#### HTTP Request
PATCH /apis/policy/v1beta1/podsecuritypolicies/{name}
#### Parameters
- **name** (*in path*): string, required
name of the PodSecurityPolicy
- **body**: <a href="{{< ref "../common-definitions/patch#Patch" >}}">Patch</a>, required
- **dryRun** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
- **fieldManager** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager</a>
- **fieldValidation** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#fieldValidation" >}}">fieldValidation</a>
- **force** (*in query*): boolean
<a href="{{< ref "../common-parameters/common-parameters#force" >}}">force</a>
- **pretty** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
#### Response
200 (<a href="{{< ref "../policy-resources/pod-security-policy-v1beta1#PodSecurityPolicy" >}}">PodSecurityPolicy</a>): OK
201 (<a href="{{< ref "../policy-resources/pod-security-policy-v1beta1#PodSecurityPolicy" >}}">PodSecurityPolicy</a>): Created
401: Unauthorized
### `delete` delete a PodSecurityPolicy
#### HTTP Request
DELETE /apis/policy/v1beta1/podsecuritypolicies/{name}
#### Parameters
- **name** (*in path*): string, required
name of the PodSecurityPolicy
- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
- **dryRun** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
- **gracePeriodSeconds** (*in query*): integer
<a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
- **pretty** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
- **propagationPolicy** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
#### Response
200 (<a href="{{< ref "../policy-resources/pod-security-policy-v1beta1#PodSecurityPolicy" >}}">PodSecurityPolicy</a>): OK
202 (<a href="{{< ref "../policy-resources/pod-security-policy-v1beta1#PodSecurityPolicy" >}}">PodSecurityPolicy</a>): Accepted
401: Unauthorized
### `deletecollection` delete collection of PodSecurityPolicy
#### HTTP Request
DELETE /apis/policy/v1beta1/podsecuritypolicies
#### Parameters
- **body**: <a href="{{< ref "../common-definitions/delete-options#DeleteOptions" >}}">DeleteOptions</a>
- **continue** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#continue" >}}">continue</a>
- **dryRun** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun</a>
- **fieldSelector** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#fieldSelector" >}}">fieldSelector</a>
- **gracePeriodSeconds** (*in query*): integer
<a href="{{< ref "../common-parameters/common-parameters#gracePeriodSeconds" >}}">gracePeriodSeconds</a>
- **labelSelector** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#labelSelector" >}}">labelSelector</a>
- **limit** (*in query*): integer
<a href="{{< ref "../common-parameters/common-parameters#limit" >}}">limit</a>
- **pretty** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty</a>
- **propagationPolicy** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#propagationPolicy" >}}">propagationPolicy</a>
- **resourceVersion** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#resourceVersion" >}}">resourceVersion</a>
- **resourceVersionMatch** (*in query*): string
<a href="{{< ref "../common-parameters/common-parameters#resourceVersionMatch" >}}">resourceVersionMatch</a>
- **timeoutSeconds** (*in query*): integer
<a href="{{< ref "../common-parameters/common-parameters#timeoutSeconds" >}}">timeoutSeconds</a>
#### Response
200 (<a href="{{< ref "../common-definitions/status#Status" >}}">Status</a>): OK
401: Unauthorized

2
content/en/docs/reference/kubernetes-api/service-resources/endpoint-slice-v1.md
View File

@ -112,7 +112,7 @@ EndpointSlice represents a subset of the endpoints that implement a service. For
- **endpoints.nodeName** (string)
nodeName represents the name of the Node hosting this endpoint. This can be used to determine endpoints local to a Node. This field can be enabled with the EndpointSliceNodeName feature gate.
nodeName represents the name of the Node hosting this endpoint. This can be used to determine endpoints local to a Node.
- **endpoints.targetRef** (<a href="{{< ref "../common-definitions/object-reference#ObjectReference" >}}">ObjectReference</a>)

38
content/en/docs/reference/kubernetes-api/service-resources/endpoints-v1.md
View File

@ -29,17 +29,18 @@ guide. You can file document formatting bugs against the
## Endpoints {#Endpoints}
Endpoints is a collection of endpoints that implement the actual service. Example:
Name: "mysvc",
Subsets: [
{
Addresses: [{"ip": "10.10.1.1"}, {"ip": "10.10.2.2"}],
Ports: [{"name": "a", "port": 8675}, {"name": "b", "port": 309}]
},
{
Addresses: [{"ip": "10.10.3.3"}],
Ports: [{"name": "a", "port": 93}, {"name": "b", "port": 76}]
},
]
Name: "mysvc",
Subsets: [
{
Addresses: [{"ip": "10.10.1.1"}, {"ip": "10.10.2.2"}],
Ports: [{"name": "a", "port": 8675}, {"name": "b", "port": 309}]
},
{
Addresses: [{"ip": "10.10.3.3"}],
Ports: [{"name": "a", "port": 93}, {"name": "b", "port": 76}]
},
]
<hr>
@ -59,13 +60,16 @@ Endpoints is a collection of endpoints that implement the actual service. Exampl
<a name="EndpointSubset"></a>
*EndpointSubset is a group of addresses with a common set of ports. The expanded set of endpoints is the Cartesian product of Addresses x Ports. For example, given:
{
Addresses: [{"ip": "10.10.1.1"}, {"ip": "10.10.2.2"}],
Ports: [{"name": "a", "port": 8675}, {"name": "b", "port": 309}]
}
{
Addresses: [{"ip": "10.10.1.1"}, {"ip": "10.10.2.2"}],
Ports: [{"name": "a", "port": 8675}, {"name": "b", "port": 309}]
}
The resulting set of endpoints can be viewed as:
a: [ 10.10.1.1:8675, 10.10.2.2:8675 ],
b: [ 10.10.1.1:309, 10.10.2.2:309 ]*
a: [ 10.10.1.1:8675, 10.10.2.2:8675 ],
b: [ 10.10.1.1:309, 10.10.2.2:309 ]*
- **subsets.addresses** ([]EndpointAddress)

2
content/en/docs/reference/kubernetes-api/service-resources/ingress-v1.md
View File

@ -66,7 +66,7 @@ IngressSpec describes the Ingress the user wishes to exist.
- **ingressClassName** (string)
IngressClassName is the name of the IngressClass cluster resource. The associated IngressClass defines which controller will implement the resource. This replaces the deprecated `kubernetes.io/ingress.class` annotation. For backwards compatibility, when that annotation is set, it must be given precedence over this field. The controller may emit a warning if the field and annotation have different values. Implementations of this API should ignore Ingresses without a class specified. An IngressClass resource may be marked as default, which can be used to set a default value for this field. For more information, refer to the IngressClass documentation.
IngressClassName is the name of an IngressClass cluster resource. Ingress controller implementations use this field to know whether they should be serving this Ingress resource, by a transitive connection (controller -> IngressClass -> Ingress resource). Although the `kubernetes.io/ingress.class` annotation (simple constant name) was never formally defined, it was widely supported by Ingress controllers to create a direct binding between Ingress controller and Ingress resources. Newly created Ingress resources should prefer using the field. However, even though the annotation is officially deprecated, for backwards compatibility reasons, ingress controllers should still honor that annotation if present.
- **rules** ([]IngressRule)

4
content/en/docs/reference/kubernetes-api/service-resources/service-v1.md
View File

@ -162,13 +162,13 @@ ServiceSpec describes the attributes that a user creates on a service.
- **externalTrafficPolicy** (string)
externalTrafficPolicy denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints. "Local" preserves the client source IP and avoids a second hop for LoadBalancer and Nodeport type services, but risks potentially imbalanced traffic spreading. "Cluster" obscures the client source IP and may cause a second hop to another node, but should have good overall load-spreading.
externalTrafficPolicy describes how nodes distribute service traffic they receive on one of the Service's "externally-facing" addresses (NodePorts, ExternalIPs, and LoadBalancer IPs). If set to "Local", the proxy will configure the service in a way that assumes that external load balancers will take care of balancing the service traffic between nodes, and so each node will deliver traffic only to the node-local endpoints of the service, without masquerading the client source IP. (Traffic mistakenly sent to a node with no endpoints will be dropped.) The default value, "Cluster", uses the standard behavior of routing to all endpoints evenly (possibly modified by topology and other features). Note that traffic sent to an External IP or LoadBalancer IP from within the cluster will always get "Cluster" semantics, but clients sending to a NodePort from within the cluster may need to take traffic policy into account when picking a node.
- **internalTrafficPolicy** (string)
InternalTrafficPolicy specifies if the cluster internal traffic should be routed to all endpoints or node-local endpoints only. "Cluster" routes internal traffic to a Service to all endpoints. "Local" routes traffic to node-local endpoints only, traffic is dropped if no node-local endpoints are ready. The default value is "Cluster".
InternalTrafficPolicy describes how nodes distribute service traffic they receive on the ClusterIP. If set to "Local", the proxy will assume that pods only want to talk to endpoints of the service on the same node as the pod, dropping the traffic if there are no local endpoints. The default value, "Cluster", uses the standard behavior of routing to all endpoints evenly (possibly modified by topology and other features).
- **healthCheckNodePort** (int32)

50
content/en/docs/reference/kubernetes-api/workload-resources/controller-revision-v1.md
View File

@ -55,28 +55,38 @@ ControllerRevision implements an immutable snapshot of state data. Clients are r
To use this, make a field which has RawExtension as its type in your external, versioned struct, and Object in your internal struct. You also need to register your various plugin types.
// Internal package: type MyAPIObject struct {
runtime.TypeMeta `json:",inline"`
MyPlugin runtime.Object `json:"myPlugin"`
} type PluginA struct {
AOption string `json:"aOption"`
}
// Internal package:
// External package: type MyAPIObject struct {
runtime.TypeMeta `json:",inline"`
MyPlugin runtime.RawExtension `json:"myPlugin"`
} type PluginA struct {
AOption string `json:"aOption"`
}
type MyAPIObject struct {
runtime.TypeMeta `json:",inline"`
MyPlugin runtime.Object `json:"myPlugin"`
}
// On the wire, the JSON will look something like this: {
"kind":"MyAPIObject",
"apiVersion":"v1",
"myPlugin": {
"kind":"PluginA",
"aOption":"foo",
},
}
type PluginA struct {
AOption string `json:"aOption"`
}
// External package:
type MyAPIObject struct {
runtime.TypeMeta `json:",inline"`
MyPlugin runtime.RawExtension `json:"myPlugin"`
}
type PluginA struct {
AOption string `json:"aOption"`
}
// On the wire, the JSON will look something like this:
{
"kind":"MyAPIObject",
"apiVersion":"v1",
"myPlugin": {
"kind":"PluginA",
"aOption":"foo",
},
}
So what happens? Decode first uses json or yaml to unmarshal the serialized data into your external MyAPIObject. That causes the raw JSON to be stored, but not unpacked. The next step is to copy (using pkg/conversion) into the internal struct. The runtime package's DefaultScheme has conversion functions installed which will unpack the JSON stored in RawExtension, turning it into the correct object type, and storing it in the Object. (TODO: In the case where the object is of an unknown type, a runtime.Unknown object will be created and stored.)*

2
content/en/docs/reference/kubernetes-api/workload-resources/cron-job-v1.md
View File

@ -81,7 +81,7 @@ CronJobSpec describes how the job execution will look like and when it will actu
- **timeZone** (string)
The time zone for the given schedule, see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones. If not specified, this will rely on the time zone of the kube-controller-manager process. ALPHA: This field is in alpha and must be enabled via the `CronJobTimeZone` feature gate.
The time zone name for the given schedule, see https://en.wikipedia.org/wiki/List_of_tz_database_time_zones. If not specified, this will default to the time zone of the kube-controller-manager process. The set of valid time zone names and the time zone offset is loaded from the system-wide time zone database by the API server during CronJob validation and the controller manager during execution. If no system-wide time zone database can be found a bundled version of the database is used instead. If the time zone name becomes invalid during the lifetime of a CronJob or due to a change in host configuration, the controller will stop creating new new Jobs and will create a system event with the reason UnknownTimeZone. More information can be found in https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#time-zones This is beta field and must be enabled via the `CronJobTimeZone` feature gate.
- **concurrencyPolicy** (string)

2
content/en/docs/reference/kubernetes-api/workload-resources/daemon-set-v1.md
View File

@ -94,7 +94,7 @@ DaemonSetSpec is the specification of a daemon set.
- **updateStrategy.rollingUpdate.maxSurge** (IntOrString)
The maximum number of nodes with an existing available DaemonSet pod that can have an updated DaemonSet pod during during an update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). This can not be 0 if MaxUnavailable is 0. Absolute number is calculated from percentage by rounding up to a minimum of 1. Default value is 0. Example: when this is set to 30%, at most 30% of the total number of nodes that should be running the daemon pod (i.e. status.desiredNumberScheduled) can have their a new pod created before the old pod is marked as deleted. The update starts by launching new pods on 30% of nodes. Once an updated pod is available (Ready for at least minReadySeconds) the old DaemonSet pod on that node is marked deleted. If the old pod becomes unavailable for any reason (Ready transitions to false, is evicted, or is drained) an updated pod is immediatedly created on that node without considering surge limits. Allowing surge implies the possibility that the resources consumed by the daemonset on any given node can double if the readiness check fails, and so resource intensive daemonsets should take into account that they may cause evictions during disruption. This is beta field and enabled/disabled by DaemonSetUpdateSurge feature gate.
The maximum number of nodes with an existing available DaemonSet pod that can have an updated DaemonSet pod during during an update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). This can not be 0 if MaxUnavailable is 0. Absolute number is calculated from percentage by rounding up to a minimum of 1. Default value is 0. Example: when this is set to 30%, at most 30% of the total number of nodes that should be running the daemon pod (i.e. status.desiredNumberScheduled) can have their a new pod created before the old pod is marked as deleted. The update starts by launching new pods on 30% of nodes. Once an updated pod is available (Ready for at least minReadySeconds) the old DaemonSet pod on that node is marked deleted. If the old pod becomes unavailable for any reason (Ready transitions to false, is evicted, or is drained) an updated pod is immediatedly created on that node without considering surge limits. Allowing surge implies the possibility that the resources consumed by the daemonset on any given node can double if the readiness check fails, and so resource intensive daemonsets should take into account that they may cause evictions during disruption.
<a name="IntOrString"></a>
*IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number.*

2
content/en/docs/reference/kubernetes-api/workload-resources/job-v1.md
View File

@ -222,7 +222,7 @@ JobStatus represents the current state of a Job.
### Alpha level
### Beta level
- **ready** (int32)

66
content/en/docs/reference/kubernetes-api/workload-resources/pod-v1.md
View File

@ -77,6 +77,12 @@ PodSpec is a description of a pod.
List of initialization containers belonging to the pod. Init containers are executed in order prior to containers being started. If any init container fails, the pod is considered to have failed and is handled according to its restartPolicy. The name for an init container or normal container must be unique among all containers. Init containers may not have Lifecycle actions, Readiness probes, Liveness probes, or Startup probes. The resourceRequirements of an init container are taken into account during scheduling by finding the highest request/limit for each resource type, and then using the max of of that value or the sum of the normal containers. Limits are applied to init containers in a similar fashion. Init containers cannot currently be added or removed. Cannot be updated. More info: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
- **ephemeralContainers** ([]<a href="{{< ref "../workload-resources/pod-v1#EphemeralContainer" >}}">EphemeralContainer</a>)
*Patch strategy: merge on key `name`*
List of ephemeral containers run in this pod. Ephemeral containers may be run in an existing pod to perform user-initiated actions such as debugging. This list cannot be specified when creating a pod, and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource.
- **imagePullSecrets** ([]<a href="{{< ref "../common-definitions/local-object-reference#LocalObjectReference" >}}">LocalObjectReference</a>)
*Patch strategy: merge on key `name`*
@ -93,7 +99,7 @@ PodSpec is a description of a pod.
If the OS field is set to linux, the following fields must be unset: -securityContext.windowsOptions
If the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - spec.shareProcessNamespace - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup This is a beta field and requires the IdentifyPodOS feature
If the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls - spec.shareProcessNamespace - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup
<a name="PodOS"></a>
*PodOS defines the OS parameters of a pod.*
@ -188,6 +194,10 @@ PodSpec is a description of a pod.
The priority value. Various system components use this field to find the priority of the pod. When Priority Admission Controller is enabled, it prevents users from setting this field. The admission controller populates this field from PriorityClassName. The higher the value, the higher the priority.
- **preemptionPolicy** (string)
PreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset.
- **topologySpreadConstraints** ([]TopologySpreadConstraint)
*Patch strategy: merge on key `topologyKey`*
@ -205,7 +215,7 @@ PodSpec is a description of a pod.
- **topologySpreadConstraints.topologyKey** (string), required
TopologyKey is the key of node labels. Nodes that have a label with this key and identical values are considered to be in the same topology. We consider each \<key, value> as a "bucket", and try to put balanced number of pods into each bucket. We define a domain as a particular instance of a topology. Also, we define an eligible domain as a domain whose nodes match the node selector. e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. It's a required field.
TopologyKey is the key of node labels. Nodes that have a label with this key and identical values are considered to be in the same topology. We consider each \<key, value> as a "bucket", and try to put balanced number of pods into each bucket. We define a domain as a particular instance of a topology. Also, we define an eligible domain as a domain whose nodes meet the requirements of nodeAffinityPolicy and nodeTaintsPolicy. e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. It's a required field.
- **topologySpreadConstraints.whenUnsatisfiable** (string), required
@ -220,13 +230,35 @@ PodSpec is a description of a pod.
LabelSelector is used to find matching pods. Pods that match this label selector are counted to determine the number of pods in their corresponding topology domain.
- **topologySpreadConstraints.matchLabelKeys** ([]string)
*Atomic: will be replaced during a merge*
MatchLabelKeys is a set of pod label keys to select the pods over which spreading will be calculated. The keys are used to lookup values from the incoming pod labels, those key-value labels are ANDed with labelSelector to select the group of existing pods over which spreading will be calculated for the incoming pod. Keys that don't exist in the incoming pod labels will be ignored. A null or empty list means only match against labelSelector.
- **topologySpreadConstraints.minDomains** (int32)
MinDomains indicates a minimum number of eligible domains. When the number of eligible domains with matching topology keys is less than minDomains, Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. And when the number of eligible domains with matching topology keys equals or greater than minDomains, this value has no effect on scheduling. As a result, when the number of eligible domains is less than minDomains, scheduler won't schedule more than maxSkew Pods to those domains. If value is nil, the constraint behaves as if MinDomains is equal to 1. Valid values are integers greater than 0. When value is not nil, WhenUnsatisfiable must be DoNotSchedule.
For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same labelSelector spread as 2/2/2: | zone1 | zone2 | zone3 | | P P | P P | P P | The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. In this situation, new pod with the same labelSelector cannot be scheduled, because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, it will violate MaxSkew.
This is an alpha field and requires enabling MinDomainsInPodTopologySpread feature gate.
This is a beta field and requires the MinDomainsInPodTopologySpread feature gate to be enabled (enabled by default).
- **topologySpreadConstraints.nodeAffinityPolicy** (string)
NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector when calculating pod topology spread skew. Options are: - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.
If this value is nil, the behavior is equivalent to the Honor policy. This is a alpha-level feature enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
- **topologySpreadConstraints.nodeTaintsPolicy** (string)
NodeTaintsPolicy indicates how we will treat node taints when calculating pod topology spread skew. Options are: - Honor: nodes without taints, along with tainted nodes for which the incoming pod has a toleration, are included. - Ignore: node taints are ignored. All nodes are included.
If this value is nil, the behavior is equivalent to the Ignore policy. This is a alpha-level feature enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.
- **overhead** (map[string]<a href="{{< ref "../common-definitions/quantity#Quantity" >}}">Quantity</a>)
Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. This field will be autopopulated at admission time by the RuntimeClass admission controller. If the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests. The RuntimeClass admission controller will reject Pod create requests which have the overhead already set. If RuntimeClass is configured and selected in the PodSpec, Overhead will be set to the value defined in the corresponding RuntimeClass, otherwise it will remain unset and treated as zero. More info: https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md
### Lifecycle
@ -471,23 +503,6 @@ PodSpec is a description of a pod.
The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
### Beta level
- **ephemeralContainers** ([]<a href="{{< ref "../workload-resources/pod-v1#EphemeralContainer" >}}">EphemeralContainer</a>)
*Patch strategy: merge on key `name`*
List of ephemeral containers run in this pod. Ephemeral containers may be run in an existing pod to perform user-initiated actions such as debugging. This list cannot be specified when creating a pod, and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. This field is beta-level and available on clusters that haven't disabled the EphemeralContainers feature gate.
- **preemptionPolicy** (string)
PreemptionPolicy is the Policy for preempting pods with lower priority. One of Never, PreemptLowerPriority. Defaults to PreemptLowerPriority if unset.
- **overhead** (map[string]<a href="{{< ref "../common-definitions/quantity#Quantity" >}}">Quantity</a>)
Overhead represents the resource overhead associated with running a pod for a given RuntimeClass. This field will be autopopulated at admission time by the RuntimeClass admission controller. If the RuntimeClass admission controller is enabled, overhead must not be set in Pod create requests. The RuntimeClass admission controller will reject Pod create requests which have the overhead already set. If RuntimeClass is configured and selected in the PodSpec, Overhead will be set to the value defined in the corresponding RuntimeClass, otherwise it will remain unset and treated as zero. More info: https://git.k8s.io/enhancements/keps/sig-node/688-pod-overhead/README.md
### Deprecated
@ -546,7 +561,7 @@ A single application container that you want to run within a pod.
*Map: unique values on keys `containerPort, protocol` will be kept during a merge*
List of ports to expose from the container. Exposing a port here gives the system additional information about the network connections a container uses, but is primarily informational. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Cannot be updated.
List of ports to expose from the container. Not specifying a port here DOES NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will be accessible from the network. Modifying this array with strategic merge patch may corrupt the data. For more information See https://github.com/kubernetes/kubernetes/issues/108255. Cannot be updated.
<a name="ContainerPort"></a>
*ContainerPort represents a network port in a single container.*
@ -943,8 +958,6 @@ An EphemeralContainer is a temporary container that you may add to an existing P
To add an ephemeral container, use the ephemeralcontainers subresource of an existing Pod. Ephemeral containers may not be removed or restarted.
This is a beta feature available on clusters that haven't disabled the EphemeralContainers feature gate.
<hr>
- **name** (string), required
@ -1832,7 +1845,8 @@ PodStatus represents information about the status of a pod. Status may trail the
<a name="PodIP"></a>
*IP address information for entries in the (plural) PodIPs field. Each entry includes:
IP: An IP address allocated to the pod. Routable at least within the cluster.*
IP: An IP address allocated to the pod. Routable at least within the cluster.*
- **podIPs.ip** (string)
@ -1879,7 +1893,7 @@ PodStatus represents information about the status of a pod. Status may trail the
- **qosClass** (string)
The Quality of Service (QOS) classification assigned to the pod based on resource requirements See PodQOSClass type for available QOS classes More info: https://git.k8s.io/design-proposals-archive/node/resource-qos.md
The Quality of Service (QOS) classification assigned to the pod based on resource requirements See PodQOSClass type for available QOS classes More info: https://git.k8s.io/community/contributors/design-proposals/node/resource-qos.md
@ -2263,7 +2277,7 @@ PodStatus represents information about the status of a pod. Status may trail the
- **ephemeralContainerStatuses** ([]ContainerStatus)
Status for any ephemeral containers that have run in this pod. This field is beta-level and available on clusters that haven't disabled the EphemeralContainers feature gate.
Status for any ephemeral containers that have run in this pod.
<a name="ContainerStatus"></a>
*ContainerStatus contains details for the current status of this container.*

9
content/en/docs/reference/kubernetes-api/workload-resources/stateful-set-v1.md
View File

@ -29,8 +29,9 @@ guide. You can file document formatting bugs against the
## StatefulSet {#StatefulSet}
StatefulSet represents a set of pods with consistent identities. Identities are defined as:
- Network: A single stable DNS and hostname.
- Storage: As many VolumeClaims as requested.
- Network: A single stable DNS and hostname.
- Storage: As many VolumeClaims as requested.
The StatefulSet guarantees that a given network identity will always map to the same storage identity.
<hr>
@ -126,7 +127,7 @@ A StatefulSetSpec is the specification of a StatefulSet.
- **minReadySeconds** (int32)
Minimum number of seconds for which a newly created pod should be ready without any of its container crashing for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready) This is an alpha field and requires enabling StatefulSetMinReadySeconds feature gate.
Minimum number of seconds for which a newly created pod should be ready without any of its container crashing for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready)
- **persistentVolumeClaimRetentionPolicy** (StatefulSetPersistentVolumeClaimRetentionPolicy)
@ -171,7 +172,7 @@ StatefulSetStatus represents the current state of a StatefulSet.
- **availableReplicas** (int32)
Total number of available pods (ready for at least minReadySeconds) targeted by this statefulset. This is a beta field and enabled/disabled by StatefulSetMinReadySeconds feature gate.
Total number of available pods (ready for at least minReadySeconds) targeted by this statefulset.
- **collisionCount** (int32)