vcluster
vCluster configuration
| Type | object |
|---|---|
| File match |
vCluster.yml
vCluster.yaml
vcluster.yaml
vcluster.yml
|
| Schema URL | https://catalog.lintel.tools/schemas/schemastore/vcluster/latest.json |
| Source | https://raw.githubusercontent.com/loft-sh/vcluster/main/chart/values.schema.json |
Validate with Lintel
npx @lintel/lintel checkConfig is the vCluster config.
Properties
Global values shared across all (sub)charts
ExportKubeConfig describes how vCluster should export the vCluster kubeconfig.
6 nested properties
Context is the name of the context within the generated kubeconfig to use.
Override the default https://localhost:8443 and specify a custom hostname for the generated kubeconfig.
If tls should get skipped for the server
3 nested properties
Name of the service account to be used to generate a service account token instead of the default certificates.
Namespace of the service account to be used to generate a service account token instead of the default certificates. If omitted, will use the kube-system namespace.
ClusterRole to assign to the service account.
Declare in which host cluster secret vCluster should store the generated virtual cluster kubeconfig.
2 nested properties
Name is the name of the secret where the kubeconfig should get stored.
Namespace where vCluster should store the kubeconfig secret. If this is not equal to the namespace where you deployed vCluster, you need to make sure vCluster has access to this other namespace.
AdditionalSecrets specifies the additional host cluster secrets in which vCluster will store the generated virtual cluster kubeconfigs.
2 nested properties
20 nested properties
9 nested properties
Enabled defines if pod syncing should be enabled.
TranslateImage maps an image to another image that should be used instead. For example this can be used to rewrite a certain image that is used within the virtual cluster to be another image on the host cluster
EnforceTolerations will add the specified tolerations to all pods synced by the virtual cluster.
UseSecretsForSATokens will use secrets to save the generated service account tokens by virtual cluster instead of using a pod annotation.
RuntimeClassName is the runtime class to set for synced pods.
PriorityClassName is the priority class to set for synced pods.
Patches patch the resource according to the provided specification.
3 nested properties
Enabled defines if this option should be enabled.
All defines if all resources of that type should get synced or only the necessary ones that are needed.
Patches patch the resource according to the provided specification.
3 nested properties
Enabled defines if this option should be enabled.
All defines if all resources of that type should get synced or only the necessary ones that are needed.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
CustomResources defines what custom resources should get synced from the virtual cluster to the host cluster. vCluster will copy the definition automatically from host cluster to virtual cluster on startup. vCluster will also automatically add any required RBAC permissions to the vCluster role for this to work.
SyncToHostNamespaces defines how namespaces should be synced from the virtual cluster to the host cluster.
5 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
MappingsOnly defines if creation of namespaces not matched by mappings should be allowed.
ExtraLabels are additional labels to add to the namespace in the host cluster.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
14 nested properties
5 nested properties
Enabled specifies if syncing real nodes should be enabled. If this is disabled, vCluster will create fake nodes instead.
SyncBackChanges enables syncing labels and taints from the virtual cluster to the host cluster. If this is enabled someone within the virtual cluster will be able to change the labels and taints of the host cluster node.
ClearImageStatus will erase the image status when syncing a node. This allows to hide images that are pulled by the node.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
3 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
3 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
3 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
3 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
CustomResources defines what custom resources should get synced read-only to the virtual cluster from the host cluster. vCluster will automatically add any required RBAC to the vCluster cluster role.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
3 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
3 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
3 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
Integrations holds config for vCluster integrations with other operators or tools running on the host cluster
6 nested properties
MetricsServer reuses the metrics server from the host cluster within the vCluster.
4 nested properties
Enabled signals the metrics server integration should be enabled.
APIService holds configuration related to the api server
1 nested properties
APIServiceService holds the service name and namespace of the host apiservice.
Nodes defines if metrics-server nodes api should get proxied from host to virtual cluster.
Pods defines if metrics-server pods api should get proxied from host to virtual cluster.
KubeVirt reuses a host kubevirt and makes certain CRDs from it available inside the vCluster
4 nested properties
Enabled signals if the integration should be enabled
APIService holds configuration related to the api server
1 nested properties
APIServiceService holds the service name and namespace of the host apiservice.
1 nested properties
Enabled defines if this option should be enabled.
ExternalSecrets reuses a host external secret operator and makes certain CRDs from it available inside the vCluster
4 nested properties
Enabled defines whether the external secret integration is enabled or not
Version defines the version of the external secrets operator to use. If empty, the storage version will be used.
1 nested properties
Enabled defines if this option should be enabled.
CertManager reuses a host cert-manager and makes its CRDs from it available inside the vCluster
NetrisIntegration holds netris integration configuration.
3 nested properties
Enabled defines if netris integration is enabled +optional
Connector specifies the netris connector name +optional
NetrisKubeVipConfig holds kube-vip configuration for netris integration
3 nested properties
ServerCluster specifies the server cluster name +optional
Bridge specifies the bridge interface name +optional
IPRange specifies the IP range for kube-vip +optional
7 nested properties
9 nested properties
Enabled defines if the kube proxy should be enabled.
Image is the image for the kube-proxy.
ImagePullPolicy is the policy how to pull the image.
NodeSelector is the node selector for the kube-proxy.
PriorityClassName is the priority class name for the kube-proxy.
Tolerations is the tolerations for the kube-proxy.
ExtraEnv is the extra environment variables for the kube-proxy.
ExtraArgs are additional arguments to pass to the kube-proxy.
Config is the config for the kube-proxy that will be merged into the default kube-proxy config. More information can be found here: https://kubernetes.io/docs/reference/config-api/kube-proxy-config.v1alpha1/#kubeproxy-config-k8s-io-v1alpha1-KubeProxyConfiguration
4 nested properties
Enabled defines if metallb should be enabled.
ControllerImage is the image for metallb controller.
SpeakerImage is the image for metallb speaker.
2 nested properties
Addresses is a list of IP addresses to use for the IP address pool.
L2Advertisement defines if L2 advertisement should be enabled for the IP address pool.
1 nested properties
4 nested properties
Enabled defines if Flannel should be enabled.
Image is the image for Flannel main container.
InitImage is the image for Flannel init container.
ImagePullPolicy is the policy how to pull the image.
4 nested properties
Enabled defines if LocalPathProvisioner should be enabled.
Image is the image for local path provisioner.
ImagePullPolicy is the policy how to pull the image.
NodePath is the path on the node where to create the persistent volume directories.
2 nested properties
Enabled defines if ingress-nginx should be enabled.
DefaultIngressClass defines if the deployed ingress class should be the default ingress class.
1 nested properties
Enabled defines if metrics server should be enabled.
VolumeSnapshotController defines CSI volumes snapshot-controller configuration.
1 nested properties
Enabled defines if the CSI volumes snapshot-controller should be enabled.
5 nested properties
ServiceCIDR holds the service cidr for the virtual cluster. This should only be set if privateNodes.enabled is true or vCluster cannot detect the host service cidr.
PodCIDR holds the pod cidr for the virtual cluster. This should only be set if privateNodes.enabled is true.
2 nested properties
ToHost defines the services that should get synced from virtual cluster to the host cluster. If services are synced to a different namespace than the virtual cluster is in, additional permissions for the other namespace are required.
FromHost defines the services that should get synced from the host to the virtual cluster.
ResolveDNS allows to define extra DNS rules. This only works if embedded coredns is configured.
3 nested properties
ClusterDomain is the Kubernetes cluster domain to use within the virtual cluster.
FallbackHostCluster allows to fallback dns to the host cluster. This is useful if you want to reach host services without any other modification. You will need to provide a namespace for the service, e.g. my-other-service.my-other-namespace
2 nested properties
ByHostname will add a special vCluster hostname to the nodes where the node can be reached at. This doesn't work for all applications, e.g. Prometheus requires a node IP.
ByIP will create a separate service in the host cluster for every node that will point to virtual cluster and will be used to route traffic.
5 nested properties
6 nested properties
Enabled defines if the network policy should be deployed by vCluster.
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
FallbackDNS is the fallback DNS server to use if the virtual cluster does not have a DNS server.
2 nested properties
Ingress rules for the vCluster control plane.
Egress rules for the vCluster control plane.
3 nested properties
Ingress rules for the vCluster workloads.
Egress rules for the vCluster workloads.
PodSecurityStandard that can be enforced can be one of: empty (""), baseline, restricted or privileged
6 nested properties
Enabled defines if the resource quota should be enabled. "auto" means that if limitRange is enabled, the resourceQuota will be enabled as well.
Quota are the quota options
ScopeSelector is the resource quota scope selector
Scopes are the resource quota scopes
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
7 nested properties
Enabled defines if the limit range should be deployed by vCluster. "auto" means that if resourceQuota is enabled, the limitRange will be enabled as well.
Default are the default limits for the limit range
DefaultRequest are the default request options for the limit range
Max are the max limits for the limit range
Min are the min limits for the limit range
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
2 nested properties
ValidatingWebhooks are validating webhooks that should be enforced in the virtual cluster
MutatingWebhooks are mutating webhooks that should be enforced in the virtual cluster
13 nested properties
Endpoint is the endpoint of the virtual cluster. This is used to connect to the virtual cluster.
1 nested properties
10 nested properties
Enabled specifies if the K8s distro should be enabled. Only one distro can be enabled at the same time.
Version is the Kubernetes version to use.
ImagePullPolicy is the pull policy for the distro image
Env are extra environment variables to use for the main container and NOT the init container.
Resources for the distro init container
Security options can be used for the distro init container
4 nested properties
Enabled defines if standalone mode should be enabled.
DataDir defines the data directory for the standalone mode.
3 nested properties
Provider is the node provider of the nodes in this pool.
Quantity is the number of nodes to deploy for standalone mode.
NodeTypeSelector filters the types of nodes that can be provisioned by this pool. All requirements must be met for a node type to be eligible.
8 nested properties
Enabled defines if the standalone node should be joined into the cluster. If false, only the control plane binaries will be executed and no node will show up in the actual cluster.
PreInstallCommands are commands that will be executed before containerd, kubelet etc. is installed.
PreJoinCommands are commands that will be executed before kubeadm join is executed.
PostJoinCommands are commands that will be executed after kubeadm join is executed.
CACertPath is the path to the SSL certificate authority used to secure communications between node and control-plane. Defaults to "/etc/kubernetes/pki/ca.crt".
SkipPhases is a list of phases to skip during command execution. The list of phases can be obtained with the "kubeadm join --help" command.
8 nested properties
Enabled defines if coredns is enabled
Embedded defines if vCluster will start the embedded coredns service within the control-plane and not as a separate deployment. This is a PRO feature.
2 nested properties
PodSecurityContext specifies security context options on the pod level.
ContainerSecurityContext specifies security context options on the container level.
3 nested properties
Spec holds extra options for the coredns service
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
10 nested properties
Image is the coredns image to use
Replicas is the amount of coredns pods to run.
NodeSelector is the node selector to use for coredns.
Affinity is the affinity to apply to the pod.
Tolerations are the tolerations to apply to the pod.
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
TopologySpreadConstraints are the topology spread constraints for the CoreDNS pod.
OverwriteConfig can be used to overwrite the coredns config
OverwriteManifests can be used to overwrite the coredns manifests used to deploy coredns
PriorityClassName specifies the priority class name for the CoreDNS pods.
3 nested properties
BindAddress under which vCluster will expose the proxy.
Port under which vCluster will expose the proxy. Changing port is currently not supported.
ExtraSANs are extra hostnames to sign the vCluster proxy certificate for.
2 nested properties
Enabled specifies if the host path mapper will be used
Central specifies if the central host path mapper will be used
6 nested properties
Enabled defines if the control plane ingress should be enabled
Host is the host where vCluster will be reachable
PathType is the path type of the ingress
Spec allows you to configure extra ingress options.
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
7 nested properties
Enabled defines if the control plane should be exposed via a gateway api tls route. Make sure to enable tls passthrough in the gateway via tls.mode to "Passthrough"
APIVersion is the version of the gateway api tls route.
Host is the host where vCluster will be reachable
ParentRefs are the parent references for the TLS route
Spec allows you to configure extra tls route options.
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
6 nested properties
Enabled defines if the control plane service should be enabled
Spec allows you to configure extra service options.
KubeletNodePort is the node port where the fake kubelet is exposed. Defaults to 0.
HTTPSNodePort is the node port where https is exposed. Defaults to 0.
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
22 nested properties
4 nested properties
Replicas is the amount of replicas to use for the statefulSet.
LeaseDuration is the time to lease for the leader.
RenewDeadline is the deadline to renew a lease for the leader.
RetryPeriod is the time until a replica will retry to get a lease.
2 nested properties
Limits are resource limits for the container
Requests are minimal resources that will be consumed by the container
6 nested properties
NodeSelector is the node selector to apply to the pod.
Affinity is the affinity to apply to the pod.
Tolerations are the tolerations to apply to the pod.
PriorityClassName is the priority class name for the the pod.
PodManagementPolicy is the statefulSet pod management policy.
TopologySpreadConstraints are the topology spread constraints for the pod.
2 nested properties
PodSecurityContext specifies security context options on the pod level.
ContainerSecurityContext specifies security context options on the container level.
6 nested properties
VolumeClaimTemplates defines the volumeClaimTemplates for the statefulSet
Allows you to override the dataVolume. Only works correctly if volumeClaim.enabled=false.
BinariesVolume defines a binaries volume that is used to retrieve distro specific executables to be run by the syncer controller. This volume doesn't need to be persistent.
AddVolumes defines extra volumes for the pod
AddVolumeMounts defines extra volume mounts for the container
EnableServiceLinks for the StatefulSet pod
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
2 nested properties
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
3 nested properties
Registry is the registry of the container image, e.g. my-registry.com or ghcr.io. This setting can be globally overridden via the controlPlane.advanced.defaultImageRegistry option. Empty means docker hub.
Repository is the repository of the container image, e.g. my-repo/my-image
Tag is the tag of the container image, and is the default version.
ImagePullPolicy is the policy how to pull the image.
WorkingDir specifies in what folder the main process should get started.
Command allows you to override the main command.
Args allows you to override the main arguments.
Env are additional environment variables for the statefulSet container.
Set DNS policy for the pod.
PodDNSConfig defines the DNS parameters of a pod in addition to those generated from DNSPolicy.
3 nested properties
A list of DNS name server IP addresses. This will be appended to the base nameservers generated from DNSPolicy. Duplicated nameservers will be removed. +optional +listType=atomic
A list of DNS search domains for host-name lookup. This will be appended to the base search paths generated from DNSPolicy. Duplicated search paths will be removed. +optional +listType=atomic
A list of DNS resolver options. This will be merged with the base options generated from DNSPolicy. Duplicated entries will be removed. Resolution options given in Options will override those that appear in the base DNSPolicy. +optional +listType=atomic
InitContainers are additional init containers for the statefulSet.
SidecarContainers are additional sidecar containers for the statefulSet.
HostAliases allows you to add custom entries to the /etc/hosts file of each Pod created.
RuntimeClassName is the runtime class to set for the statefulSet pods.
3 nested properties
Enabled configures if Helm should create the service monitor.
Labels are the extra labels to add to the service monitor.
Annotations are the extra annotations to add to the service monitor.
11 nested properties
DefaultImageRegistry will be used as a prefix for all internal images deployed by vCluster or Helm. This makes it easy to upload all required vCluster images to a single private repository and set this value. Workload images are not affected by this.
1 nested properties
Enabled defines if this option should be enabled.
5 nested properties
Enabled specifies if the service account should get deployed.
Name specifies what name to use for the service account.
ImagePullSecrets defines extra image pull secrets for the service account.
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
5 nested properties
Enabled specifies if the service account for the workloads should get deployed.
Name specifies what name to use for the service account for the virtual cluster workloads.
ImagePullSecrets defines extra image pull secrets for the workload service account.
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
2 nested properties
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
3 nested properties
Enabled defines if the embedded registry should be enabled.
AnonymousPull allows enabling anonymous pull for the embedded registry. This allows anybody to pull images from the registry without authentication.
Config is the regular docker registry config. See https://distribution.github.io/distribution/about/configuration/ for more details.
1 nested properties
Enabled defines if the embedded cloud controller manager should be enabled. This defaults to true, but can be disabled if you want to use an external cloud controller manager such as AWS or GCP. The cloud controller manager is responsible for setting the node's ip addresses as well as the provider id for the node and other node metadata.
1 nested properties
Annotations are extra annotations for this resource.
3 nested properties
Enabled defines if embedded kube-vip should be enabled.
Interface is the network interface on which the VIP is announced.
Gateway is the gateway address in CIDR notation (e.g., 10.100.0.1/24). This is used to configure policy-based routing for the VIP and must include the subnet prefix.
4 nested properties
Enabled defines if the pod disruption budget should be enabled.
MinAvailable describes the minimal number or percentage of available pods.
MaxUnavailable describes the minimal number or percentage of unavailable pods.
UnhealthyPodEvictionPolicy defines the criteria when unhealthy pods should be considered for eviction. Currently supported values are:
- IfHealthyBudget - pods that are in the Running phase but not yet healthy are considered disrupted and may be evicted even if the PodDisruptionBudget criteria are not met.
- AlwaysAllow - pods that are in the Running phase but not yet healthy are considered disrupted and can be evicted regardless of whether the criteria in a PDB is met.
PrivateNodes enables private nodes for vCluster.
6 nested properties
Enabled defines if dedicated nodes should be enabled.
1 nested properties
Config is the config for the kubelet that will be merged into the default kubelet config. More information can be found here: https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration
7 nested properties
Enabled defines if auto upgrade should be enabled.
Image is the image for the auto upgrade pod started by vCluster. If empty defaults to the controlPlane.statefulSet.image.
ImagePullPolicy is the policy how to pull the image.
NodeSelector is the node selector for the auto upgrade. If empty will select all worker nodes.
BinariesPath is the base path for the kubeadm binaries. Defaults to /usr/local/bin
CNIBinariesPath is the base path for the CNI binaries. Defaults to /opt/cni/bin
Concurrency is the number of nodes that can be upgraded at the same time.
7 nested properties
PreInstallCommands are commands that will be executed before containerd, kubelet etc. is installed.
PreJoinCommands are commands that will be executed before kubeadm join is executed.
PostJoinCommands are commands that will be executed after kubeadm join is executed.
3 nested properties
Enabled defines if containerd should be installed and configured by vCluster.
PauseImage is the image for the pause container.
CACertPath is the path to the SSL certificate authority used to secure communications between node and control-plane. Defaults to "/etc/kubernetes/pki/ca.crt".
SkipPhases is a list of phases to skip during command execution. The list of phases can be obtained with the "kubeadm join --help" command.
5 nested properties
CRI socket is the socket for the CRI.
KubeletExtraArgs passes through extra arguments to the kubelet. The arguments here are passed to the kubelet command line via the environment file kubeadm writes at runtime for the kubelet to source. This overrides the generic base-level configuration in the kubelet-config ConfigMap Flags have higher priority when parsing. These values are local and specific to the node kubeadm is executing on. An argument name in this list is the flag name as it appears on the command line except without leading dash(es). Extra arguments will override existing default arguments. Duplicate extra arguments are allowed.
Taints are additional taints to set for the kubelet.
IgnorePreflightErrors provides a slice of pre-flight errors to be ignored when the current node is registered, e.g. 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
ImagePullPolicy specifies the policy for image pulling during kubeadm "init" and "join" operations. The value of this field must be one of "Always", "IfNotPresent" or "Never". If this field is unset kubeadm will default it to "IfNotPresent", or pull the required images if not present on the host.
AutoNodes stores auto nodes configuration.
3 nested properties
3 nested properties
Enabled defines if the role should be enabled or disabled.
ExtraRules will add rules to the role.
OverwriteRules will overwrite the role rules completely.
3 nested properties
Enabled defines if the cluster role should be enabled or disabled. If auto, vCluster automatically determines whether the virtual cluster requires a cluster role.
ExtraRules will add rules to the cluster role.
OverwriteRules will overwrite the cluster role rules completely.
1 nested properties
Enabled defines if this option should be enabled.
Define which vCluster plugins to load.
7 nested properties
2 nested properties
2 nested properties
Manifests are raw Kubernetes manifests that should get applied within the host cluster.
ManifestsTemplate is a Kubernetes manifest template that will be rendered with vCluster values before applying it within the host cluster.
3 nested properties
Manifests are raw Kubernetes manifests that should get applied within the virtual cluster.
ManifestsTemplate is a Kubernetes manifest template that will be rendered with vCluster values before applying it within the virtual cluster.
Helm are Helm charts that should get deployed into the virtual cluster
3 nested properties
SetOwner specifies if vCluster should set an owner reference on the synced objects to the vCluster service. This allows for easy garbage collection.
HostMetricsBindAddress is the bind address for the local manager
VirtualMetricsBindAddress is the bind address for the virtual manager
5 nested properties
KubeConfig is the virtual cluster kubeconfig path.
ServerCAKey is the server ca key path.
ServerCAKey is the server ca cert path.
ServerCAKey is the client ca cert path.
RequestHeaderCACert is the request header ca cert path.
DenyProxyRequests denies certain requests in the vCluster proxy.
1 nested properties
CustomResources is a map of resource keys (format: "kind.apiGroup/version") to proxy configuration
10 nested properties
Image defines the image to use for the container. Defaults to ghcr.io/loft-sh/vm-container.
Ports defines extra port mappings to be added to the container.
Volumes defines extra volumes to be added to the container.
Env defines extra environment variables to be added to the container. Use key=value.
Args defines extra arguments to be added to the docker run command of the container.
Enabled defines if the vCluster was deployed using Docker. This is automatically set by vCluster and should not be set by the user.
Network defines the network to use for the vCluster. If not specified, the a network will be created for the vCluster.
Nodes defines the nodes of the vCluster.
1 nested properties
Enabled defines if this option should be enabled.
2 nested properties
Enabled defines if this option should be enabled.
ForwardPorts defines if the load balancer ips should be made available locally via port forwarding. This will be only done if necessary for example on macos when using docker desktop.
NodeMonitors allows you to create a service monitor for each node.
5 nested properties
Enabled specifies that the telemetry for the vCluster control plane should be enabled.
ServiceCIDR holds the service cidr for the virtual cluster. Do not use this option anymore.
Specifies whether to use vCluster Pro. This is automatically inferred in newer versions. Do not use that option anymore.
Plugin specifies which vCluster plugins to enable. Use "plugins" instead. Do not use this option anymore.
Logging holds the log encoding details
1 nested properties
Encoding specifies the format of vCluster logs, it can either be json or console.
Sleep holds configuration for automatically putting the virtual cluster to sleep.
1 nested properties
SleepAuto holds configuration for automatic sleep and wakeup
5 nested properties
AfterInactivity represents how long a vCluster can be idle before workloads are automatically put to sleep
Schedule represents a cron schedule for when to sleep workloads
SleepAutoExclusion holds conifiguration for excluding workloads from sleeping by label(s)
1 nested properties
SleepAutoWakeup holds the cron schedule to wake workloads automatically
1 nested properties
Timezone specifies time zone used for scheduled sleep operations. Defaults to UTC. Accepts the same format as time.LoadLocation() in Go (https://pkg.go.dev/time#LoadLocation). The value should be a location name corresponding to a file in the IANA Time Zone database, such as "America/New_York". +optional
Snapshots holds configuration for automatic vCluster snapshots.
1 nested properties
SnapshotsAuto holds automatic snapshot scheduling and retention configuration
5 nested properties
Schedule specifies a scheduled time in Cron format, see https://en.wikipedia.org/wiki/Cron for a virtual cluster snapshot to be taken +optional
Timezone specifies time zone used for scheduled snapshot operations. Defaults to UTC. Accepts the same format as time.LoadLocation() in Go (https://pkg.go.dev/time#LoadLocation). The value should be a location name corresponding to a file in the IANA Time Zone database, such as "America/New_York". +optional
SnapshotRetention holds snapshot retention configuration
2 nested properties
Period defines the number of days a snapshot will be kept +optional
MaxSnapshots defines the number of snapshots that can be taken +optional
SnapshotStorage holds snapshot storage configuration
4 nested properties
Type specifies supported type of storage services for a snapshot S3/OCI/Container, see https://www.vcluster.com/docs/vcluster/manage/backup-restore#store-snapshots-in-s3-buckets +optional
SnapshotStorageS3 holds S3 storage configuration
SnapshotStorageOCI holds OCI registry storage configuration
SnapshotStorageContainer holds container local storage configuration
SnapshotVolumes holds volume snapshot configuration
1 nested properties
Enabled specifies whether a snapshot should also include volumes in the snapshot +optional
Deletion holds configuration for automatic vCluster deletion.
2 nested properties
Prevent prevents the vCluster from being deleted +optional
DeletionAuto holds automatic deletion configuration
1 nested properties
AfterInactivity specifies after how long of inactivity the virtual cluster will be deleted. Uses Go duration format (e.g., "720h" for 30 days). +optional
Platform holds vCluster Platform specific configuration.
2 nested properties
PlatformAPIKey defines where to find the platform access key.
3 nested properties
SecretName is the name of the secret where the platform access key is stored. This defaults to vcluster-platform-api-key if undefined. +optional
Namespace defines the namespace where the access key secret should be retrieved from. If this is not equal to the namespace where the vCluster instance is deployed, you need to make sure vCluster has access to this other namespace. +optional
CreateRBAC will automatically create the necessary RBAC roles and role bindings to allow vCluster to read the secret specified in the above namespace, if specified. This defaults to true. +optional
Project specifies which platform project the vcluster should be imported to +optional
Definitions
APIService holds configuration related to the api server
APIServiceService holds the service name and namespace of the host apiservice.
3 nested properties
Name is the name of the host service of the apiservice.
Namespace is the name of the host service of the apiservice.
Port is the target port on the host service to connect to.
APIServiceService holds the service name and namespace of the host apiservice.
Name is the name of the host service of the apiservice.
Namespace is the name of the host service of the apiservice.
Port is the target port on the host service to connect to.
Enabled defines if auto upgrade should be enabled.
Image is the image for the auto upgrade pod started by vCluster. If empty defaults to the controlPlane.statefulSet.image.
ImagePullPolicy is the policy how to pull the image.
NodeSelector is the node selector for the auto upgrade. If empty will select all worker nodes.
BinariesPath is the base path for the kubeadm binaries. Defaults to /usr/local/bin
CNIBinariesPath is the base path for the CNI binaries. Defaults to /opt/cni/bin
Concurrency is the number of nodes that can be upgraded at the same time.
3 nested properties
4 nested properties
Enabled defines if the embedded etcd should be used.
MigrateFromDeployedEtcd signals that vCluster should migrate from the deployed external etcd to embedded etcd.
SnapshotCount defines the number of snapshots to keep for the embedded etcd. Defaults to 10000 if less than 1.
ExtraArgs are additional arguments to pass to the embedded etcd.
2 nested properties
7 nested properties
Enabled defines if the database should be used.
DataSource is the kine dataSource to use for the database. This depends on the database format. This is optional for the external database. Examples:
- mysql: mysql://username:password@tcp(hostname:3306)/vcluster
- postgres: postgres://username:password@hostname:5432/vcluster
IdentityProvider is the kine identity provider to use when generating temporary authentication tokens for enhanced security. This is optional for the external database. Examples:
- aws: RDS IAM Authentication
KeyFile is the key file to use for the database. This is optional.
CertFile is the cert file to use for the database. This is optional.
CaFile is the ca file to use for the database. This is optional.
ExtraArgs are additional arguments to pass to Kine.
8 nested properties
Enabled defines if the database should be used.
DataSource is the kine dataSource to use for the database. This depends on the database format. This is optional for the external database. Examples:
- mysql: mysql://username:password@tcp(hostname:3306)/vcluster
- postgres: postgres://username:password@hostname:5432/vcluster
IdentityProvider is the kine identity provider to use when generating temporary authentication tokens for enhanced security. This is optional for the external database. Examples:
- aws: RDS IAM Authentication
KeyFile is the key file to use for the database. This is optional.
CertFile is the cert file to use for the database. This is optional.
CaFile is the ca file to use for the database. This is optional.
ExtraArgs are additional arguments to pass to Kine.
Connector specifies a secret located in a connected vCluster Platform that contains database server connection information to be used by Platform to create a database and database user for the vCluster. and non-privileged user. A kine endpoint should be created using the database and user on Platform registration. This is optional.
4 nested properties
Enabled defines if Flannel should be enabled.
Image is the image for Flannel main container.
InitImage is the image for Flannel init container.
ImagePullPolicy is the policy how to pull the image.
Enabled defines if Flannel should be enabled.
Image is the image for Flannel main container.
InitImage is the image for Flannel init container.
ImagePullPolicy is the policy how to pull the image.
ValidatingWebhooks are validating webhooks that should be enforced in the virtual cluster
MutatingWebhooks are mutating webhooks that should be enforced in the virtual cluster
CertManager reuses a host cert-manager and makes its CRDs from it available inside the vCluster
Enabled defines if the embedded cloud controller manager should be enabled. This defaults to true, but can be disabled if you want to use an external cloud controller manager such as AWS or GCP. The cloud controller manager is responsible for setting the node's ip addresses as well as the provider id for the node and other node metadata.
Enabled defines if this option should be enabled.
1 nested properties
Labels defines what labels should be looked for
Enabled defines if containerd should be installed and configured by vCluster.
3 nested properties
ConfigPath is the path to the containerd registry config.
Mirrors holds configuration for the containerd registry mirrors. E.g. myregistry.io:5000 or docker.io. See https://github.com/containerd/containerd/blob/main/docs/hosts.md for more details.
Auth holds configuration for the containerd registry auth. See https://github.com/containerd/containerd/blob/main/docs/cri/registry.md#configure-registry-credentials for more details.
PauseImage is the image for the pause container.
Server is the fallback server to use for the containerd registry mirror. E.g. https://registry-1.docker.io. See https://github.com/containerd/containerd/blob/main/docs/hosts.md for more details.
CACert are paths to CA certificates to use for the containerd registry mirror.
SkipVerify is a boolean to skip the certificate verification for the containerd registry mirror and allows http connections.
Capabilities is a list of capabilities to enable for the containerd registry mirror. If empty, will use pull and resolve capabilities.
OverridePath is a boolean to override the path for the containerd registry mirror.
Hosts holds configuration for the containerd registry mirror hosts. See https://github.com/containerd/containerd/blob/main/docs/hosts.md for more details.
Server is the server to use for the containerd registry mirror host. E.g. http://192.168.31.250:5000.
CACert are paths to CA certificates to use for the containerd registry mirror host.
SkipVerify is a boolean to skip the certificate verification for the containerd registry mirror and allows http connections.
Capabilities is a list of capabilities to enable for the containerd registry mirror. If empty, will use pull and resolve capabilities.
OverridePath is a boolean to override the path for the containerd registry mirror.
ConfigPath is the path to the containerd registry config.
Mirrors holds configuration for the containerd registry mirrors. E.g. myregistry.io:5000 or docker.io. See https://github.com/containerd/containerd/blob/main/docs/hosts.md for more details.
Auth holds configuration for the containerd registry auth. See https://github.com/containerd/containerd/blob/main/docs/cri/registry.md#configure-registry-credentials for more details.
Username is the username for the containerd registry.
Password is the password for the containerd registry.
IdentityToken is the token for the containerd registry.
Auth is the auth config for the containerd registry.
Endpoint is the endpoint of the virtual cluster. This is used to connect to the virtual cluster.
1 nested properties
10 nested properties
Enabled specifies if the K8s distro should be enabled. Only one distro can be enabled at the same time.
Version is the Kubernetes version to use.
ImagePullPolicy is the pull policy for the distro image
Env are extra environment variables to use for the main container and NOT the init container.
Resources for the distro init container
Security options can be used for the distro init container
4 nested properties
Enabled defines if standalone mode should be enabled.
DataDir defines the data directory for the standalone mode.
3 nested properties
Provider is the node provider of the nodes in this pool.
Quantity is the number of nodes to deploy for standalone mode.
NodeTypeSelector filters the types of nodes that can be provisioned by this pool. All requirements must be met for a node type to be eligible.
8 nested properties
Enabled defines if the standalone node should be joined into the cluster. If false, only the control plane binaries will be executed and no node will show up in the actual cluster.
PreInstallCommands are commands that will be executed before containerd, kubelet etc. is installed.
PreJoinCommands are commands that will be executed before kubeadm join is executed.
PostJoinCommands are commands that will be executed after kubeadm join is executed.
CACertPath is the path to the SSL certificate authority used to secure communications between node and control-plane. Defaults to "/etc/kubernetes/pki/ca.crt".
SkipPhases is a list of phases to skip during command execution. The list of phases can be obtained with the "kubeadm join --help" command.
8 nested properties
Enabled defines if coredns is enabled
Embedded defines if vCluster will start the embedded coredns service within the control-plane and not as a separate deployment. This is a PRO feature.
2 nested properties
PodSecurityContext specifies security context options on the pod level.
ContainerSecurityContext specifies security context options on the container level.
3 nested properties
Spec holds extra options for the coredns service
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
10 nested properties
Image is the coredns image to use
Replicas is the amount of coredns pods to run.
NodeSelector is the node selector to use for coredns.
Affinity is the affinity to apply to the pod.
Tolerations are the tolerations to apply to the pod.
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
TopologySpreadConstraints are the topology spread constraints for the CoreDNS pod.
OverwriteConfig can be used to overwrite the coredns config
OverwriteManifests can be used to overwrite the coredns manifests used to deploy coredns
PriorityClassName specifies the priority class name for the CoreDNS pods.
3 nested properties
BindAddress under which vCluster will expose the proxy.
Port under which vCluster will expose the proxy. Changing port is currently not supported.
ExtraSANs are extra hostnames to sign the vCluster proxy certificate for.
2 nested properties
Enabled specifies if the host path mapper will be used
Central specifies if the central host path mapper will be used
6 nested properties
Enabled defines if the control plane ingress should be enabled
Host is the host where vCluster will be reachable
PathType is the path type of the ingress
Spec allows you to configure extra ingress options.
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
7 nested properties
Enabled defines if the control plane should be exposed via a gateway api tls route. Make sure to enable tls passthrough in the gateway via tls.mode to "Passthrough"
APIVersion is the version of the gateway api tls route.
Host is the host where vCluster will be reachable
ParentRefs are the parent references for the TLS route
Spec allows you to configure extra tls route options.
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
6 nested properties
Enabled defines if the control plane service should be enabled
Spec allows you to configure extra service options.
KubeletNodePort is the node port where the fake kubelet is exposed. Defaults to 0.
HTTPSNodePort is the node port where https is exposed. Defaults to 0.
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
22 nested properties
4 nested properties
Replicas is the amount of replicas to use for the statefulSet.
LeaseDuration is the time to lease for the leader.
RenewDeadline is the deadline to renew a lease for the leader.
RetryPeriod is the time until a replica will retry to get a lease.
2 nested properties
Limits are resource limits for the container
Requests are minimal resources that will be consumed by the container
6 nested properties
NodeSelector is the node selector to apply to the pod.
Affinity is the affinity to apply to the pod.
Tolerations are the tolerations to apply to the pod.
PriorityClassName is the priority class name for the the pod.
PodManagementPolicy is the statefulSet pod management policy.
TopologySpreadConstraints are the topology spread constraints for the pod.
2 nested properties
PodSecurityContext specifies security context options on the pod level.
ContainerSecurityContext specifies security context options on the container level.
6 nested properties
VolumeClaimTemplates defines the volumeClaimTemplates for the statefulSet
Allows you to override the dataVolume. Only works correctly if volumeClaim.enabled=false.
BinariesVolume defines a binaries volume that is used to retrieve distro specific executables to be run by the syncer controller. This volume doesn't need to be persistent.
AddVolumes defines extra volumes for the pod
AddVolumeMounts defines extra volume mounts for the container
EnableServiceLinks for the StatefulSet pod
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
2 nested properties
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
3 nested properties
Registry is the registry of the container image, e.g. my-registry.com or ghcr.io. This setting can be globally overridden via the controlPlane.advanced.defaultImageRegistry option. Empty means docker hub.
Repository is the repository of the container image, e.g. my-repo/my-image
Tag is the tag of the container image, and is the default version.
ImagePullPolicy is the policy how to pull the image.
WorkingDir specifies in what folder the main process should get started.
Command allows you to override the main command.
Args allows you to override the main arguments.
Env are additional environment variables for the statefulSet container.
Set DNS policy for the pod.
PodDNSConfig defines the DNS parameters of a pod in addition to those generated from DNSPolicy.
3 nested properties
A list of DNS name server IP addresses. This will be appended to the base nameservers generated from DNSPolicy. Duplicated nameservers will be removed. +optional +listType=atomic
A list of DNS search domains for host-name lookup. This will be appended to the base search paths generated from DNSPolicy. Duplicated search paths will be removed. +optional +listType=atomic
A list of DNS resolver options. This will be merged with the base options generated from DNSPolicy. Duplicated entries will be removed. Resolution options given in Options will override those that appear in the base DNSPolicy. +optional +listType=atomic
InitContainers are additional init containers for the statefulSet.
SidecarContainers are additional sidecar containers for the statefulSet.
HostAliases allows you to add custom entries to the /etc/hosts file of each Pod created.
RuntimeClassName is the runtime class to set for the statefulSet pods.
3 nested properties
Enabled configures if Helm should create the service monitor.
Labels are the extra labels to add to the service monitor.
Annotations are the extra annotations to add to the service monitor.
11 nested properties
DefaultImageRegistry will be used as a prefix for all internal images deployed by vCluster or Helm. This makes it easy to upload all required vCluster images to a single private repository and set this value. Workload images are not affected by this.
1 nested properties
Enabled defines if this option should be enabled.
5 nested properties
Enabled specifies if the service account should get deployed.
Name specifies what name to use for the service account.
ImagePullSecrets defines extra image pull secrets for the service account.
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
5 nested properties
Enabled specifies if the service account for the workloads should get deployed.
Name specifies what name to use for the service account for the virtual cluster workloads.
ImagePullSecrets defines extra image pull secrets for the workload service account.
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
2 nested properties
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
3 nested properties
Enabled defines if the embedded registry should be enabled.
AnonymousPull allows enabling anonymous pull for the embedded registry. This allows anybody to pull images from the registry without authentication.
Config is the regular docker registry config. See https://distribution.github.io/distribution/about/configuration/ for more details.
1 nested properties
Enabled defines if the embedded cloud controller manager should be enabled. This defaults to true, but can be disabled if you want to use an external cloud controller manager such as AWS or GCP. The cloud controller manager is responsible for setting the node's ip addresses as well as the provider id for the node and other node metadata.
1 nested properties
Annotations are extra annotations for this resource.
3 nested properties
Enabled defines if embedded kube-vip should be enabled.
Interface is the network interface on which the VIP is announced.
Gateway is the gateway address in CIDR notation (e.g., 10.100.0.1/24). This is used to configure policy-based routing for the VIP and must include the subnet prefix.
4 nested properties
Enabled defines if the pod disruption budget should be enabled.
MinAvailable describes the minimal number or percentage of available pods.
MaxUnavailable describes the minimal number or percentage of unavailable pods.
UnhealthyPodEvictionPolicy defines the criteria when unhealthy pods should be considered for eviction. Currently supported values are:
- IfHealthyBudget - pods that are in the Running phase but not yet healthy are considered disrupted and may be evicted even if the PodDisruptionBudget criteria are not met.
- AlwaysAllow - pods that are in the Running phase but not yet healthy are considered disrupted and can be evicted regardless of whether the criteria in a PDB is met.
DefaultImageRegistry will be used as a prefix for all internal images deployed by vCluster or Helm. This makes it easy to upload all required vCluster images to a single private repository and set this value. Workload images are not affected by this.
1 nested properties
Enabled defines if this option should be enabled.
5 nested properties
Enabled specifies if the service account should get deployed.
Name specifies what name to use for the service account.
ImagePullSecrets defines extra image pull secrets for the service account.
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
5 nested properties
Enabled specifies if the service account for the workloads should get deployed.
Name specifies what name to use for the service account for the virtual cluster workloads.
ImagePullSecrets defines extra image pull secrets for the workload service account.
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
2 nested properties
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
2 nested properties
2 nested properties
Enabled defines if the konnectivity server should be enabled.
ExtraArgs are additional arguments to pass to the konnectivity server.
9 nested properties
Enabled defines if the konnectivity agent should be enabled.
Replicas is the number of replicas for the konnectivity agent.
Image is the image for the konnectivity agent.
ImagePullPolicy is the policy how to pull the image.
NodeSelector is the node selector for the konnectivity agent.
PriorityClassName is the priority class name for the konnectivity agent.
Tolerations is the tolerations for the konnectivity agent.
ExtraEnv is the extra environment variables for the konnectivity agent.
ExtraArgs are additional arguments to pass to the konnectivity agent.
3 nested properties
Enabled defines if the embedded registry should be enabled.
AnonymousPull allows enabling anonymous pull for the embedded registry. This allows anybody to pull images from the registry without authentication.
Config is the regular docker registry config. See https://distribution.github.io/distribution/about/configuration/ for more details.
1 nested properties
Enabled defines if the embedded cloud controller manager should be enabled. This defaults to true, but can be disabled if you want to use an external cloud controller manager such as AWS or GCP. The cloud controller manager is responsible for setting the node's ip addresses as well as the provider id for the node and other node metadata.
1 nested properties
Annotations are extra annotations for this resource.
3 nested properties
Enabled defines if embedded kube-vip should be enabled.
Interface is the network interface on which the VIP is announced.
Gateway is the gateway address in CIDR notation (e.g., 10.100.0.1/24). This is used to configure policy-based routing for the VIP and must include the subnet prefix.
4 nested properties
Enabled defines if the pod disruption budget should be enabled.
MinAvailable describes the minimal number or percentage of available pods.
MaxUnavailable describes the minimal number or percentage of unavailable pods.
UnhealthyPodEvictionPolicy defines the criteria when unhealthy pods should be considered for eviction. Currently supported values are:
- IfHealthyBudget - pods that are in the Running phase but not yet healthy are considered disrupted and may be evicted even if the PodDisruptionBudget criteria are not met.
- AlwaysAllow - pods that are in the Running phase but not yet healthy are considered disrupted and can be evicted regardless of whether the criteria in a PDB is met.
Annotations are extra annotations for this resource.
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
Replicas is the amount of replicas to use for the statefulSet.
LeaseDuration is the time to lease for the leader.
RenewDeadline is the deadline to renew a lease for the leader.
RetryPeriod is the time until a replica will retry to get a lease.
Enabled defines if the control plane ingress should be enabled
Host is the host where vCluster will be reachable
PathType is the path type of the ingress
Spec allows you to configure extra ingress options.
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
5 nested properties
Enabled enables deploying a persistent volume claim. If auto, vCluster will automatically determine based on the chosen distro and other options if this is required.
AccessModes are the persistent volume claim access modes.
RetentionPolicy is the persistent volume claim retention policy.
Size is the persistent volume claim storage size.
StorageClass is the persistent volume claim storage class.
VolumeClaimTemplates defines the volumeClaimTemplates for the statefulSet
Allows you to override the dataVolume. Only works correctly if volumeClaim.enabled=false.
BinariesVolume defines a binaries volume that is used to retrieve distro specific executables to be run by the syncer controller. This volume doesn't need to be persistent.
AddVolumes defines extra volumes for the pod
AddVolumeMounts defines extra volume mounts for the container
LivenessProbe defines the configuration for the liveness probe.
5 nested properties
Enabled defines if this option should be enabled.
Number of consecutive failures for the probe to be considered failed
Time (in seconds) to wait before starting the liveness probe
Maximum duration (in seconds) that the probe will wait for a response.
Frequency (in seconds) to perform the probe
ReadinessProbe defines the configuration for the readiness probe.
4 nested properties
Enabled defines if this option should be enabled.
Number of consecutive failures for the probe to be considered failed
Maximum duration (in seconds) that the probe will wait for a response.
Frequency (in seconds) to perform the probe
StartupProbe defines the configuration for the startup probe.
4 nested properties
Enabled defines if this option should be enabled.
Number of consecutive failures allowed before failing the pod
Maximum duration (in seconds) that the probe will wait for a response.
Frequency (in seconds) to perform the probe
BindAddress under which vCluster will expose the proxy.
Port under which vCluster will expose the proxy. Changing port is currently not supported.
ExtraSANs are extra hostnames to sign the vCluster proxy certificate for.
NodeSelector is the node selector to apply to the pod.
Affinity is the affinity to apply to the pod.
Tolerations are the tolerations to apply to the pod.
PriorityClassName is the priority class name for the the pod.
PodManagementPolicy is the statefulSet pod management policy.
TopologySpreadConstraints are the topology spread constraints for the pod.
PodSecurityContext specifies security context options on the pod level.
ContainerSecurityContext specifies security context options on the container level.
Enabled defines if the control plane service should be enabled
Spec allows you to configure extra service options.
KubeletNodePort is the node port where the fake kubelet is exposed. Defaults to 0.
HTTPSNodePort is the node port where https is exposed. Defaults to 0.
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
Enabled specifies if the service account should get deployed.
Name specifies what name to use for the service account.
ImagePullSecrets defines extra image pull secrets for the service account.
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
4 nested properties
Replicas is the amount of replicas to use for the statefulSet.
LeaseDuration is the time to lease for the leader.
RenewDeadline is the deadline to renew a lease for the leader.
RetryPeriod is the time until a replica will retry to get a lease.
2 nested properties
Limits are resource limits for the container
Requests are minimal resources that will be consumed by the container
6 nested properties
NodeSelector is the node selector to apply to the pod.
Affinity is the affinity to apply to the pod.
Tolerations are the tolerations to apply to the pod.
PriorityClassName is the priority class name for the the pod.
PodManagementPolicy is the statefulSet pod management policy.
TopologySpreadConstraints are the topology spread constraints for the pod.
2 nested properties
PodSecurityContext specifies security context options on the pod level.
ContainerSecurityContext specifies security context options on the container level.
3 nested properties
LivenessProbe defines the configuration for the liveness probe.
5 nested properties
Enabled defines if this option should be enabled.
Number of consecutive failures for the probe to be considered failed
Time (in seconds) to wait before starting the liveness probe
Maximum duration (in seconds) that the probe will wait for a response.
Frequency (in seconds) to perform the probe
ReadinessProbe defines the configuration for the readiness probe.
4 nested properties
Enabled defines if this option should be enabled.
Number of consecutive failures for the probe to be considered failed
Maximum duration (in seconds) that the probe will wait for a response.
Frequency (in seconds) to perform the probe
StartupProbe defines the configuration for the startup probe.
4 nested properties
Enabled defines if this option should be enabled.
Number of consecutive failures allowed before failing the pod
Maximum duration (in seconds) that the probe will wait for a response.
Frequency (in seconds) to perform the probe
6 nested properties
5 nested properties
Enabled enables deploying a persistent volume claim. If auto, vCluster will automatically determine based on the chosen distro and other options if this is required.
AccessModes are the persistent volume claim access modes.
RetentionPolicy is the persistent volume claim retention policy.
Size is the persistent volume claim storage size.
StorageClass is the persistent volume claim storage class.
VolumeClaimTemplates defines the volumeClaimTemplates for the statefulSet
Allows you to override the dataVolume. Only works correctly if volumeClaim.enabled=false.
BinariesVolume defines a binaries volume that is used to retrieve distro specific executables to be run by the syncer controller. This volume doesn't need to be persistent.
AddVolumes defines extra volumes for the pod
AddVolumeMounts defines extra volume mounts for the container
EnableServiceLinks for the StatefulSet pod
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
2 nested properties
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
3 nested properties
Registry is the registry of the container image, e.g. my-registry.com or ghcr.io. This setting can be globally overridden via the controlPlane.advanced.defaultImageRegistry option. Empty means docker hub.
Repository is the repository of the container image, e.g. my-repo/my-image
Tag is the tag of the container image, and is the default version.
ImagePullPolicy is the policy how to pull the image.
WorkingDir specifies in what folder the main process should get started.
Command allows you to override the main command.
Args allows you to override the main arguments.
Env are additional environment variables for the statefulSet container.
Set DNS policy for the pod.
PodDNSConfig defines the DNS parameters of a pod in addition to those generated from DNSPolicy.
3 nested properties
A list of DNS name server IP addresses. This will be appended to the base nameservers generated from DNSPolicy. Duplicated nameservers will be removed. +optional +listType=atomic
A list of DNS search domains for host-name lookup. This will be appended to the base search paths generated from DNSPolicy. Duplicated search paths will be removed. +optional +listType=atomic
A list of DNS resolver options. This will be merged with the base options generated from DNSPolicy. Duplicated entries will be removed. Resolution options given in Options will override those that appear in the base DNSPolicy. +optional +listType=atomic
InitContainers are additional init containers for the statefulSet.
SidecarContainers are additional sidecar containers for the statefulSet.
HostAliases allows you to add custom entries to the /etc/hosts file of each Pod created.
RuntimeClassName is the runtime class to set for the statefulSet pods.
Enabled defines if the control plane should be exposed via a gateway api tls route. Make sure to enable tls passthrough in the gateway via tls.mode to "Passthrough"
APIVersion is the version of the gateway api tls route.
Host is the host where vCluster will be reachable
ParentRefs are the parent references for the TLS route
Spec allows you to configure extra tls route options.
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
Enabled specifies if the service account for the workloads should get deployed.
Name specifies what name to use for the service account for the virtual cluster workloads.
ImagePullSecrets defines extra image pull secrets for the workload service account.
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
Enabled defines if coredns is enabled
Embedded defines if vCluster will start the embedded coredns service within the control-plane and not as a separate deployment. This is a PRO feature.
2 nested properties
PodSecurityContext specifies security context options on the pod level.
ContainerSecurityContext specifies security context options on the container level.
3 nested properties
Spec holds extra options for the coredns service
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
10 nested properties
Image is the coredns image to use
Replicas is the amount of coredns pods to run.
NodeSelector is the node selector to use for coredns.
Affinity is the affinity to apply to the pod.
Tolerations are the tolerations to apply to the pod.
2 nested properties
Limits are resource limits for the container
Requests are minimal resources that will be consumed by the container
2 nested properties
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
TopologySpreadConstraints are the topology spread constraints for the CoreDNS pod.
OverwriteConfig can be used to overwrite the coredns config
OverwriteManifests can be used to overwrite the coredns manifests used to deploy coredns
PriorityClassName specifies the priority class name for the CoreDNS pods.
Image is the coredns image to use
Replicas is the amount of coredns pods to run.
NodeSelector is the node selector to use for coredns.
Affinity is the affinity to apply to the pod.
Tolerations are the tolerations to apply to the pod.
2 nested properties
Limits are resource limits for the container
Requests are minimal resources that will be consumed by the container
2 nested properties
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
TopologySpreadConstraints are the topology spread constraints for the CoreDNS pod.
Spec holds extra options for the coredns service
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
Enabled defines if this resource proxy should be enabled
VirtualClusterRef is a reference to a virtual cluster within the platform.
2 nested properties
Name is the name of the target virtual cluster.
Project is the project of the target virtual cluster. If empty, defaults to the same project as the source vCluster.
AccessResources defines which resources should be accessible in the proxy.
7 nested properties
Enabled defines if the database should be used.
DataSource is the kine dataSource to use for the database. This depends on the database format. This is optional for the external database. Examples:
- mysql: mysql://username:password@tcp(hostname:3306)/vcluster
- postgres: postgres://username:password@hostname:5432/vcluster
IdentityProvider is the kine identity provider to use when generating temporary authentication tokens for enhanced security. This is optional for the external database. Examples:
- aws: RDS IAM Authentication
KeyFile is the key file to use for the database. This is optional.
CertFile is the cert file to use for the database. This is optional.
CaFile is the ca file to use for the database. This is optional.
ExtraArgs are additional arguments to pass to Kine.
8 nested properties
Enabled defines if the database should be used.
DataSource is the kine dataSource to use for the database. This depends on the database format. This is optional for the external database. Examples:
- mysql: mysql://username:password@tcp(hostname:3306)/vcluster
- postgres: postgres://username:password@hostname:5432/vcluster
IdentityProvider is the kine identity provider to use when generating temporary authentication tokens for enhanced security. This is optional for the external database. Examples:
- aws: RDS IAM Authentication
KeyFile is the key file to use for the database. This is optional.
CertFile is the cert file to use for the database. This is optional.
CaFile is the ca file to use for the database. This is optional.
ExtraArgs are additional arguments to pass to Kine.
Connector specifies a secret located in a connected vCluster Platform that contains database server connection information to be used by Platform to create a database and database user for the vCluster. and non-privileged user. A kine endpoint should be created using the database and user on Platform registration. This is optional.
Enabled defines if the database should be used.
DataSource is the kine dataSource to use for the database. This depends on the database format. This is optional for the external database. Examples:
- mysql: mysql://username:password@tcp(hostname:3306)/vcluster
- postgres: postgres://username:password@hostname:5432/vcluster
IdentityProvider is the kine identity provider to use when generating temporary authentication tokens for enhanced security. This is optional for the external database. Examples:
- aws: RDS IAM Authentication
KeyFile is the key file to use for the database. This is optional.
CertFile is the cert file to use for the database. This is optional.
CaFile is the ca file to use for the database. This is optional.
ExtraArgs are additional arguments to pass to Kine.
Deletion holds configuration for automatic vCluster deletion.
Prevent prevents the vCluster from being deleted +optional
DeletionAuto holds automatic deletion configuration
1 nested properties
AfterInactivity specifies after how long of inactivity the virtual cluster will be deleted. Uses Go duration format (e.g., "720h" for 30 days). +optional
DeletionAuto holds automatic deletion configuration
AfterInactivity specifies after how long of inactivity the virtual cluster will be deleted. Uses Go duration format (e.g., "720h" for 30 days). +optional
The name of the check.
Namespace describe a list of namespaces that will be affected by the check. An empty list means that all namespaces will be affected. In case of ClusterScoped rules, only the Namespace resource is affected.
Rules describes on which verbs and on what resources/subresources the webhook is enforced. The webhook is enforced if it matches any Rule. The version of the request must match the rule version exactly. Equivalent matching is not supported.
ExcludedUsers describe a list of users for which the checks will be skipped. Impersonation attempts on these users will still be subjected to the checks.
9 nested properties
Enabled defines if the kube proxy should be enabled.
Image is the image for the kube-proxy.
ImagePullPolicy is the policy how to pull the image.
NodeSelector is the node selector for the kube-proxy.
PriorityClassName is the priority class name for the kube-proxy.
Tolerations is the tolerations for the kube-proxy.
ExtraEnv is the extra environment variables for the kube-proxy.
ExtraArgs are additional arguments to pass to the kube-proxy.
Config is the config for the kube-proxy that will be merged into the default kube-proxy config. More information can be found here: https://kubernetes.io/docs/reference/config-api/kube-proxy-config.v1alpha1/#kubeproxy-config-k8s-io-v1alpha1-KubeProxyConfiguration
4 nested properties
Enabled defines if metallb should be enabled.
ControllerImage is the image for metallb controller.
SpeakerImage is the image for metallb speaker.
2 nested properties
Addresses is a list of IP addresses to use for the IP address pool.
L2Advertisement defines if L2 advertisement should be enabled for the IP address pool.
1 nested properties
4 nested properties
Enabled defines if Flannel should be enabled.
Image is the image for Flannel main container.
InitImage is the image for Flannel init container.
ImagePullPolicy is the policy how to pull the image.
4 nested properties
Enabled defines if LocalPathProvisioner should be enabled.
Image is the image for local path provisioner.
ImagePullPolicy is the policy how to pull the image.
NodePath is the path on the node where to create the persistent volume directories.
2 nested properties
Enabled defines if ingress-nginx should be enabled.
DefaultIngressClass defines if the deployed ingress class should be the default ingress class.
1 nested properties
Enabled defines if metrics server should be enabled.
VolumeSnapshotController defines CSI volumes snapshot-controller configuration.
1 nested properties
Enabled defines if the CSI volumes snapshot-controller should be enabled.
Enabled defines if metrics server should be enabled.
10 nested properties
Enabled specifies if the K8s distro should be enabled. Only one distro can be enabled at the same time.
Version is the Kubernetes version to use.
3 nested properties
Enabled signals this container should be enabled.
Command is the command to start the distro binary. This will override the existing command.
ExtraArgs are additional arguments to pass to the distro binary.
3 nested properties
Enabled signals this container should be enabled.
Command is the command to start the distro binary. This will override the existing command.
ExtraArgs are additional arguments to pass to the distro binary.
3 nested properties
Enabled signals this container should be enabled.
Command is the command to start the distro binary. This will override the existing command.
ExtraArgs are additional arguments to pass to the distro binary.
3 nested properties
Registry is the registry of the container image, e.g. my-registry.com or ghcr.io. This setting can be globally overridden via the controlPlane.advanced.defaultImageRegistry option. Empty means docker hub.
Repository is the repository of the container image, e.g. my-repo/my-image
Tag is the tag of the container image, and is the default version.
ImagePullPolicy is the pull policy for the distro image
Env are extra environment variables to use for the main container and NOT the init container.
Resources for the distro init container
Security options can be used for the distro init container
Enabled signals this container should be enabled.
Command is the command to start the distro binary. This will override the existing command.
ExtraArgs are additional arguments to pass to the distro binary.
Enabled specifies if the K8s distro should be enabled. Only one distro can be enabled at the same time.
Version is the Kubernetes version to use.
3 nested properties
Enabled signals this container should be enabled.
Command is the command to start the distro binary. This will override the existing command.
ExtraArgs are additional arguments to pass to the distro binary.
3 nested properties
Enabled signals this container should be enabled.
Command is the command to start the distro binary. This will override the existing command.
ExtraArgs are additional arguments to pass to the distro binary.
3 nested properties
Enabled signals this container should be enabled.
Command is the command to start the distro binary. This will override the existing command.
ExtraArgs are additional arguments to pass to the distro binary.
3 nested properties
Registry is the registry of the container image, e.g. my-registry.com or ghcr.io. This setting can be globally overridden via the controlPlane.advanced.defaultImageRegistry option. Empty means docker hub.
Repository is the repository of the container image, e.g. my-repo/my-image
Tag is the tag of the container image, and is the default version.
ImagePullPolicy is the pull policy for the distro image
Env are extra environment variables to use for the main container and NOT the init container.
Resources for the distro init container
Security options can be used for the distro init container
Name is the name of this NodePool
NodeTypeSelector filters the types of nodes that can be provisioned by this pool. All requirements must be met for a node type to be eligible.
Taints are the taints to apply to the nodes in this pool.
NodeLabels are the labels to apply to the nodes in this pool.
Limits specify the maximum resources that can be provisioned by this node pool, mapping to the 'limits' field in Karpenter's NodePool API.
3 nested properties
ConsolidateAfter is the duration the controller will wait before attempting to terminate nodes that are underutilized. Refer to ConsolidationPolicy for how underutilization is considered.
ConsolidationPolicy describes which nodes Karpenter can disrupt through its consolidation algorithm. This policy defaults to "WhenEmptyOrUnderutilized" if not specified
Budgets is a list of Budgets. If there are multiple active budgets, Karpenter uses the most restrictive value. If left undefined, this will default to one budget with a value to 10%.
TerminationGracePeriod is the maximum duration the controller will wait before forcefully deleting the pods on a node, measured from when deletion is first initiated.
Warning: this feature takes precedence over a Pod's terminationGracePeriodSeconds value, and bypasses any blocked PDBs or the karpenter.sh/do-not-disrupt annotation.
This field is intended to be used by cluster administrators to enforce that nodes can be cycled within a given time period. When set, drifted nodes will begin draining even if there are pods blocking eviction. Draining will respect PDBs and the do-not-disrupt annotation until the TGP is reached.
Karpenter will preemptively delete pods so their terminationGracePeriodSeconds align with the node's terminationGracePeriod. If a pod would be terminated without being granted its full terminationGracePeriodSeconds prior to the node timeout, that pod will be deleted at T = node timeout - pod terminationGracePeriodSeconds.
The feature can also be used to allow maximum time limits for long-running jobs which can delay node termination with preStop hooks. Defaults to 30s. Set to Never to wait indefinitely for pods to be drained.
The amount of time a Node can live on the cluster before being removed
Weight is the weight of this node pool.
ConsolidateAfter is the duration the controller will wait before attempting to terminate nodes that are underutilized. Refer to ConsolidationPolicy for how underutilization is considered.
ConsolidationPolicy describes which nodes Karpenter can disrupt through its consolidation algorithm. This policy defaults to "WhenEmptyOrUnderutilized" if not specified
Budgets is a list of Budgets. If there are multiple active budgets, Karpenter uses the most restrictive value. If left undefined, this will default to one budget with a value to 10%.
Nodes dictates the maximum number of NodeClaims owned by this NodePool that can be terminating at once. This is calculated by counting nodes that have a deletion timestamp set, or are actively being deleted by Karpenter. This field is required when specifying a budget.
Schedule specifies when a budget begins being active, following the upstream cronjob syntax. If omitted, the budget is always active. Timezones are not supported.
Duration determines how long a Budget is active since each Schedule hit. Only minutes and hours are accepted, as cron does not work in seconds. If omitted, the budget is always active. This is required if Schedule is set.
Enabled defines if this option should be enabled.
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
2 nested properties
Enabled defines if this option should be enabled.
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
1 nested properties
ByName is a map of host-object-namespace/host-object-name: virtual-object-namespace/virtual-object-name. There are several wildcards supported:
- To match all objects in host namespace and sync them to different namespace in vCluster: byName: "foo/": "foo-in-virtual/"
- To match specific object in the host namespace and sync it to the same namespace with the same name: byName: "foo/my-object": "foo/my-object"
- To match specific object in the host namespace and sync it to the same namespace with different name: byName: "foo/my-object": "foo/my-virtual-object"
- To match all objects in the vCluster host namespace and sync them to a different namespace in vCluster: byName: "": "my-virtual-namespace/*"
- To match specific objects in the vCluster host namespace and sync them to a different namespace in vCluster: byName: "/my-object": "my-virtual-namespace/my-object"
4 nested properties
Enabled defines if the embedded etcd should be used.
MigrateFromDeployedEtcd signals that vCluster should migrate from the deployed external etcd to embedded etcd.
SnapshotCount defines the number of snapshots to keep for the embedded etcd. Defaults to 10000 if less than 1.
ExtraArgs are additional arguments to pass to the embedded etcd.
4 nested properties
Enabled defines that an external etcd should be deployed.
14 nested properties
Enabled defines if the statefulSet should be deployed
EnableServiceLinks for the StatefulSet pod
ImagePullPolicy is the pull policy for the external etcd image
Env are extra environment variables
ExtraArgs are appended to the etcd command.
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
2 nested properties
Enabled defines if the etcd service should be deployed
Annotations are extra annotations for the external etcd service
1 nested properties
Annotations are extra annotations for the external etcd headless service
3 nested properties
Enabled defines if the external etcd should be used.
Endpoint holds the endpoint of the external etcd server, e.g. my-example-service:2379
EtcdExternalTLS defines tls for external etcd server
3 nested properties
CaFile is the path to the ca file
CertFile is the path to the cert file
KeyFile is the path to the key file
Enabled defines that an external etcd should be deployed.
14 nested properties
Enabled defines if the statefulSet should be deployed
EnableServiceLinks for the StatefulSet pod
3 nested properties
Registry is the registry of the container image, e.g. my-registry.com or ghcr.io. This setting can be globally overridden via the controlPlane.advanced.defaultImageRegistry option. Empty means docker hub.
Repository is the repository of the container image, e.g. my-repo/my-image
Tag is the tag of the container image, and is the default version.
ImagePullPolicy is the pull policy for the external etcd image
Env are extra environment variables
ExtraArgs are appended to the etcd command.
2 nested properties
Limits are resource limits for the container
Requests are minimal resources that will be consumed by the container
2 nested properties
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
1 nested properties
Replicas are the amount of pods to use.
6 nested properties
NodeSelector is the node selector to apply to the pod.
Affinity is the affinity to apply to the pod.
Tolerations are the tolerations to apply to the pod.
PriorityClassName is the priority class name for the the pod.
PodManagementPolicy is the statefulSet pod management policy.
TopologySpreadConstraints are the topology spread constraints for the pod.
2 nested properties
PodSecurityContext specifies security context options on the pod level.
ContainerSecurityContext specifies security context options on the container level.
4 nested properties
VolumeClaimTemplates defines the volumeClaimTemplates for the statefulSet
AddVolumes defines extra volumes for the pod
AddVolumeMounts defines extra volume mounts for the container
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
2 nested properties
Enabled defines if the etcd service should be deployed
Annotations are extra annotations for the external etcd service
1 nested properties
Annotations are extra annotations for the external etcd headless service
Annotations are extra annotations for the external etcd headless service
Enabled defines if the etcd service should be deployed
Annotations are extra annotations for the external etcd service
Enabled defines if the statefulSet should be deployed
EnableServiceLinks for the StatefulSet pod
3 nested properties
Registry is the registry of the container image, e.g. my-registry.com or ghcr.io. This setting can be globally overridden via the controlPlane.advanced.defaultImageRegistry option. Empty means docker hub.
Repository is the repository of the container image, e.g. my-repo/my-image
Tag is the tag of the container image, and is the default version.
ImagePullPolicy is the pull policy for the external etcd image
Env are extra environment variables
ExtraArgs are appended to the etcd command.
2 nested properties
Limits are resource limits for the container
Requests are minimal resources that will be consumed by the container
2 nested properties
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
1 nested properties
Replicas are the amount of pods to use.
6 nested properties
NodeSelector is the node selector to apply to the pod.
Affinity is the affinity to apply to the pod.
Tolerations are the tolerations to apply to the pod.
PriorityClassName is the priority class name for the the pod.
PodManagementPolicy is the statefulSet pod management policy.
TopologySpreadConstraints are the topology spread constraints for the pod.
2 nested properties
PodSecurityContext specifies security context options on the pod level.
ContainerSecurityContext specifies security context options on the container level.
4 nested properties
5 nested properties
Enabled enables deploying a persistent volume claim.
AccessModes are the persistent volume claim access modes.
RetentionPolicy is the persistent volume claim retention policy.
Size is the persistent volume claim storage size.
StorageClass is the persistent volume claim storage class.
VolumeClaimTemplates defines the volumeClaimTemplates for the statefulSet
AddVolumes defines extra volumes for the pod
AddVolumeMounts defines extra volume mounts for the container
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
Enabled defines if the embedded etcd should be used.
MigrateFromDeployedEtcd signals that vCluster should migrate from the deployed external etcd to embedded etcd.
SnapshotCount defines the number of snapshots to keep for the embedded etcd. Defaults to 10000 if less than 1.
ExtraArgs are additional arguments to pass to the embedded etcd.
Enabled defines if the external etcd should be used.
Endpoint holds the endpoint of the external etcd server, e.g. my-example-service:2379
EtcdExternalTLS defines tls for external etcd server
3 nested properties
CaFile is the path to the ca file
CertFile is the path to the cert file
KeyFile is the path to the key file
EtcdExternalTLS defines tls for external etcd server
CaFile is the path to the ca file
CertFile is the path to the cert file
KeyFile is the path to the key file
2 nested properties
2 nested properties
Manifests are raw Kubernetes manifests that should get applied within the host cluster.
ManifestsTemplate is a Kubernetes manifest template that will be rendered with vCluster values before applying it within the host cluster.
3 nested properties
Manifests are raw Kubernetes manifests that should get applied within the virtual cluster.
ManifestsTemplate is a Kubernetes manifest template that will be rendered with vCluster values before applying it within the virtual cluster.
Helm are Helm charts that should get deployed into the virtual cluster
3 nested properties
SetOwner specifies if vCluster should set an owner reference on the synced objects to the vCluster service. This allows for easy garbage collection.
HostMetricsBindAddress is the bind address for the local manager
VirtualMetricsBindAddress is the bind address for the virtual manager
5 nested properties
KubeConfig is the virtual cluster kubeconfig path.
ServerCAKey is the server ca key path.
ServerCAKey is the server ca cert path.
ServerCAKey is the client ca cert path.
RequestHeaderCACert is the request header ca cert path.
DenyProxyRequests denies certain requests in the vCluster proxy.
1 nested properties
CustomResources is a map of resource keys (format: "kind.apiGroup/version") to proxy configuration
10 nested properties
Image defines the image to use for the container. Defaults to ghcr.io/loft-sh/vm-container.
Ports defines extra port mappings to be added to the container.
Volumes defines extra volumes to be added to the container.
Env defines extra environment variables to be added to the container. Use key=value.
Args defines extra arguments to be added to the docker run command of the container.
Enabled defines if the vCluster was deployed using Docker. This is automatically set by vCluster and should not be set by the user.
Network defines the network to use for the vCluster. If not specified, the a network will be created for the vCluster.
Nodes defines the nodes of the vCluster.
1 nested properties
Enabled defines if this option should be enabled.
2 nested properties
Enabled defines if this option should be enabled.
ForwardPorts defines if the load balancer ips should be made available locally via port forwarding. This will be only done if necessary for example on macos when using docker desktop.
NodeMonitors allows you to create a service monitor for each node.
2 nested properties
Manifests are raw Kubernetes manifests that should get applied within the host cluster.
ManifestsTemplate is a Kubernetes manifest template that will be rendered with vCluster values before applying it within the host cluster.
3 nested properties
Manifests are raw Kubernetes manifests that should get applied within the virtual cluster.
ManifestsTemplate is a Kubernetes manifest template that will be rendered with vCluster values before applying it within the virtual cluster.
Helm are Helm charts that should get deployed into the virtual cluster
6 nested properties
2 nested properties
Name of the release
Namespace of the release
Values defines what values should get used.
Timeout defines the timeout for Helm
Bundle allows to compress the Helm chart and specify this instead of an online chart
Name of the release
Namespace of the release
Manifests are raw Kubernetes manifests that should get applied within the host cluster.
ManifestsTemplate is a Kubernetes manifest template that will be rendered with vCluster values before applying it within the host cluster.
Manifests are raw Kubernetes manifests that should get applied within the virtual cluster.
ManifestsTemplate is a Kubernetes manifest template that will be rendered with vCluster values before applying it within the virtual cluster.
Helm are Helm charts that should get deployed into the virtual cluster
Image defines the image to use for the container. Defaults to ghcr.io/loft-sh/vm-container.
Ports defines extra port mappings to be added to the container.
Volumes defines extra volumes to be added to the container.
Env defines extra environment variables to be added to the container. Use key=value.
Args defines extra arguments to be added to the docker run command of the container.
Enabled defines if the vCluster was deployed using Docker. This is automatically set by vCluster and should not be set by the user.
Network defines the network to use for the vCluster. If not specified, the a network will be created for the vCluster.
Nodes defines the nodes of the vCluster.
1 nested properties
Enabled defines if this option should be enabled.
2 nested properties
Enabled defines if this option should be enabled.
ForwardPorts defines if the load balancer ips should be made available locally via port forwarding. This will be only done if necessary for example on macos when using docker desktop.
Enabled defines if this option should be enabled.
ForwardPorts defines if the load balancer ips should be made available locally via port forwarding. This will be only done if necessary for example on macos when using docker desktop.
Image defines the image to use for the container. Defaults to ghcr.io/loft-sh/vm-container.
Ports defines extra port mappings to be added to the container.
Volumes defines extra volumes to be added to the container.
Env defines extra environment variables to be added to the container. Use key=value.
Args defines extra arguments to be added to the docker run command of the container.
Name defines the name of the node. If not specified, a random name will be generated.
Name is the name of the monitor. It will be suffixed with the node name.
NodeSelector defines the node selector for the service monitor.
Endpoints is a list of endpoints to add to the service monitor. By default, vCluster will relabel the node and instance label to the node name.
Spec allows you to configure extra service monitor options that will be merged into the spec.
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
Path is the kubelet path of the endpoint. vCluster will prepend /api/v1/nodes/NODE_NAME to the path.
Params allows you to configure extra parameters to add to the endpoint.
ExtraRelabelings allows you to configure extra relabelings to add to the endpoint. By default, vCluster will relabel the node and instance label to the node name.
MetricsRelabelings allows you to configure extra metrics relabelings to add to the endpoint.
Interval is the interval at which to scrape the endpoint.
ScrapeTimeout is the timeout for the scrape of the endpoint.
SetOwner specifies if vCluster should set an owner reference on the synced objects to the vCluster service. This allows for easy garbage collection.
HostMetricsBindAddress is the bind address for the local manager
VirtualMetricsBindAddress is the bind address for the virtual manager
ExportKubeConfig describes how vCluster should export the vCluster kubeconfig.
Context is the name of the context within the generated kubeconfig to use.
Override the default https://localhost:8443 and specify a custom hostname for the generated kubeconfig.
If tls should get skipped for the server
3 nested properties
Name of the service account to be used to generate a service account token instead of the default certificates.
Namespace of the service account to be used to generate a service account token instead of the default certificates. If omitted, will use the kube-system namespace.
ClusterRole to assign to the service account.
Declare in which host cluster secret vCluster should store the generated virtual cluster kubeconfig.
2 nested properties
Name is the name of the secret where the kubeconfig should get stored.
Namespace where vCluster should store the kubeconfig secret. If this is not equal to the namespace where you deployed vCluster, you need to make sure vCluster has access to this other namespace.
AdditionalSecrets specifies the additional host cluster secrets in which vCluster will store the generated virtual cluster kubeconfigs.
ExportKubeConfigAdditionalSecretReference defines the additional host cluster secret in which vCluster stores the generated virtual cluster kubeconfigs.
Context is the name of the context within the generated kubeconfig to use.
Override the default https://localhost:8443 and specify a custom hostname for the generated kubeconfig.
If tls should get skipped for the server
3 nested properties
Name of the service account to be used to generate a service account token instead of the default certificates.
Namespace of the service account to be used to generate a service account token instead of the default certificates. If omitted, will use the kube-system namespace.
ClusterRole to assign to the service account.
Name is the name of the secret where the kubeconfig is stored.
Namespace where vCluster stores the kubeconfig secret. If this is not equal to the namespace where you deployed vCluster, you need to make sure vCluster has access to this other namespace.
Declare in which host cluster secret vCluster should store the generated virtual cluster kubeconfig.
Name is the name of the secret where the kubeconfig should get stored.
Namespace where vCluster should store the kubeconfig secret. If this is not equal to the namespace where you deployed vCluster, you need to make sure vCluster has access to this other namespace.
Name of the service account to be used to generate a service account token instead of the default certificates.
Namespace of the service account to be used to generate a service account token instead of the default certificates. If omitted, will use the kube-system namespace.
ClusterRole to assign to the service account.
Enabled defines if the database should be used.
DataSource is the kine dataSource to use for the database. This depends on the database format. This is optional for the external database. Examples:
- mysql: mysql://username:password@tcp(hostname:3306)/vcluster
- postgres: postgres://username:password@hostname:5432/vcluster
IdentityProvider is the kine identity provider to use when generating temporary authentication tokens for enhanced security. This is optional for the external database. Examples:
- aws: RDS IAM Authentication
KeyFile is the key file to use for the database. This is optional.
CertFile is the cert file to use for the database. This is optional.
CaFile is the ca file to use for the database. This is optional.
ExtraArgs are additional arguments to pass to Kine.
Connector specifies a secret located in a connected vCluster Platform that contains database server connection information to be used by Platform to create a database and database user for the vCluster. and non-privileged user. A kine endpoint should be created using the database and user on Platform registration. This is optional.
Replicas are the amount of pods to use.
5 nested properties
Enabled enables deploying a persistent volume claim.
AccessModes are the persistent volume claim access modes.
RetentionPolicy is the persistent volume claim retention policy.
Size is the persistent volume claim storage size.
StorageClass is the persistent volume claim storage class.
VolumeClaimTemplates defines the volumeClaimTemplates for the statefulSet
AddVolumes defines extra volumes for the pod
AddVolumeMounts defines extra volume mounts for the container
Enabled enables deploying a persistent volume claim.
AccessModes are the persistent volume claim access modes.
RetentionPolicy is the persistent volume claim retention policy.
Size is the persistent volume claim storage size.
StorageClass is the persistent volume claim storage class.
ExternalSecrets reuses a host external secret operator and makes certain CRDs from it available inside the vCluster
Enabled defines whether the external secret integration is enabled or not
Version defines the version of the external secrets operator to use. If empty, the storage version will be used.
1 nested properties
Enabled defines if this option should be enabled.
2 nested properties
2 nested properties
Enabled defines if this option should be enabled.
1 nested properties
2 nested properties
2 nested properties
2 nested properties
Enabled defines if this option should be enabled.
ByName is a map of host-object-namespace/host-object-name: virtual-object-namespace/virtual-object-name. There are several wildcards supported:
- To match all objects in host namespace and sync them to different namespace in vCluster: byName: "foo/": "foo-in-virtual/"
- To match specific object in the host namespace and sync it to the same namespace with the same name: byName: "foo/my-object": "foo/my-object"
- To match specific object in the host namespace and sync it to the same namespace with different name: byName: "foo/my-object": "foo/my-virtual-object"
- To match all objects in the vCluster host namespace and sync them to a different namespace in vCluster: byName: "": "my-virtual-namespace/*"
- To match specific objects in the vCluster host namespace and sync them to a different namespace in vCluster: byName: "/my-object": "my-virtual-namespace/my-object"
Enabled specifies if the host path mapper will be used
Central specifies if the central host path mapper will be used
Enabled specifies if hybrid scheduling is enabled.
HostSchedulers is a list of schedulers that are deployed on the host cluster.
IPBlock describes a particular CIDR (Ex.
CIDR defines the allowed workload public egress destination. Valid examples are "0.0.0.0/0", "192.168.1.0/24" or "2001:db8::/64"
Except is a slice of CIDRs that should not be included. Items outside the cidr range will be rejected. Valid examples are "192.168.1.0/24" or "2001:db8::/64". +optional
Registry is the registry of the container image, e.g. my-registry.com or ghcr.io. This setting can be globally overridden via the controlPlane.advanced.defaultImageRegistry option. Empty means docker hub.
Repository is the repository of the container image, e.g. my-repo/my-image
Tag is the tag of the container image, and is the default version.
Name of the image pull secret to use.
Enabled defines if ingress-nginx should be enabled.
DefaultIngressClass defines if the deployed ingress class should be the default ingress class.
Integrations holds config for vCluster integrations with other operators or tools running on the host cluster
MetricsServer reuses the metrics server from the host cluster within the vCluster.
4 nested properties
Enabled signals the metrics server integration should be enabled.
APIService holds configuration related to the api server
1 nested properties
APIServiceService holds the service name and namespace of the host apiservice.
Nodes defines if metrics-server nodes api should get proxied from host to virtual cluster.
Pods defines if metrics-server pods api should get proxied from host to virtual cluster.
KubeVirt reuses a host kubevirt and makes certain CRDs from it available inside the vCluster
4 nested properties
Enabled signals if the integration should be enabled
APIService holds configuration related to the api server
1 nested properties
APIServiceService holds the service name and namespace of the host apiservice.
1 nested properties
Enabled defines if this option should be enabled.
ExternalSecrets reuses a host external secret operator and makes certain CRDs from it available inside the vCluster
4 nested properties
Enabled defines whether the external secret integration is enabled or not
Version defines the version of the external secrets operator to use. If empty, the storage version will be used.
1 nested properties
Enabled defines if this option should be enabled.
CertManager reuses a host cert-manager and makes its CRDs from it available inside the vCluster
NetrisIntegration holds netris integration configuration.
3 nested properties
Enabled defines if netris integration is enabled +optional
Connector specifies the netris connector name +optional
NetrisKubeVipConfig holds kube-vip configuration for netris integration
3 nested properties
ServerCluster specifies the server cluster name +optional
Bridge specifies the bridge interface name +optional
IPRange specifies the IP range for kube-vip +optional
3 nested properties
1 nested properties
Enabled defines if this option should be enabled.
1 nested properties
Enabled defines if this option should be enabled.
1 nested properties
Enabled defines if this option should be enabled.
1 nested properties
Enabled defines if this option should be enabled.
1 nested properties
Enabled defines if this option should be enabled.
1 nested properties
Enabled defines if this option should be enabled.
PreInstallCommands are commands that will be executed before containerd, kubelet etc. is installed.
PreJoinCommands are commands that will be executed before kubeadm join is executed.
PostJoinCommands are commands that will be executed after kubeadm join is executed.
3 nested properties
Enabled defines if containerd should be installed and configured by vCluster.
3 nested properties
ConfigPath is the path to the containerd registry config.
Mirrors holds configuration for the containerd registry mirrors. E.g. myregistry.io:5000 or docker.io. See https://github.com/containerd/containerd/blob/main/docs/hosts.md for more details.
Auth holds configuration for the containerd registry auth. See https://github.com/containerd/containerd/blob/main/docs/cri/registry.md#configure-registry-credentials for more details.
PauseImage is the image for the pause container.
CACertPath is the path to the SSL certificate authority used to secure communications between node and control-plane. Defaults to "/etc/kubernetes/pki/ca.crt".
SkipPhases is a list of phases to skip during command execution. The list of phases can be obtained with the "kubeadm join --help" command.
5 nested properties
CRI socket is the socket for the CRI.
KubeletExtraArgs passes through extra arguments to the kubelet. The arguments here are passed to the kubelet command line via the environment file kubeadm writes at runtime for the kubelet to source. This overrides the generic base-level configuration in the kubelet-config ConfigMap Flags have higher priority when parsing. These values are local and specific to the node kubeadm is executing on. An argument name in this list is the flag name as it appears on the command line except without leading dash(es). Extra arguments will override existing default arguments. Duplicate extra arguments are allowed.
Taints are additional taints to set for the kubelet.
IgnorePreflightErrors provides a slice of pre-flight errors to be ignored when the current node is registered, e.g. 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
ImagePullPolicy specifies the policy for image pulling during kubeadm "init" and "join" operations. The value of this field must be one of "Always", "IfNotPresent" or "Never". If this field is unset kubeadm will default it to "IfNotPresent", or pull the required images if not present on the host.
2 nested properties
Enabled defines if the konnectivity server should be enabled.
ExtraArgs are additional arguments to pass to the konnectivity server.
9 nested properties
Enabled defines if the konnectivity agent should be enabled.
Replicas is the number of replicas for the konnectivity agent.
Image is the image for the konnectivity agent.
ImagePullPolicy is the policy how to pull the image.
NodeSelector is the node selector for the konnectivity agent.
PriorityClassName is the priority class name for the konnectivity agent.
Tolerations is the tolerations for the konnectivity agent.
ExtraEnv is the extra environment variables for the konnectivity agent.
ExtraArgs are additional arguments to pass to the konnectivity agent.
Enabled defines if the konnectivity agent should be enabled.
Replicas is the number of replicas for the konnectivity agent.
Image is the image for the konnectivity agent.
ImagePullPolicy is the policy how to pull the image.
NodeSelector is the node selector for the konnectivity agent.
PriorityClassName is the priority class name for the konnectivity agent.
Tolerations is the tolerations for the konnectivity agent.
ExtraEnv is the extra environment variables for the konnectivity agent.
ExtraArgs are additional arguments to pass to the konnectivity agent.
Enabled defines if the konnectivity server should be enabled.
ExtraArgs are additional arguments to pass to the konnectivity server.
Enabled defines if the kube proxy should be enabled.
Image is the image for the kube-proxy.
ImagePullPolicy is the policy how to pull the image.
NodeSelector is the node selector for the kube-proxy.
PriorityClassName is the priority class name for the kube-proxy.
Tolerations is the tolerations for the kube-proxy.
ExtraEnv is the extra environment variables for the kube-proxy.
ExtraArgs are additional arguments to pass to the kube-proxy.
Config is the config for the kube-proxy that will be merged into the default kube-proxy config. More information can be found here: https://kubernetes.io/docs/reference/config-api/kube-proxy-config.v1alpha1/#kubeproxy-config-k8s-io-v1alpha1-KubeProxyConfiguration
Enabled defines if embedded kube-vip should be enabled.
Interface is the network interface on which the VIP is announced.
Gateway is the gateway address in CIDR notation (e.g., 10.100.0.1/24). This is used to configure policy-based routing for the VIP and must include the subnet prefix.
KubeVirt reuses a host kubevirt and makes certain CRDs from it available inside the vCluster
Enabled signals if the integration should be enabled
APIService holds configuration related to the api server
1 nested properties
APIServiceService holds the service name and namespace of the host apiservice.
3 nested properties
Name is the name of the host service of the apiservice.
Namespace is the name of the host service of the apiservice.
Port is the target port on the host service to connect to.
1 nested properties
Enabled defines if this option should be enabled.
KubeVirtSync are the crds that are supported by this integration
6 nested properties
1 nested properties
Enabled defines if this option should be enabled.
1 nested properties
Enabled defines if this option should be enabled.
1 nested properties
Enabled defines if this option should be enabled.
1 nested properties
Enabled defines if this option should be enabled.
1 nested properties
Enabled defines if this option should be enabled.
1 nested properties
Enabled defines if this option should be enabled.
KubeVirtSync are the crds that are supported by this integration
1 nested properties
Enabled defines if this option should be enabled.
1 nested properties
Enabled defines if this option should be enabled.
1 nested properties
Enabled defines if this option should be enabled.
1 nested properties
Enabled defines if this option should be enabled.
1 nested properties
Enabled defines if this option should be enabled.
1 nested properties
Enabled defines if this option should be enabled.
Config is the config for the kubelet that will be merged into the default kubelet config. More information can be found here: https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration
KubeletExtraArg represents an argument with a name and a value.
Name is the name of the argument.
Value is the value of the argument.
Required. The taint key to be applied to a node.
The taint value corresponding to the taint key. +optional
Required. The effect of the taint on pods that do not tolerate the taint. Valid effects are NoSchedule, PreferNoSchedule and NoExecute.
Labels defines what labels should be looked for
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
Enabled defines if the limit range should be deployed by vCluster. "auto" means that if resourceQuota is enabled, the limitRange will be enabled as well.
Default are the default limits for the limit range
DefaultRequest are the default request options for the limit range
Max are the max limits for the limit range
Min are the min limits for the limit range
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
LivenessProbe defines the configuration for the liveness probe.
Enabled defines if this option should be enabled.
Number of consecutive failures for the probe to be considered failed
Time (in seconds) to wait before starting the liveness probe
Maximum duration (in seconds) that the probe will wait for a response.
Frequency (in seconds) to perform the probe
Enabled defines if LocalPathProvisioner should be enabled.
Image is the image for local path provisioner.
ImagePullPolicy is the policy how to pull the image.
NodePath is the path on the node where to create the persistent volume directories.
Logging holds the log encoding details
Encoding specifies the format of vCluster logs, it can either be json or console.
Enabled defines if metallb should be enabled.
ControllerImage is the image for metallb controller.
SpeakerImage is the image for metallb speaker.
2 nested properties
Addresses is a list of IP addresses to use for the IP address pool.
L2Advertisement defines if L2 advertisement should be enabled for the IP address pool.
Addresses is a list of IP addresses to use for the IP address pool.
L2Advertisement defines if L2 advertisement should be enabled for the IP address pool.
MetricsServer reuses the metrics server from the host cluster within the vCluster.
Enabled signals the metrics server integration should be enabled.
APIService holds configuration related to the api server
1 nested properties
APIServiceService holds the service name and namespace of the host apiservice.
3 nested properties
Name is the name of the host service of the apiservice.
Namespace is the name of the host service of the apiservice.
Port is the target port on the host service to connect to.
Nodes defines if metrics-server nodes api should get proxied from host to virtual cluster.
Pods defines if metrics-server pods api should get proxied from host to virtual cluster.
reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. Allowed values are "Never" and "IfNeeded".
The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization.
ValidatingWebhookClientConfig contains the information to make a TLS connection with the webhook
3 nested properties
URL gives the location of the webhook, in standard URL form
(scheme://host:port/path). Exactly one of url or service
must be specified.
4 nested properties
Namespace is the namespace of the service.
Name is the name of the service.
Path is an optional URL path which will be sent in any request to this service.
If specified, the port on the service that hosting webhook.
Default to 443 for backward compatibility.
port should be a valid port number (1-65535, inclusive).
CABundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.
Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches any Rule.
FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Fail.
matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".
NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.
ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector.
SideEffects states whether this webhook has side effects.
TimeoutSeconds specifies the timeout for this webhook.
AdmissionReviewVersions is an ordered list of preferred AdmissionReview
versions the Webhook expects.
MatchConditions is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to.
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values.
3 nested properties
Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition.
Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services.
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata.
Webhooks is a list of webhooks and the affected resources and operations.
NetrisIntegration holds netris integration configuration.
Enabled defines if netris integration is enabled +optional
Connector specifies the netris connector name +optional
NetrisKubeVipConfig holds kube-vip configuration for netris integration
3 nested properties
ServerCluster specifies the server cluster name +optional
Bridge specifies the bridge interface name +optional
IPRange specifies the IP range for kube-vip +optional
NetrisKubeVipConfig holds kube-vip configuration for netris integration
ServerCluster specifies the server cluster name +optional
Bridge specifies the bridge interface name +optional
IPRange specifies the IP range for kube-vip +optional
Enabled defines if the network policy should be deployed by vCluster.
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
FallbackDNS is the fallback DNS server to use if the virtual cluster does not have a DNS server.
2 nested properties
Ingress rules for the vCluster control plane.
Egress rules for the vCluster control plane.
3 nested properties
3 nested properties
Enabled defines if the workload public egress should be enabled or disabled.
CIDR defines the allowed workload public egress destination. Valid examples are "0.0.0.0/0", "192.168.1.0/24" or "2001:db8::/64"
Except is a slice of CIDRs that should not be included. Items outside the cidr range will be rejected. Valid examples are "192.168.1.0/24" or "2001:db8::/64". +optional
Ingress rules for the vCluster workloads.
Egress rules for the vCluster workloads.
Ingress rules for the vCluster control plane.
Egress rules for the vCluster control plane.
NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector.
ports is a list of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list. +optional +listType=atomic
to is a list of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list. +optional +listType=atomic
NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec's podSelector.
ports is a list of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list. +optional +listType=atomic
from is a list of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list. +optional +listType=atomic
NetworkPolicyPeer describes a peer to allow traffic to/from.
2 nested properties
2 nested properties
IPBlock describes a particular CIDR (Ex.
2 nested properties
CIDR defines the allowed workload public egress destination. Valid examples are "0.0.0.0/0", "192.168.1.0/24" or "2001:db8::/64"
Except is a slice of CIDRs that should not be included. Items outside the cidr range will be rejected. Valid examples are "192.168.1.0/24" or "2001:db8::/64". +optional
NetworkPolicyPort describes a port to allow traffic on
protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. +optional
port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched. +optional
endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. +optional
3 nested properties
Enabled defines if the workload public egress should be enabled or disabled.
CIDR defines the allowed workload public egress destination. Valid examples are "0.0.0.0/0", "192.168.1.0/24" or "2001:db8::/64"
Except is a slice of CIDRs that should not be included. Items outside the cidr range will be rejected. Valid examples are "192.168.1.0/24" or "2001:db8::/64". +optional
Ingress rules for the vCluster workloads.
Egress rules for the vCluster workloads.
Enabled defines if the workload public egress should be enabled or disabled.
CIDR defines the allowed workload public egress destination. Valid examples are "0.0.0.0/0", "192.168.1.0/24" or "2001:db8::/64"
Except is a slice of CIDRs that should not be included. Items outside the cidr range will be rejected. Valid examples are "192.168.1.0/24" or "2001:db8::/64". +optional
ByHostname will add a special vCluster hostname to the nodes where the node can be reached at. This doesn't work for all applications, e.g. Prometheus requires a node IP.
ByIP will create a separate service in the host cluster for every node that will point to virtual cluster and will be used to route traffic.
ServiceCIDR holds the service cidr for the virtual cluster. This should only be set if privateNodes.enabled is true or vCluster cannot detect the host service cidr.
PodCIDR holds the pod cidr for the virtual cluster. This should only be set if privateNodes.enabled is true.
2 nested properties
ToHost defines the services that should get synced from virtual cluster to the host cluster. If services are synced to a different namespace than the virtual cluster is in, additional permissions for the other namespace are required.
FromHost defines the services that should get synced from the host to the virtual cluster.
ResolveDNS allows to define extra DNS rules. This only works if embedded coredns is configured.
3 nested properties
ClusterDomain is the Kubernetes cluster domain to use within the virtual cluster.
FallbackHostCluster allows to fallback dns to the host cluster. This is useful if you want to reach host services without any other modification. You will need to provide a namespace for the service, e.g. my-other-service.my-other-namespace
2 nested properties
ByHostname will add a special vCluster hostname to the nodes where the node can be reached at. This doesn't work for all applications, e.g. Prometheus requires a node IP.
ByIP will create a separate service in the host cluster for every node that will point to virtual cluster and will be used to route traffic.
ClusterDomain is the Kubernetes cluster domain to use within the virtual cluster.
FallbackHostCluster allows to fallback dns to the host cluster. This is useful if you want to reach host services without any other modification. You will need to provide a namespace for the service, e.g. my-other-service.my-other-namespace
2 nested properties
ByHostname will add a special vCluster hostname to the nodes where the node can be reached at. This doesn't work for all applications, e.g. Prometheus requires a node IP.
ByIP will create a separate service in the host cluster for every node that will point to virtual cluster and will be used to route traffic.
CRI socket is the socket for the CRI.
KubeletExtraArgs passes through extra arguments to the kubelet. The arguments here are passed to the kubelet command line via the environment file kubeadm writes at runtime for the kubelet to source. This overrides the generic base-level configuration in the kubelet-config ConfigMap Flags have higher priority when parsing. These values are local and specific to the node kubeadm is executing on. An argument name in this list is the flag name as it appears on the command line except without leading dash(es). Extra arguments will override existing default arguments. Duplicate extra arguments are allowed.
Taints are additional taints to set for the kubelet.
IgnorePreflightErrors provides a slice of pre-flight errors to be ignored when the current node is registered, e.g. 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
ImagePullPolicy specifies the policy for image pulling during kubeadm "init" and "join" operations. The value of this field must be one of "Always", "IfNotPresent" or "Never". If this field is unset kubeadm will default it to "IfNotPresent", or pull the required images if not present on the host.
Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition.
Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services.
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata.
Platform holds vCluster Platform specific configuration.
PlatformAPIKey defines where to find the platform access key.
3 nested properties
SecretName is the name of the secret where the platform access key is stored. This defaults to vcluster-platform-api-key if undefined. +optional
Namespace defines the namespace where the access key secret should be retrieved from. If this is not equal to the namespace where the vCluster instance is deployed, you need to make sure vCluster has access to this other namespace. +optional
CreateRBAC will automatically create the necessary RBAC roles and role bindings to allow vCluster to read the secret specified in the above namespace, if specified. This defaults to true. +optional
Project specifies which platform project the vcluster should be imported to +optional
PlatformAPIKey defines where to find the platform access key.
SecretName is the name of the secret where the platform access key is stored. This defaults to vcluster-platform-api-key if undefined. +optional
Namespace defines the namespace where the access key secret should be retrieved from. If this is not equal to the namespace where the vCluster instance is deployed, you need to make sure vCluster has access to this other namespace. +optional
CreateRBAC will automatically create the necessary RBAC roles and role bindings to allow vCluster to read the secret specified in the above namespace, if specified. This defaults to true. +optional
Name is the name of the init-container and NOT the plugin name
Image is the container image that should be used for the plugin
ImagePullPolicy is the pull policy to use for the container image
Config is the plugin config to use. This can be arbitrary config used for the plugin.
2 nested properties
1 nested properties
ExtraRules are extra rbac permissions roles that will be added to role or cluster role
1 nested properties
ExtraRules are extra rbac permissions roles that will be added to role or cluster role
Command is the command that should be used for the init container
Args are the arguments that should be used for the init container
SecurityContext is the container security context used for the init container
Resources are the container resources used for the init container
VolumeMounts are extra volume mounts for the init container
Version is the plugin version, this is only needed for legacy plugins.
Name is the name of the init-container and NOT the plugin name
Image is the container image that should be used for the plugin
ImagePullPolicy is the pull policy to use for the container image
Config is the plugin config to use. This can be arbitrary config used for the plugin.
2 nested properties
1 nested properties
ExtraRules are extra rbac permissions roles that will be added to role or cluster role
1 nested properties
ExtraRules are extra rbac permissions roles that will be added to role or cluster role
Command is the command that should be used for the init container
Args are the arguments that should be used for the init container
SecurityContext is the container security context used for the init container
Resources are the container resources used for the init container
VolumeMounts are extra volume mounts for the init container
ExtraRules are extra rbac permissions roles that will be added to role or cluster role
1 nested properties
ExtraRules are extra rbac permissions roles that will be added to role or cluster role
1 nested properties
ExtraRules are extra rbac permissions roles that will be added to role or cluster role
PodDNSConfig defines the DNS parameters of a pod in addition to those generated from DNSPolicy.
A list of DNS name server IP addresses. This will be appended to the base nameservers generated from DNSPolicy. Duplicated nameservers will be removed. +optional +listType=atomic
A list of DNS search domains for host-name lookup. This will be appended to the base search paths generated from DNSPolicy. Duplicated search paths will be removed. +optional +listType=atomic
A list of DNS resolver options. This will be merged with the base options generated from DNSPolicy. Duplicated entries will be removed. Resolution options given in Options will override those that appear in the base DNSPolicy. +optional +listType=atomic
PodDNSConfigOption defines DNS resolver options of a pod.
Required.
+optional
Enabled defines if the pod disruption budget should be enabled.
MinAvailable describes the minimal number or percentage of available pods.
MaxUnavailable describes the minimal number or percentage of unavailable pods.
UnhealthyPodEvictionPolicy defines the criteria when unhealthy pods should be considered for eviction. Currently supported values are:
- IfHealthyBudget - pods that are in the Running phase but not yet healthy are considered disrupted and may be evicted even if the PodDisruptionBudget criteria are not met.
- AlwaysAllow - pods that are in the Running phase but not yet healthy are considered disrupted and can be evicted regardless of whether the criteria in a PDB is met.
6 nested properties
Enabled defines if the network policy should be deployed by vCluster.
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
FallbackDNS is the fallback DNS server to use if the virtual cluster does not have a DNS server.
2 nested properties
Ingress rules for the vCluster control plane.
Egress rules for the vCluster control plane.
3 nested properties
Ingress rules for the vCluster workloads.
Egress rules for the vCluster workloads.
PodSecurityStandard that can be enforced can be one of: empty (""), baseline, restricted or privileged
6 nested properties
Enabled defines if the resource quota should be enabled. "auto" means that if limitRange is enabled, the resourceQuota will be enabled as well.
Quota are the quota options
ScopeSelector is the resource quota scope selector
Scopes are the resource quota scopes
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
7 nested properties
Enabled defines if the limit range should be deployed by vCluster. "auto" means that if resourceQuota is enabled, the limitRange will be enabled as well.
Default are the default limits for the limit range
DefaultRequest are the default request options for the limit range
Max are the max limits for the limit range
Min are the min limits for the limit range
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
2 nested properties
ValidatingWebhooks are validating webhooks that should be enforced in the virtual cluster
MutatingWebhooks are mutating webhooks that should be enforced in the virtual cluster
PrivateNodes enables private nodes for vCluster.
Enabled defines if dedicated nodes should be enabled.
1 nested properties
Config is the config for the kubelet that will be merged into the default kubelet config. More information can be found here: https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/#kubelet-config-k8s-io-v1beta1-KubeletConfiguration
7 nested properties
Enabled defines if auto upgrade should be enabled.
Image is the image for the auto upgrade pod started by vCluster. If empty defaults to the controlPlane.statefulSet.image.
ImagePullPolicy is the policy how to pull the image.
NodeSelector is the node selector for the auto upgrade. If empty will select all worker nodes.
BinariesPath is the base path for the kubeadm binaries. Defaults to /usr/local/bin
CNIBinariesPath is the base path for the CNI binaries. Defaults to /opt/cni/bin
Concurrency is the number of nodes that can be upgraded at the same time.
7 nested properties
PreInstallCommands are commands that will be executed before containerd, kubelet etc. is installed.
PreJoinCommands are commands that will be executed before kubeadm join is executed.
PostJoinCommands are commands that will be executed after kubeadm join is executed.
3 nested properties
Enabled defines if containerd should be installed and configured by vCluster.
PauseImage is the image for the pause container.
CACertPath is the path to the SSL certificate authority used to secure communications between node and control-plane. Defaults to "/etc/kubernetes/pki/ca.crt".
SkipPhases is a list of phases to skip during command execution. The list of phases can be obtained with the "kubeadm join --help" command.
5 nested properties
CRI socket is the socket for the CRI.
KubeletExtraArgs passes through extra arguments to the kubelet. The arguments here are passed to the kubelet command line via the environment file kubeadm writes at runtime for the kubelet to source. This overrides the generic base-level configuration in the kubelet-config ConfigMap Flags have higher priority when parsing. These values are local and specific to the node kubeadm is executing on. An argument name in this list is the flag name as it appears on the command line except without leading dash(es). Extra arguments will override existing default arguments. Duplicate extra arguments are allowed.
Taints are additional taints to set for the kubelet.
IgnorePreflightErrors provides a slice of pre-flight errors to be ignored when the current node is registered, e.g. 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
ImagePullPolicy specifies the policy for image pulling during kubeadm "init" and "join" operations. The value of this field must be one of "Always", "IfNotPresent" or "Never". If this field is unset kubeadm will default it to "IfNotPresent", or pull the required images if not present on the host.
AutoNodes stores auto nodes configuration.
PrivateNodesAutoNodes defines auto nodes
Provider is the node provider of the nodes in this pool.
Properties are the node provider properties. This is a simple key value map and can contain things like region, subscription, etc. that is then used by the node provider to create the nodes and node environment.
Static defines static node pools. Static node pools have a fixed size and are not scaled automatically.
Dynamic defines dynamic node pools. Dynamic node pools are scaled automatically based on the requirements within the cluster. Karpenter is used under the hood to handle the scheduling of the nodes.
Enabled defines if the private nodes vpn should be enabled.
1 nested properties
Enabled defines if the node to node vpn should be enabled.
Enabled defines if the node to node vpn should be enabled.
CustomResources is a map of resource keys (format: "kind.apiGroup/version") to proxy configuration
3 nested properties
Enabled defines if the role should be enabled or disabled.
ExtraRules will add rules to the role.
OverwriteRules will overwrite the role rules completely.
3 nested properties
Enabled defines if the cluster role should be enabled or disabled. If auto, vCluster automatically determines whether the virtual cluster requires a cluster role.
ExtraRules will add rules to the cluster role.
OverwriteRules will overwrite the cluster role rules completely.
1 nested properties
Enabled defines if this option should be enabled.
Enabled defines if the cluster role should be enabled or disabled. If auto, vCluster automatically determines whether the virtual cluster requires a cluster role.
ExtraRules will add rules to the cluster role.
OverwriteRules will overwrite the cluster role rules completely.
Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.
APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
Resources is a list of resources this rule applies to. '*' represents all resources.
ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both.
Enabled defines if the role should be enabled or disabled.
ExtraRules will add rules to the role.
OverwriteRules will overwrite the role rules completely.
ReadinessProbe defines the configuration for the readiness probe.
Enabled defines if this option should be enabled.
Number of consecutive failures for the probe to be considered failed
Maximum duration (in seconds) that the probe will wait for a response.
Frequency (in seconds) to perform the probe
Enabled defines if the embedded registry should be enabled.
AnonymousPull allows enabling anonymous pull for the embedded registry. This allows anybody to pull images from the registry without authentication.
Config is the regular docker registry config. See https://distribution.github.io/distribution/about/configuration/ for more details.
ToHost defines the services that should get synced from virtual cluster to the host cluster. If services are synced to a different namespace than the virtual cluster is in, additional permissions for the other namespace are required.
FromHost defines the services that should get synced from the host to the virtual cluster.
KarpenterRequirement defines a scheduling requirement for a dynamic node pool.
Property is the property on the node type to select.
Operator is the comparison operator, such as "In", "NotIn", "Exists". If empty, defaults to "In".
Values is the list of values to use for comparison. This is mutually exclusive with value.
Value is the value to use for comparison. This is mutually exclusive with values.
Hostname is the hostname within the vCluster that should be resolved from.
Service is the virtual cluster service that should be resolved from.
Namespace is the virtual cluster namespace that should be resolved from.
5 nested properties
Hostname to use as a DNS target
IP to use as a DNS target
HostService to target, format is hostNamespace/hostService
HostNamespace to target
VClusterService format is hostNamespace/vClusterName/vClusterNamespace/vClusterService
Hostname to use as a DNS target
IP to use as a DNS target
HostService to target, format is hostNamespace/hostService
HostNamespace to target
VClusterService format is hostNamespace/vClusterName/vClusterNamespace/vClusterService
Enabled defines if the resource quota should be enabled. "auto" means that if limitRange is enabled, the resourceQuota will be enabled as well.
Quota are the quota options
ScopeSelector is the resource quota scope selector
Scopes are the resource quota scopes
Annotations are extra annotations for this resource.
Labels are extra labels for this resource.
Limits are resource limits for the container
Requests are minimal resources that will be consumed by the container
APIGroups is the API groups the resources belong to. '*' is all groups.
APIVersions is the API versions the resources belong to. '*' is all versions.
Resources is a list of resources this rule applies to.
Scope specifies the scope of this rule.
Verb is the kube verb associated with the request for API requests, not the http verb. This includes things like list and watch. For non-resource requests, this is the lowercase http verb. If '*' is present, the length of the slice must be one.
2 nested properties
From is the service that should get synced. Can be either in the form name or namespace/name.
To is the target service that it should get synced to. Can be either in the form name or namespace/name.
Enabled configures if Helm should create the service monitor.
Labels are the extra labels to add to the service monitor.
Annotations are the extra annotations to add to the service monitor.
Sleep holds configuration for automatically putting the virtual cluster to sleep.
SleepAuto holds configuration for automatic sleep and wakeup
5 nested properties
AfterInactivity represents how long a vCluster can be idle before workloads are automatically put to sleep
Schedule represents a cron schedule for when to sleep workloads
SleepAutoExclusion holds conifiguration for excluding workloads from sleeping by label(s)
1 nested properties
SleepAutoWakeup holds the cron schedule to wake workloads automatically
1 nested properties
Timezone specifies time zone used for scheduled sleep operations. Defaults to UTC. Accepts the same format as time.LoadLocation() in Go (https://pkg.go.dev/time#LoadLocation). The value should be a location name corresponding to a file in the IANA Time Zone database, such as "America/New_York". +optional
SleepAuto holds configuration for automatic sleep and wakeup
AfterInactivity represents how long a vCluster can be idle before workloads are automatically put to sleep
Schedule represents a cron schedule for when to sleep workloads
SleepAutoExclusion holds conifiguration for excluding workloads from sleeping by label(s)
1 nested properties
1 nested properties
Labels defines what labels should be looked for
SleepAutoWakeup holds the cron schedule to wake workloads automatically
1 nested properties
Timezone specifies time zone used for scheduled sleep operations. Defaults to UTC. Accepts the same format as time.LoadLocation() in Go (https://pkg.go.dev/time#LoadLocation). The value should be a location name corresponding to a file in the IANA Time Zone database, such as "America/New_York". +optional
SleepAutoExclusion holds conifiguration for excluding workloads from sleeping by label(s)
1 nested properties
Labels defines what labels should be looked for
SleepAutoWakeup holds the cron schedule to wake workloads automatically
SnapshotRetention holds snapshot retention configuration
Period defines the number of days a snapshot will be kept +optional
MaxSnapshots defines the number of snapshots that can be taken +optional
SnapshotSecretCredential holds secret reference for credentials
SecretName is the secret name with credential +optional
SecretNamespace is the secret namespace with credential +optional
SnapshotStorage holds snapshot storage configuration
Type specifies supported type of storage services for a snapshot S3/OCI/Container, see https://www.vcluster.com/docs/vcluster/manage/backup-restore#store-snapshots-in-s3-buckets +optional
SnapshotStorageS3 holds S3 storage configuration
2 nested properties
Url specifies url to the storage service +optional
SnapshotSecretCredential holds secret reference for credentials
2 nested properties
SecretName is the secret name with credential +optional
SecretNamespace is the secret namespace with credential +optional
SnapshotStorageOCI holds OCI registry storage configuration
4 nested properties
Repository OCI repository to store the snapshot +optional
SnapshotSecretCredential holds secret reference for credentials
2 nested properties
SecretName is the secret name with credential +optional
SecretNamespace is the secret namespace with credential +optional
Username to authenticate with the OCI registry +optional
Password to authenticate with the OCI registry +optional
SnapshotStorageContainer holds container local storage configuration
2 nested properties
Path specifies directory to store the snapshot +optional
SnapshotStorageContainerVolume holds volume mount configuration
2 nested properties
Name to be used to mount the volume +optional
Path to the volume mount +optional
SnapshotStorageContainer holds container local storage configuration
Path specifies directory to store the snapshot +optional
SnapshotStorageContainerVolume holds volume mount configuration
2 nested properties
Name to be used to mount the volume +optional
Path to the volume mount +optional
SnapshotStorageContainerVolume holds volume mount configuration
Name to be used to mount the volume +optional
Path to the volume mount +optional
SnapshotStorageOCI holds OCI registry storage configuration
Repository OCI repository to store the snapshot +optional
SnapshotSecretCredential holds secret reference for credentials
2 nested properties
SecretName is the secret name with credential +optional
SecretNamespace is the secret namespace with credential +optional
Username to authenticate with the OCI registry +optional
Password to authenticate with the OCI registry +optional
SnapshotStorageS3 holds S3 storage configuration
Url specifies url to the storage service +optional
SnapshotSecretCredential holds secret reference for credentials
2 nested properties
SecretName is the secret name with credential +optional
SecretNamespace is the secret namespace with credential +optional
SnapshotVolumes holds volume snapshot configuration
Enabled specifies whether a snapshot should also include volumes in the snapshot +optional
Snapshots holds configuration for automatic vCluster snapshots.
SnapshotsAuto holds automatic snapshot scheduling and retention configuration
5 nested properties
Schedule specifies a scheduled time in Cron format, see https://en.wikipedia.org/wiki/Cron for a virtual cluster snapshot to be taken +optional
Timezone specifies time zone used for scheduled snapshot operations. Defaults to UTC. Accepts the same format as time.LoadLocation() in Go (https://pkg.go.dev/time#LoadLocation). The value should be a location name corresponding to a file in the IANA Time Zone database, such as "America/New_York". +optional
SnapshotRetention holds snapshot retention configuration
2 nested properties
Period defines the number of days a snapshot will be kept +optional
MaxSnapshots defines the number of snapshots that can be taken +optional
SnapshotStorage holds snapshot storage configuration
4 nested properties
Type specifies supported type of storage services for a snapshot S3/OCI/Container, see https://www.vcluster.com/docs/vcluster/manage/backup-restore#store-snapshots-in-s3-buckets +optional
SnapshotStorageS3 holds S3 storage configuration
SnapshotStorageOCI holds OCI registry storage configuration
SnapshotStorageContainer holds container local storage configuration
SnapshotVolumes holds volume snapshot configuration
1 nested properties
Enabled specifies whether a snapshot should also include volumes in the snapshot +optional
SnapshotsAuto holds automatic snapshot scheduling and retention configuration
Schedule specifies a scheduled time in Cron format, see https://en.wikipedia.org/wiki/Cron for a virtual cluster snapshot to be taken +optional
Timezone specifies time zone used for scheduled snapshot operations. Defaults to UTC. Accepts the same format as time.LoadLocation() in Go (https://pkg.go.dev/time#LoadLocation). The value should be a location name corresponding to a file in the IANA Time Zone database, such as "America/New_York". +optional
SnapshotRetention holds snapshot retention configuration
2 nested properties
Period defines the number of days a snapshot will be kept +optional
MaxSnapshots defines the number of snapshots that can be taken +optional
SnapshotStorage holds snapshot storage configuration
4 nested properties
Type specifies supported type of storage services for a snapshot S3/OCI/Container, see https://www.vcluster.com/docs/vcluster/manage/backup-restore#store-snapshots-in-s3-buckets +optional
SnapshotStorageS3 holds S3 storage configuration
2 nested properties
Url specifies url to the storage service +optional
SnapshotSecretCredential holds secret reference for credentials
SnapshotStorageOCI holds OCI registry storage configuration
4 nested properties
Repository OCI repository to store the snapshot +optional
SnapshotSecretCredential holds secret reference for credentials
Username to authenticate with the OCI registry +optional
Password to authenticate with the OCI registry +optional
SnapshotVolumes holds volume snapshot configuration
1 nested properties
Enabled specifies whether a snapshot should also include volumes in the snapshot +optional
Enabled defines if standalone mode should be enabled.
DataDir defines the data directory for the standalone mode.
3 nested properties
Provider is the node provider of the nodes in this pool.
Quantity is the number of nodes to deploy for standalone mode.
NodeTypeSelector filters the types of nodes that can be provisioned by this pool. All requirements must be met for a node type to be eligible.
8 nested properties
Enabled defines if the standalone node should be joined into the cluster. If false, only the control plane binaries will be executed and no node will show up in the actual cluster.
PreInstallCommands are commands that will be executed before containerd, kubelet etc. is installed.
PreJoinCommands are commands that will be executed before kubeadm join is executed.
PostJoinCommands are commands that will be executed after kubeadm join is executed.
3 nested properties
Enabled defines if containerd should be installed and configured by vCluster.
PauseImage is the image for the pause container.
CACertPath is the path to the SSL certificate authority used to secure communications between node and control-plane. Defaults to "/etc/kubernetes/pki/ca.crt".
SkipPhases is a list of phases to skip during command execution. The list of phases can be obtained with the "kubeadm join --help" command.
5 nested properties
CRI socket is the socket for the CRI.
KubeletExtraArgs passes through extra arguments to the kubelet. The arguments here are passed to the kubelet command line via the environment file kubeadm writes at runtime for the kubelet to source. This overrides the generic base-level configuration in the kubelet-config ConfigMap Flags have higher priority when parsing. These values are local and specific to the node kubeadm is executing on. An argument name in this list is the flag name as it appears on the command line except without leading dash(es). Extra arguments will override existing default arguments. Duplicate extra arguments are allowed.
Taints are additional taints to set for the kubelet.
IgnorePreflightErrors provides a slice of pre-flight errors to be ignored when the current node is registered, e.g. 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
ImagePullPolicy specifies the policy for image pulling during kubeadm "init" and "join" operations. The value of this field must be one of "Always", "IfNotPresent" or "Never". If this field is unset kubeadm will default it to "IfNotPresent", or pull the required images if not present on the host.
Provider is the node provider of the nodes in this pool.
Quantity is the number of nodes to deploy for standalone mode.
NodeTypeSelector filters the types of nodes that can be provisioned by this pool. All requirements must be met for a node type to be eligible.
Enabled defines if the standalone node should be joined into the cluster. If false, only the control plane binaries will be executed and no node will show up in the actual cluster.
PreInstallCommands are commands that will be executed before containerd, kubelet etc. is installed.
PreJoinCommands are commands that will be executed before kubeadm join is executed.
PostJoinCommands are commands that will be executed after kubeadm join is executed.
3 nested properties
Enabled defines if containerd should be installed and configured by vCluster.
3 nested properties
ConfigPath is the path to the containerd registry config.
Mirrors holds configuration for the containerd registry mirrors. E.g. myregistry.io:5000 or docker.io. See https://github.com/containerd/containerd/blob/main/docs/hosts.md for more details.
Auth holds configuration for the containerd registry auth. See https://github.com/containerd/containerd/blob/main/docs/cri/registry.md#configure-registry-credentials for more details.
PauseImage is the image for the pause container.
CACertPath is the path to the SSL certificate authority used to secure communications between node and control-plane. Defaults to "/etc/kubernetes/pki/ca.crt".
SkipPhases is a list of phases to skip during command execution. The list of phases can be obtained with the "kubeadm join --help" command.
5 nested properties
CRI socket is the socket for the CRI.
KubeletExtraArgs passes through extra arguments to the kubelet. The arguments here are passed to the kubelet command line via the environment file kubeadm writes at runtime for the kubelet to source. This overrides the generic base-level configuration in the kubelet-config ConfigMap Flags have higher priority when parsing. These values are local and specific to the node kubeadm is executing on. An argument name in this list is the flag name as it appears on the command line except without leading dash(es). Extra arguments will override existing default arguments. Duplicate extra arguments are allowed.
Taints are additional taints to set for the kubelet.
IgnorePreflightErrors provides a slice of pre-flight errors to be ignored when the current node is registered, e.g. 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
ImagePullPolicy specifies the policy for image pulling during kubeadm "init" and "join" operations. The value of this field must be one of "Always", "IfNotPresent" or "Never". If this field is unset kubeadm will default it to "IfNotPresent", or pull the required images if not present on the host.
StartupProbe defines the configuration for the startup probe.
Enabled defines if this option should be enabled.
Number of consecutive failures allowed before failing the pod
Maximum duration (in seconds) that the probe will wait for a response.
Frequency (in seconds) to perform the probe
Name is the name of this static nodePool
Quantity is the number of desired nodes in this pool.
NodeTypeSelector filters the types of nodes that can be provisioned by this pool. All requirements must be met for a node type to be eligible.
Taints are the taints to apply to the nodes in this pool.
NodeLabels are the labels to apply to the nodes in this pool.
TerminationGracePeriod is the maximum duration the controller will wait before forcefully deleting the pods on a node, measured from when deletion is first initiated.
Warning: this feature takes precedence over a Pod's terminationGracePeriodSeconds value, and bypasses any blocked PDBs or the karpenter.sh/do-not-disrupt annotation.
This field is intended to be used by cluster administrators to enforce that nodes can be cycled within a given time period. When set, drifted nodes will begin draining even if there are pods blocking eviction. Draining will respect PDBs and the do-not-disrupt annotation until the TGP is reached.
Karpenter will preemptively delete pods so their terminationGracePeriodSeconds align with the node's terminationGracePeriod. If a pod would be terminated without being granted its full terminationGracePeriodSeconds prior to the node timeout, that pod will be deleted at T = node timeout - pod terminationGracePeriodSeconds.
The feature can also be used to allow maximum time limits for long-running jobs which can delay node termination with preStop hooks. Defaults to 30s. Set to Never to wait indefinitely for pods to be drained.
20 nested properties
9 nested properties
Enabled defines if pod syncing should be enabled.
TranslateImage maps an image to another image that should be used instead. For example this can be used to rewrite a certain image that is used within the virtual cluster to be another image on the host cluster
EnforceTolerations will add the specified tolerations to all pods synced by the virtual cluster.
UseSecretsForSATokens will use secrets to save the generated service account tokens by virtual cluster instead of using a pod annotation.
RuntimeClassName is the runtime class to set for synced pods.
PriorityClassName is the priority class to set for synced pods.
Patches patch the resource according to the provided specification.
3 nested properties
Enabled defines if this option should be enabled.
All defines if all resources of that type should get synced or only the necessary ones that are needed.
Patches patch the resource according to the provided specification.
3 nested properties
Enabled defines if this option should be enabled.
All defines if all resources of that type should get synced or only the necessary ones that are needed.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
CustomResources defines what custom resources should get synced from the virtual cluster to the host cluster. vCluster will copy the definition automatically from host cluster to virtual cluster on startup. vCluster will also automatically add any required RBAC permissions to the vCluster role for this to work.
SyncToHostNamespaces defines how namespaces should be synced from the virtual cluster to the host cluster.
5 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
MappingsOnly defines if creation of namespaces not matched by mappings should be allowed.
ExtraLabels are additional labels to add to the namespace in the host cluster.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
14 nested properties
5 nested properties
Enabled specifies if syncing real nodes should be enabled. If this is disabled, vCluster will create fake nodes instead.
SyncBackChanges enables syncing labels and taints from the virtual cluster to the host cluster. If this is enabled someone within the virtual cluster will be able to change the labels and taints of the host cluster node.
ClearImageStatus will erase the image status when syncing a node. This allows to hide images that are pulled by the node.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
3 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
3 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
3 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
3 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
CustomResources defines what custom resources should get synced read-only to the virtual cluster from the host cluster. vCluster will automatically add any required RBAC to the vCluster cluster role.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
3 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
3 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
3 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
Enabled defines if this option should be enabled.
All defines if all resources of that type should get synced or only the necessary ones that are needed.
Patches patch the resource according to the provided specification.
5 nested properties
Enabled specifies if syncing real nodes should be enabled. If this is disabled, vCluster will create fake nodes instead.
SyncBackChanges enables syncing labels and taints from the virtual cluster to the host cluster. If this is enabled someone within the virtual cluster will be able to change the labels and taints of the host cluster node.
ClearImageStatus will erase the image status when syncing a node. This allows to hide images that are pulled by the node.
2 nested properties
All specifies if all nodes should get synced by vCluster from the host to the virtual cluster or only the ones where pods are assigned to.
Labels are the node labels used to sync nodes from host cluster to virtual cluster. This will also set the node selector when syncing a pod from virtual cluster to host cluster to the same value.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
3 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
3 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
3 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
3 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
CustomResources defines what custom resources should get synced read-only to the virtual cluster from the host cluster. vCluster will automatically add any required RBAC to the vCluster cluster role.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
3 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
1 nested properties
ByName is a map of host-object-namespace/host-object-name: virtual-object-namespace/virtual-object-name. There are several wildcards supported:
- To match all objects in host namespace and sync them to different namespace in vCluster: byName: "foo/": "foo-in-virtual/"
- To match specific object in the host namespace and sync it to the same namespace with the same name: byName: "foo/my-object": "foo/my-object"
- To match specific object in the host namespace and sync it to the same namespace with different name: byName: "foo/my-object": "foo/my-virtual-object"
- To match all objects in the vCluster host namespace and sync them to a different namespace in vCluster: byName: "": "my-virtual-namespace/*"
- To match specific objects in the vCluster host namespace and sync them to a different namespace in vCluster: byName: "/my-object": "my-virtual-namespace/my-object"
3 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
1 nested properties
ByName is a map of host-object-namespace/host-object-name: virtual-object-namespace/virtual-object-name. There are several wildcards supported:
- To match all objects in host namespace and sync them to different namespace in vCluster: byName: "foo/": "foo-in-virtual/"
- To match specific object in the host namespace and sync it to the same namespace with the same name: byName: "foo/my-object": "foo/my-object"
- To match specific object in the host namespace and sync it to the same namespace with different name: byName: "foo/my-object": "foo/my-virtual-object"
- To match all objects in the vCluster host namespace and sync them to a different namespace in vCluster: byName: "": "my-virtual-namespace/*"
- To match specific objects in the vCluster host namespace and sync them to a different namespace in vCluster: byName: "/my-object": "my-virtual-namespace/my-object"
3 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Scope defines the scope of the resource
Patches patch the resource according to the provided specification.
1 nested properties
ByName is a map of host-object-namespace/host-object-name: virtual-object-namespace/virtual-object-name. There are several wildcards supported:
- To match all objects in host namespace and sync them to different namespace in vCluster: byName: "foo/": "foo-in-virtual/"
- To match specific object in the host namespace and sync it to the same namespace with the same name: byName: "foo/my-object": "foo/my-object"
- To match specific object in the host namespace and sync it to the same namespace with different name: byName: "foo/my-object": "foo/my-virtual-object"
- To match all objects in the vCluster host namespace and sync them to a different namespace in vCluster: byName: "": "my-virtual-namespace/*"
- To match specific objects in the vCluster host namespace and sync them to a different namespace in vCluster: byName: "/my-object": "my-virtual-namespace/my-object"
All specifies if all nodes should get synced by vCluster from the host to the virtual cluster or only the ones where pods are assigned to.
Labels are the node labels used to sync nodes from host cluster to virtual cluster. This will also set the node selector when syncing a pod from virtual cluster to host cluster to the same value.
Enabled specifies if syncing real nodes should be enabled. If this is disabled, vCluster will create fake nodes instead.
SyncBackChanges enables syncing labels and taints from the virtual cluster to the host cluster. If this is enabled someone within the virtual cluster will be able to change the labels and taints of the host cluster node.
ClearImageStatus will erase the image status when syncing a node. This allows to hide images that are pulled by the node.
2 nested properties
All specifies if all nodes should get synced by vCluster from the host to the virtual cluster or only the ones where pods are assigned to.
Labels are the node labels used to sync nodes from host cluster to virtual cluster. This will also set the node selector when syncing a pod from virtual cluster to host cluster to the same value.
Patches patch the resource according to the provided specification.
Enabled defines if pod syncing should be enabled.
TranslateImage maps an image to another image that should be used instead. For example this can be used to rewrite a certain image that is used within the virtual cluster to be another image on the host cluster
EnforceTolerations will add the specified tolerations to all pods synced by the virtual cluster.
UseSecretsForSATokens will use secrets to save the generated service account tokens by virtual cluster instead of using a pod annotation.
RuntimeClassName is the runtime class to set for synced pods.
PriorityClassName is the priority class to set for synced pods.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled specifies if hybrid scheduling is enabled.
HostSchedulers is a list of schedulers that are deployed on the host cluster.
Enabled specifies if rewriting stateful set pods should be enabled.
2 nested properties
3 nested properties
Registry is the registry of the container image, e.g. my-registry.com or ghcr.io. This setting can be globally overridden via the controlPlane.advanced.defaultImageRegistry option. Empty means docker hub.
Repository is the repository of the container image, e.g. my-repo/my-image
Tag is the tag of the container image, and is the default version.
2 nested properties
Limits are resource limits for the container
Requests are minimal resources that will be consumed by the container
3 nested properties
Registry is the registry of the container image, e.g. my-registry.com or ghcr.io. This setting can be globally overridden via the controlPlane.advanced.defaultImageRegistry option. Empty means docker hub.
Repository is the repository of the container image, e.g. my-repo/my-image
Tag is the tag of the container image, and is the default version.
2 nested properties
Limits are resource limits for the container
Requests are minimal resources that will be consumed by the container
9 nested properties
Enabled defines if pod syncing should be enabled.
TranslateImage maps an image to another image that should be used instead. For example this can be used to rewrite a certain image that is used within the virtual cluster to be another image on the host cluster
EnforceTolerations will add the specified tolerations to all pods synced by the virtual cluster.
UseSecretsForSATokens will use secrets to save the generated service account tokens by virtual cluster instead of using a pod annotation.
RuntimeClassName is the runtime class to set for synced pods.
PriorityClassName is the priority class to set for synced pods.
2 nested properties
Enabled specifies if rewriting stateful set pods should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled specifies if hybrid scheduling is enabled.
HostSchedulers is a list of schedulers that are deployed on the host cluster.
3 nested properties
Enabled defines if this option should be enabled.
All defines if all resources of that type should get synced or only the necessary ones that are needed.
Patches patch the resource according to the provided specification.
3 nested properties
Enabled defines if this option should be enabled.
All defines if all resources of that type should get synced or only the necessary ones that are needed.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
CustomResources defines what custom resources should get synced from the virtual cluster to the host cluster. vCluster will copy the definition automatically from host cluster to virtual cluster on startup. vCluster will also automatically add any required RBAC permissions to the vCluster role for this to work.
SyncToHostNamespaces defines how namespaces should be synced from the virtual cluster to the host cluster.
5 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
1 nested properties
ByName is a map of host-object-namespace/host-object-name: virtual-object-namespace/virtual-object-name. There are several wildcards supported:
- To match all objects in host namespace and sync them to different namespace in vCluster: byName: "foo/": "foo-in-virtual/"
- To match specific object in the host namespace and sync it to the same namespace with the same name: byName: "foo/my-object": "foo/my-object"
- To match specific object in the host namespace and sync it to the same namespace with different name: byName: "foo/my-object": "foo/my-virtual-object"
- To match all objects in the vCluster host namespace and sync them to a different namespace in vCluster: byName: "": "my-virtual-namespace/*"
- To match specific objects in the vCluster host namespace and sync them to a different namespace in vCluster: byName: "/my-object": "my-virtual-namespace/my-object"
MappingsOnly defines if creation of namespaces not matched by mappings should be allowed.
ExtraLabels are additional labels to add to the namespace in the host cluster.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
2 nested properties
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
Enabled defines if this option should be enabled.
Scope defines the scope of the resource. If undefined, will use Namespaced. Currently only Namespaced is supported.
Patches patch the resource according to the provided specification.
SyncToHostNamespaces defines how namespaces should be synced from the virtual cluster to the host cluster.
Enabled defines if this option should be enabled.
Patches patch the resource according to the provided specification.
1 nested properties
ByName is a map of host-object-namespace/host-object-name: virtual-object-namespace/virtual-object-name. There are several wildcards supported:
- To match all objects in host namespace and sync them to different namespace in vCluster: byName: "foo/": "foo-in-virtual/"
- To match specific object in the host namespace and sync it to the same namespace with the same name: byName: "foo/my-object": "foo/my-object"
- To match specific object in the host namespace and sync it to the same namespace with different name: byName: "foo/my-object": "foo/my-virtual-object"
- To match all objects in the vCluster host namespace and sync them to a different namespace in vCluster: byName: "": "my-virtual-namespace/*"
- To match specific objects in the vCluster host namespace and sync them to a different namespace in vCluster: byName: "/my-object": "my-virtual-namespace/my-object"
MappingsOnly defines if creation of namespaces not matched by mappings should be allowed.
ExtraLabels are additional labels to add to the namespace in the host cluster.
Enabled specifies that the telemetry for the vCluster control plane should be enabled.
Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.
Expression transforms the value according to the given JavaScript expression.
ReverseExpression transforms the value according to the given JavaScript expression.
6 nested properties
APIVersion is the apiVersion of the referenced object.
Kind is the kind of the referenced object.
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
NamePath is the optional relative path to the reference name within the object.
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.
APIVersion is the apiVersion of the referenced object.
Kind is the kind of the referenced object.
APIVersionPath is optional relative path to use to determine the kind. If APIVersionPath is not found, will fallback to apiVersion.
KindPath is the optional relative path to use to determine the kind. If KindPath is not found, will fallback to kind.
NamePath is the optional relative path to the reference name within the object.
NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath equals to the metadata.namespace path of the object.
The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where "imagepolicy" is the name of the webhook, and kubernetes.io is the name of the organization.
ValidatingWebhookClientConfig contains the information to make a TLS connection with the webhook
3 nested properties
URL gives the location of the webhook, in standard URL form
(scheme://host:port/path). Exactly one of url or service
must be specified.
4 nested properties
Namespace is the namespace of the service.
Name is the name of the service.
Path is an optional URL path which will be sent in any request to this service.
If specified, the port on the service that hosting webhook.
Default to 443 for backward compatibility.
port should be a valid port number (1-65535, inclusive).
CABundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.
Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches any Rule.
FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Fail.
matchPolicy defines how the "rules" list is used to match incoming requests. Allowed values are "Exact" or "Equivalent".
NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.
ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector.
SideEffects states whether this webhook has side effects.
TimeoutSeconds specifies the timeout for this webhook.
AdmissionReviewVersions is an ordered list of preferred AdmissionReview
versions the Webhook expects.
MatchConditions is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.
ValidatingWebhookClientConfig contains the information to make a TLS connection with the webhook
URL gives the location of the webhook, in standard URL form
(scheme://host:port/path). Exactly one of url or service
must be specified.
4 nested properties
Namespace is the namespace of the service.
Name is the name of the service.
Path is an optional URL path which will be sent in any request to this service.
If specified, the port on the service that hosting webhook.
Default to 443 for backward compatibility.
port should be a valid port number (1-65535, inclusive).
CABundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.
Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to.
APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values.
3 nested properties
Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition.
Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services.
Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata.
Webhooks is a list of webhooks and the affected resources and operations.
Namespace is the namespace of the service.
Name is the name of the service.
Path is an optional URL path which will be sent in any request to this service.
If specified, the port on the service that hosting webhook.
Default to 443 for backward compatibility.
port should be a valid port number (1-65535, inclusive).
KubeConfig is the virtual cluster kubeconfig path.
ServerCAKey is the server ca key path.
ServerCAKey is the server ca cert path.
ServerCAKey is the client ca cert path.
RequestHeaderCACert is the request header ca cert path.
VirtualClusterRef is a reference to a virtual cluster within the platform.
Name is the name of the target virtual cluster.
Project is the project of the target virtual cluster. If empty, defaults to the same project as the source vCluster.
Enabled enables deploying a persistent volume claim. If auto, vCluster will automatically determine based on the chosen distro and other options if this is required.
AccessModes are the persistent volume claim access modes.
RetentionPolicy is the persistent volume claim retention policy.
Size is the persistent volume claim storage size.
StorageClass is the persistent volume claim storage class.
VolumeMount describes a mounting of a Volume within a container.
This must match the Name of a Volume.
Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false.
Path within the container at which the volume should be mounted. Must not contain ':'.
Path within the volume from which the container's volume should be mounted. Defaults to "" (volume's root).
mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10.
Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to "" (volume's root). SubPathExpr and SubPath are mutually exclusive.
VolumeSnapshotController defines CSI volumes snapshot-controller configuration.
Enabled defines if the CSI volumes snapshot-controller should be enabled.