Skip to content

Compliant Kubernetes Apps Config Schema

Note

This is auto-generated documentation from a JSON schema that is under construction, this will improve over time.

https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml

This describes the structure of the config for both the service and workload clusters.

Keep in mind that this is evaluated on the merged config, and each config file will contain different properties.

Abstract Extensible Status Identifiable Custom Properties Additional Properties Access Restrictions Defined In
Can be instantiated No Unknown status No Forbidden Allowed none config/schemas/config.yaml

TYPE:

object (Compliant Kubernetes Apps Config)

PROPERTIES:

Property Type Required Nullable Defined by
global object Required cannot be null Compliant Kubernetes Apps Config
clusterApi object Optional cannot be null Compliant Kubernetes Apps Config
user object Optional cannot be null Compliant Kubernetes Apps Config
hnc object Optional cannot be null Compliant Kubernetes Apps Config
harbor object Optional cannot be null Compliant Kubernetes Apps Config
storageClasses object Optional cannot be null Compliant Kubernetes Apps Config
objectStorage object Optional cannot be null Compliant Kubernetes Apps Config
rookCeph object Optional cannot be null Compliant Kubernetes Apps Config
velero object Optional cannot be null Compliant Kubernetes Apps Config
clusterAdmin object Optional cannot be null Compliant Kubernetes Apps Config
dex object Optional cannot be null Compliant Kubernetes Apps Config
externalTrafficPolicy object Optional cannot be null Compliant Kubernetes Apps Config
falco object Optional cannot be null Compliant Kubernetes Apps Config
gatekeeper object Optional cannot be null Compliant Kubernetes Apps Config
kured object Optional cannot be null Compliant Kubernetes Apps Config
opa object Optional cannot be null Compliant Kubernetes Apps Config
trivy object Optional cannot be null Compliant Kubernetes Apps Config
alerts object Optional cannot be null Compliant Kubernetes Apps Config
grafana object Optional cannot be null Compliant Kubernetes Apps Config
grafanaLabelEnforcer object Optional cannot be null Compliant Kubernetes Apps Config
kubeStateMetrics object Optional cannot be null Compliant Kubernetes Apps Config
metricsServer object Optional cannot be null Compliant Kubernetes Apps Config
openstackMonitoring object Optional cannot be null Compliant Kubernetes Apps Config
prometheus object Optional cannot be null Compliant Kubernetes Apps Config
prometheusOperator object Optional cannot be null Compliant Kubernetes Apps Config
prometheusBlackboxExporter object Optional cannot be null Compliant Kubernetes Apps Config
prometheusNodeExporter object Optional cannot be null Compliant Kubernetes Apps Config
s3Exporter object Optional cannot be null Compliant Kubernetes Apps Config
thanos object Optional cannot be null Compliant Kubernetes Apps Config
wcProbeIngress object Optional cannot be null Compliant Kubernetes Apps Config
welcomingDashboard object Optional cannot be null Compliant Kubernetes Apps Config
fluentd object Optional cannot be null Compliant Kubernetes Apps Config
opensearch object Optional cannot be null Compliant Kubernetes Apps Config
calicoAccountant object Optional cannot be null Compliant Kubernetes Apps Config
calicoFelixMetrics object Optional cannot be null Compliant Kubernetes Apps Config
certmanager object Optional cannot be null Compliant Kubernetes Apps Config
ingressNginx object Optional cannot be null Compliant Kubernetes Apps Config
issuers object Optional cannot be null Compliant Kubernetes Apps Config
networkPolicies object Optional cannot be null Compliant Kubernetes Apps Config
nodeLocalDns object Optional cannot be null Compliant Kubernetes Apps Config
externalDns object Optional cannot be null Compliant Kubernetes Apps Config
Additional Properties object Optional cannot be null Compliant Kubernetes Apps Config

global

Some common options used in various helm charts.

global

TYPE:

object (Global options)

clusterApi

Set to true if kubernetes is installed with cluster-api.

clusterApi

TYPE:

object (ClusterAPI Config)

user

Configuration for Application Developers (users), that use the workload cluster

user

TYPE:

object (User Config)

hnc

Configuration for Hierarchical Namespace Controller.

Note

See upstream documentation for reference.

hnc

TYPE:

object (HNC (Hierarchical Namespace Controller) Config)

harbor

Configuration options for Harbor.

Harbor is a container registry that deployed for the application developers to use when deploying their applications.

Note

See upstream documentation for reference. All config variables that exists in harbor are not exposed via our config.

harbor

TYPE:

object (Harbor Config)

storageClasses

Configuration options for using block storage in Compliant Kubernetes

storageClasses

TYPE:

object (Storage Classes Config)

objectStorage

Configuration options for using object storage in Compliant Kubernetes

This is used for:

  • Fluentd audit logs
  • Fluentd service cluster logs
  • Harbor database backups and registry storage
  • OpenSearch workload cluster log snapshots
  • Rclone object storage sync source and restore destination
  • Thanos metrics storage
  • Velero resource backups and volume snapshots

Harbor, Rclone, and Thanos have additional configuration to use Swift.

objectStorage

TYPE:

object (Object Storage Config)

rookCeph

Configure support for Rook Ceph.

This is deprecated and should be configured via compliantkubernetes-kubespray if used.

rookCeph

TYPE:

object (Rook Ceph Config)

velero

Configure Velero, the backup and snapshot tool for Kubernetes resources and volumes.

This requires that objectStorage is configured, and will use the bucket or container set in objectStorage.buckets.velero.

velero

TYPE:

object (Velero Config)

clusterAdmin

Configure the cluster admins.

clusterAdmin

TYPE:

object (Cluster Admin)

dex

Configure Dex, the federated OIDC Identity Provider.

Note

Dex is installed in the service cluster, so this configuration mainly applies there.

dex

TYPE:

object (Dex Config)

externalTrafficPolicy

Configure global ingress external traffic policy.

externalTrafficPolicy

TYPE:

object (External Traffic Policy)

falco

Configuration for Falco, runtime security tool and threat detection.

falco

TYPE:

object (Falco Config)

gatekeeper

Configure OPA Gatekeeper to give application developer access to Custom Resource Definitions.

Some preconfigured services can be found under the key user.

Note

See the admin docs for context.

gatekeeper

TYPE:

object (OPA Gatekeeper Config)

kured

Configuration for Kured (Kubernetes Reboot Daemon).

Kured orchestrates node reboots to allow nodes to automatically perform system updates and patches.

kured

TYPE:

object (Kured Config)

opa

Configure Open Policy Agent, constraints and mutations enforced by Gatekeeper.

Compliant Kubernetes contains multiple safeguards to make it easy to follow security best practices.

This includes an implementation of constraints and mutations with similar behaviour as Pod Security Policies, and application developer centric safeguards.

opa

TYPE:

object (Open Policy Agent Config)

trivy

Configure Trivy Operator.

Trivy automatically scans the cluster for vulnerabilities, misconfigurations, and exposed secrets.

trivy

TYPE:

object (Trivy Config)

alerts

Configure alerting.

alerts

TYPE:

object (Alerts Config)

grafana

Configure Grafana, the metrics visualisation dashboard.

Compliant Kubernetes hosts two instances of Grafana one for the Platform Administrator and one for the Application Developer.

Note

Grafana is installed in the service cluster, so this configuration mainly applies there.

grafana

TYPE:

object (Grafana Config)

grafanaLabelEnforcer

Configure Grafana Label Enforcer, responsible to filter metrics from different clusters for Grafana datasources.

grafanaLabelEnforcer

TYPE:

object (Grafana Label Enforcer Config)

kubeStateMetrics

Configure the kube-state-metrics exporter.

kubeStateMetrics

TYPE:

object (Kube State Metrics)

metricsServer

Configure the metrics-server exporter, used to provide for the metrics API in Kubernetes.

metricsServer

TYPE:

object (Metrics Server)

openstackMonitoring

Configure the collection of metrics for OpenStack components.

openstackMonitoring

TYPE:

object (Openstack Monitoring)

prometheus

Configure Prometheus.

Prometheus automatically collects metrics via ServiceMonitors, PodMonitors, and Probes, and pushes metrics to Thanos for long term storage. Additionally Prometheus evaluates recording rules for both service and workload cluster, and all alerting rules for the workload cluster.

Note

Prometheus is installed in both service cluster and workload cluster, so this configuration applies there with some exceptions.

prometheus

TYPE:

object (Prometheus Config)

prometheusOperator

Configure Prometheus Operator.

prometheusOperator

TYPE:

object (Prometheus Operator)

prometheusBlackboxExporter

Configure Prometheus Blackbox Exporter, the exporter used for probing endpoints.

prometheusBlackboxExporter

TYPE:

object (Prometheus Blackbox Exporter)

prometheusNodeExporter

Configure Prometheus Node Exporter, the exporter used for collecting node metrics.

prometheusNodeExporter

TYPE:

object (Prometheus Node Exporter)

s3Exporter

Configure S3 exporter, used to collect metrics about S3 usage.

s3Exporter

TYPE:

object (S3 Exporter)

thanos

Configuration for Thanos.

Thanos ingests metrics sent from Prometheus in both the service and workload clusters, and stores them in object storage.

This requires that objectStorage is configured, and will use the bucket or container set in objectStorage.buckets.thanos.

Note

Thanos and its components are installed in the service cluster, so this configuration mainly applies there.

thanos

TYPE:

object (Thanos Config)

wcProbeIngress

Configure a probe for the workload cluster Ingress Controller.

wcProbeIngress

TYPE:

object (Workcload Cluster Ingress Probe)

welcomingDashboard

If you want to add extra text to the grafana/opensearch "welcoming dashboards" then write the text in these values as a one-line string. Note, first line of the string is a header, not all characters are supported. For newline in Grafana dashboard use format \\n

welcomingDashboard

TYPE:

object (Welcoming Dashboard)

fluentd

Configuration for Fluentd.

Fluentd automatically collects logs from all containers running in the environment.

In the service cluster audit, application, and platform logs can be shipped to object storage. In the workload cluster audit logs can be shipped to object storage and application and platform logs to OpenSearch running in the service cluster.

Logs are collected using a daemon set, and in the workload cluster two sets are deployed, one for the system nodes and one for the worker nodes. Application developer can modify two ConfigMaps to add additional configuration and plugins to the set running on the worker nodes.

When logs are shipped to object storage a stateful aggregator is deployed that buffers logs with persistence before they are shipped. When logs are shipped to OpenSearch it is done directly from the forwarder daemons.

Shipping audit and service cluster logs requires that objectStorage is configured, and will use the bucket or container set in objectStorage.buckets.audit and objectStorage.buckets.scLogs respectively.

Note

Fluentd is installed in both service cluster and workload cluster, so this configuration applies there with some exceptions.

fluentd

TYPE:

object (Fluentd Config)

opensearch

Configuration for OpenSearch.

OpenSearch ingests logs sent from Fluentd in the workload cluster, and presents them in OpenSearch Dashboards.

Note

OpenSearch and its components are installed in the service cluster, so this configuration mainly applies there.

opensearch

TYPE:

object (OpenSearch Config)

calicoAccountant

Configure Calico accountant, used to collect metrics about packets affected by Network Policies when using Calico.

calicoAccountant

TYPE:

object (Calico Accountant)

calicoFelixMetrics

Configure Calico Felix metrics, used to collect metrics about Calico.

calicoFelixMetrics

TYPE:

object (Calico Felix Metrics)

certmanager

Configure cert-manager, used to provision certificates either self-signed or via Let's Encrypt.

certmanager

TYPE:

object (cert-manager Config)

ingressNginx

Configure Ingress-NGINX, the ingress controller.

ingressNginx

TYPE:

object (Ingress-NGINX Controller Config)

issuers

Configure issuers for cert-manager.

issuers

TYPE:

object (Issuers Config)

networkPolicies

Configure Network Policies.

Most common Network Policy rules can be updated by running ./bin/ck8s update-ips <both|sc|wc>.

networkPolicies

TYPE:

object (Network Policies Config)

nodeLocalDns

Configure node-local-dns, node local DNS resolving and caching.

nodeLocalDns

TYPE:

object (Node Local DNS)

externalDns

Configure External DNS.

External DNS manages DNS records based on Kubernetes resources, and can automatically configure DNS records from:

  • CRD resources
  • Ingress resources
  • Service resources

Currently only AWS Route 53 is supported as the DNS provider.

Note

See the upstream documentation for reference.

externalDns

TYPE:

object (External DNS Config)

PROPERTIES:

Additional properties are allowed, as long as they follow this schema:

Configure additional properties not covered by the schema.

TYPE:

object (Additional Properties)

Definitions

component

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/component"}
Property Type Required Nullable Defined by
affinity object Optional cannot be null Compliant Kubernetes Apps Config
enabled boolean Optional cannot be null Compliant Kubernetes Apps Config
nodeSelector object Optional cannot be null Compliant Kubernetes Apps Config
resources object Optional cannot be null Compliant Kubernetes Apps Config
tolerations array Optional cannot be null Compliant Kubernetes Apps Config
topologySpreadConstraints array Optional cannot be null Compliant Kubernetes Apps Config
extraArgs array Optional cannot be null Compliant Kubernetes Apps Config

affinity

Affinity is a group of affinity scheduling rules.

affinity

TYPE:

object (Affinity)

enabled

enabled

TYPE:

boolean

nodeSelector

Kubernetes node selector

Kubernetes assign pod node

nodeSelector

TYPE:

object (Kubernetes Node Selector)

EXAMPLES:

kubernetes.io/os: linux

resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

resources

TYPE:

object (Kubernetes Resource Requirements)

EXAMPLES:

requests:
  memory: 128Mi
  cpu: 100m
limits:
  memory: 256Mi
  cpu: 250m

tolerations

Kubernetes Tolerations

Kubernetes taint and toleration

tolerations

TYPE:

an array of merged types (Details)

topologySpreadConstraints

TopologySpreadConstraints describes how pods should spread across topology domains.

topologySpreadConstraints

TYPE:

an array of merged types (Details)

extraArgs

Extra arguments passed to a container

extraArgs

TYPE:

string[]

cpumem

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/cpumem"}
Property Type Required Nullable Defined by
cpu Multiple Optional cannot be null Compliant Kubernetes Apps Config
memory Multiple Optional cannot be null Compliant Kubernetes Apps Config

cpu

cpu

TYPE:

any of the following: string or integer (Details)

CONSTRAINTS:

pattern: the string must match the following regular expression: 

^[1-9][0-9]*m?$

try pattern

DEFAULTS:

The default value is:

"100m"

memory

memory

TYPE:

any of the following: string or integer (Details)

CONSTRAINTS:

pattern: the string must match the following regular expression: 

^[0-9]+(\.[0-9]+)?([KMG]i)?$

try pattern

DEFAULTS:

The default value is:

"128Mi"

extraArgs

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/extraArgs"}
Property Type Required Nullable Defined by

fluentdBuffer

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/fluentdBuffer"}
Property Type Required Nullable Defined by
timekey string Optional cannot be null Compliant Kubernetes Apps Config
timekeyUseUtc boolean Optional cannot be null Compliant Kubernetes Apps Config
timekeyWait string Optional cannot be null Compliant Kubernetes Apps Config
chunkLimitSize string Optional cannot be null Compliant Kubernetes Apps Config
totalLimitSize string Optional cannot be null Compliant Kubernetes Apps Config
flushInterval string Optional cannot be null Compliant Kubernetes Apps Config
flushMode string Optional cannot be null Compliant Kubernetes Apps Config
flushThreadBurstInterval number Optional cannot be null Compliant Kubernetes Apps Config
flushThreadCount integer Optional cannot be null Compliant Kubernetes Apps Config
retryForever boolean Optional cannot be null Compliant Kubernetes Apps Config
retryType string Optional cannot be null Compliant Kubernetes Apps Config
retryMaxInterval integer Optional cannot be null Compliant Kubernetes Apps Config
Additional Properties Merged Optional cannot be null Compliant Kubernetes Apps Config

timekey

Output plugin will flush chunks per specified time (enabled when time is specified in chunk keys).

Common/Time parameters

timekey

TYPE:

string (Time Key)

EXAMPLES:

10m

timekeyUseUtc

Output plugin decides to use UTC or not to format placeholders using timekey.

Common/Time parameters

timekeyUseUtc

TYPE:

boolean (Timekey Use UTC)

timekeyWait

Output plugin will write chunks after timekey_wait seconds later after timekey expiration.

If a user configures timekey 60m, output plugin will wait delayed events for flushed timekey and write the chunk at 10 minutes of each hour.

Common/Time parameters

timekeyWait

TYPE:

string (Timekey wait)

EXAMPLES:

1m

chunkLimitSize

Events will be written into chunks until the size of chunks become chunkLimitSize.

Buffering parameters

chunkLimitSize

TYPE:

string (Chunk Limit Size)

EXAMPLES:

50MB

totalLimitSize

The size limitation of this buffer plugin instance.

Once the total size of stored buffer reached this threshold, all append operations will fail with error (and data will be lost).

Buffering parameters

totalLimitSize

TYPE:

string (Total Limit Size)

EXAMPLES:

9GB

flushInterval

Flushes the buffer each flushInterval, if flushMode is equal to interval.

Flushing parameters

flushInterval

TYPE:

string (Flush Interval)

EXAMPLES:

15m

flushMode

The flush mode to use.

Flushing parameters

flushMode

TYPE:

string (Flush Mode)

CONSTRAINTS:

enum: the value of this property must be equal to one of the following values:

Value Explanation
"lazy" Flushes/writes chunks once per timekey
"interval" Flushes/writes chunks per specified time via flushInterval
"immediate" Flushes/writes chunks immediately after events are appended into chunks

flushThreadBurstInterval

The sleep interval (seconds) for threads between flushes when the output plugin flushes the waiting chunks to the next ones.

Flushing parameters

flushThreadBurstInterval

TYPE:

number (Flush Thread Burst Interval)

flushThreadCount

The number of threads to flush/write chunks in parallel.

Flushing parameters

flushThreadCount

TYPE:

integer (Flush Thread Count)

retryForever

If true, plugin will ignore retryTimeout and retryMaxTimes options and retry flushing forever.

Retries parameters

retryForever

TYPE:

boolean (Retry Forever)

retryType

The retry algorithm type to use.

Retries parameters

retryType

TYPE:

string (Retry Type)

CONSTRAINTS:

enum: the value of this property must be equal to one of the following values:

Value Explanation
"exponential_backoff" Increase the wait time, in seconds, exponentially per failure
"periodic" Output plugin will retry periodically with fixed intervals (configured via retryWait)

retryMaxInterval

The maximum interval (seconds) for exponential backoff between retries while failing.

Retries parameters

retryMaxInterval

TYPE:

integer (Retry Max Interval)

PROPERTIES:

Additional properties are allowed, as long as they follow this schema:

Additional properties

Assuming that these are never structures, only scalars

TYPE:

any of the following: string or integer or boolean (Additional Properties)

not

goDuration

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/goDuration"}
Property Type Required Nullable Defined by

iplist

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/iplist"}
Property Type Required Nullable Defined by

netpolRule

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/netpolRule"}
Property Type Required Nullable Defined by
enabled boolean Optional cannot be null Compliant Kubernetes Apps Config
ips array Optional cannot be null Compliant Kubernetes Apps Config
ports array Optional cannot be null Compliant Kubernetes Apps Config

enabled

enabled

TYPE:

boolean

ips

List of IP netmasks

ips

TYPE:

string[]

ports

A 16 bit unsigned integer

ports

TYPE:

integer[]

kubernetesNodeSelector

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/kubernetesNodeSelector"}
Property Type Required Nullable Defined by
Additional Properties string Optional cannot be null Compliant Kubernetes Apps Config

PROPERTIES:

Additional properties are allowed, as long as they follow this schema:

TYPE:

string

percentage

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/percentage"}
Property Type Required Nullable Defined by

port

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/port"}
Property Type Required Nullable Defined by

portlist

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/portlist"}
Property Type Required Nullable Defined by

kubernetesResourceRequirements

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/kubernetesResourceRequirements"}
Property Type Required Nullable Defined by
requests object Optional cannot be null Compliant Kubernetes Apps Config
limits object Optional cannot be null Compliant Kubernetes Apps Config

requests

requests

TYPE:

object (Kubernetes Quantity Map)

limits

limits

TYPE:

object (Kubernetes Quantity Map)

timeRange

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/timeRange"}
Property Type Required Nullable Defined by

kubernetesTolerations

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/kubernetesTolerations"}
Property Type Required Nullable Defined by

kubernetesTopologySpreadConstraints

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/kubernetesTopologySpreadConstraints"}
Property Type Required Nullable Defined by

kubernetesQuantityMap

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/kubernetesQuantityMap"}
Property Type Required Nullable Defined by
Additional Properties Multiple Optional cannot be null Compliant Kubernetes Apps Config

PROPERTIES:

Additional properties are allowed, as long as they follow this schema:

Used for CPU shares, memory and storage size etc.

See https://github.com/kubernetes/apimachinery/blob/master/pkg/api/resource/quantity.go

TYPE:

any of the following: string or number (Kubernetes Quantity)

kubernetesQuantity

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/kubernetesQuantity"}
Property Type Required Nullable Defined by

kubernetesPersistentVolumeClaim

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/kubernetesPersistentVolumeClaim"}
Property Type Required Nullable Defined by
size string Optional cannot be null Compliant Kubernetes Apps Config

size

size

TYPE:

string

DEFAULTS:

The default value is:

"1Gi"

io.k8s.api.core.v1.Affinity

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/io.k8s.api.core.v1.Affinity"}
Property Type Required Nullable Defined by
nodeAffinity Merged Optional cannot be null Compliant Kubernetes Apps Config
podAffinity Merged Optional cannot be null Compliant Kubernetes Apps Config
podAntiAffinity Merged Optional cannot be null Compliant Kubernetes Apps Config

nodeAffinity

Describes node affinity scheduling rules for the pod.

nodeAffinity

TYPE:

merged type (Details)

all of

podAffinity

Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).

podAffinity

TYPE:

merged type (Details)

all of

podAntiAffinity

Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).

podAntiAffinity

TYPE:

merged type (Details)

all of

io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement"}
Property Type Required Nullable Defined by
key string Required cannot be null Compliant Kubernetes Apps Config
operator string Required cannot be null Compliant Kubernetes Apps Config
values array Optional cannot be null Compliant Kubernetes Apps Config

key

key is the label key that the selector applies to.

key

TYPE:

string

operator

operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

operator

TYPE:

string

values

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

values

TYPE:

string[]

io.k8s.api.core.v1.NodeAffinity

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/io.k8s.api.core.v1.NodeAffinity"}
Property Type Required Nullable Defined by
preferredDuringSchedulingIgnoredDuringExecution array Optional cannot be null Compliant Kubernetes Apps Config
requiredDuringSchedulingIgnoredDuringExecution Merged Optional cannot be null Compliant Kubernetes Apps Config

preferredDuringSchedulingIgnoredDuringExecution

The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.

preferredDuringSchedulingIgnoredDuringExecution

TYPE:

an array of merged types (Details)

requiredDuringSchedulingIgnoredDuringExecution

If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to an update), the system may or may not try to eventually evict the pod from its node.

requiredDuringSchedulingIgnoredDuringExecution

TYPE:

merged type (Details)

all of

io.k8s.api.core.v1.PodAffinity

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/io.k8s.api.core.v1.PodAffinity"}
Property Type Required Nullable Defined by
preferredDuringSchedulingIgnoredDuringExecution array Optional cannot be null Compliant Kubernetes Apps Config
requiredDuringSchedulingIgnoredDuringExecution array Optional cannot be null Compliant Kubernetes Apps Config

preferredDuringSchedulingIgnoredDuringExecution

The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.

preferredDuringSchedulingIgnoredDuringExecution

TYPE:

an array of merged types (Details)

requiredDuringSchedulingIgnoredDuringExecution

If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.

requiredDuringSchedulingIgnoredDuringExecution

TYPE:

an array of merged types (Details)

io.k8s.api.core.v1.PodAntiAffinity

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/io.k8s.api.core.v1.PodAntiAffinity"}
Property Type Required Nullable Defined by
preferredDuringSchedulingIgnoredDuringExecution array Optional cannot be null Compliant Kubernetes Apps Config
requiredDuringSchedulingIgnoredDuringExecution array Optional cannot be null Compliant Kubernetes Apps Config

preferredDuringSchedulingIgnoredDuringExecution

The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.

preferredDuringSchedulingIgnoredDuringExecution

TYPE:

an array of merged types (Details)

requiredDuringSchedulingIgnoredDuringExecution

If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.

requiredDuringSchedulingIgnoredDuringExecution

TYPE:

an array of merged types (Details)

io.k8s.api.core.v1.PreferredSchedulingTerm

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/io.k8s.api.core.v1.PreferredSchedulingTerm"}
Property Type Required Nullable Defined by
preference Merged Required cannot be null Compliant Kubernetes Apps Config
weight integer Required cannot be null Compliant Kubernetes Apps Config

preference

A node selector term, associated with the corresponding weight.

preference

TYPE:

merged type (Details)

all of

DEFAULTS:

The default value is:

{}

weight

Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.

weight

TYPE:

integer

CONSTRAINTS:

unknown format: the value of this string must follow the format: int32

io.k8s.api.core.v1.NodeSelector

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/io.k8s.api.core.v1.NodeSelector"}
Property Type Required Nullable Defined by
nodeSelectorTerms array Required cannot be null Compliant Kubernetes Apps Config

nodeSelectorTerms

Required. A list of node selector terms. The terms are ORed.

nodeSelectorTerms

TYPE:

an array of merged types (Details)

io.k8s.api.core.v1.WeightedPodAffinityTerm

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/io.k8s.api.core.v1.WeightedPodAffinityTerm"}
Property Type Required Nullable Defined by
podAffinityTerm Merged Required cannot be null Compliant Kubernetes Apps Config
weight integer Required cannot be null Compliant Kubernetes Apps Config

podAffinityTerm

Required. A pod affinity term, associated with the corresponding weight.

podAffinityTerm

TYPE:

merged type (Details)

all of

DEFAULTS:

The default value is:

{}

weight

weight associated with matching the corresponding podAffinityTerm, in the range 1-100.

weight

TYPE:

integer

CONSTRAINTS:

unknown format: the value of this string must follow the format: int32

io.k8s.api.core.v1.PodAffinityTerm

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/io.k8s.api.core.v1.PodAffinityTerm"}
Property Type Required Nullable Defined by
labelSelector Merged Optional cannot be null Compliant Kubernetes Apps Config
matchLabelKeys array Optional cannot be null Compliant Kubernetes Apps Config
mismatchLabelKeys array Optional cannot be null Compliant Kubernetes Apps Config
namespaceSelector Merged Optional cannot be null Compliant Kubernetes Apps Config
namespaces array Optional cannot be null Compliant Kubernetes Apps Config
topologyKey string Required cannot be null Compliant Kubernetes Apps Config

labelSelector

A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods.

labelSelector

TYPE:

merged type (Details)

all of

matchLabelKeys

MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with labelSelector as key in (value) to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.

matchLabelKeys

TYPE:

string[]

mismatchLabelKeys

MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with labelSelector as key notin (value) to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate.

mismatchLabelKeys

TYPE:

string[]

namespaceSelector

A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". An empty selector ({}) matches all namespaces.

namespaceSelector

TYPE:

merged type (Details)

all of

namespaces

namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means "this pod's namespace".

namespaces

TYPE:

string[]

topologyKey

This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.

topologyKey

TYPE:

string

io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"}
Property Type Required Nullable Defined by
matchExpressions array Optional cannot be null Compliant Kubernetes Apps Config
matchLabels object Optional cannot be null Compliant Kubernetes Apps Config

matchExpressions

matchExpressions is a list of label selector requirements. The requirements are ANDed.

matchExpressions

TYPE:

an array of merged types (Details)

matchLabels

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

matchLabels

TYPE:

object (Details)

io.k8s.api.core.v1.NodeSelectorTerm

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/io.k8s.api.core.v1.NodeSelectorTerm"}
Property Type Required Nullable Defined by
matchExpressions array Optional cannot be null Compliant Kubernetes Apps Config
matchFields array Optional cannot be null Compliant Kubernetes Apps Config

matchExpressions

A list of node selector requirements by node's labels.

matchExpressions

TYPE:

an array of merged types (Details)

matchFields

A list of node selector requirements by node's fields.

matchFields

TYPE:

an array of merged types (Details)

io.k8s.api.core.v1.NodeSelectorRequirement

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/io.k8s.api.core.v1.NodeSelectorRequirement"}
Property Type Required Nullable Defined by
key string Required cannot be null Compliant Kubernetes Apps Config
operator string Required cannot be null Compliant Kubernetes Apps Config
values array Optional cannot be null Compliant Kubernetes Apps Config

key

The label key that the selector applies to.

key

TYPE:

string

operator

Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.

operator

TYPE:

string

values

An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.

values

TYPE:

string[]

io.k8s.api.core.v1.EnvVar

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/io.k8s.api.core.v1.EnvVar"}
Property Type Required Nullable Defined by
name string Required cannot be null Compliant Kubernetes Apps Config
value string Optional cannot be null Compliant Kubernetes Apps Config
valueFrom object Optional cannot be null Compliant Kubernetes Apps Config

name

Name of the environment variable.

Must be a C_IDENTIFIER.

name

TYPE:

string (Environment Variable Name)

value

Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. $$(VAR_NAME) will produce the string literal $(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not.

value

TYPE:

string (Environment Variable Value)

valueFrom

Environment Variable Source represents a source for the value of an Environment Variable.

Imported from Kubernetes project

valueFrom

TYPE:

object (Environment Variable Source)

io.k8s.api.core.v1.EnvVarSource

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/io.k8s.api.core.v1.EnvVarSource"}
Property Type Required Nullable Defined by
configMapKeyRef Not specified Optional cannot be null Compliant Kubernetes Apps Config
fieldRef Not specified Optional cannot be null Compliant Kubernetes Apps Config
resourceFieldRef Not specified Optional cannot be null Compliant Kubernetes Apps Config
secretKeyRef Not specified Optional cannot be null Compliant Kubernetes Apps Config

configMapKeyRef

configMapKeyRef

TYPE:

unknown

fieldRef

fieldRef

TYPE:

unknown

resourceFieldRef

resourceFieldRef

TYPE:

unknown

secretKeyRef

secretKeyRef

TYPE:

unknown

io.k8s.api.core.v1.ConfigMapKeySelector

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/io.k8s.api.core.v1.ConfigMapKeySelector"}
Property Type Required Nullable Defined by
key string Required cannot be null Compliant Kubernetes Apps Config
name string Optional cannot be null Compliant Kubernetes Apps Config
optional boolean Optional cannot be null Compliant Kubernetes Apps Config

key

The key to select.

key

TYPE:

string (Config Map Key)

name

Name of the referent.

This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

name

TYPE:

string (Config Map Name)

optional

Specify whether the ConfigMap or its key must be defined.

optional

TYPE:

boolean (Config Map Optional)

io.k8s.api.core.v1.ObjectFieldSelector

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/io.k8s.api.core.v1.ObjectFieldSelector"}
Property Type Required Nullable Defined by
apiVersion string Optional cannot be null Compliant Kubernetes Apps Config
fieldPath string Required cannot be null Compliant Kubernetes Apps Config

apiVersion

Version of the schema the FieldPath is written in terms of, defaults to v1.

apiVersion

TYPE:

string (API Version)

fieldPath

Path of the field to select in the specified API version.

fieldPath

TYPE:

string (Field Path)

io.k8s.api.core.v1.ResourceFieldSelector

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/io.k8s.api.core.v1.ResourceFieldSelector"}
Property Type Required Nullable Defined by
containerName string Optional cannot be null Compliant Kubernetes Apps Config
divisor Not specified Optional cannot be null Compliant Kubernetes Apps Config
resource string Optional cannot be null Compliant Kubernetes Apps Config

containerName

Container name, required for volumes, optional for env vars

containerName

TYPE:

string (Container Name)

divisor

Specifies the output format of the exposed resources, defaults to 1.

divisor

TYPE:

unknown (Divisor)

resource

Required, resource to select.

resource

TYPE:

string (Resource)

io.k8s.api.core.v1.SecretKeySelector

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/io.k8s.api.core.v1.SecretKeySelector"}
Property Type Required Nullable Defined by
key string Required cannot be null Compliant Kubernetes Apps Config
name string Optional cannot be null Compliant Kubernetes Apps Config
optional boolean Optional cannot be null Compliant Kubernetes Apps Config

key

The key of the secret to select from. Must be a valid secret key.

key

TYPE:

string

name

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

name

TYPE:

string

optional

Specify whether the Secret or its key must be defined

optional

TYPE:

boolean

io.k8s.api.core.v1.TopologySpreadConstraint

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/io.k8s.api.core.v1.TopologySpreadConstraint"}
Property Type Required Nullable Defined by
labelSelector Merged Optional cannot be null Compliant Kubernetes Apps Config
matchLabelKeys array Optional cannot be null Compliant Kubernetes Apps Config
maxSkew integer Required cannot be null Compliant Kubernetes Apps Config
minDomains integer Optional cannot be null Compliant Kubernetes Apps Config
nodeAffinityPolicy string Optional cannot be null Compliant Kubernetes Apps Config
nodeTaintsPolicy string Optional cannot be null Compliant Kubernetes Apps Config
topologyKey string Required cannot be null Compliant Kubernetes Apps Config
whenUnsatisfiable string Required cannot be null Compliant Kubernetes Apps Config

labelSelector

LabelSelector is used to find matching pods. Pods that match this label selector are counted to determine the number of pods in their corresponding topology domain.

labelSelector

TYPE:

merged type (Details)

all of

matchLabelKeys

MatchLabelKeys is a set of pod label keys to select the pods over which spreading will be calculated. The keys are used to lookup values from the incoming pod labels, those key-value labels are ANDed with labelSelector to select the group of existing pods over which spreading will be calculated for the incoming pod. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. MatchLabelKeys cannot be set when LabelSelector isn't set. Keys that don't exist in the incoming pod labels will be ignored. A null or empty list means only match against labelSelector.

This is a beta field and requires the MatchLabelKeysInPodTopologySpread feature gate to be enabled (enabled by default).

matchLabelKeys

TYPE:

string[]

maxSkew

MaxSkew describes the degree to which pods may be unevenly distributed. When whenUnsatisfiable=DoNotSchedule, it is the maximum permitted difference between the number of matching pods in the target topology and the global minimum. The global minimum is the minimum number of matching pods in an eligible domain or zero if the number of eligible domains is less than MinDomains. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 2/2/1: In this case, the global minimum is 1. | zone1 | zone2 | zone3 | | P P | P P | P | - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 2/2/2; scheduling it onto zone1(zone2) would make the ActualSkew(3-1) on zone1(zone2) violate MaxSkew(1). - if MaxSkew is 2, incoming pod can be scheduled onto any zone. When whenUnsatisfiable=ScheduleAnyway, it is used to give higher precedence to topologies that satisfy it. It's a required field. Default value is 1 and 0 is not allowed.

maxSkew

TYPE:

integer

CONSTRAINTS:

unknown format: the value of this string must follow the format: int32

minDomains

MinDomains indicates a minimum number of eligible domains. When the number of eligible domains with matching topology keys is less than minDomains, Pod Topology Spread treats "global minimum" as 0, and then the calculation of Skew is performed. And when the number of eligible domains with matching topology keys equals or greater than minDomains, this value has no effect on scheduling. As a result, when the number of eligible domains is less than minDomains, scheduler won't schedule more than maxSkew Pods to those domains. If value is nil, the constraint behaves as if MinDomains is equal to 1. Valid values are integers greater than 0. When value is not nil, WhenUnsatisfiable must be DoNotSchedule.

For example, in a 3-zone cluster, MaxSkew is set to 2, MinDomains is set to 5 and pods with the same labelSelector spread as 2/2/2: | zone1 | zone2 | zone3 | | P P | P P | P P | The number of domains is less than 5(MinDomains), so "global minimum" is treated as 0. In this situation, new pod with the same labelSelector cannot be scheduled, because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, it will violate MaxSkew.

minDomains

TYPE:

integer

CONSTRAINTS:

unknown format: the value of this string must follow the format: int32

nodeAffinityPolicy

NodeAffinityPolicy indicates how we will treat Pod's nodeAffinity/nodeSelector when calculating pod topology spread skew. Options are: - Honor: only nodes matching nodeAffinity/nodeSelector are included in the calculations. - Ignore: nodeAffinity/nodeSelector are ignored. All nodes are included in the calculations.

If this value is nil, the behavior is equivalent to the Honor policy. This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.

nodeAffinityPolicy

TYPE:

string

nodeTaintsPolicy

NodeTaintsPolicy indicates how we will treat node taints when calculating pod topology spread skew. Options are: - Honor: nodes without taints, along with tainted nodes for which the incoming pod has a toleration, are included. - Ignore: node taints are ignored. All nodes are included.

If this value is nil, the behavior is equivalent to the Ignore policy. This is a beta-level feature default enabled by the NodeInclusionPolicyInPodTopologySpread feature flag.

nodeTaintsPolicy

TYPE:

string

topologyKey

TopologyKey is the key of node labels. Nodes that have a label with this key and identical values are considered to be in the same topology. We consider each \ as a "bucket", and try to put balanced number of pods into each bucket. We define a domain as a particular instance of a topology. Also, we define an eligible domain as a domain whose nodes meet the requirements of nodeAffinityPolicy and nodeTaintsPolicy. e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. It's a required field.

topologyKey

TYPE:

string

whenUnsatisfiable

WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy the spread constraint. - DoNotSchedule (default) tells the scheduler not to schedule it. - ScheduleAnyway tells the scheduler to schedule the pod in any location, but giving higher precedence to topologies that would help reduce the skew. A constraint is considered "Unsatisfiable" for an incoming pod if and only if every possible node assignment for that pod would violate "MaxSkew" on some topology. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler won't make it more imbalanced. It's a required field.

whenUnsatisfiable

TYPE:

string

io.k8s.api.core.v1.Toleration

Reference this group by using

{"$ref":"https://raw.githubusercontent.com/elastisys/compliantkubernetes-apps/main/config/schemas/config.yaml#/$defs/io.k8s.api.core.v1.Toleration"}
Property Type Required Nullable Defined by
effect string Optional cannot be null Compliant Kubernetes Apps Config
key string Optional cannot be null Compliant Kubernetes Apps Config
operator string Optional cannot be null Compliant Kubernetes Apps Config
tolerationSeconds integer Optional cannot be null Compliant Kubernetes Apps Config
value string Optional cannot be null Compliant Kubernetes Apps Config

effect

Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.

effect

TYPE:

string

key

Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.

key

TYPE:

string

operator

Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.

operator

TYPE:

string

tolerationSeconds

TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.

tolerationSeconds

TYPE:

integer

CONSTRAINTS:

unknown format: the value of this string must follow the format: int64

value

Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.

value

TYPE:

string

Generated Sat Jun 15 03:48:11 UTC 2024 from elastisys/compliantkubernetes-apps@main