---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.5.0
creationTimestamp: null
name: hostedclusters.hypershift.openshift.io
spec:
group: hypershift.openshift.io
names:
kind: HostedCluster
listKind: HostedClusterList
plural: hostedclusters
shortNames:
- hc
- hcs
singular: hostedcluster
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Version
jsonPath: .status.version.history[?(@.state=="Completed")].version
name: Version
type: string
- description: KubeConfig Secret
jsonPath: .status.kubeconfig.name
name: KubeConfig
type: string
- description: Progress
jsonPath: .status.version.history[?(@.state!="")].state
name: Progress
type: string
- description: Available
jsonPath: .status.conditions[?(@.type=="Available")].status
name: Available
type: string
- description: Reason
jsonPath: .status.conditions[?(@.type=="Available")].reason
name: Reason
type: string
- description: Message
jsonPath: .status.conditions[?(@.type=="Available")].message
name: Message
type: string
name: v1alpha1
schema:
openAPIV3Schema:
description: HostedCluster is the primary representation of a HyperShift cluster
and encapsulates the control plane and common data plane configuration.
Creating a HostedCluster results in a fully functional OpenShift control
plane with no attached nodes. To support workloads (e.g. pods), a HostedCluster
may have one or more associated NodePool resources.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec is the desired behavior of the HostedCluster.
properties:
additionalTrustBundle:
description: AdditionalTrustBundle is a reference to a ConfigMap containing
a PEM-encoded X.509 certificate bundle that will be added to the
hosted controlplane and nodes
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
auditWebhook:
description: "AuditWebhook contains metadata for configuring an audit
webhook endpoint for a cluster to process cluster audit events.
It references a secret that contains the webhook information for
the audit webhook endpoint. It is a secret because if the endpoint
has mTLS the kubeconfig will contain client keys. The kubeconfig
needs to be stored in the secret with a secret key name that corresponds
to the constant AuditWebhookKubeconfigKey. \n This field is currently
only supported on the IBMCloud platform."
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
autoscaling:
description: Autoscaling specifies auto-scaling behavior that applies
to all NodePools associated with the control plane.
properties:
maxNodeProvisionTime:
description: MaxNodeProvisionTime is the maximum time to wait
for node provisioning before considering the provisioning to
be unsuccessful, expressed as a Go duration string. The default
is 15 minutes.
pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$
type: string
maxNodesTotal:
description: MaxNodesTotal is the maximum allowable number of
nodes across all NodePools for a HostedCluster. The autoscaler
will not grow the cluster beyond this number.
format: int32
minimum: 0
type: integer
maxPodGracePeriod:
description: MaxPodGracePeriod is the maximum seconds to wait
for graceful pod termination before scaling down a NodePool.
The default is 600 seconds.
format: int32
minimum: 0
type: integer
podPriorityThreshold:
description: "PodPriorityThreshold enables users to schedule \"best-effort\"
pods, which shouldn't trigger autoscaler actions, but only run
when there are spare resources available. The default is -10.
\n See the following for more details: https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-cluster-autoscaler-work-with-pod-priority-and-preemption"
format: int32
type: integer
type: object
clusterID:
description: ClusterID uniquely identifies this cluster. This is expected
to be an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
in hexadecimal values). As with a Kubernetes metadata.uid, this
ID uniquely identifies this cluster in space and time. This value
identifies the cluster in metrics pushed to telemetry and metrics
produced by the control plane operators. If a value is not specified,
an ID is generated. After initial creation, the value is immutable.
pattern: '[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}'
type: string
configuration:
description: Configuration specifies configuration for individual
OCP components in the cluster, represented as embedded resources
that correspond to the openshift configuration API.
properties:
apiServer:
description: APIServer holds configuration (like serving certificates,
client CA and CORS domains) shared by all API servers in the
system, among them especially kube-apiserver and openshift-apiserver.
properties:
additionalCORSAllowedOrigins:
description: additionalCORSAllowedOrigins lists additional,
user-defined regular expressions describing hosts for which
the API server allows access using the CORS headers. This
may be needed to access the API and the integrated OAuth
server from JavaScript applications. The values are regular
expressions that correspond to the Golang regular expression
language.
items:
type: string
type: array
audit:
default:
profile: Default
description: audit specifies the settings for audit configuration
to be applied to all OpenShift-provided API servers in the
cluster.
properties:
customRules:
description: customRules specify profiles per group. These
profiles take precedence over the top-level profile field
if they apply. They are evaluated from top to bottom
and the first one that matches applies.
items:
description: AuditCustomRule describes a custom rule
for an audit profile that takes precedence over the
top-level profile.
properties:
group:
description: group is the name of a group a request
user must be a member of in order for this profile
to apply.
minLength: 1
type: string
profile:
description: "profile specifies the name of the
desired audit policy configuration to be deployed
to all OpenShift-provided API servers in the cluster.
\n The following profiles are provided: - Default:
the existing default policy. - WriteRequestBodies:
like 'Default', but logs request and response
HTTP payloads for write requests (create, update,
patch). - AllRequestBodies: like 'WriteRequestBodies',
but also logs request and response HTTP payloads
for read requests (get, list). - None: no requests
are logged at all, not even oauthaccesstokens
and oauthauthorizetokens. \n If unset, the 'Default'
profile is used as the default."
enum:
- Default
- WriteRequestBodies
- AllRequestBodies
- None
type: string
required:
- group
- profile
type: object
type: array
x-kubernetes-list-map-keys:
- group
x-kubernetes-list-type: map
profile:
default: Default
description: "profile specifies the name of the desired
top-level audit profile to be applied to all requests
sent to any of the OpenShift-provided API servers in
the cluster (kube-apiserver, openshift-apiserver and
oauth-apiserver), with the exception of those requests
that match one or more of the customRules. \n The following
profiles are provided: - Default: default policy which
means MetaData level logging with the exception of events
\ (not logged at all), oauthaccesstokens and oauthauthorizetokens
(both logged at RequestBody level). - WriteRequestBodies:
like 'Default', but logs request and response HTTP payloads
for write requests (create, update, patch). - AllRequestBodies:
like 'WriteRequestBodies', but also logs request and
response HTTP payloads for read requests (get, list).
- None: no requests are logged at all, not even oauthaccesstokens
and oauthauthorizetokens. \n Warning: It is not recommended
to disable audit logging by using the `None` profile
unless you are fully aware of the risks of not logging
data that can be beneficial when troubleshooting issues.
If you disable audit logging and a support situation
arises, you might need to enable audit logging and reproduce
the issue in order to troubleshoot properly. \n If unset,
the 'Default' profile is used as the default."
enum:
- Default
- WriteRequestBodies
- AllRequestBodies
- None
type: string
type: object
clientCA:
description: 'clientCA references a ConfigMap containing a
certificate bundle for the signers that will be recognized
for incoming client certificates in addition to the operator
managed signers. If this is empty, then only operator managed
signers are valid. You usually only have to set this if
you have your own PKI you wish to honor client certificates
from. The ConfigMap must exist in the openshift-config namespace
and contain the following required fields: - ConfigMap.Data["ca-bundle.crt"]
- CA bundle.'
properties:
name:
description: name is the metadata.name of the referenced
config map
type: string
required:
- name
type: object
encryption:
description: encryption allows the configuration of encryption
of resources at the datastore layer.
properties:
type:
description: "type defines what encryption type should
be used to encrypt resources at the datastore layer.
When this field is unset (i.e. when it is set to the
empty string), identity is implied. The behavior of
unset can and will change over time. Even if encryption
is enabled by default, the meaning of unset may change
to a different encryption type based on changes in best
practices. \n When encryption is enabled, all sensitive
resources shipped with the platform are encrypted. This
list of sensitive resources can and will change over
time. The current authoritative list is: \n 1. secrets
\ 2. configmaps 3. routes.route.openshift.io 4.
oauthaccesstokens.oauth.openshift.io 5. oauthauthorizetokens.oauth.openshift.io"
enum:
- ""
- identity
- aescbc
type: string
type: object
servingCerts:
description: servingCert is the TLS cert info for serving
secure traffic. If not specified, operator managed certificates
will be used for serving secure traffic.
properties:
namedCertificates:
description: namedCertificates references secrets containing
the TLS cert info for serving secure traffic to specific
hostnames. If no named certificates are provided, or
no named certificates match the server name as understood
by a client, the defaultServingCertificate will be used.
items:
description: APIServerNamedServingCert maps a server
DNS name, as understood by a client, to a certificate.
properties:
names:
description: names is an optional list of explicit
DNS names (leading wildcards allowed) that should
use this certificate to serve secure traffic.
If no names are provided, the implicit names will
be extracted from the certificates. Exact names
trump over wildcard names. Explicit names defined
here trump over extracted implicit names.
items:
type: string
type: array
servingCertificate:
description: 'servingCertificate references a kubernetes.io/tls
type secret containing the TLS cert info for serving
secure traffic. The secret must exist in the openshift-config
namespace and contain the following required fields:
- Secret.Data["tls.key"] - TLS private key. -
Secret.Data["tls.crt"] - TLS certificate.'
properties:
name:
description: name is the metadata.name of the
referenced secret
type: string
required:
- name
type: object
type: object
type: array
type: object
tlsSecurityProfile:
description: "tlsSecurityProfile specifies settings for TLS
connections for externally exposed servers. \n If unset,
a default (which may change between releases) is chosen.
Note that only Old, Intermediate and Custom profiles are
currently supported, and the maximum available MinTLSVersions
is VersionTLS12."
properties:
custom:
description: "custom is a user-defined TLS security profile.
Be extremely careful using a custom profile as invalid
configurations can be catastrophic. An example custom
profile looks like this: \n ciphers: - ECDHE-ECDSA-CHACHA20-POLY1305
\ - ECDHE-RSA-CHACHA20-POLY1305 - ECDHE-RSA-AES128-GCM-SHA256
\ - ECDHE-ECDSA-AES128-GCM-SHA256 minTLSVersion:
TLSv1.1"
nullable: true
properties:
ciphers:
description: "ciphers is used to specify the cipher
algorithms that are negotiated during the TLS handshake.
\ Operators may remove entries their operands do
not support. For example, to use DES-CBC3-SHA (yaml):
\n ciphers: - DES-CBC3-SHA"
items:
type: string
type: array
minTLSVersion:
description: "minTLSVersion is used to specify the
minimal version of the TLS protocol that is negotiated
during the TLS handshake. For example, to use TLS
versions 1.1, 1.2 and 1.3 (yaml): \n minTLSVersion:
TLSv1.1 \n NOTE: currently the highest minTLSVersion
allowed is VersionTLS12"
enum:
- VersionTLS10
- VersionTLS11
- VersionTLS12
- VersionTLS13
type: string
type: object
intermediate:
description: "intermediate is a TLS security profile based
on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29
\n and looks like this (yaml): \n ciphers: - TLS_AES_128_GCM_SHA256
\ - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256
\ - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256
\ - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384
\ - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305
\ - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384
\ minTLSVersion: TLSv1.2"
nullable: true
type: object
modern:
description: "modern is a TLS security profile based on:
\n https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
\n and looks like this (yaml): \n ciphers: - TLS_AES_128_GCM_SHA256
\ - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256
\ minTLSVersion: TLSv1.3 \n NOTE: Currently unsupported."
nullable: true
type: object
old:
description: "old is a TLS security profile based on:
\n https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility
\n and looks like this (yaml): \n ciphers: - TLS_AES_128_GCM_SHA256
\ - TLS_AES_256_GCM_SHA384 - TLS_CHACHA20_POLY1305_SHA256
\ - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256
\ - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384
\ - ECDHE-ECDSA-CHACHA20-POLY1305 - ECDHE-RSA-CHACHA20-POLY1305
\ - DHE-RSA-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384
\ - DHE-RSA-CHACHA20-POLY1305 - ECDHE-ECDSA-AES128-SHA256
\ - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA
\ - ECDHE-RSA-AES128-SHA - ECDHE-ECDSA-AES256-SHA384
\ - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA
\ - ECDHE-RSA-AES256-SHA - DHE-RSA-AES128-SHA256
\ - DHE-RSA-AES256-SHA256 - AES128-GCM-SHA256
\ - AES256-GCM-SHA384 - AES128-SHA256 - AES256-SHA256
\ - AES128-SHA - AES256-SHA - DES-CBC3-SHA
\ minTLSVersion: TLSv1.0"
nullable: true
type: object
type:
description: "type is one of Old, Intermediate, Modern
or Custom. Custom provides the ability to specify individual
TLS security profile parameters. Old, Intermediate and
Modern are TLS security profiles based on: \n https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
\n The profiles are intent based, so they may change
over time as new ciphers are developed and existing
ciphers are found to be insecure. Depending on precisely
which ciphers are available to a process, the list may
be reduced. \n Note that the Modern profile is currently
not supported because it is not yet well adopted by
common software libraries."
enum:
- Old
- Intermediate
- Modern
- Custom
type: string
type: object
type: object
authentication:
description: Authentication specifies cluster-wide settings for
authentication (like OAuth and webhook token authenticators).
properties:
oauthMetadata:
description: 'oauthMetadata contains the discovery endpoint
data for OAuth 2.0 Authorization Server Metadata for an
external OAuth server. This discovery document can be viewed
from its served location: oc get --raw ''/.well-known/oauth-authorization-server''
For further details, see the IETF Draft: https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2
If oauthMetadata.name is non-empty, this value has precedence
over any metadata reference stored in status. The key "oauthMetadata"
is used to locate the data. If specified and the config
map or expected key is not found, no metadata is served.
If the specified metadata is not valid, no metadata is served.
The namespace for this config map is openshift-config.'
properties:
name:
description: name is the metadata.name of the referenced
config map
type: string
required:
- name
type: object
serviceAccountIssuer:
description: 'serviceAccountIssuer is the identifier of the
bound service account token issuer. The default is https://kubernetes.default.svc
WARNING: Updating this field will result in the invalidation
of all bound tokens with the previous issuer value. Unless
the holder of a bound token has explicit support for a change
in issuer, they will not request a new bound token until
pod restart or until their existing token exceeds 80% of
its duration.'
type: string
type:
description: type identifies the cluster managed, user facing
authentication mode in use. Specifically, it manages the
component that responds to login attempts. The default is
IntegratedOAuth.
type: string
webhookTokenAuthenticator:
description: webhookTokenAuthenticator configures a remote
token reviewer. These remote authentication webhooks can
be used to verify bearer tokens via the tokenreviews.authentication.k8s.io
REST API. This is required to honor bearer tokens that are
provisioned by an external authentication service.
properties:
kubeConfig:
description: "kubeConfig references a secret that contains
kube config file data which describes how to access
the remote webhook service. The namespace for the referenced
secret is openshift-config. \n For further details,
see: \n https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
\n The key \"kubeConfig\" is used to locate the data.
If the secret or expected key is not found, the webhook
is not honored. If the specified kube config data is
not valid, the webhook is not honored."
properties:
name:
description: name is the metadata.name of the referenced
secret
type: string
required:
- name
type: object
required:
- kubeConfig
type: object
webhookTokenAuthenticators:
description: webhookTokenAuthenticators is DEPRECATED, setting
it has no effect.
items:
description: deprecatedWebhookTokenAuthenticator holds the
necessary configuration options for a remote token authenticator.
It's the same as WebhookTokenAuthenticator but it's missing
the 'required' validation on the KubeConfig field.
properties:
kubeConfig:
description: 'kubeConfig contains kube config file data
which describes how to access the remote webhook service.
For further details, see: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication
The key "kubeConfig" is used to locate the data. If
the secret or expected key is not found, the webhook
is not honored. If the specified kube config data
is not valid, the webhook is not honored. The namespace
for this secret is determined by the point of use.'
properties:
name:
description: name is the metadata.name of the referenced
secret
type: string
required:
- name
type: object
type: object
type: array
type: object
configMapRefs:
description: "ConfigMapRefs holds references to any configmaps
referenced by configuration entries. Entries can reference the
configmaps using local object references. \n Deprecated This
field is deprecated and will be removed in a future release"
items:
description: LocalObjectReference contains enough information
to let you locate the referenced object inside the same namespace.
properties:
name:
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
TODO: Add other useful fields. apiVersion, kind, uid?'
type: string
type: object
type: array
featureGate:
description: FeatureGate holds cluster-wide information about
feature gates.
properties:
customNoUpgrade:
description: customNoUpgrade allows the enabling or disabling
of any feature. Turning this feature set on IS NOT SUPPORTED,
CANNOT BE UNDONE, and PREVENTS UPGRADES. Because of its
nature, this setting cannot be validated. If you have any
typos or accidentally apply invalid combinations your cluster
may fail in an unrecoverable way. featureSet must equal
"CustomNoUpgrade" to use this field.
nullable: true
properties:
disabled:
description: disabled is a list of all feature gates that
you want to force off
items:
type: string
type: array
enabled:
description: enabled is a list of all feature gates that
you want to force on
items:
type: string
type: array
type: object
featureSet:
description: featureSet changes the list of features in the
cluster. The default is empty. Be very careful adjusting
this setting. Turning on or off features may cause irreversible
changes in your cluster which cannot be undone.
type: string
type: object
image:
description: Image governs policies related to imagestream imports
and runtime configuration for external registries. It allows
cluster admins to configure which registries OpenShift is allowed
to import images from, extra CA trust bundles for external registries,
and policies to block or allow registry hostnames. When exposing
OpenShift's image registry to the public, this also lets cluster
admins specify the external hostname.
properties:
additionalTrustedCA:
description: additionalTrustedCA is a reference to a ConfigMap
containing additional CAs that should be trusted during
imagestream import, pod image pull, build image pull, and
imageregistry pullthrough. The namespace for this config
map is openshift-config.
properties:
name:
description: name is the metadata.name of the referenced
config map
type: string
required:
- name
type: object
allowedRegistriesForImport:
description: allowedRegistriesForImport limits the container
image registries that normal users may import images from.
Set this list to the registries that you trust to contain
valid Docker images and that you want applications to be
able to import from. Users with permission to create Images
or ImageStreamMappings via the API are not affected by this
policy - typically only administrators or system integrations
will have those permissions.
items:
description: RegistryLocation contains a location of the
registry specified by the registry domain name. The domain
name might include wildcards, like '*' or '??'.
properties:
domainName:
description: domainName specifies a domain name for
the registry. In case the registry uses a non-standard
(80 or 443) port, the port should be included in the
domain name as well.
type: string
insecure:
description: insecure indicates whether the registry
is secure (https) or insecure (http). By default (if
not specified) the registry is assumed to be secure.
type: boolean
type: object
type: array
externalRegistryHostnames:
description: externalRegistryHostnames provides the hostnames
for the default external image registry. The external hostname
should be set only when the image registry is exposed externally.
The first value is used in 'publicDockerImageRepository'
field in ImageStreams. The value must be in "hostname[:port]"
format.
items:
type: string
type: array
registrySources:
description: registrySources contains configuration that determines
how the container runtime should treat individual registries
when accessing images for builds+pods. (e.g. whether or
not to allow insecure access). It does not contain configuration
for the internal cluster registry.
properties:
allowedRegistries:
description: "allowedRegistries are the only registries
permitted for image pull and push actions. All other
registries are denied. \n Only one of BlockedRegistries
or AllowedRegistries may be set."
items:
type: string
type: array
blockedRegistries:
description: "blockedRegistries cannot be used for image
pull and push actions. All other registries are permitted.
\n Only one of BlockedRegistries or AllowedRegistries
may be set."
items:
type: string
type: array
containerRuntimeSearchRegistries:
description: 'containerRuntimeSearchRegistries are registries
that will be searched when pulling images that do not
have fully qualified domains in their pull specs. Registries
will be searched in the order provided in the list.
Note: this search list only works with the container
runtime, i.e. CRI-O. Will NOT work with builds or imagestream
imports.'
format: hostname
items:
type: string
minItems: 1
type: array
x-kubernetes-list-type: set
insecureRegistries:
description: insecureRegistries are registries which do
not have valid TLS certificates or only support HTTP
connections.
items:
type: string
type: array
type: object
type: object
ingress:
description: Ingress holds cluster-wide information about ingress,
including the default ingress domain used for routes.
properties:
appsDomain:
description: appsDomain is an optional domain to use instead
of the one specified in the domain field when a Route is
created without specifying an explicit host. If appsDomain
is nonempty, this value is used to generate default host
values for Route. Unlike domain, appsDomain may be modified
after installation. This assumes a new ingresscontroller
has been set up with a wildcard certificate.
type: string
componentRoutes:
description: "componentRoutes is an optional list of routes
that are managed by OpenShift components that a cluster-admin
is able to configure the hostname and serving certificate
for. The namespace and name of each route in this list should
match an existing entry in the status.componentRoutes list.
\n To determine the set of configurable Routes, look at
namespace and name of entries in the .status.componentRoutes
list, where participating operators write the status of
configurable routes."
items:
description: ComponentRouteSpec allows for configuration
of a route's hostname and serving certificate.
properties:
hostname:
description: hostname is the hostname that should be
used by the route.
pattern: ^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z\p{L}]){2,63})$|^(([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})[\.]){0,}([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})$
type: string
name:
description: "name is the logical name of the route
to customize. \n The namespace and name of this componentRoute
must match a corresponding entry in the list of status.componentRoutes
if the route is to be customized."
maxLength: 256
minLength: 1
type: string
namespace:
description: "namespace is the namespace of the route
to customize. \n The namespace and name of this componentRoute
must match a corresponding entry in the list of status.componentRoutes
if the route is to be customized."
maxLength: 63
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
type: string
servingCertKeyPairSecret:
description: servingCertKeyPairSecret is a reference
to a secret of type `kubernetes.io/tls` in the openshift-config
namespace. The serving cert/key pair must match and
will be used by the operator to fulfill the intent
of serving with this name. If the custom hostname
uses the default routing suffix of the cluster, the
Secret specification for a serving certificate will
not be needed.
properties:
name:
description: name is the metadata.name of the referenced
secret
type: string
required:
- name
type: object
required:
- hostname
- name
- namespace
type: object
type: array
domain:
description: "domain is used to generate a default host name
for a route when the route's host name is empty. The generated
host name will follow this pattern: \"<route-name>.<route-namespace>.<domain>\".
\n It is also used as the default wildcard domain suffix
for ingress. The default ingresscontroller domain will follow
this pattern: \"*.<domain>\". \n Once set, changing domain
is not currently supported."
type: string
requiredHSTSPolicies:
description: "requiredHSTSPolicies specifies HSTS policies
that are required to be set on newly created or updated
routes matching the domainPatterns and namespaceSelector
that are specified in the policy. Each requiredHSTSPolicy
must have at least a domainPatterns list to validate a route
HSTS Policy route annotation and affect route admission. Only
domainPatterns is marked required in this schema; when maxAge
is omitted, no lower or upper bound is placed on the route's
max-age value (see smallestMaxAge and largestMaxAge).
\n A candidate route is checked for HSTS Policies if it
has the HSTS Policy route annotation: \"haproxy.router.openshift.io/hsts_header\"
E.g. haproxy.router.openshift.io/hsts_header: max-age=31536000;preload;includeSubDomains
\n - For each candidate route, if it matches a requiredHSTSPolicy
domainPattern and optional namespaceSelector, then the maxAge,
preloadPolicy, and includeSubDomainsPolicy must be valid
to be admitted. Otherwise, the route is rejected. - The
first match, by domainPattern and optional namespaceSelector,
in the ordering of the RequiredHSTSPolicies determines the
route's admission status. - If the candidate route doesn't
match any requiredHSTSPolicy domainPattern and optional
namespaceSelector, then it may use any HSTS Policy annotation.
\n The HSTS policy configuration may be changed after routes
have already been created. An update to a previously admitted
route may then fail if the updated route does not conform
to the updated HSTS policy configuration. However, changing
the HSTS policy configuration will not cause a route that
is already admitted to stop working. \n Note that if there
are no RequiredHSTSPolicies, any HSTS Policy annotation
on the route is valid."
items:
properties:
domainPatterns:
description: "domainPatterns is a list of domains for
which the desired HSTS annotations are required. If
domainPatterns is specified and a route is created
with a spec.host matching one of the domains, the
route must specify the HSTS Policy components described
in the matching RequiredHSTSPolicy. \n The use of
wildcards is allowed like this: *.foo.com matches
everything under foo.com. foo.com only matches foo.com,
so to cover foo.com and everything under it, you must
specify *both*."
items:
type: string
minItems: 1
type: array
includeSubDomainsPolicy:
description: 'includeSubDomainsPolicy means the HSTS
Policy should apply to any subdomains of the host''s
domain name. Thus, for the host bar.foo.com, if includeSubDomainsPolicy
was set to RequireIncludeSubDomains: - the host app.bar.foo.com
would inherit the HSTS Policy of bar.foo.com - the
host bar.foo.com would inherit the HSTS Policy of
bar.foo.com - the host foo.com would NOT inherit the
HSTS Policy of bar.foo.com - the host def.foo.com
would NOT inherit the HSTS Policy of bar.foo.com'
enum:
- RequireIncludeSubDomains
- RequireNoIncludeSubDomains
- NoOpinion
type: string
maxAge:
description: maxAge is the delta time range in seconds
during which hosts are regarded as HSTS hosts. If
set to 0, it negates the effect, and hosts are removed
as HSTS hosts. If set to 0 and includeSubdomains is
specified, all subdomains of the host are also removed
as HSTS hosts. maxAge is a time-to-live value, and
if this policy is not refreshed on a client, the HSTS
policy will eventually expire on that client.
properties:
largestMaxAge:
description: The largest allowed value (in seconds)
of the RequiredHSTSPolicy max-age This value can
be left unspecified, in which case no upper limit
is enforced.
format: int32
maximum: 2147483647
minimum: 0
type: integer
smallestMaxAge:
description: The smallest allowed value (in seconds)
of the RequiredHSTSPolicy max-age. Setting max-age=0
allows the deletion of an existing HSTS header
from a host. This is a necessary tool for administrators
to quickly correct mistakes, but a smallestMaxAge greater
than 0 prevents matching routes from disabling HSTS this
way. This value can be left unspecified, in which case
no lower limit is enforced.
format: int32
maximum: 2147483647
minimum: 0
type: integer
type: object
namespaceSelector:
description: namespaceSelector specifies a label selector
such that the policy applies only to those routes
that are in namespaces with labels that match the
selector, and are in one of the DomainPatterns. Defaults
to the empty LabelSelector, which matches everything.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a
selector that contains values, a key, and an
operator that relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: operator represents a key's relationship
to a set of values. Valid operators are
In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string
values. If the operator is In or NotIn,
the values array must be non-empty. If the
operator is Exists or DoesNotExist, the
values array must be empty. This array is
replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value}
pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions,
whose key field is "key", the operator is "In",
and the values array contains only "value". The
requirements are ANDed.
type: object
type: object
preloadPolicy:
description: preloadPolicy directs the client to include
hosts in its host preload list so that it never needs
to do an initial load to get the HSTS header (note
that this is not defined in RFC 6797 and is therefore
client implementation-dependent).
enum:
- RequirePreload
- RequireNoPreload
- NoOpinion
type: string
required:
- domainPatterns
type: object
type: array
type: object
items:
description: "Items embeds the serialized configuration resources.
\n Deprecated This field is deprecated and will be removed in
a future release"
items:
type: object
type: array
x-kubernetes-preserve-unknown-fields: true
network:
description: 'Network holds cluster-wide information about the
network. It is used to configure the desired network configuration,
such as: IP address pools for services/pod IPs, network plugin,
etc. Please view network.spec for an explanation on what applies
when configuring this resource. TODO (csrwng): Add validation
here to exclude changes that conflict with networking settings
in the HostedCluster.Spec.Networking field.'
properties:
clusterNetwork:
description: IP address pool to use for pod IPs. This field
is immutable after installation.
items:
description: ClusterNetworkEntry is a contiguous block of
IP addresses from which pod IPs are allocated.
properties:
cidr:
description: The complete block for pod IPs.
type: string
hostPrefix:
description: The size (prefix) of block to allocate
to each node. If this field is not used by the plugin,
it can be left unset.
format: int32
minimum: 0
type: integer
type: object
type: array
externalIP:
description: externalIP defines configuration for controllers
that affect Service.ExternalIP. If nil, then ExternalIP
is not allowed to be set. Because a Service's ExternalIP
directs traffic for that address to the Service's endpoints,
allowing it lets anyone who can create Services claim the
permitted addresses; leave this unset unless needed and keep
policy.allowedCIDRs as narrow as possible.
properties:
autoAssignCIDRs:
description: autoAssignCIDRs is a list of CIDRs from which
to automatically assign Service.ExternalIP. These are
assigned when the service is of type LoadBalancer. In
general, this is only useful for bare-metal clusters.
In Openshift 3.x, this was misleadingly called "IngressIPs".
Automatically assigned External IPs are not affected
by any ExternalIPPolicy rules. Currently, only one entry
may be provided.
items:
type: string
type: array
policy:
description: policy is a set of restrictions applied to
the ExternalIP field. If nil or empty, then ExternalIP
is not allowed to be set.
properties:
allowedCIDRs:
description: allowedCIDRs is the list of allowed CIDRs.
items:
type: string
type: array
rejectedCIDRs:
description: rejectedCIDRs is the list of disallowed
CIDRs. These take precedence over allowedCIDRs.
items:
type: string
type: array
type: object
type: object
networkType:
description: 'NetworkType is the plugin that is to be deployed
(e.g. OpenShiftSDN). This should match a value that the
cluster-network-operator understands, or else no networking
will be installed. Currently supported values are: - OpenShiftSDN
This field is immutable after installation.'
type: string
serviceNetwork:
description: IP address pool for services. Currently, we only
support a single entry here. This field is immutable after