Config

This table was generated from config.yaml.

Cells marked with "—" mean "not specified in schema".

alerts

Configure alerting.

Key Type Default Description
alerts.alertTo string
alerts.customReceivers[] array See note
alerts.customRoutes[] array See note
alerts.opsGenie object Configure alerting to OpsGenie.
alerts.opsGenie.apiUrl string https://api.eu.opsgenie.com
alerts.opsGenie.updateAlerts boolean
alerts.opsGenieHeartbeat object Configure heartbeats to OpsGenie.
alerts.opsGenieHeartbeat.enabled boolean
alerts.runbookUrls object Configure runbooks for alerts.

Runbooks can be configured at the alert-group level or per individual alert.
alerts.runbookUrls.alertmanager object See note
alerts.runbookUrls.alertmanager.group string
alerts.runbookUrls.backupStatus object See note
alerts.runbookUrls.backupStatus.group string
alerts.runbookUrls.blackbox object See note
alerts.runbookUrls.blackbox.group string
alerts.runbookUrls.certManager object See note
alerts.runbookUrls.certManager.group string
alerts.runbookUrls.clusterApi object See note
alerts.runbookUrls.clusterApi.group string
alerts.runbookUrls.clusterAutoscaler object See note
alerts.runbookUrls.clusterAutoscaler.group string
alerts.runbookUrls.clusterCapacityManagement object See note
alerts.runbookUrls.clusterCapacityManagement.group string
alerts.runbookUrls.configReloaders object See note
alerts.runbookUrls.configReloaders.group string
alerts.runbookUrls.coreDns object See note
alerts.runbookUrls.coreDns.group string
alerts.runbookUrls.dailyChecks object See note
alerts.runbookUrls.dailyChecks.group string
alerts.runbookUrls.diskPerf object See note
alerts.runbookUrls.diskPerf.group string
alerts.runbookUrls.falco object See note
alerts.runbookUrls.falco.group string
alerts.runbookUrls.fluentd object See note
alerts.runbookUrls.fluentd.group string
alerts.runbookUrls.general object See note
alerts.runbookUrls.general.group string
alerts.runbookUrls.harbor object See note
alerts.runbookUrls.harbor.group string
alerts.runbookUrls.hnc object See note
alerts.runbookUrls.hnc.group string
alerts.runbookUrls.kubeStateMetrics object See note
alerts.runbookUrls.kubeStateMetrics.group string
alerts.runbookUrls.kubernetesApps object See note
alerts.runbookUrls.kubernetesApps.group string
alerts.runbookUrls.kubernetesResources object See note
alerts.runbookUrls.kubernetesResources.group string
alerts.runbookUrls.kubernetesStorage object See note
alerts.runbookUrls.kubernetesStorage.group string
alerts.runbookUrls.kubernetesSystem object See note
alerts.runbookUrls.kubernetesSystem.group string
alerts.runbookUrls.kured object See note
alerts.runbookUrls.kured.group string
alerts.runbookUrls.missingMetrics object See note
alerts.runbookUrls.missingMetrics.group string
alerts.runbookUrls.nodeExporter object See note
alerts.runbookUrls.nodeExporter.group string
alerts.runbookUrls.nodeNetwork object See note
alerts.runbookUrls.nodeNetwork.group string
alerts.runbookUrls.opensearch object See note
alerts.runbookUrls.opensearch.group string
alerts.runbookUrls.openstack object See note
alerts.runbookUrls.openstack.group string
alerts.runbookUrls.packetsDropped object See note
alerts.runbookUrls.packetsDropped.group string
alerts.runbookUrls.prometheus object See note
alerts.runbookUrls.prometheus.group string
alerts.runbookUrls.prometheusOperator object See note
alerts.runbookUrls.prometheusOperator.group string
alerts.runbookUrls.thanos object See note
alerts.runbookUrls.thanos.group string
alerts.runbookUrls.webhook object See note
alerts.runbookUrls.webhook.group string
alerts.slack object Configure alerting to Slack.
alerts.slack.customTemplate string

Notes for alerts.customReceivers[]

Additional receivers that will be added to the configuration of alertmanager

Note

See the upstream documentation for reference.

Notes for alerts.customRoutes[]

Additional route receivers that will be added to the configuration of alertmanager

Note

See the upstream documentation for reference.

Notes for alerts.runbookUrls.alertmanager

Example:

group: link-to-alert-group-runbook
AlertName: link-to-specific-alert-runbook

Uses upstream runbooks by default

https://runbooks.prometheus-operator.dev/runbooks/

Notes for alerts.runbookUrls.backupStatus

Example:

group: link-to-alert-group-runbook
AlertName: link-to-specific-alert-runbook

Uses no upstream runbook by default

Notes for alerts.runbookUrls.blackbox

Example:

group: link-to-alert-group-runbook
AlertName: link-to-specific-alert-runbook

Uses no upstream runbook by default

Notes for alerts.runbookUrls.certManager

Example:

group: link-to-alert-group-runbook
AlertName: link-to-specific-alert-runbook

Uses no upstream runbook by default

Notes for alerts.runbookUrls.clusterApi

Example:

group: link-to-alert-group-runbook
AlertName: link-to-specific-alert-runbook

Uses no upstream runbook by default

Notes for alerts.runbookUrls.clusterAutoscaler

Example:

group: link-to-alert-group-runbook
AlertName: link-to-specific-alert-runbook

Uses no upstream runbook by default

Notes for alerts.runbookUrls.clusterCapacityManagement

Example:

group: link-to-alert-group-runbook
AlertName: link-to-specific-alert-runbook

Uses upstream runbooks by default

https://runbooks.prometheus-operator.dev/runbooks/

Notes for alerts.runbookUrls.configReloaders

Example:

group: link-to-alert-group-runbook
AlertName: link-to-specific-alert-runbook

Uses upstream runbooks by default

https://runbooks.prometheus-operator.dev/runbooks/

Notes for alerts.runbookUrls.coreDns

Example:

group: link-to-alert-group-runbook
AlertName: link-to-specific-alert-runbook

Uses no upstream runbook by default

Notes for alerts.runbookUrls.dailyChecks

Example:

group: link-to-alert-group-runbook
AlertName: link-to-specific-alert-runbook

Uses no upstream runbook by default

Notes for alerts.runbookUrls.diskPerf

Example:

group: link-to-alert-group-runbook
AlertName: link-to-specific-alert-runbook

Uses no upstream runbook by default

Notes for alerts.runbookUrls.falco

Example:

group: link-to-alert-group-runbook
AlertName: link-to-specific-alert-runbook

Uses no upstream runbook by default

Notes for alerts.runbookUrls.fluentd

Example:

group: link-to-alert-group-runbook
AlertName: link-to-specific-alert-runbook

Uses no upstream runbook by default

Notes for alerts.runbookUrls.general

Example:

group: link-to-alert-group-runbook
AlertName: link-to-specific-alert-runbook

Uses upstream runbooks by default

https://runbooks.prometheus-operator.dev/runbooks/

Notes for alerts.runbookUrls.harbor

Example:

group: link-to-alert-group-runbook
AlertName: link-to-specific-alert-runbook

Uses no upstream runbook by default

Notes for alerts.runbookUrls.hnc

Example:

group: link-to-alert-group-runbook
AlertName: link-to-specific-alert-runbook

Uses no upstream runbook by default

Notes for alerts.runbookUrls.kubeStateMetrics

Example:

group: link-to-alert-group-runbook
AlertName: link-to-specific-alert-runbook

Uses upstream runbooks by default

https://runbooks.prometheus-operator.dev/runbooks/

Notes for alerts.runbookUrls.kubernetesApps

Example:

group: link-to-alert-group-runbook
AlertName: link-to-specific-alert-runbook

Uses upstream runbooks by default

https://runbooks.prometheus-operator.dev/runbooks/

Notes for alerts.runbookUrls.kubernetesResources

Example:

group: link-to-alert-group-runbook
AlertName: link-to-specific-alert-runbook

Uses upstream runbooks by default

https://runbooks.prometheus-operator.dev/runbooks/

Notes for alerts.runbookUrls.kubernetesStorage

Example:

group: link-to-alert-group-runbook
AlertName: link-to-specific-alert-runbook

Uses upstream runbooks by default

https://runbooks.prometheus-operator.dev/runbooks/

Notes for alerts.runbookUrls.kubernetesSystem

Example:

group: link-to-alert-group-runbook
AlertName: link-to-specific-alert-runbook

Uses upstream runbooks by default

https://runbooks.prometheus-operator.dev/runbooks/

Notes for alerts.runbookUrls.kured

Example:

group: link-to-alert-group-runbook
AlertName: link-to-specific-alert-runbook

Uses no upstream runbook by default

Notes for alerts.runbookUrls.missingMetrics

Example:

group: link-to-alert-group-runbook
AlertName: link-to-specific-alert-runbook

Uses no upstream runbook by default

Notes for alerts.runbookUrls.nodeExporter

Example:

group: link-to-alert-group-runbook
AlertName: link-to-specific-alert-runbook

Uses upstream runbooks by default

https://runbooks.prometheus-operator.dev/runbooks/

Notes for alerts.runbookUrls.nodeNetwork

Example:

group: link-to-alert-group-runbook
AlertName: link-to-specific-alert-runbook

Uses upstream runbooks by default

https://runbooks.prometheus-operator.dev/runbooks/

Notes for alerts.runbookUrls.opensearch

Example:

group: link-to-alert-group-runbook
AlertName: link-to-specific-alert-runbook

Uses no upstream runbook by default

Notes for alerts.runbookUrls.openstack

Example:

group: link-to-alert-group-runbook
AlertName: link-to-specific-alert-runbook

Uses no upstream runbook by default

Notes for alerts.runbookUrls.packetsDropped

Example:

group: link-to-alert-group-runbook
AlertName: link-to-specific-alert-runbook

Uses no upstream runbook by default

Notes for alerts.runbookUrls.prometheus

Example:

group: link-to-alert-group-runbook
AlertName: link-to-specific-alert-runbook

Uses upstream runbooks by default

https://runbooks.prometheus-operator.dev/runbooks/

Notes for alerts.runbookUrls.prometheusOperator

Example:

group: link-to-alert-group-runbook
AlertName: link-to-specific-alert-runbook

Uses upstream runbooks by default

https://runbooks.prometheus-operator.dev/runbooks/

Notes for alerts.runbookUrls.thanos

Example:

group: link-to-alert-group-runbook
AlertName: link-to-specific-alert-runbook

Uses upstream runbooks by default

https://github.com/thanos-io/thanos/tree/main/mixin/runbook.md

Notes for alerts.runbookUrls.webhook

Example:

group: link-to-alert-group-runbook
AlertName: link-to-specific-alert-runbook

Uses no upstream runbook by default

certmanager

Configure cert-manager, used to provision certificates either self-signed or via Let's Encrypt.

Key Type Default Description
certmanager.affinity object Affinity is a group of affinity scheduling rules.
certmanager.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
certmanager.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
certmanager.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
certmanager.cainjector object This is meant to describe the base class if you will, for Welkin resources.
certmanager.cainjector.affinity object Affinity is a group of affinity scheduling rules.
certmanager.cainjector.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
certmanager.cainjector.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
certmanager.cainjector.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
certmanager.cainjector.enabled boolean
certmanager.cainjector.extraArgs[] array of string Extra arguments passed to a container
certmanager.cainjector.nodeSelector object See note
certmanager.cainjector.resources object See note
certmanager.cainjector.resources.limits object
certmanager.cainjector.resources.requests object
certmanager.cainjector.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
certmanager.cainjector.topologySpreadConstraints[] array TopologySpreadConstraints describes how pods should spread across topology domains.
certmanager.extraArgs[] array of string Extra arguments passed to a container
certmanager.nodeSelector object See note
certmanager.resources object See note
certmanager.resources.limits object
certmanager.resources.requests object
certmanager.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
certmanager.topologySpreadConstraints[] array TopologySpreadConstraints describes how pods should spread across topology domains.
certmanager.webhook object This is meant to describe the base class if you will, for Welkin resources.
certmanager.webhook.affinity object Affinity is a group of affinity scheduling rules.
certmanager.webhook.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
certmanager.webhook.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
certmanager.webhook.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
certmanager.webhook.enabled boolean
certmanager.webhook.extraArgs[] array of string Extra arguments passed to a container
certmanager.webhook.nodeSelector object See note
certmanager.webhook.resources object See note
certmanager.webhook.resources.limits object
certmanager.webhook.resources.requests object
certmanager.webhook.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
certmanager.webhook.topologySpreadConstraints[] array TopologySpreadConstraints describes how pods should spread across topology domains.

Notes for certmanager.cainjector.nodeSelector

Kubernetes node selector

Kubernetes assign pod node

Examples:

kubernetes.io/os: linux

Notes for certmanager.cainjector.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

requests:
  memory: 128Mi
  cpu: 100m
limits:
  memory: 256Mi
  cpu: 250m

Notes for certmanager.nodeSelector

Kubernetes node selector

Kubernetes assign pod node

Examples:

kubernetes.io/os: linux

Notes for certmanager.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

requests:
  memory: 128Mi
  cpu: 100m
limits:
  memory: 256Mi
  cpu: 250m

Notes for certmanager.webhook.nodeSelector

Kubernetes node selector

Kubernetes assign pod node

Examples:

kubernetes.io/os: linux

Notes for certmanager.webhook.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

requests:
  memory: 128Mi
  cpu: 100m
limits:
  memory: 256Mi
  cpu: 250m

clusterAdmin

Configure the cluster admins.

Key Type Default Description
clusterAdmin.groups[] array of string Configure the cluster admin groups.
clusterAdmin.users[] array of string Configure the cluster admin users.

clusterApi

Set to true if Kubernetes is installed with cluster-api.

Key Type Default Description
clusterApi.clusters[] array of string List of clusters to monitor.

Used when monitoring clusters for autoscaling.
clusterApi.enabled boolean
clusterApi.monitoring object Enable autoscaling monitoring of cluster API clusters.
clusterApi.monitoring.enabled boolean

dex

Configure Dex, the federated OIDC Identity Provider.

Note

Dex is installed in the service cluster, so this configuration mainly applies there.

Key Type Default Description
dex.additionalKubeloginRedirects[] array of string Configure Dex with additional Kubelogin redirects.
dex.affinity object Affinity is a group of affinity scheduling rules.
dex.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
dex.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
dex.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
dex.enableStaticLogin boolean True Configure Dex with a static password login admin@example.com.
dex.expiry object Configure expiry when authenticating with Dex.
dex.expiry.deviceRequests string See note
dex.expiry.idToken string See note
dex.expiry.refreshTokens object Configure expiry of refresh tokens when authenticating with Dex.
dex.expiry.refreshTokens.absoluteLifetime string See note
dex.expiry.refreshTokens.reuseInterval string See note
dex.expiry.refreshTokens.validIfNotUsedFor string See note
dex.expiry.signingKeys string See note
dex.google object Configure Dex with specific options when using the Google connector.
dex.google.SASecretName string
dex.google.groupSupport boolean
dex.nodeSelector object See note
dex.replicaCount number 2
dex.resources object See note
dex.resources.limits object
dex.resources.requests object
dex.serviceMonitor object Configure the Service Monitor collecting metrics from Dex.
dex.serviceMonitor.enabled boolean True
dex.subdomain string dex See note
dex.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
dex.topologySpreadConstraints[] array TopologySpreadConstraints describes how pods should spread across topology domains.

Notes for dex.expiry.deviceRequests

An amount of time

Examples:

300s
72h
3d

Notes for dex.expiry.idToken

An amount of time

Examples:

300s
72h
3d

Notes for dex.expiry.refreshTokens.absoluteLifetime

An amount of time

Examples:

300s
72h
3d

Notes for dex.expiry.refreshTokens.reuseInterval

An amount of time

Examples:

300s
72h
3d

Notes for dex.expiry.refreshTokens.validIfNotUsedFor

An amount of time

Examples:

300s
72h
3d

Notes for dex.expiry.signingKeys

An amount of time

Examples:

300s
72h
3d

Notes for dex.nodeSelector

Kubernetes node selector

Kubernetes assign pod node

Examples:

kubernetes.io/os: linux

Notes for dex.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

requests:
  memory: 128Mi
  cpu: 100m
limits:
  memory: 256Mi
  cpu: 250m

Notes for dex.subdomain

Subdomain of baseDomain that the Ingress to Dex will be created with.

Note

Must be set for both service and workload clusters.

externalDns

Configure External DNS.

External DNS manages DNS records based on Kubernetes resources, and can automatically configure DNS records from:

  • CRD resources
  • Ingress resources
  • Service resources

Currently only AWS Route 53 is supported as the DNS provider.

Note

See the upstream documentation for reference.

Key Type Default Description
externalDns.affinity object Affinity is a group of affinity scheduling rules.
externalDns.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
externalDns.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
externalDns.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
externalDns.domains[] array of string Configure the domains External DNS should manage.
externalDns.enabled boolean
externalDns.endpoints[] array of object See note
externalDns.extraArgs[] array of string Extra arguments passed to a container
externalDns.logLevel string See note
externalDns.namespaced boolean
externalDns.provider string See note
externalDns.resources object See note
externalDns.resources.limits object
externalDns.resources.requests object
externalDns.sources object Configure the sources External DNS should manage DNS records for.
externalDns.sources.crd boolean
externalDns.sources.ingress boolean
externalDns.sources.service boolean
externalDns.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
externalDns.topologySpreadConstraints[] array TopologySpreadConstraints describes how pods should spread across topology domains.
externalDns.txtPrefix string Configure a prefix to TXT records.

This is required with AWS Route 53 if CNAME records are preferred over A/AAAA records as it cannot handle both at the same time.

Notes for externalDns.endpoints[]

Configure the endpoints to create DNS records for.

Requires externalDns.sources.crd to be enabled.

Configure an endpoint to create a DNS record for.

Notes for externalDns.logLevel

Examples:

info

Notes for externalDns.provider

Examples:

aws

Notes for externalDns.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

requests:
  memory: 128Mi
  cpu: 100m
limits:
  memory: 256Mi
  cpu: 250m

externalTrafficPolicy

Configure global ingress external traffic policy.

Key Type Default Description
externalTrafficPolicy.local boolean True
externalTrafficPolicy.whitelistRange object See note

Notes for externalTrafficPolicy.whitelistRange

Configure allowlist CIDR ranges for ingresses.

This is done via the ingress annotation nginx.ingress.kubernetes.io/whitelist-source-range.

Set to false to explicitly opt-out of this annotation.

falco

Configuration for Falco, a runtime security and threat detection tool.

Key Type Default Description
falco.affinity object Affinity is a group of affinity scheduling rules.
falco.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
falco.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
falco.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
falco.alerts object Configure Falco alerts sent from Falco sidekick.
falco.alerts.enabled boolean
falco.alerts.hostPort string http://alertmanager-operated.monitoring:9093 Configure the notification channel for Falco alerts.
falco.alerts.priority string notice Configure the notification priority for Falco alerts.
falco.alerts.type string alertmanager See note
falco.artifact object Configure Falcoctl artefact management.

See the upstream repository for reference.
falco.artifact.install object Configure Falcoctl artefact install.
falco.artifact.install.enabled boolean Configure Falcoctl to install additional artifacts before Falco starts.

Set this to false in an air-gapped environment, unless artifacts are self-hosted and customIndexes are configured.
falco.customIndexes[] array of object Configure custom artefact indices for Falcoctl.

Configure custom artefact index for Falcoctl.
falco.customRules object See note
falco.driver object Configuration for the Falco syscall driver used to collect events.

See the upstream documentation for more information.
falco.driver.kind string kmod See note
falco.enabled boolean True
falco.falcoSidekick object Basic configuration for Falco Sidekick, the deployment that forwards Falco alerts to Alertmanager.
falco.falcoSidekick.affinity object Affinity is a group of affinity scheduling rules.
falco.falcoSidekick.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
falco.falcoSidekick.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
falco.falcoSidekick.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
falco.falcoSidekick.nodeSelector object See note
falco.falcoSidekick.resources object See note
falco.falcoSidekick.resources.limits object
falco.falcoSidekick.resources.requests object
falco.falcoSidekick.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
falco.nodeSelector object See note
falco.resources object See note
falco.resources.limits object
falco.resources.requests object
falco.rulesFiles object Configure standard rules to use in Falco.

See the upstream documentation for reference.
falco.rulesFiles.default object Configure Falco default rules
falco.rulesFiles.default.enabled boolean True
falco.rulesFiles.default.version string 3.0.1
falco.rulesFiles.incubating object Configure Falco incubating rules
falco.rulesFiles.incubating.enabled boolean
falco.rulesFiles.incubating.version string 3.0.1
falco.rulesFiles.sandbox object Configure Falco sandbox rules
falco.rulesFiles.sandbox.enabled boolean
falco.rulesFiles.sandbox.version string 3.0.1
falco.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
falco.tty boolean True Attach the Falco process to a TTY inside the container.

Needed to flush Falco logs as soon as they are emitted.
falco.useContainerEngine boolean True Use the new container engine collector that replaces the old docker, containerd, crio and podman collectors.

Notes for falco.alerts.type

Configure the notification channel for Falco alerts.

Possible values:

alertmanager
slack
none

Notes for falco.customRules

Configure custom rules to use in Falco.

Note

See the upstream documentation for reference.

The keys will become the file name of the generated rule file, and all files are parsed in alphabetical order.

Notes for falco.driver.kind

Possible values:

kmod
modern-bpf
ebpf

Notes for falco.falcoSidekick.nodeSelector

Kubernetes node selector

Kubernetes assign pod node

Examples:

kubernetes.io/os: linux

Notes for falco.falcoSidekick.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

requests:
  memory: 128Mi
  cpu: 100m
limits:
  memory: 256Mi
  cpu: 250m

Notes for falco.nodeSelector

Kubernetes node selector

Kubernetes assign pod node

Examples:

kubernetes.io/os: linux

Notes for falco.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

requests:
  memory: 128Mi
  cpu: 100m
limits:
  memory: 256Mi
  cpu: 250m

fluentd

Configuration for Fluentd.

Fluentd automatically collects logs from all containers running in the environment.

In the service cluster, audit, application, and platform logs can be shipped to object storage. In the workload cluster, audit logs can be shipped to object storage, and application and platform logs to OpenSearch running in the service cluster.

Logs are collected using a daemon set; in the workload cluster two sets are deployed, one for the system nodes and one for the worker nodes. Application developers can modify two ConfigMaps to add additional configuration and plugins to the set running on the worker nodes.

When logs are shipped to object storage a stateful aggregator is deployed that buffers logs with persistence before they are shipped. When logs are shipped to OpenSearch it is done directly from the forwarder daemons.

Shipping audit and service cluster logs requires that objectStorage is configured, and will use the bucket or container set in objectStorage.buckets.audit and objectStorage.buckets.scLogs respectively.

Note

Fluentd is installed in both service cluster and workload cluster, so this configuration applies there with some exceptions.

Key Type Default Description
fluentd.aggregator object Configure Fluentd aggregator, used to buffer logs with persistence before they are shipped to object storage.
fluentd.aggregator.affinity object Affinity is a group of affinity scheduling rules.
fluentd.aggregator.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
fluentd.aggregator.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
fluentd.aggregator.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
fluentd.aggregator.buffer object See note
fluentd.aggregator.buffer.chunkLimitSize string See note
fluentd.aggregator.buffer.flushInterval string See note
fluentd.aggregator.buffer.flushMode string See note
fluentd.aggregator.buffer.flushThreadBurstInterval number See note
fluentd.aggregator.buffer.flushThreadCount integer The number of threads to flush/write chunks in parallel.

Flushing parameters
fluentd.aggregator.buffer.retryForever boolean If true, the plugin will ignore the retryTimeout and retryMaxTimes options and retry flushing forever.

Retries parameters
fluentd.aggregator.buffer.retryMaxInterval integer The maximum interval (seconds) for exponential backoff between retries while failing.

Retries parameters
fluentd.aggregator.buffer.retryType string See note
fluentd.aggregator.buffer.timekey string See note
fluentd.aggregator.buffer.timekeyUseUtc boolean Output plugin decides to use UTC or not to format placeholders using timekey.

Common/Time parameters
fluentd.aggregator.buffer.timekeyWait string See note
fluentd.aggregator.buffer.totalLimitSize string See note
fluentd.aggregator.nodeSelector object See note
fluentd.aggregator.persistence object Configure Fluentd aggregator persistence.
fluentd.aggregator.persistence.storage string 10Gi
fluentd.aggregator.resources object See note
fluentd.aggregator.resources.limits object
fluentd.aggregator.resources.requests object
fluentd.aggregator.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
fluentd.audit object Configure Fluentd audit log collection.
fluentd.audit.compaction object Configure the compaction of logs stored in object storage.
fluentd.audit.compaction.days number Configure the days to consider for compaction or the days to retain.
fluentd.audit.compaction.enabled boolean True
fluentd.audit.compaction.ephemeralVolumes object Configure the job to run with an ephemeral volume if the nodes risk running out of storage.
fluentd.audit.compaction.ephemeralVolumes.enabled boolean
fluentd.audit.compaction.schedule string
fluentd.audit.enabled boolean
fluentd.audit.filters string Configure Fluentd audit log filter stages.

To capture audit logs label the logs with the @AUDIT label.
fluentd.audit.retention object Configure the retention of logs stored in object storage.
fluentd.audit.retention.days number Configure the days to consider for compaction or the days to retain.
fluentd.audit.retention.enabled boolean True
fluentd.audit.retention.schedule string
fluentd.enabled boolean True
fluentd.extraConfigMaps object See note
fluentd.forwarder object Configure Fluentd forwarder, used to collect and forward logs on system nodes.
fluentd.forwarder.affinity object Affinity is a group of affinity scheduling rules.
fluentd.forwarder.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
fluentd.forwarder.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
fluentd.forwarder.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
fluentd.forwarder.buffer object See note
fluentd.forwarder.buffer.chunkLimitSize string See note
fluentd.forwarder.buffer.flushInterval string See note
fluentd.forwarder.buffer.flushMode string See note
fluentd.forwarder.buffer.flushThreadBurstInterval number See note
fluentd.forwarder.buffer.flushThreadCount integer The number of threads to flush/write chunks in parallel.

Flushing parameters
fluentd.forwarder.buffer.retryForever boolean If true, the plugin will ignore the retryTimeout and retryMaxTimes options and retry flushing forever.

Retries parameters
fluentd.forwarder.buffer.retryMaxInterval integer The maximum interval (seconds) for exponential backoff between retries while failing.

Retries parameters
fluentd.forwarder.buffer.retryType string See note
fluentd.forwarder.buffer.timekey string See note
fluentd.forwarder.buffer.timekeyUseUtc boolean Whether the output plugin uses UTC when formatting placeholders with timekey.

Common/Time parameters
fluentd.forwarder.buffer.timekeyWait string See note
fluentd.forwarder.buffer.totalLimitSize string See note
fluentd.forwarder.image object Configure Fluentd forwarder image repository and tag
fluentd.forwarder.image.repository string ghcr.io/elastisys/fluentd-forwarder
fluentd.forwarder.image.tag string v4.7.5-ck8s1
fluentd.forwarder.livenessThresholdSeconds number 900
fluentd.forwarder.nodeSelector object See note
fluentd.forwarder.requestTimeout string 60s
fluentd.forwarder.resources object See note
fluentd.forwarder.resources.limits object
fluentd.forwarder.resources.requests object
fluentd.forwarder.stuckThresholdSeconds number 1200
fluentd.forwarder.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
fluentd.logManager object Configure log-manager, used to manage compaction and retention of logs stored in object storage.
fluentd.logManager.affinity object Affinity is a group of affinity scheduling rules.
fluentd.logManager.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
fluentd.logManager.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
fluentd.logManager.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
fluentd.logManager.compaction object Configure log-manager compaction.
fluentd.logManager.compaction.azureCopyBufferGB number Configure the memory buffer size in GB (accepts decimals) for Azure copy operations.
fluentd.logManager.compaction.azureCopyConcurrency number Configure the maximum number of concurrent download requests for Azure copy operations.
fluentd.logManager.compaction.resources object See note
fluentd.logManager.compaction.resources.limits object
fluentd.logManager.compaction.resources.requests object
fluentd.logManager.compaction.volume object Configure log-manager compaction volume.
fluentd.logManager.compaction.volume.storage string 5Gi Configure log-manager compaction volume size.
fluentd.logManager.nodeSelector object See note
fluentd.logManager.retention object Configure log-manager retention.
fluentd.logManager.retention.resources object See note
fluentd.logManager.retention.resources.limits object
fluentd.logManager.retention.resources.requests object
fluentd.logManager.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
fluentd.scLogs object Configure Fluentd service cluster log collection.
fluentd.scLogs.compaction object Configure the compaction of logs stored in object storage.
fluentd.scLogs.compaction.days number Configure the days to consider for compaction or the days to retain.
fluentd.scLogs.compaction.enabled boolean True
fluentd.scLogs.compaction.ephemeralVolumes object Configure the job to run with an ephemeral volume if the nodes risk running out of storage.
fluentd.scLogs.compaction.ephemeralVolumes.enabled boolean
fluentd.scLogs.compaction.schedule string
fluentd.scLogs.enabled boolean True
fluentd.scLogs.retention object Configure the retention of logs stored in object storage.
fluentd.scLogs.retention.days number Configure the days to consider for compaction or the days to retain.
fluentd.scLogs.retention.enabled boolean True
fluentd.scLogs.retention.schedule string
fluentd.user object Configure Fluentd forwarder, used to collect and forward logs on the worker nodes that application developers run their workloads on.
fluentd.user.affinity object Affinity is a group of affinity scheduling rules.
fluentd.user.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
fluentd.user.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
fluentd.user.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
fluentd.user.nodeSelector object See note
fluentd.user.resources object See note
fluentd.user.resources.limits object
fluentd.user.resources.requests object
fluentd.user.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration

Notes for fluentd.aggregator.buffer

Fluentd buffer configuration parameters.

Note

See the upstream documentation for reference; set keys will be converted from camelCase to snake_case.

Notes for fluentd.aggregator.buffer.chunkLimitSize

Events will be written into a chunk until the size of the chunk reaches chunkLimitSize.

Buffering parameters

Examples:

50MB

Notes for fluentd.aggregator.buffer.flushInterval

Flushes the buffer every flushInterval, if flushMode is set to interval.

Flushing parameters

Examples:

15m

Notes for fluentd.aggregator.buffer.flushMode

The flush mode to use.

Flushing parameters

Possible values:

lazy
interval
immediate

Notes for fluentd.aggregator.buffer.flushThreadBurstInterval

The sleep interval (seconds) for threads between flushes when the output plugin flushes the waiting chunks to the next ones.

Flushing parameters

Notes for fluentd.aggregator.buffer.retryType

The retry algorithm type to use.

Retries parameters

Possible values:

exponential_backoff
periodic

Notes for fluentd.aggregator.buffer.timekey

The output plugin will flush chunks per the specified time (enabled when time is specified in the chunk keys).

Common/Time parameters

Examples:

10m

Notes for fluentd.aggregator.buffer.timekeyWait

The output plugin will write chunks timekey_wait seconds after timekey expiration, to collect events that arrive late.

If a user configures timekey 60m with timekey_wait 10m, the output plugin will wait for delayed events belonging to the flushed timekey and write the chunk at 10 minutes past each hour.

Common/Time parameters

Examples:

1m

Notes for fluentd.aggregator.buffer.totalLimitSize

The size limitation of this buffer plugin instance.

Once the total size of the stored buffer reaches this threshold, all append operations will fail with an error (and data will be lost).

Buffering parameters

Examples:

9GB

Notes for fluentd.aggregator.nodeSelector

Kubernetes node selector

Kubernetes assign pod node

Examples:

{'kubernetes.io/os': 'linux'}

Notes for fluentd.aggregator.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for fluentd.extraConfigMaps

Configure extra ConfigMaps for Fluentd.

Note

This is only applicable for Fluentd forwarder running on system nodes in the workload cluster.

Notes for fluentd.forwarder.buffer

Fluentd buffer configuration parameters.

Note

See the upstream documentation for reference; set keys will be converted from camelCase to snake_case.

Notes for fluentd.forwarder.buffer.chunkLimitSize

Events will be written into a chunk until the size of the chunk reaches chunkLimitSize.

Buffering parameters

Examples:

50MB

Notes for fluentd.forwarder.buffer.flushInterval

Flushes the buffer every flushInterval, if flushMode is set to interval.

Flushing parameters

Examples:

15m

Notes for fluentd.forwarder.buffer.flushMode

The flush mode to use.

Flushing parameters

Possible values:

lazy
interval
immediate

Notes for fluentd.forwarder.buffer.flushThreadBurstInterval

The sleep interval (seconds) for threads between flushes when the output plugin flushes the waiting chunks to the next ones.

Flushing parameters

Notes for fluentd.forwarder.buffer.retryType

The retry algorithm type to use.

Retries parameters

Possible values:

exponential_backoff
periodic

Notes for fluentd.forwarder.buffer.timekey

The output plugin will flush chunks per the specified time (enabled when time is specified in the chunk keys).

Common/Time parameters

Examples:

10m

Notes for fluentd.forwarder.buffer.timekeyWait

The output plugin will write chunks timekey_wait seconds after timekey expiration, to collect events that arrive late.

If a user configures timekey 60m with timekey_wait 10m, the output plugin will wait for delayed events belonging to the flushed timekey and write the chunk at 10 minutes past each hour.

Common/Time parameters

Examples:

1m

Notes for fluentd.forwarder.buffer.totalLimitSize

The size limitation of this buffer plugin instance.

Once the total size of the stored buffer reaches this threshold, all append operations will fail with an error (and data will be lost).

Buffering parameters

Examples:

9GB

Notes for fluentd.forwarder.nodeSelector

Kubernetes node selector

Kubernetes assign pod node

Examples:

{'kubernetes.io/os': 'linux'}

Notes for fluentd.forwarder.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for fluentd.logManager.compaction.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for fluentd.logManager.nodeSelector

Kubernetes node selector

Kubernetes assign pod node

Examples:

{'kubernetes.io/os': 'linux'}

Notes for fluentd.logManager.retention.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for fluentd.user.nodeSelector

Kubernetes node selector

Kubernetes assign pod node

Examples:

{'kubernetes.io/os': 'linux'}

Notes for fluentd.user.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

gatekeeper

Configure OPA Gatekeeper to give application developers access to Custom Resource Definitions.

Some preconfigured services can be found under the key user.

Note

See the admin docs for context.

Key Type Default Description
gatekeeper.allowUserCRDs object Configure access to Custom Resource Definitions for application developers.
gatekeeper.allowUserCRDs.adminConfUser string kubernetes-admin Configure the admin config user of the /etc/kubernetes/admin.conf found on the control plane nodes.

This is necessary if Kubespray is used for managing the cluster.
gatekeeper.allowUserCRDs.enabled boolean
gatekeeper.allowUserCRDs.enforcement string deny See note
gatekeeper.allowUserCRDs.extraCRDs[] array of object Configure extra CRDs to allow for application developers.
gatekeeper.allowUserCRDs.extraServiceAccounts[] array of object See note
gatekeeper.enabled boolean True

Notes for gatekeeper.allowUserCRDs.enforcement

Possible values:

deny
warn
dryrun

Notes for gatekeeper.allowUserCRDs.extraServiceAccounts[]

Configure extra service accounts to allow access to configured CRDs.

Configure an extra service account to allow access to configured CRDs.

Examples:

[{'namespace': 'example-namespace', 'name': 'example-controller'}]

global

Some common options used in various helm charts.

Key Type Default Description
global.baseDomain string See note
global.ck8sCloudProvider string See note
global.ck8sConfigSerial string See note
global.ck8sEnvironmentName string See note
global.ck8sFlavor string See note
global.ck8sK8sInstaller string See note
global.ck8sVersion string See note
global.clusterDns string 10.233.0.3 IP of the cluster DNS in kubernetes
global.clusterName string
global.clustersMonitoring[] array of string Configure the names of the workload clusters that send metrics to the service cluster.

Mainly used to filter metrics.
global.containerRuntime string containerd See note
global.enforceIPFamilies boolean Enforce ipFamilyPolicy on all services that don't explicitly set it.
This is done using a mutating webhook applied to all services that don't set it.
The value it sets is taken from .global.ipFamilies.
global.enforceIPFamilyPolicy boolean See note
global.ipFamilies[] array of string ['IPv4'] Used to set the ipFamilyPolicy for all configurable services.
global.ipFamilyPolicy string SingleStack See note
global.issuer string letsencrypt-staging See note
global.opsDomain string See note
global.scDomain string If baseDomain for wc and sc is not the same, set the domain of the sc cluster.
global.scOpsDomain string If opsDomain for wc and sc is not the same, set the ops domain of the sc cluster.
global.verifyTls boolean True Verify ingress certificates

Notes for global.baseDomain

Domain intended for ingress usage in the workload cluster and to reach application developer facing services such as Grafana, Harbor and OpenSearch Dashboards. E.g. with 'prod.domain.com', OpenSearch Dashboards is reached via 'opensearch.prod.domain.com'.

Notes for global.ck8sCloudProvider

Possible values:

aws
azure
baremetal
citycloud
elastx
exoscale
none
safespring
upcloud
openstack

Notes for global.ck8sConfigSerial

This property is used during migrations to track state and ensure that the same version is used during ck8s upgrade prepare as during ck8s upgrade apply.

Examples:

2025-04-29T08:34:21+00:00

Notes for global.ck8sEnvironmentName

Examples:

my-welkin-cluster

Notes for global.ck8sFlavor

Possible values:

prod
dev
air-gapped

Notes for global.ck8sK8sInstaller

Possible values:

capi
kubespray
none

Notes for global.ck8sVersion

Use the version number if you are exactly at a release tag. Otherwise use the full commit hash of the current commit. The value any can be used to disable this validation.

Examples:

v0.42.1
any
424442541a567646c232d949bad1af2b5b7cb885

Notes for global.containerRuntime

Possible values:

containerd
docker

Notes for global.enforceIPFamilyPolicy

Enforce ipFamilyPolicy on all services that don't explicitly set it. This is done using a mutating webhook applied to all services that don't set it. The value it sets is taken from .global.ipFamilyPolicy.

Notes for global.ipFamilyPolicy

Used to set the ipFamilyPolicy for all configurable services.

Examples:

SingleStack
PreferDualStack
RequireDualStack

Possible values:

SingleStack
PreferDualStack
RequireDualStack

Notes for global.issuer

Default cert-manager issuer to use for issuing certificates for ingresses. Normally one of letsencrypt-staging or letsencrypt-prod.

Examples:

letsencrypt-staging
letsencrypt-prod
selfsigned

Notes for global.opsDomain

Domain intended for ingress usage in the service cluster and to reach non-user facing services such as Thanos and OpenSearch. E.g. with 'ops.prod.domain.com', OpenSearch is reached via 'opensearch.ops.prod.domain.com'.

gpu

Configure the GPU Operator and its dependencies

Key Type Default Description
gpu.daemonsets object Configure GPU Daemonsets
gpu.daemonsets.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
gpu.devicePlugin object Configuration for the device plugin, e.g. timeslicing
gpu.enabled boolean
gpu.extraMetrics boolean Adds some profiling metrics in DCGM if it's available in your GPU setup
gpu.mig object Configure MIG options like strategy
gpu.mig.strategy string See note
gpu.nodeFeatureDiscovery object Configure Node Feature Discovery
gpu.nodeFeatureDiscovery.controlPlane object Configure Node Feature Discovery Control Plane
gpu.nodeFeatureDiscovery.controlPlane.affinity object Affinity is a group of affinity scheduling rules.
gpu.nodeFeatureDiscovery.controlPlane.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
gpu.nodeFeatureDiscovery.controlPlane.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
gpu.nodeFeatureDiscovery.controlPlane.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
gpu.nodeFeatureDiscovery.controlPlane.resources object See note
gpu.nodeFeatureDiscovery.controlPlane.resources.limits object
gpu.nodeFeatureDiscovery.controlPlane.resources.requests object
gpu.nodeFeatureDiscovery.controlPlane.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
gpu.nodeFeatureDiscovery.worker object Configure Node Feature Discovery workers
gpu.nodeFeatureDiscovery.worker.affinity object Affinity is a group of affinity scheduling rules.
gpu.nodeFeatureDiscovery.worker.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
gpu.nodeFeatureDiscovery.worker.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
gpu.nodeFeatureDiscovery.worker.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
gpu.nodeFeatureDiscovery.worker.resources object See note
gpu.nodeFeatureDiscovery.worker.resources.limits object
gpu.nodeFeatureDiscovery.worker.resources.requests object
gpu.nodeFeatureDiscovery.worker.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
gpu.operator object Configure GPU Operator
gpu.operator.affinity object Affinity is a group of affinity scheduling rules.
gpu.operator.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
gpu.operator.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
gpu.operator.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
gpu.operator.resources object See note
gpu.operator.resources.limits object
gpu.operator.resources.requests object
gpu.operator.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration

Notes for gpu.mig.strategy

none ignores MIG entirely, single makes MIG devices a standard GPU resource, and shared creates one resource type for each MIG configuration.

Possible values:

mixed
single
none

Notes for gpu.nodeFeatureDiscovery.controlPlane.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for gpu.nodeFeatureDiscovery.worker.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for gpu.operator.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

grafana

Configure Grafana, the metrics visualisation dashboard.

Welkin hosts two instances of Grafana: one for the Platform Administrator and one for the Application Developer.

Note

Grafana is installed in the service cluster, so this configuration mainly applies there.

Key Type Default Description
grafana.ops object Configure Grafana.
grafana.ops.additionalConfigValues string
grafana.ops.additionalDatasources object
grafana.ops.affinity object Affinity is a group of affinity scheduling rules.
grafana.ops.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
grafana.ops.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
grafana.ops.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
grafana.ops.dataproxy object Configure Grafana dataproxy values
grafana.ops.dataproxy.timeout number 600
grafana.ops.enabled boolean True
grafana.ops.nodeSelector object See note
grafana.ops.oidc object Configure authentication to Grafana via Dex.
grafana.ops.oidc.allowedDomains[] array of string Configure the domains of the users allowed to authenticate to Grafana.
grafana.ops.oidc.enabled boolean True
grafana.ops.oidc.scopes string openid profile email groups
grafana.ops.oidc.skipRoleSync boolean When enabled, user roles can be managed within Grafana instead of being synced from OIDC groups.
grafana.ops.oidc.userGroups object Configure the roles for groups.
grafana.ops.oidc.userGroups.grafanaAdmin string grafana_admin
grafana.ops.oidc.userGroups.grafanaEditor string grafana_editor
grafana.ops.oidc.userGroups.grafanaViewer string grafana_viewer
grafana.ops.plugins[] array
grafana.ops.resources object See note
grafana.ops.resources.limits object
grafana.ops.resources.requests object
grafana.ops.sidecar object Configure the sidecar provisioning dashboards from ConfigMaps in Grafana.
grafana.ops.sidecar.resources object See note
grafana.ops.sidecar.resources.limits object
grafana.ops.sidecar.resources.requests object
grafana.ops.subdomain string grafana See note
grafana.ops.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
grafana.ops.trailingDots boolean True See note
grafana.ops.viewersCanEdit boolean True
grafana.user object Configure Grafana.
grafana.user.additionalConfigValues string
grafana.user.additionalDatasources object
grafana.user.affinity object Affinity is a group of affinity scheduling rules.
grafana.user.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
grafana.user.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
grafana.user.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
grafana.user.dataproxy object Configure Grafana dataproxy values
grafana.user.dataproxy.timeout number 600
grafana.user.enabled boolean True
grafana.user.nodeSelector object See note
grafana.user.oidc object Configure authentication to Grafana via Dex.
grafana.user.oidc.allowedDomains[] array of string Configure the domains of the users allowed to authenticate to Grafana.
grafana.user.oidc.enabled boolean True
grafana.user.oidc.scopes string openid profile email groups
grafana.user.oidc.skipRoleSync boolean When enabled, user roles can be managed within Grafana instead of being synced from OIDC groups.
grafana.user.oidc.userGroups object Configure the roles for groups.
grafana.user.oidc.userGroups.grafanaAdmin string grafana_admin
grafana.user.oidc.userGroups.grafanaEditor string grafana_editor
grafana.user.oidc.userGroups.grafanaViewer string grafana_viewer
grafana.user.plugins[] array
grafana.user.resources object See note
grafana.user.resources.limits object
grafana.user.resources.requests object
grafana.user.sidecar object Configure the sidecar provisioning dashboards from ConfigMaps in Grafana.
grafana.user.sidecar.resources object See note
grafana.user.sidecar.resources.limits object
grafana.user.sidecar.resources.requests object
grafana.user.subdomain string grafana See note
grafana.user.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
grafana.user.trailingDots boolean True See note
grafana.user.viewersCanEdit boolean True

Notes for grafana.ops.nodeSelector

Kubernetes node selector

Kubernetes assign pod node

Examples:

{'kubernetes.io/os': 'linux'}

Notes for grafana.ops.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for grafana.ops.sidecar.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for grafana.ops.subdomain

For Admin Grafana, the subdomain of opsDomain that the Ingress to Admin Grafana will be created with.

For Dev Grafana, the subdomain of baseDomain that the Ingress to Dev Grafana will be created with.

Note

Must be set for both service and workload clusters.

Notes for grafana.ops.trailingDots

Configure Grafana to use absolute domain names.

Warning

Some operating systems and web browsers may have problems accessing Grafana with this enabled.

Notes for grafana.user.nodeSelector

Kubernetes node selector

Kubernetes assign pod node

Examples:

{'kubernetes.io/os': 'linux'}

Notes for grafana.user.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for grafana.user.sidecar.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for grafana.user.subdomain

For Admin Grafana, the subdomain of opsDomain that the Ingress to Admin Grafana will be created with.

For Dev Grafana, the subdomain of baseDomain that the Ingress to Dev Grafana will be created with.

Note

Must be set for both service and workload clusters.

Notes for grafana.user.trailingDots

Configure Grafana to use absolute domain names.

Warning

Some operating systems and web browsers may have problems accessing Grafana with this enabled.

grafanaLabelEnforcer

Configure Grafana Label Enforcer, responsible for filtering metrics from different clusters for Grafana datasources.

Notes for grafanaLabelEnforcer.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

harbor

Configuration options for Harbor.

Harbor is a container registry that is deployed for application developers to use when deploying their applications.

Note

See the upstream documentation for reference. Not all config variables that exist in Harbor are exposed via our config.

Key Type Default Description
harbor.alerts object Configuration options for Harbor Alerts.
harbor.alerts.maxTotalArtifacts number 3000 Alert when the total number of artifacts is above the set number.
harbor.alerts.maxTotalStorageUsedGB number 1500 Alert when the total storage usage is above the set number.
harbor.backup object Configuration options for Backup Job.
harbor.backup.enabled boolean True
harbor.backup.ephemeralBackupStore object EphemeralBackupStore configuration for Harbor

StorageSize defines how large the ephemeral volumes will be.
harbor.backup.ephemeralBackupStore.enabled boolean
harbor.backup.ephemeralBackupStore.storageSize string 10Gi
harbor.backup.retentionDays number 7 RetentionDays defines how old a backup may be before it is deleted.
harbor.backup.schedule string
harbor.core object Configuration options for Core.
harbor.core.affinity object Affinity is a group of affinity scheduling rules.
harbor.core.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
harbor.core.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
harbor.core.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
harbor.core.replicas number 1 Number of Core pods
harbor.core.resources object See note
harbor.core.resources.limits object
harbor.core.resources.requests object
harbor.database object See note
harbor.database.external object Configuration options for External Database.
harbor.database.external.coreDatabase string registry Name of the database for Core
harbor.database.external.notaryServerDatabase string notaryserver Name of the database for Notary Server
harbor.database.external.notarySignerDatabase string notarysigner Name of the database for Notary Signer
harbor.database.external.port string 5432 Database listening port
harbor.database.external.sslmode string disable See note
harbor.database.internal object Configuration options for Internal Database.
harbor.database.internal.affinity object Affinity is a group of affinity scheduling rules.
harbor.database.internal.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
harbor.database.internal.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
harbor.database.internal.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
harbor.database.internal.persistentVolumeClaim object PersistentVolumeClaim
harbor.database.internal.persistentVolumeClaim.size string 1Gi
harbor.database.internal.resources object See note
harbor.database.internal.resources.limits object
harbor.database.internal.resources.requests object
harbor.database.type string internal
harbor.enabled boolean True
harbor.exporter object Configuration options for Exporter.
harbor.exporter.external object External configuration
harbor.exporter.external.coreDatabase string See note
harbor.exporter.external.port string See note
harbor.exporter.resources object See note
harbor.exporter.resources.limits object
harbor.exporter.resources.requests object
harbor.gc object Configuration options for GC (Garbage Collection).
harbor.gc.enabled boolean True
harbor.gc.forceConfigure boolean
harbor.gc.schedule string 0 0 0 * * SUN See note
harbor.ingress object Configuration options for Ingress.
harbor.ingress.additionalAnnotations object
harbor.ingress.defaultAnnotations object Default annotations for ingress
harbor.ingress.defaultAnnotations.nginx.ingress.kubernetes.io/proxy-buffering string
harbor.ingress.defaultAnnotations.nginx.ingress.kubernetes.io/proxy-request-buffering string
harbor.jobservice object Configuration options for Jobservice.
harbor.jobservice.affinity object Affinity is a group of affinity scheduling rules.
harbor.jobservice.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
harbor.jobservice.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
harbor.jobservice.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
harbor.jobservice.jobLog object Job log configuration
harbor.jobservice.jobLog.persistentVolumeClaim object PersistentVolumeClaim
harbor.jobservice.jobLog.persistentVolumeClaim.size string 1Gi
harbor.jobservice.jobLoggers[] array of string Configuration options for JobLoggers
harbor.jobservice.replicas number 1 Number of Jobservice pods
harbor.jobservice.resources object See note
harbor.jobservice.resources.limits object
harbor.jobservice.resources.requests object
harbor.jobservice.scanDataExports object Scan data exports configuration
harbor.jobservice.scanDataExports.persistentVolumeClaim object PersistentVolumeClaim
harbor.jobservice.scanDataExports.persistentVolumeClaim.size string 1Gi
harbor.mpuCleaner object Configuration options for MultipartUpload cleaner job
harbor.mpuCleaner.enabled boolean True
harbor.mpuCleaner.maxAgeDays number 7 maxAgeDays defines how old an unfinished multipart upload is allowed to be before it is deleted.
harbor.mpuCleaner.schedule string
harbor.nodeSelector object See note
harbor.notary object Configuration options for Notary.
harbor.notary.affinity object Affinity is a group of affinity scheduling rules.
harbor.notary.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
harbor.notary.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
harbor.notary.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
harbor.notary.replicas number 1
harbor.notary.resources object See note
harbor.notary.resources.limits object
harbor.notary.resources.requests object
harbor.notary.subdomain string notary.harbor
harbor.notarySigner object Configuration options for Notary signer.
harbor.notarySigner.affinity object Affinity is a group of affinity scheduling rules.
harbor.notarySigner.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
harbor.notarySigner.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
harbor.notarySigner.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
harbor.notarySigner.resources object See note
harbor.notarySigner.resources.limits object
harbor.notarySigner.resources.requests object
harbor.oidc object Configuration options for OIDC.
harbor.oidc.adminGroupName string
harbor.oidc.groupClaimName string groups
harbor.oidc.scope string openid,email,profile,offline_access,groups
harbor.persistence object Configuration options for Persistence.
harbor.persistence.disableRedirect boolean See note
harbor.persistence.type string See note
harbor.portal object Configuration options for Portal.
harbor.portal.affinity object Affinity is a group of affinity scheduling rules.
harbor.portal.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
harbor.portal.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
harbor.portal.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
harbor.portal.replicas number 1
harbor.portal.resources object See note
harbor.portal.resources.limits object
harbor.portal.resources.requests object
harbor.redis object See note
harbor.redis.external object Configuration options when external Redis is set
harbor.redis.external.addr string See note
harbor.redis.external.sentinelMasterSet string
harbor.redis.internal object Configuration options when internal Redis is set
harbor.redis.internal.affinity object Affinity is a group of affinity scheduling rules.
harbor.redis.internal.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
harbor.redis.internal.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
harbor.redis.internal.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
harbor.redis.internal.persistentVolumeClaim object PersistentVolumeClaim
harbor.redis.internal.persistentVolumeClaim.size string 1Gi
harbor.redis.internal.resources object See note
harbor.redis.internal.resources.limits object
harbor.redis.internal.resources.requests object
harbor.redis.type string internal
harbor.registry object Registry configuration
harbor.registry.affinity object Affinity is a group of affinity scheduling rules.
harbor.registry.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
harbor.registry.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
harbor.registry.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
harbor.registry.controller object Controller configuration
harbor.registry.controller.resources object See note
harbor.registry.controller.resources.limits object
harbor.registry.controller.resources.requests object
harbor.registry.persistentVolumeClaim object PersistentVolumeClaim
harbor.registry.persistentVolumeClaim.size string 1Gi
harbor.registry.replicas number 1
harbor.registry.resources object See note
harbor.registry.resources.limits object
harbor.registry.resources.requests object
harbor.s3 object Configuration options for S3.

Storage Driver S3
harbor.s3.multipartcopychunksize integer, string Default chunk size for all but the last S3 Multipart Upload part when copying stored objects.
harbor.s3.multipartcopymaxconcurrency integer, string Max number of concurrent S3 Multipart Upload operations when copying stored objects.
harbor.s3.multipartcopythresholdsize string 536870912 Default object size above which S3 Multipart Upload will be used when copying stored objects.
harbor.subdomain string harbor
harbor.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
harbor.trivy object Configuration options for Trivy.
harbor.trivy.affinity object Affinity is a group of affinity scheduling rules.
harbor.trivy.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
harbor.trivy.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
harbor.trivy.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
harbor.trivy.extraEnvVars[] array of object Array of additional environment variables to pass to Trivy

name/value combination
harbor.trivy.persistentVolumeClaim object PersistentVolumeClaim
harbor.trivy.persistentVolumeClaim.size string 1Gi
harbor.trivy.replicas number 1
harbor.trivy.resources object See note
harbor.trivy.resources.limits object
harbor.trivy.resources.requests object

Notes for harbor.core.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for harbor.database

Configuration options for Database used by Harbor

Set type to define which type of database Harbor should use.

Only one of external or internal database can be enabled at a time.

External: Defines an external postgres that Harbor will use. For more details on how to configure Harbor to use an external database, check the README.

Internal: Use the internal database that is packaged with Harbor.

Notes for harbor.database.external.sslmode

Possible values:

disable
require
verify-ca
verify-full

Notes for harbor.database.internal.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for harbor.exporter.external.coreDatabase

Examples:

registry

Notes for harbor.exporter.external.port

Examples:

5432

Notes for harbor.exporter.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for harbor.gc.schedule

Defines a cron schedule for when the garbage collection job should run. Uses a special cron format that adds "seconds" as the first field. Field order: seconds, minutes, hours, day of month, month, day of week.

Notes for harbor.jobservice.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for harbor.nodeSelector

Kubernetes node selector

Kubernetes assign pod node

Examples:

{'kubernetes.io/os': 'linux'}

Notes for harbor.notary.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for harbor.notarySigner.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for harbor.persistence.disableRedirect

Controls whether the Harbor registry redirects users to the object storage endpoint. Set this to true if the object storage is not reachable by users when pushing images to Harbor, e.g. if you run into this timeout error:

dial tcp <IP>:<PORT>: i/o timeout

Notes for harbor.persistence.type

This should match what is set in the global config.

Possible values:

filesystem
swift
objectStorage

Notes for harbor.portal.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for harbor.redis

Configuration options for Redis used by Harbor

Set type to define which type of redis Harbor should use.

Only one of external or internal redis can be enabled at a time.

External: Defines an external redis that Harbor will use. For more details on how to configure Harbor to use an external redis, check the README.

Internal: Use the internal redis that is packaged with Harbor.

Notes for harbor.redis.external.addr

Examples:

rfs-redis-harbor.redis-system.svc.cluster.local:26379

Notes for harbor.redis.internal.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for harbor.registry.controller.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for harbor.registry.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for harbor.trivy.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

hnc

Configuration for Hierarchical Namespace Controller.

Key Type Default Description
hnc.additionalAllowPropagateResources[] array of object See note
hnc.enabled boolean True Enable HNC
hnc.excludedNamespaces[] array of string See note
hnc.ha boolean True Enable HA mode for hnc webhooks.
hnc.includedNamespacesRegex string See note
hnc.managedNamespaceAnnotations[] array of string Annotations that will be propagated to subnamespaces (allows regex).
hnc.managedNamespaceLabels[] array of string Labels that will be propagated to subnamespaces (allows regex).

Labels in particular must also be configured in the HierarchyConfiguration object to be propagated.
hnc.manager object This describes, so to speak, the base class for Welkin resources.
hnc.manager.affinity object Affinity is a group of affinity scheduling rules.
hnc.manager.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
hnc.manager.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
hnc.manager.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
hnc.manager.enabled boolean
hnc.manager.extraArgs[] array of string Extra arguments passed to a container
hnc.manager.nodeSelector object See note
hnc.manager.resources object See note
hnc.manager.resources.limits object
hnc.manager.resources.requests object
hnc.manager.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
hnc.manager.topologySpreadConstraints[] array TopologySpreadConstraints describes how pods should spread across topology domains.
hnc.serviceMonitor object Service monitor for Hierarchical Namespace Controller.
hnc.serviceMonitor.relabelings[] array Relabeling
hnc.unpropagatedAnnotations[] array Annotations that will be stripped from propagated objects
hnc.webhook object Webhook for Hierarchical Namespace Controller.
hnc.webhook.affinity object Affinity is a group of affinity scheduling rules.
hnc.webhook.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
hnc.webhook.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
hnc.webhook.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
hnc.webhook.nodeSelector object See note
hnc.webhook.replicaCount integer
hnc.webhook.resources object See note
hnc.webhook.resources.limits object
hnc.webhook.resources.requests object
hnc.webhook.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
hnc.webhook.topologySpreadConstraints[] array TopologySpreadConstraints describes how pods should spread across topology domains.
hnc.webhookMatchConditions boolean Fine-grained match conditions for the webhook.

This feature is only available in Kubernetes v1.28+.

Notes for hnc.additionalAllowPropagateResources[]

Additional resources to enable opt-in propagation for. Objects that should be propagated must carry one of the annotations listed at https://github.com/kubernetes-sigs/hierarchical-namespaces/blob/master/docs/user-guide/how-to.md#limit-the-propagation-of-an-object-to-descendant-namespaces

Additional allow propagate resources for hnc.

Examples:

{'resource': 'secrets'}
{'resource': 'networkpolicies', 'group': 'networking.k8s.io'}

Notes for hnc.excludedNamespaces[]

Namespaces excluded by HNC. Here you can configure a list of namespaces to exclude from HNC, in addition to the default excluded namespaces.

Including and excluding namespaces

Notes for hnc.includedNamespacesRegex

Included namespaces; an empty string includes all.

Including and excluding namespaces

Notes for hnc.manager.nodeSelector

Kubernetes node selector

Kubernetes assign pod node

Examples:

{'kubernetes.io/os': 'linux'}

Notes for hnc.manager.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for hnc.webhook.nodeSelector

Kubernetes node selector

Kubernetes assign pod node

Examples:

{'kubernetes.io/os': 'linux'}

Notes for hnc.webhook.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

images

Configure individual container URI for images of all Welkin components, and (optionally) enable support for global registry and/or repository.

Key Type Default Description
images.calico object calico stack image configuration
images.calico.accountant string See note
images.certManager object cert-manager stack image configuration
images.certManager.cainjector string See note
images.certManager.controller string See note
images.certManager.startupapicheck string See note
images.certManager.webhook string See note
images.dex object dex stack image configuration
images.dex.image string See note
images.externalDns object external-dns stack image configuration
images.externalDns.image string See note
images.falco object falco stack image configuration
images.falco.driverLoaderInit string See note
images.falco.falcoctl string See note
images.falco.image string See note
images.falco.sidekick string See note
images.fluentd object fluentd stack image configuration
images.fluentd.aggregator string See note
images.fluentd.forwarder string See note
images.fluentd.logManager string See note
images.gatekeeper object gatekeeper stack image configuration
images.gatekeeper.image string See note
images.gatekeeper.kubectl string See note
images.gatekeeper.postInstallLabelNamespace string See note
images.gatekeeper.preInstallCRDs string See note
images.global object See note
images.global.registry object If enabled, it will be used as the registry of images that don't supply their own.
images.global.registry.enabled boolean
images.global.registry.uri string See note
images.global.repository object If enabled, it will be used as the repository of images that don't supply their own.
images.global.repository.enabled boolean
images.global.repository.uri string See note
images.gpuOperator object gpu-operator stack image configuration
images.gpuOperator.nodeFeatureDiscovery string See note
images.gpuOperator.operator string See note
images.harbor object harbor stack image configuration
images.harbor.backupJob string See note
images.harbor.core string See note
images.harbor.database string See note
images.harbor.exporter string See note
images.harbor.initJob string See note
images.harbor.jobservice string See note
images.harbor.mpuCleaner string See note
images.harbor.portal string See note
images.harbor.redis string See note
images.harbor.registry string See note
images.harbor.registryController string See note
images.harbor.trivyAdapter string See note
images.hnc object hnc stack image configuration
images.hnc.image string See note
images.ingressNginx object ingress-nginx stack image configuration
images.ingressNginx.admissionWebhooksPatch string See note
images.ingressNginx.controller string See note
images.ingressNginx.controllerChroot string See note
images.ingressNginx.defaultBackend string See note
images.ingressNginx.fileCopier string See note
images.kured object kured stack image configuration
images.kured.image string See note
images.kyverno object kyverno stack image configuration
images.kyverno.crdsMigration string See note
images.kyverno.init string See note
images.kyverno.main string See note
images.kyverno.webhooksCleanup string See note
images.monitoring object monitoring stack image configuration
images.monitoring.admissionWebhooksPatch string See note
images.monitoring.alertmanager string See note
images.monitoring.blackboxExporter string See note
images.monitoring.configReloader string See note
images.monitoring.grafana string See note
images.monitoring.grafanaLabelEnforcer string See note
images.monitoring.grafanaSidecar string See note
images.monitoring.kubeStateMetrics string See note
images.monitoring.metricsServer string See note
images.monitoring.nodeExporter string See note
images.monitoring.prometheus string See note
images.monitoring.prometheusOperator string See note
images.monitoring.s3Exporter string See note
images.monitoring.trivyOperator string See note
images.nodeLocalDns object node-local-dns stack image configuration
images.nodeLocalDns.image string See note
images.opensearch object opensearch stack image configuration
images.opensearch.configurerJob string See note
images.opensearch.curatorCronjob string See note
images.opensearch.dashboards string See note
images.opensearch.exporter string See note
images.opensearch.image string See note
images.opensearch.initSysctl string See note
images.rclone object rclone stack image configuration
images.rclone.image string See note
images.tekton object tekton stack image configuration
images.tekton.controller string See note
images.tekton.remoteResolvers string See note
images.tekton.webhook string See note
images.thanos object thanos stack image configuration
images.thanos.image string See note
images.velero object velero stack image configuration
images.velero.image string See note
images.velero.kubectl string See note
images.velero.pluginAws string See note
images.velero.pluginAzure string See note
images.velero.pluginCsi string See note
images.velero.pluginGcp string See note

Notes for images.calico.accountant

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.certManager.cainjector

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.certManager.controller

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.certManager.startupapicheck

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.certManager.webhook

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.dex.image

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.externalDns.image

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.falco.driverLoaderInit

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.falco.falcoctl

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.falco.image

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.falco.sidekick

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.fluentd.aggregator

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.fluentd.forwarder

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.fluentd.logManager

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.gatekeeper.image

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.gatekeeper.kubectl

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.gatekeeper.postInstallLabelNamespace

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.gatekeeper.preInstallCRDs

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.global

Global image registry and repository settings.

If a global registry is supplied and enabled, and an image is specified that doesn't have a registry, the global registry will be used instead.

If a global repository is supplied and enabled, and an image is specified that doesn't have a repository, the global repository will be used instead.
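The fallback rule described above, worked through as an added example (this is not Welkin's own code). It splits an image URI into registry, repository, name, tag and digest, fills in the global registry and repository only when the image does not carry its own, and reports whether the resulting reference is pinned by digest. The split rule (the first path component is a registry only if it contains a "." or ":" or is "localhost") is the Docker reference convention and is an assumption about how Welkin parses images; the config dictionary shape mirrors the images.global keys in the table.

```python
"""Resolve image URIs against images.global registry/repository settings.

Added example, not Welkin's own code. Assumption: a leading path
component counts as a registry only if it contains '.' or ':' or is
'localhost' (the Docker reference convention).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ImageRef:
    registry: Optional[str]
    repository: Optional[str]
    name: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image(uri: str) -> ImageRef:
    """Split 'registry/repository/name:tag@digest' into its parts."""
    rest, digest = uri, None
    if "@" in rest:
        rest, digest = rest.split("@", 1)
    # A tag is the text after the last ':' only if that ':' comes after
    # the last '/', otherwise the ':' belongs to a registry port.
    tag = None
    if rest.rfind(":") > rest.rfind("/"):
        rest, tag = rest.rsplit(":", 1)
    parts = rest.split("/")
    registry = None
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry = parts.pop(0)
    name = parts.pop()
    repository = "/".join(parts) if parts else None
    return ImageRef(registry, repository, name, tag, digest)


def resolve(uri: str, global_cfg: dict) -> ImageRef:
    """Apply images.global fallbacks: only fill parts the image lacks."""
    ref = parse_image(uri)
    reg = global_cfg.get("registry", {})
    repo = global_cfg.get("repository", {})
    if ref.registry is None and reg.get("enabled") and reg.get("uri"):
        ref.registry = reg["uri"]
    if ref.repository is None and repo.get("enabled") and repo.get("uri"):
        ref.repository = repo["uri"]
    return ref


def render(ref: ImageRef) -> str:
    """Reassemble an ImageRef into a pullable URI string."""
    out = "/".join([p for p in (ref.registry, ref.repository) if p] + [ref.name])
    if ref.tag:
        out += ":" + ref.tag
    if ref.digest:
        out += "@" + ref.digest
    return out


def is_digest_pinned(ref: ImageRef) -> bool:
    """True when the reference is immutable (pinned by sha256 digest)."""
    return ref.digest is not None and ref.digest.startswith("sha256:")


if __name__ == "__main__":
    # Constructed config mirroring the images.global keys from the table.
    cfg = {"registry": {"enabled": True, "uri": "registry.k8s.io"},
           "repository": {"enabled": True, "uri": "ingress-nginx"}}
    for uri in ("controller-chroot:v1.12.1",
                "ingress-nginx/controller-chroot:v1.12.1",
                "localhost:5000/controller-chroot:v1.12.1"):
        ref = resolve(uri, cfg)
        print(uri, "->", render(ref), "pinned:", is_digest_pinned(ref))
```

A reference that already names its registry or repository is left untouched, so a tag-only value like `controller-chroot:v1.12.1` is the case the global settings are meant for. The digest check is worth running over the resolved table: images.* examples on this page are all pinned by sha256, and a mutable tag silently resolved through a global registry is exactly the kind of reference an attacker-controlled or compromised registry could serve differently over time.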

Notes for images.global.registry.uri

Examples:

registry.k8s.io

Notes for images.global.repository.uri

Examples:

ingress-nginx

Notes for images.gpuOperator.nodeFeatureDiscovery

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.gpuOperator.operator

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.harbor.backupJob

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.harbor.core

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.harbor.database

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.harbor.exporter

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.harbor.initJob

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.harbor.jobservice

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.harbor.mpuCleaner

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.harbor.portal

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.harbor.redis

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.harbor.registry

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.harbor.registryController

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.harbor.trivyAdapter

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.hnc.image

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.ingressNginx.admissionWebhooksPatch

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.ingressNginx.controller

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.ingressNginx.controllerChroot

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.ingressNginx.defaultBackend

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.ingressNginx.fileCopier

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.kured.image

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.kyverno.crdsMigration

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.kyverno.init

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.kyverno.main

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.kyverno.webhooksCleanup

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.monitoring.admissionWebhooksPatch

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.monitoring.alertmanager

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.monitoring.blackboxExporter

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.monitoring.configReloader

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.monitoring.grafana

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.monitoring.grafanaLabelEnforcer

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.monitoring.grafanaSidecar

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.monitoring.kubeStateMetrics

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.monitoring.metricsServer

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.monitoring.nodeExporter

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.monitoring.prometheus

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.monitoring.prometheusOperator

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.monitoring.s3Exporter

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.monitoring.trivyOperator

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.nodeLocalDns.image

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.opensearch.configurerJob

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.opensearch.curatorCronjob

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.opensearch.dashboards

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.opensearch.exporter

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.opensearch.image

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.opensearch.initSysctl

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.rclone.image

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.tekton.controller

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.tekton.remoteResolvers

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.tekton.webhook

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.thanos.image

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.velero.image

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.velero.kubectl

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.velero.pluginAws

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.velero.pluginAzure

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.velero.pluginCsi

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

Notes for images.velero.pluginGcp

Examples:

registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e

ingressNginx

Configure Ingress-NGINX, the ingress controller.

Key Type Default Description
ingressNginx.controller object Configure the controller daemonset of Ingress-NGINX.
ingressNginx.controller.additionalConfig object See note
ingressNginx.controller.affinity object Affinity is a group of affinity scheduling rules.
ingressNginx.controller.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
ingressNginx.controller.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
ingressNginx.controller.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
ingressNginx.controller.allowSnippetAnnotations boolean See note
ingressNginx.controller.chroot boolean True See note
ingressNginx.controller.config object Configure the Ingress-NGINX controller.
ingressNginx.controller.config.annotationsRiskLevel string Critical See note
ingressNginx.controller.config.useProxyProtocol boolean
ingressNginx.controller.enableAnnotationValidations boolean True When enabled, annotations on Ingress resources are validated.

This is disabled by default due to the maturity of the feature and lack of documentation.
ingressNginx.controller.enablepublishService boolean See note
ingressNginx.controller.extraArgs object Configure extra args to pass to Ingress NGINX Controller.
ingressNginx.controller.extraEnvs[] array Configure extra environment variables to Ingress NGINX Controller.
ingressNginx.controller.nodeSelector object See note
ingressNginx.controller.resources object See note
ingressNginx.controller.resources.limits object
ingressNginx.controller.resources.requests object
ingressNginx.controller.service object Configure the Service for traffic to Ingress-NGINX.
ingressNginx.controller.service.allocateLoadBalancerNodePorts boolean See note
ingressNginx.controller.service.annotations object
ingressNginx.controller.service.clusterIP string
ingressNginx.controller.service.enabled boolean
ingressNginx.controller.service.internal object Configure the Internal Service for traffic to Ingress-NGINX.
ingressNginx.controller.service.internal.allocateLoadBalancerNodePorts boolean See note
ingressNginx.controller.service.internal.annotations object
ingressNginx.controller.service.internal.clusterIP string
ingressNginx.controller.service.internal.enabled boolean
ingressNginx.controller.service.internal.ipFamilyPolicy string SingleStack See note
ingressNginx.controller.service.internal.loadBalancerIP string See note
ingressNginx.controller.service.internal.loadBalancerSourceRanges[] array of string Configure the source ranges to allow via the Load Balancer Service.
ingressNginx.controller.service.internal.nodePorts object Configure the node ports to allocate for the Service.
ingressNginx.controller.service.internal.nodePorts.http integer
ingressNginx.controller.service.internal.nodePorts.https integer
ingressNginx.controller.service.internal.type string See note
ingressNginx.controller.service.ipFamilies[] array of string ['IPv4'] See note
ingressNginx.controller.service.ipFamilyPolicy string SingleStack See note
ingressNginx.controller.service.loadBalancerIP string See note
ingressNginx.controller.service.loadBalancerSourceRanges[] array of string Configure the source ranges to allow via the Load Balancer Service.
ingressNginx.controller.service.nodePorts object Configure the node ports to allocate for the Service.
ingressNginx.controller.service.nodePorts.http integer
ingressNginx.controller.service.nodePorts.https integer
ingressNginx.controller.service.type string See note
ingressNginx.controller.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
ingressNginx.controller.useHostPort boolean When enabled, ingress traffic is forwarded directly from the target ports on the nodes to Ingress-NGINX.

This requires the namespace to use the privileged Pod Security Standard.
ingressNginx.defaultBackend object Configure the default backend deployment of Ingress-NGINX.
ingressNginx.defaultBackend.affinity object Affinity is a group of affinity scheduling rules.
ingressNginx.defaultBackend.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
ingressNginx.defaultBackend.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
ingressNginx.defaultBackend.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
ingressNginx.defaultBackend.nodeSelector object See note
ingressNginx.defaultBackend.resources object See note
ingressNginx.defaultBackend.resources.limits object
ingressNginx.defaultBackend.resources.requests object
ingressNginx.defaultBackend.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
ingressNginx.defaultBackend.topologySpreadConstraints[] array TopologySpreadConstraints describes how pods should spread across topology domains.
ingressNginx.subDomain string

Notes for ingressNginx.controller.additionalConfig

Configure additional configuration for Ingress-NGINX controller.

Note

See the upstream documentation for reference.

Notes for ingressNginx.controller.allowSnippetAnnotations

When enabled, annotations on Ingress resources can add snippets to the NGINX configuration.

Danger

Only enable this after evaluating the risks it poses.

Note

See the upstream documentation for reference.

Notes for ingressNginx.controller.chroot

When enabled, NGINX itself will run in a chroot under the controller namespace for increased separation between the controller and the proxy.

This requires a special seccomp profile to be available, provided by a separate DaemonSet, to give the controller the SYS_ADMIN capability.

Notes for ingressNginx.controller.config.annotationsRiskLevel

Configure the accepted risk level of annotations on Ingress resources.

Note

See the upstream documentation for reference.

Possible values:

Critical
High
Medium
Low

Notes for ingressNginx.controller.enablepublishService

When enabled, the IP or FQDN reported as the external address of the Service in the Ingress status field can be customised.

When disabled, the IPs of the nodes where the controller pods are running are reported.

Notes for ingressNginx.controller.nodeSelector

Kubernetes node selector

Kubernetes assign pod node

Examples:

{'kubernetes.io/os': 'linux'}

Notes for ingressNginx.controller.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for ingressNginx.controller.service.allocateLoadBalancerNodePorts

When enabled, node ports will be allocated for the Load Balancer Service.

This should be enabled when the cluster is fronted by a proxy load balancer, regardless of whether it is external or internal, and disabled if the cluster uses direct routing of ingress traffic.

See reference

Notes for ingressNginx.controller.service.internal.allocateLoadBalancerNodePorts

When enabled, node ports will be allocated for the Load Balancer Service.

This should be enabled when the cluster is fronted by a proxy load balancer, regardless of whether it is external or internal, and disabled if the cluster uses direct routing of ingress traffic.

See reference

Notes for ingressNginx.controller.service.internal.ipFamilyPolicy

Represents the dual-stack-ness requested or required by this Service. When utilizing an internal load balancer service (i.e. MetalLB), set this field to "RequireDualStack" if you want both IPv4 and IPv6 connectivity. The ipFamilies and clusterIPs fields depend on the value of this field.

See reference

Possible values:

SingleStack
PreferDualStack
RequireDualStack

Notes for ingressNginx.controller.service.internal.loadBalancerIP

Configure the Load Balancer IP to use an existing IP if supported by the infrastructure provider.

Important

With OpenStack Octavia the floating IP can be created via the CLI beforehand, and one should set the annotation loadbalancer.openstack.org/keep-floatingip: "true" to prevent the floating IP from being deleted.

Notes for ingressNginx.controller.service.internal.type

Configure the type of the Service.

Possible values:

ClusterIP
LoadBalancer
NodePort

Notes for ingressNginx.controller.service.ipFamilies[]

List of IP families (e.g. IPv4, IPv6) assigned to the service. Default is IPv4 only. When utilizing an internal load balancer service (i.e. MetalLB), IPv6 also needs to be included for the ingress service to allocate an address in that family.

Notes for ingressNginx.controller.service.ipFamilyPolicy

Represents the dual-stack-ness requested or required by this Service. When utilizing an internal load balancer service (i.e. MetalLB), set this field to "RequireDualStack" if you want both IPv4 and IPv6 connectivity. The ipFamilies and clusterIPs fields depend on the value of this field.

See reference

Possible values:

SingleStack
PreferDualStack
RequireDualStack

Notes for ingressNginx.controller.service.loadBalancerIP

Configure the Load Balancer IP to use an existing IP if supported by the infrastructure provider.

Important

With OpenStack Octavia the floating IP can be created via the CLI beforehand, and one should set the annotation loadbalancer.openstack.org/keep-floatingip: "true" to prevent the floating IP from being deleted.

Notes for ingressNginx.controller.service.type

Configure the type of the Service.

Possible values:

ClusterIP
LoadBalancer
NodePort

Notes for ingressNginx.defaultBackend.nodeSelector

Kubernetes node selector

Kubernetes assign pod node

Examples:

{'kubernetes.io/os': 'linux'}

Notes for ingressNginx.defaultBackend.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

issuers

Configure issuers for cert-manager.

Key Type Default Description
issuers.extraIssuers[] array
issuers.letsencrypt object Configure issuers for cert-manager using Let's Encrypt.
issuers.letsencrypt.enabled boolean True
issuers.letsencrypt.prod object Configure Let's Encrypt production issuer.
issuers.letsencrypt.prod.solvers[] array
issuers.letsencrypt.staging object Configure Let's Encrypt staging issuer.
issuers.letsencrypt.staging.solvers[] array

kubeStateMetrics

Configure the kube-state-metrics exporter.

Key Type Default Description
kubeStateMetrics.resources object See note
kubeStateMetrics.resources.limits object
kubeStateMetrics.resources.requests object

Notes for kubeStateMetrics.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

kured

Configuration for Kured (Kubernetes Reboot Daemon).

Kured orchestrates node reboots to allow nodes to automatically perform system updates and patches.

Key Type Default Description
kured.affinity object Affinity is a group of affinity scheduling rules.
kured.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
kured.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
kured.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
kured.configuration object See note
kured.configuration.drainTimeout string See note
kured.configuration.endTime string 86399 Schedule reboots only before this time of day.
kured.configuration.lockReleaseDelay string See note
kured.configuration.period string See note
kured.configuration.rebootDays[] array of string ['mo', 'tu', 'we', 'th', 'fr', 'sa', 'su'] Only reboot on these days.
kured.configuration.startTime string 0:00 Schedule reboots only after this time of day.
kured.configuration.timeZone string UTC
kured.dsAnnotations object
kured.enabled boolean
kured.extraArgs[] array of string Extra arguments passed to a container
kured.extraEnvVars object
kured.metrics object Configuration for Kured metrics
kured.metrics.enabled boolean True
kured.metrics.interval string See note
kured.metrics.labels object
kured.nodeSelector object See note
kured.notification object Send notification from Kured when nodes are rebooted.
kured.notification.slack object Send notification from Kured to Slack when nodes are rebooted.
kured.notification.slack.channel string
kured.notification.slack.enabled boolean
kured.resources object See note
kured.resources.limits object
kured.resources.requests object
kured.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration

Notes for kured.configuration

Kured configuration parameters.

See the upstream documentation for reference. Most parameters are mapped from camelCase to --kebab-case; others can be set via extraArgs.

Notes for kured.configuration.drainTimeout

A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m".

Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

Examples:

2h45m0s

Notes for kured.configuration.lockReleaseDelay

A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m".

Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

Examples:

2h45m0s

Notes for kured.configuration.period

A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m".

Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

Examples:

2h45m0s

Notes for kured.metrics.interval

A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m".

Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

Examples:

2h45m0s

Notes for kured.nodeSelector

Kubernetes node selector

Kubernetes assign pod node

Examples:

{'kubernetes.io/os': 'linux'}

Notes for kured.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

kyverno

Configure Kyverno and Kyverno Policies

Key Type Default Description
kyverno.enabled boolean
kyverno.nodeAffinity object Affinity is a group of affinity scheduling rules.
kyverno.nodeAffinity.nodeAffinity Describes node affinity scheduling rules for the pod.
kyverno.nodeAffinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
kyverno.nodeAffinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
kyverno.nodeSelector object See note
kyverno.podAffinity object Affinity is a group of affinity scheduling rules.
kyverno.podAffinity.nodeAffinity Describes node affinity scheduling rules for the pod.
kyverno.podAffinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
kyverno.podAffinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
kyverno.policies object Kyverno policies configuration
kyverno.policies.verifyImageSignature object A policy that requires that all images in HNC-controlled namespaces are signed
kyverno.policies.verifyImageSignature.attestor string See note
kyverno.policies.verifyImageSignature.enabled boolean
kyverno.policies.verifyImageSignature.ignoreRekorTlog boolean
kyverno.policies.verifyImageSignature.type string See note
kyverno.resources object See note
kyverno.resources.limits object
kyverno.resources.requests object
kyverno.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
kyverno.topologySpreadConstraints[] array TopologySpreadConstraints describes how pods should spread across topology domains.

Notes for kyverno.nodeSelector

Kubernetes node selector

Kubernetes assign pod node

Examples:

{'kubernetes.io/os': 'linux'}

Notes for kyverno.policies.verifyImageSignature.attestor

A public key (Cosign) or certificate (Notary) used to verify image signatures

Examples:

-----BEGIN PUBLIC KEY-----
MFkwEwY...
-----END PUBLIC KEY-----
-----BEGIN CERTIFICATE-----
MIIDTTCCA...
-----END CERTIFICATE-----

Notes for kyverno.policies.verifyImageSignature.type

Possible values:

Cosign
Notary

Notes for kyverno.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

metricsServer

Configure the metrics-server exporter, used to provide the metrics API in Kubernetes.

Key Type Default Description
metricsServer.affinity object Affinity is a group of affinity scheduling rules.
metricsServer.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
metricsServer.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
metricsServer.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
metricsServer.enabled boolean True
metricsServer.resources object See note
metricsServer.resources.limits object
metricsServer.resources.requests object
metricsServer.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration

Notes for metricsServer.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

networkPlugin

Configure the network plugin used in the cluster.

Key Type Default Description
networkPlugin.calico object Configuration when network plugin is set to calico
networkPlugin.calico.calicoAccountant object Configure Calico accountant, used to collect metrics about packets affected by Network Policies when using Calico.
networkPlugin.calico.calicoAccountant.backend string nftables See note
networkPlugin.calico.calicoAccountant.enabled boolean True
networkPlugin.calico.calicoAccountant.resources object See note
networkPlugin.calico.calicoAccountant.resources.limits object
networkPlugin.calico.calicoAccountant.resources.requests object
networkPlugin.calico.calicoAccountant.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
networkPlugin.calico.calicoFelixMetrics object Configure Calico Felix metrics, used to collect metrics about Calico.
networkPlugin.calico.calicoFelixMetrics.enabled boolean True
networkPlugin.type string See note

Notes for networkPlugin.calico.calicoAccountant.backend

Possible values:

iptables
nftables

Notes for networkPlugin.calico.calicoAccountant.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for networkPlugin.type

Configure the type of network plugin

Possible values:

calico
cilium

networkPolicies

Configure Network Policies.

Most common Network Policy rules can be updated by running ./bin/ck8s update-ips <both|sc|wc>.

Key Type Default Description
networkPolicies.additional string Configure additional network policies.
networkPolicies.additionalEgressPolicies[] array
networkPolicies.additionalIngressPolicies[] array
networkPolicies.alertmanager object Configure Alertmanager network policy rules.
networkPolicies.alertmanager.alertReceivers object Network policy rule

Kubernetes network policies
networkPolicies.alertmanager.alertReceivers.enabled boolean
networkPolicies.alertmanager.alertReceivers.ips[] array of string List of IP netmasks

An IP address with netmask
networkPolicies.alertmanager.alertReceivers.ports[] array of integer A 16-bit unsigned integer
networkPolicies.alertmanager.enabled boolean
networkPolicies.allowedNameSpaces[] array
networkPolicies.certManager object Configure cert-manager network policy rules.
networkPolicies.certManager.dns01 object Configure network policy rule to allow cert-manager to perform DNS-01 challenges.
networkPolicies.certManager.dns01.ips[] array of string List of IP netmasks

An IP address with netmask
networkPolicies.certManager.enabled boolean True
networkPolicies.certManager.http01 object Configure network policy rule to allow cert-manager to perform HTTP-01 challenges on endpoints other than the ingress-controller.
networkPolicies.certManager.http01.ips[] array of string List of IP netmasks

An IP address with netmask
networkPolicies.certManager.letsencrypt object See note
networkPolicies.certManager.namespaces[] array of string See note
networkPolicies.coredns object Configure CoreDNS network policy rules.
networkPolicies.coredns.enabled boolean True
networkPolicies.coredns.externalDns object Configure network policy rule to allow CoreDNS to query the upstream DNS servers.
networkPolicies.coredns.serviceIp object Configure network policy rule to allow CoreDNS to query the internal service IP.
networkPolicies.defaultDeny boolean
networkPolicies.dex object Configure Dex network policy rules.
networkPolicies.dex.connectors object Configure network policy rule to allow Dex to reach configured connectors.
networkPolicies.dex.connectors.ports[] array of integer A 16-bit unsigned integer
networkPolicies.dex.enabled boolean True
networkPolicies.dnsAutoscaler object Configure DNS Autoscaler network policy rules.
networkPolicies.dnsAutoscaler.enabled boolean True
networkPolicies.enableAlerting boolean True
networkPolicies.enabled boolean True
networkPolicies.externalDns object Configure ExternalDNS network policy rules.
networkPolicies.externalDns.enabled boolean
networkPolicies.externalDns.ports[] array of integer A 16-bit unsigned integer
networkPolicies.falco object Configure Falco network policy rules.
networkPolicies.falco.enabled boolean True
networkPolicies.falco.plugins object Configure network policy rules to allow Falco to install plugins during startup.
networkPolicies.falco.plugins.ports[] array of integer A 16-bit unsigned integer
networkPolicies.fluentd object Configure Fluentd network policy rules.
networkPolicies.fluentd.enabled boolean True
networkPolicies.fluentd.extraOutput object Configure extra output egress rules.

This may be used to allow application developers to send logs externally from user Fluentd with extra config and plugins.
networkPolicies.fluentd.extraOutput.ips[] array of string List of IP netmasks

An IP address with netmask
networkPolicies.fluentd.extraOutput.ports[] array of integer A 16-bit unsigned integer
networkPolicies.gatekeeper object Configure Gatekeeper network policy rules.
networkPolicies.gatekeeper.enabled boolean True
networkPolicies.global object Configure global network policy rules.
networkPolicies.global.externalLoadBalancer boolean When enabled, create Network Policy rules for ingress via an external load balancer.
networkPolicies.global.ingressUsingHostNetwork boolean When enabled, create Network Policy rules for ingress via the host network.
networkPolicies.global.objectStorage object See note
networkPolicies.global.objectStorage.ips[] array of string List of IP netmasks

An IP address with netmask
networkPolicies.global.objectStorage.ports[] array of integer A 16-bit unsigned integer
networkPolicies.global.objectStorageSwift object See note
networkPolicies.global.objectStorageSwift.ports[] array of integer A 16-bit unsigned integer
networkPolicies.global.scApiserver object See note
networkPolicies.global.scApiserver.ips[] array of string List of IP netmasks

An IP address with netmask
networkPolicies.global.scApiserver.port integer
networkPolicies.global.scIngress object See note
networkPolicies.global.scIngress.ips[] array of string List of IP netmasks

An IP address with netmask
networkPolicies.global.scNodes object See note
networkPolicies.global.scNodes.ips[] array of string List of IP netmasks

An IP address with netmask
networkPolicies.global.trivy object Configure Trivy network policy rules.

Used for Trivy to fetch vulnerability databases both in Harbor and Trivy Operator.
networkPolicies.global.trivy.port integer
networkPolicies.global.wcApiserver object See note
networkPolicies.global.wcApiserver.ips[] array of string List of IP netmasks

An IP address with netmask
networkPolicies.global.wcApiserver.port integer
networkPolicies.global.wcIngress object See note
networkPolicies.global.wcIngress.ips[] array of string List of IP netmasks

An IP address with netmask
networkPolicies.global.wcNodes object See note
networkPolicies.global.wcNodes.ips[] array of string List of IP netmasks

An IP address with netmask
networkPolicies.harbor object Configure Harbor network policy rules.
networkPolicies.harbor.database object Configure network policies for the database used by Harbor.
networkPolicies.harbor.database.externalEgress object Configure network policy egress rules to the external database of Harbor.
networkPolicies.harbor.database.externalEgress.peers[] array
networkPolicies.harbor.database.externalEgress.ports[] array
networkPolicies.harbor.database.internalIngress object Configure network policy ingress rules to the internal database of Harbor.
networkPolicies.harbor.database.internalIngress.peers[] array
networkPolicies.harbor.database.internalIngress.ports[] array
networkPolicies.harbor.enabled boolean True
networkPolicies.harbor.jobservice object Configure network policies for the job service in Harbor.
networkPolicies.harbor.jobservice.ports[] array of integer A 16-bit unsigned integer
networkPolicies.harbor.redis object Configure network policies for the Redis used by Harbor.
networkPolicies.harbor.redis.externalEgress object Configure network policy egress rules to the external Redis of Harbor.
networkPolicies.harbor.redis.externalEgress.peers[] array
networkPolicies.harbor.redis.externalEgress.ports[] array
networkPolicies.harbor.registries object Configure network policies for external registries used by Harbor.

Applies to harbor-core and harbor-jobservice when replication is enabled.
networkPolicies.harbor.registries.ports[] array of integer A 16-bit unsigned integer
networkPolicies.harbor.trivy object Configure network policies for the Trivy scanner in Harbor.
networkPolicies.harbor.trivy.ports[] array of integer A 16-bit unsigned integer
networkPolicies.ingressNginx object Configure Ingress NGINX network policy rules.
networkPolicies.ingressNginx.enabled boolean True
networkPolicies.ingressNginx.ingressOverride object Configure override to the ingress rules for Ingress NGINX.

Required when cluster ingress uses direct routing.
networkPolicies.ingressNginx.ingressOverride.enabled boolean
networkPolicies.kubeSystem object Configure kube-system network policy rules.
networkPolicies.kubeSystem.enabled boolean True
networkPolicies.kubeSystem.openstack object Configure OpenStack network policy rules.
networkPolicies.kubeSystem.openstack.enabled boolean
networkPolicies.kubeSystem.openstack.ips[] array of string List of IP netmasks

A IP address with netmask
networkPolicies.kubeSystem.openstack.ports[] array of integer A 16 bit unsigned integer
networkPolicies.kubeSystem.upcloud object Configure UpCloud network policy rules.
networkPolicies.kubeSystem.upcloud.enabled boolean
networkPolicies.kubeSystem.upcloud.ips[] array of string List of IP netmasks

A IP address with netmask
networkPolicies.kubeSystem.upcloud.ports[] array of integer A 16 bit unsigned integer
networkPolicies.kured object Configure Kured network policy rules.
networkPolicies.kured.enabled boolean True
networkPolicies.kured.notificationSlack object Configure network policy rules to allow Kured to send Slack notifications.
networkPolicies.kured.notificationSlack.ports[] array of integer A 16-bit unsigned integer
networkPolicies.kyverno object Configure Kyverno network policy rules.
networkPolicies.kyverno.enabled boolean True
networkPolicies.kyverno.imageRegistry object Configure network policy that allows Kyverno to access image registries. This is required for signed image verification.
networkPolicies.monitoring object Configure monitoring network policy rules.
networkPolicies.monitoring.enabled boolean True
networkPolicies.monitoring.grafana object Configure Grafana network policy rules.
networkPolicies.monitoring.grafana.externalDashboardProvider object Configure network policy rules to allow Grafana to use external dashboards.
networkPolicies.monitoring.grafana.externalDashboardProvider.ips[] array of string List of IP netmasks

An IP address with netmask
networkPolicies.monitoring.grafana.externalDashboardProvider.ports[] array of integer A 16-bit unsigned integer
networkPolicies.monitoring.grafana.externalDataSources object Configure network policy rules to allow Grafana to use external datasources.
networkPolicies.monitoring.grafana.externalDataSources.enabled boolean
networkPolicies.opensearch object Configure OpenSearch network policy rules.
networkPolicies.opensearch.enabled boolean True
networkPolicies.opensearch.plugins object Configure network policy rules to allow OpenSearch to install plugins during startup.
networkPolicies.opensearch.plugins.ports[] array of integer A 16-bit unsigned integer
networkPolicies.prometheus object Configure Prometheus network policy rules.
networkPolicies.prometheus.internalAccess object See note
networkPolicies.prometheus.internalAccess.enabled boolean
networkPolicies.prometheus.internalAccess.namespaces[] array of string Configure the namespaces to allow internal access to Prometheus.
networkPolicies.rclone object Configure Rclone network policy rules.
networkPolicies.rclone.enabled boolean
networkPolicies.rclone.sync object Configure network policy rules to allow rclone to sync.
networkPolicies.rclone.sync.objectStorage object Configure network policy rules to allow rclone to sync object storage.
networkPolicies.rclone.sync.objectStorage.ports[] array of integer A 16-bit unsigned integer
networkPolicies.rclone.sync.objectStorageSwift object Configure network policy rules to allow rclone to sync object storage with Swift.
networkPolicies.rclone.sync.objectStorageSwift.ports[] array of integer A 16-bit unsigned integer
networkPolicies.rclone.sync.secondaryUrl object Configure network policy rules to allow rclone to sync with a secondary URL.
networkPolicies.rclone.sync.secondaryUrl.ports[] array of integer A 16-bit unsigned integer
networkPolicies.rookCeph object Configure Rook Ceph network policy rules.
networkPolicies.rookCeph.enabled boolean
networkPolicies.s3Exporter object Configure S3 exporter network policy rules.
networkPolicies.s3Exporter.enabled boolean True
networkPolicies.tektonPipelines object Enable network policies for Tekton and the pipeline.
networkPolicies.tektonPipelines.enabled boolean True
networkPolicies.tektonPipelines.pipeline object See note
networkPolicies.thanos object Configure Thanos network policy rules.
networkPolicies.thanos.enabled boolean True
networkPolicies.velero object Configure Velero network policy rules.
networkPolicies.velero.enabled boolean True

Notes for networkPolicies.certManager.letsencrypt

Configure network policy rule to allow cert-manager to reach Let's Encrypt.

Note

Let's Encrypt deliberately does not publish a list of its endpoints, so this is required to be ips: [ 0.0.0.0/0 ].

Notes for networkPolicies.certManager.namespaces[]

Configure the namespaces in which cert-manager is allowed to perform HTTP-01 challenges.

Examples:

['dex', 'harbor', 'monitoring', 'opensearch-system', 'thanos']

Notes for networkPolicies.global.objectStorage

Configure object storage network policy rules.

This configuration should match the object storage service configured under objectStorage.

Tip

Automatically populated by ./bin/ck8s update-ips <both|sc|wc>.

Notes for networkPolicies.global.objectStorageSwift

Configure OpenStack Swift object storage network policy rules.

This configuration should match the object storage service configured under objectStorage.swift if used by any component.

Tip

Automatically populated by ./bin/ck8s update-ips <both|sc|wc>.

Notes for networkPolicies.global.scApiserver

Configure service cluster API server network policy rules.

Tip

Automatically populated by ./bin/ck8s update-ips <both|sc|wc>.

Notes for networkPolicies.global.scIngress

Configure service cluster ingress network policy rules.

Tip

Automatically populated by ./bin/ck8s update-ips <both|sc|wc>.

Notes for networkPolicies.global.scNodes

Configure service cluster nodes network policy rules.

Tip

Automatically populated by ./bin/ck8s update-ips <both|sc|wc>.

Notes for networkPolicies.global.wcApiserver

Configure workload cluster API server network policy rules.

Tip

Automatically populated by ./bin/ck8s update-ips <both|sc|wc>.

Notes for networkPolicies.global.wcIngress

Configure workload cluster ingress network policy rules.

Tip

Automatically populated by ./bin/ck8s update-ips <both|sc|wc>.

Notes for networkPolicies.global.wcNodes

Configure workload cluster nodes network policy rules.

Tip

Automatically populated by ./bin/ck8s update-ips <both|sc|wc>.

Notes for networkPolicies.prometheus.internalAccess

Configure network policy rules to allow internal access to Prometheus.

This requires the allowed namespaces to be configured under namespaces and the allowed pods to be labeled elastisys.io/prometheus-access: allowed.

Notes for networkPolicies.tektonPipelines.pipeline

Add the network policies required by the pipeline under the pipeline section.

The network policies should follow the format of the network policies generator, so the pre-defined network policy rules can be used. The pre-defined rules can be found here.

  pipeline:
    clone-config-pod:
      podSelectorLabels:
        tekton.dev/pipeline: upgrade-pipeline
      ingress: {}
      egress:
        - rule: egress-rule-dns # pre-defined network policies rule.
        - name: egress-rule-config-access
          peers:
            - cidr: 1.2.3.4/32
          ports:
            - tcp: 22

nodeLocalDns

Configure node-local-dns, node-local DNS resolution and caching.

Key Type Default Description
nodeLocalDns.customConfig string See note
nodeLocalDns.hostZone object Configure the host zone for node-local-dns
nodeLocalDns.hostZone.extraConfig string See note
nodeLocalDns.resources object See note
nodeLocalDns.resources.limits object
nodeLocalDns.resources.requests object

Notes for nodeLocalDns.customConfig

Configure custom options for the CoreDNS instance running as part of node-local-dns.

Note

See the upstream documentation for reference.

Examples:

example.com:53 {
  errors
  cache 30
  reload
  loop
  forward . 127.0.0.1:9005
}

Notes for nodeLocalDns.hostZone.extraConfig

Configure extra config for the host zone .53 for node-local-dns.

Note

See the upstream documentation for reference.

Examples:

template ANY ANY {
  rcode NXDOMAIN
}

Notes for nodeLocalDns.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

objectStorage

Configuration options for using object storage in Welkin.

This is used for:

  • Fluentd audit logs
  • Fluentd service cluster logs
  • Harbor database backups and registry storage
  • OpenSearch workload cluster log snapshots
  • Rclone object storage sync source and restore destination
  • Thanos metrics storage
  • Velero resource backups and volume snapshots

Harbor, Rclone, and Thanos have additional configuration to use Swift.

Key Type Default Description
objectStorage.azure object Only supports Azure Public Cloud.
objectStorage.azure.resourceGroup string Resource group of the storage account.
objectStorage.azure.storageAccountName string Name of the storage account
objectStorage.buckets object See note
objectStorage.restore object See note
objectStorage.restore.addTargetsFromSync boolean Automatically configure the restore from a secondary site to the primary site.

Essentially this will configure Rclone restore to do the inverse of Rclone sync.
objectStorage.restore.decrypt object Encrypt data when syncing and decrypt data when restoring.
objectStorage.restore.decrypt.directoryNames boolean Encrypt directory names when syncing, requires file names to be encrypted.
objectStorage.restore.decrypt.enabled boolean
objectStorage.restore.decrypt.fileNames boolean Encrypt file names when syncing.
objectStorage.restore.destinations object Allows complete or partial overrides of the restore destinations, which are otherwise the main object storage configuration.
objectStorage.restore.destinations.azure object Only supports Azure Public Cloud.
objectStorage.restore.destinations.azure.resourceGroup string Resource group of the storage account.
objectStorage.restore.destinations.azure.storageAccountName string Name of the storage account
objectStorage.restore.destinations.s3 object Supports both AWS and non-AWS implementations.
objectStorage.restore.destinations.s3.forcePathStyle boolean Force the use of path style access instead of virtual host style access.

Generally false when using AWS, Exoscale, and UpCloud and true for other providers.
objectStorage.restore.destinations.s3.region string Region to store data.
objectStorage.restore.destinations.s3.regionEndpoint string Endpoint to reach the S3 service, mainly applicable for non-AWS implementations.

Make sure to prepend the protocol (e.g. https://).
objectStorage.restore.destinations.s3.v2Auth boolean Force the use of v2 authentication; v4 authentication is used otherwise.
objectStorage.restore.destinations.swift object Note: Supported as an option only for Harbor, Rclone, and Thanos.
objectStorage.restore.destinations.swift.authUrl string OpenStack authentication URL.

Make sure to prepend the protocol (e.g. https://) and append the authentication version (e.g. /v3).
objectStorage.restore.destinations.swift.authVersion integer OpenStack authentication version.

Set 0 to auto-detect the version from the authentication URL.
objectStorage.restore.destinations.swift.domainId string The user domain ID to use.

A user domain is required when authenticating with a username; set either domainId or domainName.
objectStorage.restore.destinations.swift.domainName string The user domain name to use.

A user domain is required when authenticating with a username; set either domainId or domainName.
objectStorage.restore.destinations.swift.projectDomainId string The project domain ID to use.

A project domain is required when authenticating with projectName; set either projectDomainId or projectDomainName.
objectStorage.restore.destinations.swift.projectDomainName string The project domain name to use.

A project domain is required when authenticating with projectName; set either projectDomainId or projectDomainName.
objectStorage.restore.destinations.swift.projectId string The project ID to use.

A project is required when authenticating with a username; set either projectId or projectName.
objectStorage.restore.destinations.swift.projectName string The project name to use; requires the project domain to be set.

A project is required when authenticating with a username; set either projectId or projectName.
objectStorage.restore.destinations.swift.region string OpenStack region.
objectStorage.restore.destinations.swift.segmentsContainerSuffix string +segments The container suffix to use for segment containers.

These are created to store large objects as SLOs/DLOs, and by the s3api middleware for multipart uploads.
objectStorage.restore.dryrun boolean Deploy Rclone with dryrun enabled.
objectStorage.restore.enabled boolean
objectStorage.restore.sources object Allows complete or partial overrides of the restore sources, which are otherwise the sync object storage configuration.
objectStorage.restore.sources.azure object Only supports Azure Public Cloud.
objectStorage.restore.sources.azure.resourceGroup string Resource group of the storage account.
objectStorage.restore.sources.azure.storageAccountName string Name of the storage account
objectStorage.restore.sources.s3 object Supports both AWS and non-AWS implementations.
objectStorage.restore.sources.s3.forcePathStyle boolean Force the use of path style access instead of virtual host style access.

Generally false when using AWS, Exoscale, and UpCloud and true for other providers.
objectStorage.restore.sources.s3.region string Region to store data.
objectStorage.restore.sources.s3.regionEndpoint string Endpoint to reach the S3 service, mainly applicable for non-AWS implementations.

Make sure to prepend the protocol (e.g. https://).
objectStorage.restore.sources.s3.v2Auth boolean Force the use of v2 authentication; v4 authentication is used otherwise.
objectStorage.restore.sources.swift object Note: Supported as an option only for Harbor, Rclone, and Thanos.
objectStorage.restore.sources.swift.authUrl string OpenStack authentication URL.

Make sure to prepend the protocol (e.g. https://) and append the authentication version (e.g. /v3).
objectStorage.restore.sources.swift.authVersion integer OpenStack authentication version.

Set 0 to auto-detect the version from the authentication URL.
objectStorage.restore.sources.swift.domainId string The user domain ID to use.

A user domain is required when authenticating with a username; set either domainId or domainName.
objectStorage.restore.sources.swift.domainName string The user domain name to use.

A user domain is required when authenticating with a username; set either domainId or domainName.
objectStorage.restore.sources.swift.projectDomainId string The project domain ID to use.

A project domain is required when authenticating with projectName; set either projectDomainId or projectDomainName.
objectStorage.restore.sources.swift.projectDomainName string The project domain name to use.

A project domain is required when authenticating with projectName; set either projectDomainId or projectDomainName.
objectStorage.restore.sources.swift.projectId string The project ID to use.

A project is required when authenticating with a username; set either projectId or projectName.
objectStorage.restore.sources.swift.projectName string The project name to use; requires the project domain to be set.

A project is required when authenticating with a username; set either projectId or projectName.
objectStorage.restore.sources.swift.region string OpenStack region.
objectStorage.restore.sources.swift.segmentsContainerSuffix string +segments The container suffix to use for segment containers.

These are created to store large objects as SLOs/DLOs, and by the s3api middleware for multipart uploads.
objectStorage.restore.targets[] array of object Targets to restore

Details of a bucket to restore.
objectStorage.restore.timestamp string Perform point-in-time restore if possible.

This is only supported for S3 sources.
objectStorage.s3 object Supports both AWS and non-AWS implementations.
objectStorage.s3.forcePathStyle boolean Force the use of path style access instead of virtual host style access.

Generally false when using AWS, Exoscale, and UpCloud and true for other providers.
objectStorage.s3.region string Region to store data.
objectStorage.s3.regionEndpoint string Endpoint to reach the S3 service, mainly applicable for non-AWS implementations.

Make sure to prepend the protocol (e.g. https://).
objectStorage.s3.v2Auth boolean Force the use of v2 authentication; v4 authentication is used otherwise.
objectStorage.swift object Note: Supported as an option only for Harbor, Rclone, and Thanos.
objectStorage.swift.authUrl string OpenStack authentication URL.

Make sure to prepend the protocol (e.g. https://) and append the authentication version (e.g. /v3).
objectStorage.swift.authVersion integer OpenStack authentication version.

Set 0 to auto-detect the version from the authentication URL.
objectStorage.swift.domainId string The user domain ID to use.

A user domain is required when authenticating with a username; set either domainId or domainName.
objectStorage.swift.domainName string The user domain name to use.

A user domain is required when authenticating with a username; set either domainId or domainName.
objectStorage.swift.projectDomainId string The project domain ID to use.

A project domain is required when authenticating with projectName; set either projectDomainId or projectDomainName.
objectStorage.swift.projectDomainName string The project domain name to use.

A project domain is required when authenticating with projectName; set either projectDomainId or projectDomainName.
objectStorage.swift.projectId string The project ID to use.

A project is required when authenticating with a username; set either projectId or projectName.
objectStorage.swift.projectName string The project name to use; requires the project domain to be set.

A project is required when authenticating with a username; set either projectId or projectName.
objectStorage.swift.region string OpenStack region.
objectStorage.swift.segmentsContainerSuffix string +segments The container suffix to use for segment containers.

These are created to store large objects as SLOs/DLOs, and by the s3api middleware for multipart uploads.
objectStorage.sync object Sync object storage from the primary site to a secondary site with Rclone.
objectStorage.sync.activeDeadlineSeconds number 14400 The maximum amount of time that the Rclone job is allowed to run (in seconds).
objectStorage.sync.azure object Only supports Azure Public Cloud.
objectStorage.sync.azure.resourceGroup string Resource group of the storage account.
objectStorage.sync.azure.storageAccountName string Name of the storage account
objectStorage.sync.buckets[] array of object Additional buckets to sync.

List of buckets to sync when syncDefaultBuckets is false.
objectStorage.sync.defaultSchedule string
objectStorage.sync.destinationType string See note
objectStorage.sync.dryrun boolean Deploy Rclone with dryrun enabled.
objectStorage.sync.enabled boolean
objectStorage.sync.encrypt object Encrypt data when syncing and decrypt data when restoring.
objectStorage.sync.encrypt.directoryNames boolean Encrypt directory names when syncing, requires file names to be encrypted.
objectStorage.sync.encrypt.enabled boolean
objectStorage.sync.encrypt.fileNames boolean Encrypt file names when syncing.
objectStorage.sync.resources object See note
objectStorage.sync.resources.limits object
objectStorage.sync.resources.requests object
objectStorage.sync.s3 object Supports both AWS and non-AWS implementations.
objectStorage.sync.s3.forcePathStyle boolean Force the use of path style access instead of virtual host style access.

Generally false when using AWS, Exoscale, and UpCloud and true for other providers.
objectStorage.sync.s3.region string Region to store data.
objectStorage.sync.s3.regionEndpoint string Endpoint to reach the S3 service, mainly applicable for non-AWS implementations.

Make sure to prepend the protocol (e.g. https://).
objectStorage.sync.s3.v2Auth boolean Force the use of v2 authentication; v4 authentication is used otherwise.
objectStorage.sync.secondaryUrl string
objectStorage.sync.sourceType string See note
objectStorage.sync.swift object Note: Supported as an option only for Harbor, Rclone, and Thanos.
objectStorage.sync.swift.authUrl string OpenStack authentication URL.

Make sure to prepend the protocol (e.g. https://) and append the authentication version (e.g. /v3).
objectStorage.sync.swift.authVersion integer OpenStack authentication version.

Set 0 to auto-detect the version from the authentication URL.
objectStorage.sync.swift.domainId string The user domain ID to use.

A user domain is required when authenticating with a username; set either domainId or domainName.
objectStorage.sync.swift.domainName string The user domain name to use.

A user domain is required when authenticating with a username; set either domainId or domainName.
objectStorage.sync.swift.projectDomainId string The project domain ID to use.

A project domain is required when authenticating with projectName; set either projectDomainId or projectDomainName.
objectStorage.sync.swift.projectDomainName string The project domain name to use.

A project domain is required when authenticating with projectName; set either projectDomainId or projectDomainName.
objectStorage.sync.swift.projectId string The project ID to use.

A project is required when authenticating with a username; set either projectId or projectName.
objectStorage.sync.swift.projectName string The project name to use; requires the project domain to be set.

A project is required when authenticating with a username; set either projectId or projectName.
objectStorage.sync.swift.region string OpenStack region.
objectStorage.sync.swift.segmentsContainerSuffix string +segments The container suffix to use for segment containers.

These are created to store large objects as SLOs/DLOs, and by the s3api middleware for multipart uploads.
objectStorage.sync.syncDefaultBuckets boolean Sync the buckets or containers set under .objectStorage.buckets.
objectStorage.type string See note

Notes for objectStorage.buckets

Buckets or containers for each respective application to use for application data or backup storage.

Keys are used as identifiers for buckets or containers, while the values are used as the bucket or container name.

Additional entries added here will have monitoring enabled.

Notes for objectStorage.restore

Restore object storage from a secondary site to the primary site with Rclone.

Note

When enabled this will disable Rclone sync to prevent it from modifying the secondary site.

Notes for objectStorage.sync.destinationType

Object storage type to use.

Possible values:

azure
gcs
s3
swift

Notes for objectStorage.sync.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for objectStorage.sync.sourceType

Object storage type to use. Defaults to .objectStorage.type.

Examples:

azure
gcs
s3
swift

Notes for objectStorage.type

Object storage type to use.

In addition, Harbor, Rclone, and Thanos have additional configuration to use Swift.

Possible values:

azure
gcs
s3
none

opa

Configure Open Policy Agent, constraints and mutations enforced by Gatekeeper.

Welkin contains multiple safeguards to make it easy to follow security best practices.

This includes an implementation of constraints and mutations with behaviour similar to Pod Security Policies, and application-developer-centric safeguards.

Key Type Default Description
opa.audit object Configure the Audit deployment of OPA Gatekeeper.
opa.audit.affinity object Affinity is a group of affinity scheduling rules.
opa.audit.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
opa.audit.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
opa.audit.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
opa.audit.nodeSelector object See note
opa.audit.resources object See note
opa.audit.resources.limits object
opa.audit.resources.requests object
opa.audit.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
opa.audit.topologySpreadConstraints[] array TopologySpreadConstraints describes how pods should spread across topology domains.
opa.audit.writeToRAMDisk boolean
opa.auditChunkSize number 500
opa.auditFromCache boolean
opa.auditIntervalSeconds number 600
opa.constraintViolationsLimit number 20
opa.controllerManager object This describes the base class, so to speak, for Welkin resources.
opa.controllerManager.affinity object Affinity is a group of affinity scheduling rules.
opa.controllerManager.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
opa.controllerManager.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
opa.controllerManager.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
opa.controllerManager.enabled boolean
opa.controllerManager.extraArgs[] array of string Extra arguments passed to a container
opa.controllerManager.nodeSelector object See note
opa.controllerManager.resources object See note
opa.controllerManager.resources.limits object
opa.controllerManager.resources.requests object
opa.controllerManager.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
opa.controllerManager.topologySpreadConstraints[] array TopologySpreadConstraints describes how pods should spread across topology domains.
opa.disallowedTags object See note
opa.disallowedTags.enabled boolean True
opa.disallowedTags.enforcement string deny See note
opa.disallowedTags.tags[] array of string Configure the tags that should be disallowed by the constraint.
opa.imageRegistry object See note
opa.imageRegistry.URL[] array of string See note
opa.imageRegistry.enabled boolean True
opa.imageRegistry.enforcement string warn See note
opa.minimumDeploymentReplicas object See note
opa.minimumDeploymentReplicas.enabled boolean True
opa.minimumDeploymentReplicas.enforcement string warn See note
opa.mutatingWebhookTimeoutSeconds number 5
opa.mutations object Configure mutations to set defaults in deployed resources.
opa.mutations.enabled boolean True
opa.mutations.jobTTL object See note
opa.mutations.jobTTL.enabled boolean True
opa.mutations.jobTTL.ttlSeconds number 604800
opa.mutations.ndots object Configure mutations to set ndots on deployed Pods.
opa.mutations.ndots.enabled boolean
opa.mutations.ndots.labelSelector object Configure the label selector for pods to be targeted by this mutation.
opa.mutations.ndots.labelSelector.matchLabels object Configure the label selector for pods to be targeted by this mutation.

Default {} targets all Pods.
opa.mutations.ndots.ndotAmount integer 3
opa.networkPolicies object See note
opa.networkPolicies.enabled boolean True
opa.networkPolicies.enforcement string warn See note
opa.preventAccidentalDeletion object Configure constraint to reject deletion of sensitive resources.
opa.preventAccidentalDeletion.enabled boolean
opa.preventAccidentalDeletion.enforcement string deny See note
opa.rejectLoadBalancerService object See note
opa.rejectLoadBalancerService.enabled boolean
opa.rejectLoadBalancerService.enforcement string deny See note
opa.rejectLocalStorageEmptyDir object See note
opa.rejectLocalStorageEmptyDir.enabled boolean
opa.rejectLocalStorageEmptyDir.enforcement string warn See note
opa.rejectPodWithoutController object See note
opa.rejectPodWithoutController.enabled boolean
opa.rejectPodWithoutController.enforcement string warn See note
opa.resourceRequests object See note
opa.resourceRequests.enabled boolean True
opa.resourceRequests.enforcement string deny See note
opa.restrictPodDisruptionBudgets object See note
opa.restrictPodDisruptionBudgets.enabled boolean True
opa.restrictPodDisruptionBudgets.enforcement string deny See note
opa.validatingWebhookTimeoutSeconds number 5

Notes for opa.audit.nodeSelector

Kubernetes node selector

Kubernetes assign pod node

Examples:

{'kubernetes.io/os': 'linux'}

Notes for opa.audit.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for opa.controllerManager.nodeSelector

Kubernetes node selector

Kubernetes assign pod node

Examples:

{'kubernetes.io/os': 'linux'}

Notes for opa.controllerManager.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for opa.disallowedTags

Configure constraint to disallow configured tags on container images.

Note

See the dev docs for context.

Notes for opa.disallowedTags.enforcement

Possible values:

deny
warn
dryrun

Notes for opa.imageRegistry

Configure constraint to only allow configured registries for container images.

Note

See the dev docs for context.

Notes for opa.imageRegistry.URL[]

Configure the registries that should be trusted by the constraint.

Note

To support issuing certificates with HTTP-01 challenges the registry quay.io/jetstack/cert-manager-acmesolver must be added.

Notes for opa.imageRegistry.enforcement

Possible values:

deny
warn
dryrun

Notes for opa.minimumDeploymentReplicas

Configure constraint to only allow Deployments and StatefulSets with more than one replica.

Note

See the dev docs for context.

Notes for opa.minimumDeploymentReplicas.enforcement

Possible values:

deny
warn
dryrun

Notes for opa.mutations.jobTTL

Configure mutations to set time to live on deployed Jobs.

Note

See the dev docs for context.

Notes for opa.networkPolicies

Configure constraint to only allow Pods targeted by NetworkPolicies.

Note

See the dev docs for context.

Notes for opa.networkPolicies.enforcement

Possible values:

deny
warn
dryrun

Notes for opa.preventAccidentalDeletion.enforcement

Possible values:

deny
warn
dryrun

Notes for opa.rejectLoadBalancerService

Configure constraint to reject creation of Services with the type LoadBalancer.

Advantageous if the cluster cannot automatically provision LoadBalancers, e.g. because the infrastructure provider does not offer such Kubernetes integration.

Note

See the dev docs for context.

Notes for opa.rejectLoadBalancerService.enforcement

Possible values:

deny
warn
dryrun

Notes for opa.rejectLocalStorageEmptyDir

Configure constraint to reject usage of local storage emptyDir volumes.

Note

See the dev docs for context.

Notes for opa.rejectLocalStorageEmptyDir.enforcement

Possible values:

deny
warn
dryrun

Notes for opa.rejectPodWithoutController

Configure constraint to reject pods without a controller.

Note

See the dev docs for context.

Notes for opa.rejectPodWithoutController.enforcement

Possible values:

deny
warn
dryrun

Notes for opa.resourceRequests

Configure constraint to only allow Pods configured with resource requests.

Note

See the dev docs for context.

Notes for opa.resourceRequests.enforcement

Possible values:

deny
warn
dryrun

Notes for opa.restrictPodDisruptionBudgets

Configure constraint to reject PodDisruptionBudgets and connected Pod controllers if the PDB does not allow for at least 1 pod disruption.

Note

See the dev docs for context.

Notes for opa.restrictPodDisruptionBudgets.enforcement

Possible values:

deny
warn
dryrun

opensearch

Configuration for OpenSearch.

OpenSearch ingests logs sent from Fluentd in the workload cluster, and presents them in OpenSearch Dashboards.

Note

OpenSearch and its components are installed in the service cluster, so this configuration mainly applies there.

Key Type Default Description
opensearch.additionalTemplates object See note
opensearch.clientNode object Configures the client stateful set of OpenSearch that takes on the role of ingesting and querying logs.
opensearch.clientNode.affinity object Affinity is a group of affinity scheduling rules.
opensearch.clientNode.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
opensearch.clientNode.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
opensearch.clientNode.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
opensearch.clientNode.count number 1
opensearch.clientNode.dedicatedPods boolean True When disabled the master nodes will take on these roles.
opensearch.clientNode.javaOpts string -Xms512m -Xmx512m See note
opensearch.clientNode.nodeSelector object See note
opensearch.clientNode.resources object See note
opensearch.clientNode.resources.limits object
opensearch.clientNode.resources.requests object
opensearch.clientNode.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
opensearch.clusterName string opensearch
opensearch.createIndices boolean True See note
opensearch.curator object Configures the CronJob that removes indices.
opensearch.curator.activeDeadlineSeconds number 2700
opensearch.curator.affinity object Affinity is a group of affinity scheduling rules.
opensearch.curator.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
opensearch.curator.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
opensearch.curator.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
opensearch.curator.enabled boolean True
opensearch.curator.nodeSelector object See note
opensearch.curator.resources object See note
opensearch.curator.resources.limits object
opensearch.curator.resources.requests object
opensearch.curator.retention[] array of object [{'pattern': 'authlog-*', 'ageDays': 30, 'sizeGB': 1}, {'pattern': 'kubeaudit-*', 'ageDays': 30, 'sizeGB': 50}, {'pattern': 'kubernetes-*', 'ageDays': 30, 'sizeGB': 50}, {'pattern': 'other-*', 'ageDays': 7, 'sizeGB': 1}, {'pattern': 'security-auditlog-*', 'ageDays': 7, 'sizeGB': 1}] Configures the retention of indices in OpenSearch.
opensearch.curator.startingDeadlineSeconds number 600
opensearch.curator.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
opensearch.dashboards object Configures the Dashboards deployment of OpenSearch providing the UI to view and query logs.
opensearch.dashboards.affinity object Affinity is a group of affinity scheduling rules.
opensearch.dashboards.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
opensearch.dashboards.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
opensearch.dashboards.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
opensearch.dashboards.cookieTtl integer Time-to-live for the session cookie in milliseconds. Overrides OpenSearch Dashboards internal default if set.
opensearch.dashboards.nodeSelector object See note
opensearch.dashboards.resources object See note
opensearch.dashboards.resources.limits object
opensearch.dashboards.resources.requests object
opensearch.dashboards.sessionKeepalive boolean Whether the session TTL should be extended upon user activity. Overrides OpenSearch Dashboards internal default if set.
opensearch.dashboards.sessionTtl integer Time-to-live for the session itself in milliseconds. Overrides OpenSearch Dashboards internal default if set.
opensearch.dashboards.subdomain string opensearch See note
opensearch.dashboards.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
opensearch.dashboards.topologySpreadConstraints[] array TopologySpreadConstraints describes how pods should spread across topology domains.
opensearch.dataNode object Configures the data stateful set of OpenSearch that takes on the role to index and store logs.
opensearch.dataNode.affinity object Affinity is a group of affinity scheduling rules.
opensearch.dataNode.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
opensearch.dataNode.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
opensearch.dataNode.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
opensearch.dataNode.count number 2
opensearch.dataNode.dedicatedPods boolean True When disabled the master nodes will take on these roles.
opensearch.dataNode.javaOpts string -Xms512m -Xmx512m See note
opensearch.dataNode.nodeSelector object See note
opensearch.dataNode.resources object See note
opensearch.dataNode.resources.limits object
opensearch.dataNode.resources.requests object
opensearch.dataNode.storageClass string or null null See note
opensearch.dataNode.storageSize string Configure the requested size of the persistent volume for this OpenSearch node.
opensearch.dataNode.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
opensearch.defaultTemplates boolean True See note
opensearch.enabled boolean True Must be set for both service and workload cluster.
opensearch.exporter object Configures the exporter exposing metrics from OpenSearch.
opensearch.exporter.resources object See note
opensearch.exporter.resources.limits object
opensearch.exporter.resources.requests object
opensearch.exporter.serviceMonitor object Configures the service monitor of the exporter.
opensearch.exporter.serviceMonitor.interval string 30s
opensearch.exporter.serviceMonitor.scrapeTimeout string
opensearch.exporter.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
opensearch.extraRoleMappings[] array of object See note
opensearch.extraRoles[] array of object See note
opensearch.indexPerNamespace boolean See note
opensearch.ingress object Configures the ingress for OpenSearch master or client nodes.
opensearch.ingress.maxbodysize string 32m
opensearch.ism object Configures index state management in OpenSearch.
opensearch.ism.additionalPolicies object See note
opensearch.ism.defaultPolicies boolean True See note
opensearch.ism.overwritePolicies boolean True When set OpenSearch can be configured with index state management policies via additionalPolicies that overwrite the ones configured via defaultPolicies.
opensearch.ism.rolloverAgeDays number 1 Configures the age a write index must reach before it is rolled over to a new one.
opensearch.ism.rolloverSizeGB number 1 Configures the size a write index must reach before it is rolled over to a new one.
opensearch.masterNode object Configures the main stateful set of OpenSearch that takes on all roles not provided by other nodes (dataNode, clientNode).
opensearch.masterNode.affinity object Affinity is a group of affinity scheduling rules.
opensearch.masterNode.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
opensearch.masterNode.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
opensearch.masterNode.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
opensearch.masterNode.count number 1
opensearch.masterNode.javaOpts string -Xms512m -Xmx512m See note
opensearch.masterNode.nodeSelector object See note
opensearch.masterNode.resources object See note
opensearch.masterNode.resources.limits object
opensearch.masterNode.resources.requests object
opensearch.masterNode.storageClass string or null null See note
opensearch.masterNode.storageSize string Configure the requested size of the persistent volume for this OpenSearch node.
opensearch.masterNode.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
opensearch.maxClauseCount number 1024 Configures the maximum number of clauses permitted in a query.
opensearch.maxShardsPerNode number 1000 Configures the maximum number of shards permitted on one node.
opensearch.overwriteTemplates boolean True When set OpenSearch can be configured with index templates via additionalTemplates that overwrite the ones configured via defaultTemplates.
opensearch.plugins object Configures plugins used in OpenSearch.
opensearch.plugins.additionalPlugins[] array Configures OpenSearch to install plugins when it starts.

In an air-gapped environment this can be used to install plugins from known sources.
opensearch.plugins.installExternalObjectStoragePlugin boolean See note
opensearch.promIndexAlerts[] array of object [{'prefix': 'authlog-default', 'alertSizeMB': 2}, {'prefix': 'kubeaudit-default', 'alertSizeMB': 5500}, {'prefix': 'kubernetes-default', 'alertSizeMB': 5500}, {'prefix': 'other-default', 'alertSizeMB': 400}] Configures the index alerts monitoring the function of index state management.
opensearch.securityadmin object Configures the Job that initialises OpenSearch Security.
opensearch.securityadmin.activeDeadlineSeconds number 1200
opensearch.securityadmin.enabled boolean True
opensearch.securityadmin.resources object See note
opensearch.securityadmin.resources.limits object
opensearch.securityadmin.resources.requests object
opensearch.snapshot object Configure OpenSearch snapshot creation and retention.

This requires that objectStorage is configured, and will use the bucket or container set in objectStorage.buckets.opensearch.
opensearch.snapshot.backupSchedule string
opensearch.snapshot.enabled boolean True
opensearch.snapshot.max number 14
opensearch.snapshot.min number 7
opensearch.snapshot.repository string opensearch-snapshots
opensearch.snapshot.retentionAge string 10d
opensearch.snapshot.retentionSchedule string
opensearch.sso object Configures Single Sign On to OpenSearch via Dex.
opensearch.sso.enabled boolean
opensearch.sso.rolesKey string groups
opensearch.sso.scope string openid profile email groups
opensearch.sso.subjectKey string email
opensearch.subdomain string opensearch See note

Notes for opensearch.additionalTemplates

When set OpenSearch will be configured with additional index templates.

The keys will be used as the name of the index templates.

Note

See the upstream documentation for reference.

Notes for opensearch.clientNode.javaOpts

Set Java Virtual Machine Options to control the memory allocation of OpenSearch.

As a rule of thumb, the minimum allocation -Xms and the maximum allocation -Xmx should be set to the same value so that memory usage is predictable. Additionally, until the heap allocation reaches 2 GiB or more, it is recommended that the memory limit set in Kubernetes is twice the heap allocation, since OpenSearch uses the memory outside the heap for cache.

Notes for opensearch.clientNode.nodeSelector

Kubernetes node selector

Kubernetes assign pod node

Examples:

{'kubernetes.io/os': 'linux'}

Notes for opensearch.clientNode.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for opensearch.createIndices

When enabled OpenSearch will be configured with initial indices for:

  • authlog
  • kubeaudit
  • kubernetes
  • other

Notes for opensearch.curator.nodeSelector

Kubernetes node selector

Kubernetes assign pod node

Examples:

{'kubernetes.io/os': 'linux'}

Notes for opensearch.curator.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for opensearch.dashboards.nodeSelector

Kubernetes node selector

Kubernetes assign pod node

Examples:

{'kubernetes.io/os': 'linux'}

Notes for opensearch.dashboards.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for opensearch.dashboards.subdomain

Subdomain of baseDomain that the Ingress to OpenSearch Dashboards will be created with.

Note

Must be set for both service and workload cluster.

Notes for opensearch.dataNode.javaOpts

Set Java Virtual Machine Options to control the memory allocation of OpenSearch.

As a rule of thumb, the minimum allocation -Xms and the maximum allocation -Xmx should be set to the same value so that memory usage is predictable. Additionally, until the heap allocation reaches 2 GiB or more, it is recommended that the memory limit set in Kubernetes is twice the heap allocation, since OpenSearch uses the memory outside the heap for cache.

Notes for opensearch.dataNode.nodeSelector

Kubernetes node selector

Kubernetes assign pod node

Examples:

{'kubernetes.io/os': 'linux'}

Notes for opensearch.dataNode.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for opensearch.dataNode.storageClass

Set storage class for OpenSearch.

  • If set to null, the default storage class will be used to provision the volumes.
  • If set to -, no storage class will be used to provision the volumes.

Notes for opensearch.defaultTemplates

When enabled OpenSearch will be configured with the default index templates for:

  • authlog
  • kubeaudit
  • kubernetes
  • other

Notes for opensearch.exporter.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for opensearch.extraRoleMappings[]

Configures extra role mappings for OpenSearch Security.

Extra users can be configured in secrets.yaml under extraUsers and extra roles under extraRoles.

Note

See the upstream documentation for reference.

Notes for opensearch.extraRoles[]

Configures extra roles for OpenSearch Security.

Note

See the upstream documentation for reference.
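The extraRoles and extraRoleMappings notes above both defer to the upstream documentation. The following is an added example, not code from the Welkin project or from OpenSearch: it models a least-privilege role that can only read one tenant's log indices, maps it to a Dex group (the sso.rolesKey default is groups, so group claims arrive as backend roles), resolves what a given user can do on a concrete index, and flags roles that grant wildcards. The role and mapping structures are assumed to be rendered in the shape of the upstream roles.yml and roles_mapping.yml documents, and the index name and user names are constructed for the example.

```python
from fnmatch import fnmatchcase

# Constructed role definitions in the shape of the upstream OpenSearch Security roles.yml.
# How extraRoles is rendered into that file is an assumption; check the upstream docs.
EXTRA_ROLES = {
    # Least privilege: read-only on one tenant's per-namespace indices (see indexPerNamespace).
    "team-a-logs-reader": {
        "cluster_permissions": ["cluster_composite_ops_ro"],
        "index_permissions": [
            {"index_patterns": ["kubernetes-team-a-*"], "allowed_actions": ["read"]},
        ],
    },
    # Deliberately over-broad, kept here so the linter below has something to flag.
    "everything": {
        "cluster_permissions": ["*"],
        "index_permissions": [{"index_patterns": ["*"], "allowed_actions": ["*"]}],
    },
}

# Constructed mappings in the shape of the upstream roles_mapping.yml.
# With opensearch.sso.rolesKey = groups, Dex group claims are matched as backend_roles.
EXTRA_ROLE_MAPPINGS = {
    "team-a-logs-reader": {"backend_roles": ["team-a"]},
    "everything": {"users": ["break-glass@example.com"]},
}


def roles_for(user, backend_roles, mappings):
    """Resolve the security roles a user holds via user or backend-role mappings."""
    granted = set()
    for role, mapping in mappings.items():
        if user in mapping.get("users", []):
            granted.add(role)
        if set(backend_roles) & set(mapping.get("backend_roles", [])):
            granted.add(role)
    return granted


def index_access(user, backend_roles, index, roles=EXTRA_ROLES, mappings=EXTRA_ROLE_MAPPINGS):
    """Return the set of allowed actions a user has on one concrete index name.

    Index patterns are matched with shell-style wildcards, which covers the '*'
    patterns used here; upstream also accepts regular expressions, not modelled.
    """
    actions = set()
    for role in roles_for(user, backend_roles, mappings):
        for perm in roles[role].get("index_permissions", []):
            if any(fnmatchcase(index, pattern) for pattern in perm["index_patterns"]):
                actions.update(perm["allowed_actions"])
    return actions


def lint_roles(roles):
    """Flag role definitions that grant wildcard cluster or index permissions."""
    findings = []
    for name, role in roles.items():
        if "*" in role.get("cluster_permissions", []):
            findings.append(f"{name}: wildcard cluster permission")
        for perm in role.get("index_permissions", []):
            if "*" in perm.get("index_patterns", []) and "*" in perm.get("allowed_actions", []):
                findings.append(f"{name}: wildcard actions on all indices")
    return findings


if __name__ == "__main__":
    # Constructed index name; the exact per-namespace naming is not documented on this page.
    print(index_access("alice@example.com", ["team-a"], "kubernetes-team-a-000001"))
    print(index_access("alice@example.com", ["team-a"], "kubernetes-team-b-000001"))
    for finding in lint_roles(EXTRA_ROLES):
        print(finding)
```

The resolver makes the tenancy boundary visible before the roles reach securityadmin: a member of the team-a group gets read on kubernetes-team-a-* and nothing on another namespace's indices, while the break-glass user shows up in the linter output.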

Notes for opensearch.indexPerNamespace

When enabled logs are ingested into multiple indices per namespace. When disabled logs are ingested into a single kubernetes index.

Note

Must be set for both service and workload cluster.

Notes for opensearch.ism.additionalPolicies

When set OpenSearch will be configured with additional index state management policies.

The keys will be used as the name of the index state management policy.

Note

See the upstream documentation for reference.

Notes for opensearch.ism.defaultPolicies

When enabled OpenSearch will be configured with the default index state management policies for:

  • authlog
  • kubeaudit
  • kubernetes
  • other

Notes for opensearch.masterNode.javaOpts

Set Java Virtual Machine Options to control the memory allocation of OpenSearch.

As a rule of thumb, the minimum allocation -Xms and the maximum allocation -Xmx should be set to the same value so that memory usage is predictable. Additionally, until the heap allocation reaches 2 GiB or more, it is recommended that the memory limit set in Kubernetes is twice the heap allocation, since OpenSearch uses the memory outside the heap for cache.

Notes for opensearch.masterNode.nodeSelector

Kubernetes node selector

Kubernetes assign pod node

Examples:

{'kubernetes.io/os': 'linux'}

Notes for opensearch.masterNode.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for opensearch.masterNode.storageClass

Set storage class for OpenSearch.

  • If set to null, the default storage class will be used to provision the volumes.
  • If set to -, no storage class will be used to provision the volumes.

Notes for opensearch.plugins.installExternalObjectStoragePlugin

When enabled OpenSearch will install the required object storage plugin when it starts.

In an air-gapped environment where the nodes are not connected to the Internet, set this to false to prevent downloading any external object storage plugins.

Notes for opensearch.securityadmin.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for opensearch.subdomain

Subdomain of opsDomain that the Ingress to OpenSearch will be created with.

Note

Must be set for both service and workload cluster.

openstackMonitoring

Configure the collection of metrics for OpenStack components.

Key Type Default Description
openstackMonitoring.enabled boolean

prometheus

Configure Prometheus.

Prometheus automatically collects metrics via ServiceMonitors, PodMonitors, and Probes, and pushes metrics to Thanos for long term storage. Additionally Prometheus evaluates recording rules for both service and workload cluster, and all alerting rules for the workload cluster.

Note

Prometheus is installed in both service cluster and workload cluster, so this configuration applies there with some exceptions.

Key Type Default Description
prometheus.additionalScrapeConfigs[] array See note
prometheus.affinity object Affinity is a group of affinity scheduling rules.
prometheus.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
prometheus.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
prometheus.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
prometheus.alertmanagerSpec object See note
prometheus.alertmanagerSpec.affinity object Affinity is a group of affinity scheduling rules.
prometheus.alertmanagerSpec.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
prometheus.alertmanagerSpec.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
prometheus.alertmanagerSpec.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
prometheus.alertmanagerSpec.groupBy[] array of string See note
prometheus.alertmanagerSpec.replicas number 2
prometheus.alertmanagerSpec.resources object See note
prometheus.alertmanagerSpec.resources.limits object
prometheus.alertmanagerSpec.resources.requests object
prometheus.alertmanagerSpec.storage object Configure persistent storage for Alertmanager.
prometheus.alertmanagerSpec.storage.volumeClaimTemplate object Configure persistent storage for Alertmanager.
prometheus.alertmanagerSpec.storage.volumeClaimTemplate.spec object Configure persistent storage for Alertmanager.
prometheus.alertmanagerSpec.storage.volumeClaimTemplate.spec.accessModes[] array of string Configure the access mode of the persistent storage for Alertmanager.
prometheus.alertmanagerSpec.storage.volumeClaimTemplate.spec.resources object See note
prometheus.alertmanagerSpec.storage.volumeClaimTemplate.spec.resources.limits object
prometheus.alertmanagerSpec.storage.volumeClaimTemplate.spec.resources.requests object
prometheus.alertmanagerSpec.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
prometheus.alertmanagerSpec.topologySpreadConstraints[] array TopologySpreadConstraints describes how pods should spread across topology domains.
prometheus.autoscaledNodeGroupAlerts object Configure whether to split KubeletDownForXm alerts into autoscaled and non-autoscaled nodes groups.
prometheus.autoscaledNodeGroupAlerts.enabled boolean True
prometheus.autoscaledNodeGroupAlerts.groupLabel string node-restriction.kubernetes.io/autoscaled-node-type The label used to identify whether a node belongs to an autoscaled node group.
prometheus.autoscaledNodeGroupAlerts.groupLabelValues[] array of string The label values that identify the autoscaled node groups when there are several of them.
prometheus.capacityManagementAlerts object Configure capacity management alerts.
prometheus.capacityManagementAlerts.disklimit number 75 Alert when a disk's usage reaches the limit in percent.
prometheus.capacityManagementAlerts.enabled boolean True
prometheus.capacityManagementAlerts.nodeGroupRequestsExcludePattern string See note
prometheus.capacityManagementAlerts.persistentVolume object Configure capacity management alerts on persistent volumes.
prometheus.capacityManagementAlerts.persistentVolume.enabled boolean True
prometheus.capacityManagementAlerts.persistentVolume.limit number 75 Alert when a persistent volume's usage reaches the limit in percent.
prometheus.capacityManagementAlerts.predictUsage boolean
prometheus.capacityManagementAlerts.requestLimit object Alert when a node's resource requests reaches the limits in percent.
prometheus.capacityManagementAlerts.requestLimit.cpu number 80 Configure a CPU request percentage limit to alert for.
prometheus.capacityManagementAlerts.requestLimit.memory number 80 Configure a memory request percentage limit to alert for.
prometheus.capacityManagementAlerts.usagelimit number 95
prometheus.devAlertmanager object Configuration options for deploying an application developer-specific Alertmanager. Configuration shared with the service cluster alertmanager can be configured via .alertmanagerSpec.
prometheus.devAlertmanager.enabled boolean Enable an Alertmanager for application developers.
prometheus.devAlertmanager.ingressEnabled boolean Expose the application developer Alertmanager through an Ingress protected with basic auth.
prometheus.devAlertmanager.namespace string alertmanager Namespace to run the application developer Alertmanager in.
prometheus.devAlertmanager.username string
prometheus.diskAlerts object Configure disk alerts.
prometheus.diskAlerts.inode object Configure disk alerts based on inode usage.
prometheus.diskAlerts.inode.predictLinear[] array of object See note
prometheus.diskAlerts.inode.space[] array of object See note
prometheus.diskAlerts.perf object Configure performance disk alerts.
prometheus.diskAlerts.perf.enabled boolean
prometheus.diskAlerts.perf.queueSizeThreshold number 5
prometheus.diskAlerts.perf.readWaitTimeThreshold number 1
prometheus.diskAlerts.perf.writeWaitTimeThreshold number 1
prometheus.diskAlerts.storage object Configure disk alerts based on storage usage.
prometheus.diskAlerts.storage.predictLinear[] array of object See note
prometheus.diskAlerts.storage.space[] array of object See note
prometheus.nodeSelector object See note
prometheus.replicas number 1
prometheus.resources object See note
prometheus.resources.limits object
prometheus.resources.requests object
prometheus.retention object Configure retention for Prometheus.
prometheus.retention.age string 3d Configure the time range Prometheus will retain metrics for.
prometheus.retention.alertmanager string See note
prometheus.retention.size string 4GiB Configure the total size Prometheus will retain metrics for.
prometheus.s3BucketAlerts object Configure S3 bucket alerts.
prometheus.s3BucketAlerts.buckets[] array of object Definitions for specific S3 bucket alerts.
prometheus.s3BucketAlerts.exclude[] array of string Exclude buckets from S3 alerts.
prometheus.s3BucketAlerts.objects object Alert when an S3 bucket reaches the set percentage of the set number of objects.
prometheus.s3BucketAlerts.objects.count number 1638400
prometheus.s3BucketAlerts.objects.enabled boolean
prometheus.s3BucketAlerts.objects.percent number Percentage, 0% - 100%
prometheus.s3BucketAlerts.size object Alert when an S3 bucket reaches the set percentage of the set size.
prometheus.s3BucketAlerts.size.enabled boolean
prometheus.s3BucketAlerts.size.percent number Percentage, 0% - 100%
prometheus.s3BucketAlerts.size.sizeQuotaGB number 1000
prometheus.s3BucketAlerts.totalSize object Alert when all S3 buckets together reach the set percentage of the set size.
prometheus.s3BucketAlerts.totalSize.enabled boolean
prometheus.s3BucketAlerts.totalSize.percent number Percentage, 0% - 100%
prometheus.s3BucketAlerts.totalSize.sizeQuotaGB number 1000
prometheus.storage object Configure the persistent volume claim used for Prometheus storage.
prometheus.storage.enabled boolean By default Prometheus instances run without storage and are treated as ephemeral. See ADR-0007 for context.
prometheus.storage.size string 5Gi
prometheus.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
prometheus.topologySpreadConstraints[] array TopologySpreadConstraints describes how pods should spread across topology domains.
prometheus.webhookAlerts object Configure webhook alerts.
prometheus.webhookAlerts.enabled boolean True

Notes for prometheus.additionalScrapeConfigs[]

Configure additional scrape configs for Prometheus.

Note

See the upstream documentation for reference.

Notes for prometheus.alertmanagerSpec

Configure service cluster & workload cluster Alertmanager.

Alertmanager receives alerts from Prometheus and Thanos and forwards them to the configured notification channel.

Note

Alertmanager is installed in both service cluster and workload cluster, however this configuration key only applies to the service cluster, use user.alertmanager to configure it in the workload cluster.

Notes for prometheus.alertmanagerSpec.groupBy[]

Configure Alertmanager to group certain alerts based on labels.

Note

See the upstream documentation for reference.

Notes for prometheus.alertmanagerSpec.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for prometheus.alertmanagerSpec.storage.volumeClaimTemplate.spec.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for prometheus.capacityManagementAlerts.nodeGroupRequestsExcludePattern

Configure a pattern of node groups to exclude from the resource request alerts. This can be used to exclude certain node groups from request alerts, while still getting usage alerts for those node groups.

Examples:

.*redis.*|.*postgres.*

Notes for prometheus.diskAlerts.inode.predictLinear[]

Configure disk alerts when inode usage is predicted to reach the limit.

The hours key is only supported when configured under predictLinear.

Notes for prometheus.diskAlerts.inode.space[]

Configure disk alerts when inode usage reaches the limit.

The hours key is only supported when configured under predictLinear.

Notes for prometheus.diskAlerts.storage.predictLinear[]

Configure disk alerts when disk usage is predicted to reach the limit.

The hours key is only supported when configured under predictLinear.

Notes for prometheus.diskAlerts.storage.space[]

Configure disk alerts when disk usage reaches the limit.

The hours key is only supported when configured under predictLinear.

Notes for prometheus.nodeSelector

Kubernetes node selector

Kubernetes assign pod node

Examples:

{'kubernetes.io/os': 'linux'}

Notes for prometheus.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for prometheus.retention.alertmanager

An amount of time

Examples:

300s
72h
3d

prometheusBlackboxExporter

Configure Prometheus Blackbox Exporter, the exporter used for probing endpoints.

Key Type Default Description
prometheusBlackboxExporter.affinity object Affinity is a group of affinity scheduling rules.
prometheusBlackboxExporter.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
prometheusBlackboxExporter.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
prometheusBlackboxExporter.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
prometheusBlackboxExporter.customKubeapiTargets[] array of object Configure custom Kube API targets Prometheus Blackbox Exporter should probe.
prometheusBlackboxExporter.hostAliases[] array of object Configure host aliases to resolve internally within the Pod.
prometheusBlackboxExporter.resources object See note
prometheusBlackboxExporter.resources.limits object
prometheusBlackboxExporter.resources.requests object
prometheusBlackboxExporter.targets object Configure the targets Prometheus Blackbox Exporter should probe.
prometheusBlackboxExporter.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration

Notes for prometheusBlackboxExporter.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

prometheusNodeExporter

Configure Prometheus Node Exporter, the exporter used for collecting node metrics.

Notes for prometheusNodeExporter.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

prometheusOperator

Configure Prometheus Operator.

Notes for prometheusOperator.prometheusConfigReloader.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for prometheusOperator.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

rookCeph

Configure support for Rook Ceph.

This is deprecated and should be configured via compliantkubernetes-kubespray if used.

Key Type Default Description
rookCeph.gatekeeperPsp object Configure Pod Security Policies for Rook Ceph.
rookCeph.gatekeeperPsp.enabled boolean
rookCeph.monitoring object Configure Monitoring for Rook Ceph.
rookCeph.monitoring.enabled boolean

s3Exporter

Configure S3 exporter, used to collect metrics about S3 usage.

Key Type Default Description
s3Exporter.affinity object Affinity is a group of affinity scheduling rules.
s3Exporter.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
s3Exporter.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
s3Exporter.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
s3Exporter.enabled boolean True
s3Exporter.interval string 60m
s3Exporter.nodeSelector object See note
s3Exporter.resources object See note
s3Exporter.resources.limits object
s3Exporter.resources.requests object
s3Exporter.scrapeTimeout string
s3Exporter.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration

Notes for s3Exporter.nodeSelector

Kubernetes node selector

Kubernetes assign pod node

Examples:

{'kubernetes.io/os': 'linux'}

Notes for s3Exporter.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

storageClasses

Configuration options for using block storage in Welkin

Key Type Default Description
storageClasses.default string default The StorageClass to use for all persistent volumes in Welkin.

tektonPipelines

Configure Tekton Pipelines

Notes for tektonPipelines.controller.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for tektonPipelines.customConfigDefaults

Configure custom default options for Tekton

Note

See the upstream documentation for available default config options.

Examples:

{'default-timeout-minutes': '30'}

Notes for tektonPipelines.remoteResolvers.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for tektonPipelines.webhook.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

thanos

Configuration for Thanos.

Thanos ingests metrics sent from Prometheus in both the service and workload clusters, and stores them in object storage.

This requires that objectStorage is configured, and will use the bucket or container set in objectStorage.buckets.thanos.

Note

Thanos and its components are installed in the service cluster, so this configuration mainly applies there.

Key Type Default Description
thanos.bucketweb object Configure Thanos Bucket Web, the UI to view the state of the bucket or container in use by Thanos.
thanos.bucketweb.resources object See note
thanos.bucketweb.resources.limits object
thanos.bucketweb.resources.requests object
thanos.compactor object See note
thanos.compactor.deduplication string none See note
thanos.compactor.persistence object Configure persistence for Thanos Compactor.
thanos.compactor.persistence.enabled boolean True
thanos.compactor.persistence.size string 8Gi
thanos.compactor.resources object See note
thanos.compactor.resources.limits object
thanos.compactor.resources.requests object
thanos.compactor.retentionResolution1h string See note
thanos.compactor.retentionResolution5m string See note
thanos.compactor.retentionResolutionRaw string See note
thanos.compactor.verticalCompaction boolean When enabled, series of metrics from multiple replicas are merged into one.
thanos.enabled boolean True Note: must be set for both service and workload clusters.
thanos.metrics object Configure metrics collected from Thanos.
thanos.metrics.enabled boolean True
thanos.metrics.serviceMonitor object Configure the service monitor used to collect metrics from Thanos.
thanos.metrics.serviceMonitor.enabled boolean True
thanos.objectStorage object Configure Object Storage for Thanos.

Allows for using OpenStack Swift as the object storage backend type.
thanos.objectStorage.type string See note
thanos.query object Configure Thanos Query, the component executing metric queries.
thanos.query.affinity object Affinity is a group of affinity scheduling rules.
thanos.query.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
thanos.query.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
thanos.query.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
thanos.query.enabled boolean True
thanos.query.replicaCount number 1
thanos.query.resources object See note
thanos.query.resources.limits object
thanos.query.resources.requests object
thanos.query.topologySpreadConstraints[] array TopologySpreadConstraints describes how pods should spread across topology domains.
thanos.queryFrontend object Configure Thanos Query Frontend, the component serving query requests from Grafana.
thanos.queryFrontend.resources object See note
thanos.queryFrontend.resources.limits object
thanos.queryFrontend.resources.requests object
thanos.receiveDistributor object Configure Thanos Receive Distributor, the component serving remote write requests from Prometheus.

Also called routing receiver upstream.
thanos.receiveDistributor.extraFlags[] array See note
thanos.receiveDistributor.receiveHashringsAlgorithm string ketama See note
thanos.receiveDistributor.receiveMaxConcurrency integer 5 Maximum number of concurrent write requests allowed by Thanos receiveDistributor.
thanos.receiveDistributor.replicaCount integer 3
thanos.receiveDistributor.replicationFactor number 1 Requires that incoming remote write requests are successfully replicated to at least (replicationFactor + 1) / 2 receivers.
thanos.receiveDistributor.resources object See note
thanos.receiveDistributor.resources.limits object
thanos.receiveDistributor.resources.requests object
thanos.receiver object Configure Thanos Receiver, the component ingesting metrics collected by Prometheus and storing them in object storage.

Also called ingesting receiver upstream.
thanos.receiver.affinity object Affinity is a group of affinity scheduling rules.
thanos.receiver.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
thanos.receiver.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
thanos.receiver.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
thanos.receiver.basic_auth object Configure authentication to Thanos Receiver.
thanos.receiver.basic_auth.username string thanos See note
thanos.receiver.enabled boolean True
thanos.receiver.mode string dual-mode See note
thanos.receiver.outOfOrderTimeWindow string 600s
thanos.receiver.persistence object Configure persistence for Thanos Receiver.
thanos.receiver.persistence.enabled boolean True
thanos.receiver.persistence.size string 50Gi
thanos.receiver.replicaCount number 2
thanos.receiver.resources object See note
thanos.receiver.resources.limits object
thanos.receiver.resources.requests object
thanos.receiver.subdomain string thanos-receiver See note
thanos.receiver.topologySpreadConstraints[] array TopologySpreadConstraints describes how pods should spread across topology domains.
thanos.receiver.tsdbRetention string 15d
thanos.ruler object Configure Thanos Ruler, the component evaluating alerting and recording rules.
thanos.ruler.affinity object Affinity is a group of affinity scheduling rules.
thanos.ruler.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
thanos.ruler.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
thanos.ruler.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
thanos.ruler.configReloader object Configure the config reloader sidecar for Thanos Ruler.
thanos.ruler.configReloader.resources object See note
thanos.ruler.configReloader.resources.limits object
thanos.ruler.configReloader.resources.requests object
thanos.ruler.enabled boolean True
thanos.ruler.persistence object Configure persistence for Thanos Ruler.
thanos.ruler.persistence.enabled boolean
thanos.ruler.persistence.size string 8Gi
thanos.ruler.replicaCount number 2
thanos.ruler.resources object See note
thanos.ruler.resources.limits object
thanos.ruler.resources.requests object
thanos.ruler.topologySpreadConstraints[] array TopologySpreadConstraints describes how pods should spread across topology domains.
thanos.storegateway object Configure Thanos Store Gateway, the component fetching metrics from object storage.
thanos.storegateway.persistence object Configure persistence for Thanos Store Gateway.
thanos.storegateway.persistence.size string 8Gi
thanos.storegateway.resources object See note
thanos.storegateway.resources.limits object
thanos.storegateway.resources.requests object

Notes for thanos.bucketweb.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for thanos.compactor

Configure Thanos Compactor, the component compacting and deduplicating metrics stored by Thanos.

Note

See the upstream documentation for reference.

Notes for thanos.compactor.deduplication

Configure deduplication of metrics.

Possible values:

none
receiverReplicas
prometheusReplicas

Notes for thanos.compactor.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for thanos.compactor.retentionResolution1h

An amount of time

Examples:

300s
72h
3d

Notes for thanos.compactor.retentionResolution5m

An amount of time

Examples:

300s
72h
3d

Notes for thanos.compactor.retentionResolutionRaw

An amount of time

Examples:

300s
72h
3d

Notes for thanos.objectStorage.type

Possible values:


swift

Notes for thanos.query.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for thanos.queryFrontend.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for thanos.receiveDistributor.extraFlags[]

When set, the arguments will be passed on to the component as command-line flags. Refer to the upstream documentation for more details.

Notes for thanos.receiveDistributor.receiveHashringsAlgorithm

Algorithm used for distributing writes across Thanos receive replicas.

Possible values:

hashmod
ketama

Notes for thanos.receiveDistributor.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for thanos.receiver.basic_auth.username

Configure the username for authenticating to Thanos Receiver.

Note

Must be set for both service and workload clusters.

Notes for thanos.receiver.mode

Possible values:

standalone
dual-mode

Notes for thanos.receiver.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for thanos.receiver.subdomain

Subdomain of opsDomain that the Ingress to Thanos Receive will be created with.

Note

Must be set for both service and workload clusters.

Notes for thanos.ruler.configReloader.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for thanos.ruler.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for thanos.storegateway.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

trivy

Configure Trivy Operator.

Trivy automatically scans the cluster for vulnerabilities, misconfigurations, and exposed secrets.

Key Type Default Description
trivy.affinity object Affinity is a group of affinity scheduling rules.
trivy.affinity.nodeAffinity Describes node affinity scheduling rules for the pod.
trivy.affinity.podAffinity Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)).
trivy.affinity.podAntiAffinity Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)).
trivy.enabled boolean True
trivy.excludeNamespaces string Configure a comma-separated list of namespaces (or glob patterns) to exclude from Trivy scanners.
trivy.nodeCollector object Configure the node collector created by Trivy.
trivy.nodeCollector.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
trivy.resources object See note
trivy.resources.limits object
trivy.resources.requests object
trivy.scanJobs object Configure the scan jobs created by Trivy.
trivy.scanJobs.concurrentLimit number 1
trivy.scanJobs.retryDelay string 1m
trivy.scanJobs.timeout string 5m
trivy.scanner object See note
trivy.scanner.dbRegistry string
trivy.scanner.dbRepository string
trivy.scanner.dbRepositoryInsecure boolean
trivy.scanner.imagePullSecret object Configure an image pull secret for Trivy to use.

Create the secret in the monitoring namespace, then configure its name here.
trivy.scanner.imagePullSecret.name string
trivy.scanner.javaDbRegistry string
trivy.scanner.javaDbRepository string
trivy.scanner.offlineScanEnabled boolean
trivy.scanner.registry object Configure registries for Trivy.
trivy.scanner.registry.mirror object See note
trivy.scanner.resources object See note
trivy.scanner.resources.limits object
trivy.scanner.resources.requests object
trivy.scanner.timeout string See note
trivy.serviceMonitor object Configure the service monitor collecting metrics from Trivy.
trivy.serviceMonitor.enabled boolean True
trivy.serviceMonitor.interval string See note
trivy.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
trivy.vulnerabilityScanner object Configure the vulnerability scanner for Trivy.
trivy.vulnerabilityScanner.scanOnlyCurrentRevisions boolean True
trivy.vulnerabilityScanner.scannerReportTTL string See note

Notes for trivy.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for trivy.scanner

Configure the scanner used by Trivy.

Note

Many of these must be configured to support an air-gapped environment. See the admin documentation for reference.

Notes for trivy.scanner.registry.mirror

Configure registry mirrors for Trivy.

The key represents the original registry and the value the mirror registry.

Examples:

{'docker.io': 'registry.example.com:5000', 'gcr.io': 'registry.example.com:5000', 'ghcr.io': 'registry.example.com:5000', 'index.docker.io': 'registry.example.com:5000', 'quay.io': 'registry.example.com:5000', 'registry.k8s.io': 'registry.example.com:5000'}

Notes for trivy.scanner.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for trivy.scanner.timeout

A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m".

Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

Examples:

2h45m0s

Notes for trivy.serviceMonitor.interval

An amount of time

Examples:

300s
72h
3d

Notes for trivy.vulnerabilityScanner.scannerReportTTL

An amount of time

Examples:

300s
72h
3d

user

Configuration for Application Developers (users) that use the workload cluster.

Key Type Default Description
user.adminGroups[] array of string List of groups that Application Developers are a part of and that should have access to the cluster.
user.adminUsers[] array of string List of Application Developers that should have access to the cluster.
user.constraints object See note
user.createNamespaces boolean This only controls whether the namespaces are created; user RBAC is always created.
user.extraClusterRoleBindings object Configure extra ClusterRoleBindings for Application Developers
user.extraClusterRoles object Configure extra ClusterRoles that are not originally part of Welkin
These are intended to be used for Application Developers
user.extraRoleBindings object Configure extra RoleBindings for Application Developers
The RoleBindings are added to all Application Developer namespaces configured in user.namespaces
user.extraRoles object Configure extra Roles for Application Developers
The Roles are added to all Application Developer namespaces configured in user.namespaces
user.fluxv2 object Installs required cluster resources needed to install fluxv2.

Requires that gatekeeper.allowUserCRDs.enabled is enabled.
user.fluxv2.enabled boolean
user.kafka object Installs required cluster resources needed to install kafka-operator.

Requires that gatekeeper.allowUserCRDs.enabled is enabled.
user.kafka.enabled boolean
user.mongodb object Installs required cluster resources needed to install MongoDB.

Requires that gatekeeper.allowUserCRDs.enabled is enabled.
user.mongodb.enabled boolean
user.namespaces[] array of string See note
user.sealedSecrets object Installs required cluster resources needed to install sealedSecrets.

Requires that gatekeeper.allowUserCRDs.enabled is enabled.
user.sealedSecrets.enabled boolean
user.serviceAccounts[] array of string See note

Notes for user.constraints

Any namespace listed in constraints is exempted from HNC-managed namespaces.

This is used to override the Pod Security Admission level.

An example constraint can be found here: Example Constraint

The only extra label, `psaLevel`, is shown in the following example:

<namespace>:
  psaLevel: <baseline/privileged>
  <service-name>:
    ...

Notes for user.namespaces[]

List of namespaces that should be created for Application Developer.

It is common to create one namespace for the Application Developer and then create namespaces via HNC.

Requires that user.createNamespaces is enabled.

Notes for user.serviceAccounts[]

List of serviceAccounts to create RBAC rules for, used for dev situations.

Application developer kube-config for contributors

velero

Configure Velero, the backup and snapshot tool for Kubernetes resources and volumes.

This requires that objectStorage is configured, and will use the bucket or container set in objectStorage.buckets.velero.

Key Type Default Description
velero.enabled boolean True
velero.excludedExtraNamespaces[] array of string Configure dynamic namespaces to exclude from backups, prefer this for overrides over excludedNamespaces.
velero.excludedNamespaces[] array of string Configure system namespaces to exclude from backups.
velero.nodeAgent object Configure the node agent of Velero, used to take snapshots of volumes.
velero.nodeAgent.resources object See note
velero.nodeAgent.resources.limits object
velero.nodeAgent.resources.requests object
velero.nodeAgent.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
velero.nodeSelector object See note
velero.resources object See note
velero.resources.limits object
velero.resources.requests object
velero.restoreResourcePriorities[] array of string See note
velero.retentionPeriod string See note
velero.schedule string
velero.storagePrefix string See note
velero.tolerations[] array Kubernetes Tolerations

Kubernetes taint and toleration
velero.uploaderType string See note
velero.useVolumeSnapshots boolean

Notes for velero.nodeAgent.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for velero.nodeSelector

Kubernetes node selector

Kubernetes assign pod node

Examples:

{'kubernetes.io/os': 'linux'}

Notes for velero.resources

Resource requests are used by the kube-scheduler to pick a node to schedule pods on.

Limits are enforced. Resources are commonly 'cpu' and 'memory'.

Examples:

{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}

Notes for velero.restoreResourcePriorities[]

Configure restore order for resources

Notes for velero.retentionPeriod

A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m".

Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".

Examples:

2h45m0s

Notes for velero.storagePrefix

Configure unique storage prefix for this cluster when storing backups and snapshots in object storage.

When multiple workload clusters share the same bucket or container, ensure that they use separate storage prefixes.

Examples:

service-cluster
workload-cluster

Notes for velero.uploaderType

Possible values:

kopia
restic

wcProbeIngress

Configure a probe for the workload cluster Ingress Controller.

Key Type Default Description
wcProbeIngress.enabled boolean

welcomingDashboard

To add extra text to the Grafana/OpenSearch "welcoming dashboards", write the text in these values as a one-line string. Note that the first line of the string is a header and that not all characters are supported. For a newline in the Grafana dashboard, use \n.

Key Type Default Description
welcomingDashboard.extraTextGrafana string See note
welcomingDashboard.extraTextOpensearch string Extra text added to the Opensearch welcoming dashboard.
welcomingDashboard.extraVersions[] array of object List of additional components to list on the welcoming dashboard.

Additional component to list on the welcoming dashboard.

Notes for welcomingDashboard.extraTextGrafana

Extra text added to the Grafana welcoming dashboard.

Examples:

Hello\n\n[This is an example link](https:/elastisys.io)