Config
This table was generated from config.yaml.
Cells marked with "—" mean "not specified in schema".
alerts¶
Configure alerting.
Notes for alerts.customReceivers[]
Additional receivers that will be added to the configuration of alertmanager
Note
See the upstream documentation for reference.
Notes for alerts.customRoutes[]
Additional route receivers that will be added to the configuration of alertmanager
Note
See the upstream documentation for reference.
Notes for alerts.runbookUrls.alertmanager
Example:
group: link-to-alert-group-runbook AlertName: link-to-specific-alert-runbook
Uses upstream runbooks by default
https://runbooks.prometheus-operator.dev/runbooks/
Notes for alerts.runbookUrls.backupStatus
Example:
group: link-to-alert-group-runbook AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default
Notes for alerts.runbookUrls.blackbox
Example:
group: link-to-alert-group-runbook AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default
Notes for alerts.runbookUrls.certManager
Example:
group: link-to-alert-group-runbook AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default
Notes for alerts.runbookUrls.clusterApi
Example:
group: link-to-alert-group-runbook AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default
Notes for alerts.runbookUrls.clusterAutoscaler
Example:
group: link-to-alert-group-runbook AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default
Notes for alerts.runbookUrls.clusterCapacityManagement
Example:
group: link-to-alert-group-runbook AlertName: link-to-specific-alert-runbook
Uses upstream runbooks by default
https://runbooks.prometheus-operator.dev/runbooks/
Notes for alerts.runbookUrls.configReloaders
Example:
group: link-to-alert-group-runbook AlertName: link-to-specific-alert-runbook
Uses upstream runbooks by default
https://runbooks.prometheus-operator.dev/runbooks/
Notes for alerts.runbookUrls.coreDns
Example:
group: link-to-alert-group-runbook AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default
Notes for alerts.runbookUrls.dailyChecks
Example:
group: link-to-alert-group-runbook AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default
Notes for alerts.runbookUrls.diskPerf
Example:
group: link-to-alert-group-runbook AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default
Notes for alerts.runbookUrls.falco
Example:
group: link-to-alert-group-runbook AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default
Notes for alerts.runbookUrls.fluentd
Example:
group: link-to-alert-group-runbook AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default
Notes for alerts.runbookUrls.general
Example:
group: link-to-alert-group-runbook AlertName: link-to-specific-alert-runbook
Uses upstream runbooks by default
https://runbooks.prometheus-operator.dev/runbooks/
Notes for alerts.runbookUrls.harbor
Example:
group: link-to-alert-group-runbook AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default
Notes for alerts.runbookUrls.hnc
Example:
group: link-to-alert-group-runbook AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default
Notes for alerts.runbookUrls.kubeStateMetrics
Example:
group: link-to-alert-group-runbook AlertName: link-to-specific-alert-runbook
Uses upstream runbooks by default
https://runbooks.prometheus-operator.dev/runbooks/
Notes for alerts.runbookUrls.kubernetesApps
Example:
group: link-to-alert-group-runbook AlertName: link-to-specific-alert-runbook
Uses upstream runbooks by default
https://runbooks.prometheus-operator.dev/runbooks/
Notes for alerts.runbookUrls.kubernetesResources
Example:
group: link-to-alert-group-runbook AlertName: link-to-specific-alert-runbook
Uses upstream runbooks by default
https://runbooks.prometheus-operator.dev/runbooks/
Notes for alerts.runbookUrls.kubernetesStorage
Example:
group: link-to-alert-group-runbook AlertName: link-to-specific-alert-runbook
Uses upstream runbooks by default
https://runbooks.prometheus-operator.dev/runbooks/
Notes for alerts.runbookUrls.kubernetesSystem
Example:
group: link-to-alert-group-runbook AlertName: link-to-specific-alert-runbook
Uses upstream runbooks by default
https://runbooks.prometheus-operator.dev/runbooks/
Notes for alerts.runbookUrls.kured
Example:
group: link-to-alert-group-runbook AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default
Notes for alerts.runbookUrls.missingMetrics
Example:
group: link-to-alert-group-runbook AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default
Notes for alerts.runbookUrls.nodeExporter
Example:
group: link-to-alert-group-runbook AlertName: link-to-specific-alert-runbook
Uses upstream runbooks by default
https://runbooks.prometheus-operator.dev/runbooks/
Notes for alerts.runbookUrls.nodeNetwork
Example:
group: link-to-alert-group-runbook AlertName: link-to-specific-alert-runbook
Uses upstream runbooks by default
https://runbooks.prometheus-operator.dev/runbooks/
Notes for alerts.runbookUrls.opensearch
Example:
group: link-to-alert-group-runbook AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default
Notes for alerts.runbookUrls.openstack
Example:
group: link-to-alert-group-runbook AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default
Notes for alerts.runbookUrls.packetsDropped
Example:
group: link-to-alert-group-runbook AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default
Notes for alerts.runbookUrls.prometheus
Example:
group: link-to-alert-group-runbook AlertName: link-to-specific-alert-runbook
Uses upstream runbooks by default
https://runbooks.prometheus-operator.dev/runbooks/
Notes for alerts.runbookUrls.prometheusOperator
Example:
group: link-to-alert-group-runbook AlertName: link-to-specific-alert-runbook
Uses upstream runbooks by default
https://runbooks.prometheus-operator.dev/runbooks/
Notes for alerts.runbookUrls.thanos
Example:
group: link-to-alert-group-runbook AlertName: link-to-specific-alert-runbook
Uses upstream runbooks by default
https://github.com/thanos-io/thanos/tree/main/mixin/runbook.md
Notes for alerts.runbookUrls.webhook
Example:
group: link-to-alert-group-runbook AlertName: link-to-specific-alert-runbook
Uses no upstream runbook by default
certmanager¶
Configure cert-manager, used to provision certificates either self-signed or via Let's Encrypt.
| Key | Type | Default | Description |
|---|---|---|---|
| certmanager. |
object | — | Affinity is a group of affinity scheduling rules. |
| certmanager. |
— | — | Describes node affinity scheduling rules for the pod. |
| certmanager. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| certmanager. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| certmanager. |
object | — | This is meant to describe the base class if you will, for Welkin resources. |
| certmanager. |
object | — | Affinity is a group of affinity scheduling rules. |
| certmanager. |
— | — | Describes node affinity scheduling rules for the pod. |
| certmanager. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| certmanager. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| certmanager. |
boolean | — | — |
| certmanager. |
array of string | — | Extra arguments passed to a container |
| certmanager. |
object | — | See note |
| certmanager. |
object | — | See note |
| certmanager. |
object | — | — |
| certmanager. |
object | — | — |
| certmanager. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
| certmanager. |
array | — | TopologySpreadConstraints describes how pods should spread across topology domains. |
| certmanager. |
array of string | — | Extra arguments passed to a container |
| certmanager. |
object | — | See note |
| certmanager. |
object | — | See note |
| certmanager. |
object | — | — |
| certmanager. |
object | — | — |
| certmanager. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
| certmanager. |
array | — | TopologySpreadConstraints describes how pods should spread across topology domains. |
| certmanager. |
object | — | This is meant to describe the base class if you will, for Welkin resources. |
| certmanager. |
object | — | Affinity is a group of affinity scheduling rules. |
| certmanager. |
— | — | Describes node affinity scheduling rules for the pod. |
| certmanager. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| certmanager. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| certmanager. |
boolean | — | — |
| certmanager. |
array of string | — | Extra arguments passed to a container |
| certmanager. |
object | — | See note |
| certmanager. |
object | — | See note |
| certmanager. |
object | — | — |
| certmanager. |
object | — | — |
| certmanager. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
| certmanager. |
array | — | TopologySpreadConstraints describes how pods should spread across topology domains. |
Notes for certmanager.cainjector.nodeSelector
Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for certmanager.cainjector.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for certmanager.nodeSelector
Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for certmanager.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for certmanager.webhook.nodeSelector
Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for certmanager.webhook.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
clusterAdmin¶
Configure the cluster admins.
| Key | Type | Default | Description |
|---|---|---|---|
| clusterAdmin. |
array of string | — | Configure the cluster admin groups. |
| clusterAdmin. |
array of string | — | Configure the cluster admin users. |
clusterApi¶
Set to true if kubernetes is installed with cluster-api.
| Key | Type | Default | Description |
|---|---|---|---|
| clusterApi. |
array of string | — | List of clusters to monitor. Used when monitoring clusters for autoscaling. |
| clusterApi. |
boolean | — | — |
| clusterApi. |
object | — | Enable autoscaling monitoring of cluster API clusters. |
| clusterApi. |
boolean | — | — |
dex¶
Configure Dex, the federated OIDC Identity Provider.
Note
Dex is installed in the service cluster, so this configuration mainly applies there.
| Key | Type | Default | Description |
|---|---|---|---|
| dex. |
array of string | — | Configure Dex with additional Kubelogin redirects. |
| dex. |
object | — | Affinity is a group of affinity scheduling rules. |
| dex. |
— | — | Describes node affinity scheduling rules for the pod. |
| dex. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| dex. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| dex. |
boolean | True |
Configure Dex with a static password login admin@example.com. |
| dex. |
object | — | Configure expiry when authenticating with Dex. |
| dex. |
string | — | See note |
| dex. |
string | — | See note |
| dex. |
object | — | Configure expiry of refresh tokens when authenticating with Dex. |
| dex. |
string | — | See note |
| dex. |
string | — | See note |
| dex. |
string | — | See note |
| dex. |
string | — | See note |
| dex. |
object | — | Configure Dex with specific options when using the Google connector. |
| dex. |
string | — | — |
| dex. |
boolean | — | — |
| dex. |
object | — | See note |
| dex. |
number | 2 |
— |
| dex. |
object | — | See note |
| dex. |
object | — | — |
| dex. |
object | — | — |
| dex. |
object | — | Configure the Service Monitor collecting metrics from Dex. |
| dex. |
boolean | True |
— |
| dex. |
string | dex |
See note |
| dex. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
| dex. |
array | — | TopologySpreadConstraints describes how pods should spread across topology domains. |
Notes for dex.expiry.deviceRequests
An amount of time
Examples:
300s
72h
3d
Notes for dex.expiry.idToken
An amount of time
Examples:
300s
72h
3d
Notes for dex.expiry.refreshTokens.absoluteLifetime
An amount of time
Examples:
300s
72h
3d
Notes for dex.expiry.refreshTokens.reuseInterval
An amount of time
Examples:
300s
72h
3d
Notes for dex.expiry.refreshTokens.validIfNotUsedFor
An amount of time
Examples:
300s
72h
3d
Notes for dex.expiry.signingKeys
An amount of time
Examples:
300s
72h
3d
Notes for dex.nodeSelector
Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for dex.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for dex.subdomain
Subdomain of baseDomain that the Ingress to Dex will be created with.
Note
Must be set for both service and workload clusters.
externalDns¶
Configure External DNS.
External DNS manages DNS records based on Kubernetes resources, and can automatically configure DNS records from:
- CRD resources
- Ingress resources
- Service resources
Currently only AWS Route 53 is supported as the DNS provider.
Note
See the upstream documentation for reference.
| Key | Type | Default | Description |
|---|---|---|---|
| externalDns. |
object | — | Affinity is a group of affinity scheduling rules. |
| externalDns. |
— | — | Describes node affinity scheduling rules for the pod. |
| externalDns. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| externalDns. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| externalDns. |
array of string | — | Configure the domains External DNS should manage. |
| externalDns. |
boolean | — | — |
| externalDns. |
array of object | — | See note |
| externalDns. |
array of string | — | Extra arguments passed to a container |
| externalDns. |
string | — | See note |
| externalDns. |
boolean | — | — |
| externalDns. |
string | — | See note |
| externalDns. |
object | — | See note |
| externalDns. |
object | — | — |
| externalDns. |
object | — | — |
| externalDns. |
object | — | Configure the sources External DNS should manage DNS records for. |
| externalDns. |
boolean | — | — |
| externalDns. |
boolean | — | — |
| externalDns. |
boolean | — | — |
| externalDns. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
| externalDns. |
array | — | TopologySpreadConstraints describes how pods should spread across topology domains. |
| externalDns. |
string | — | Configure a prefix to TXT records. This is required with AWS Route 53 if CNAME records are preferred over A/AAAA records as it cannot handle both at the same time. |
Notes for externalDns.endpoints[]
Configure the endpoints to create DNS records for.
Requires externalDns.sources.crd to be enabled.
Configure an endpoint to create a DNS record for.
Notes for externalDns.logLevel
Examples:
info
Notes for externalDns.provider
Examples:
aws
Notes for externalDns.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
externalTrafficPolicy¶
Configure global ingress external traffic policy.
| Key | Type | Default | Description |
|---|---|---|---|
| externalTrafficPolicy. |
boolean | True |
— |
| externalTrafficPolicy. |
object | — | See note |
Notes for externalTrafficPolicy.whitelistRange
Configure allowlist CIDR ranges for ingresses.
This is done via the ingress annotation nginx.ingress.kubernetes.io/whitelist-source-range.
Set to false to explicitly opt-out of this annotation.
falco¶
Configuration for Falco, runtime security tool and threat detection.
| Key | Type | Default | Description |
|---|---|---|---|
| falco. |
object | — | Affinity is a group of affinity scheduling rules. |
| falco. |
— | — | Describes node affinity scheduling rules for the pod. |
| falco. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| falco. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| falco. |
object | — | Configure Falco alerts sent from Falco sidekick. |
| falco. |
boolean | — | — |
| falco. |
string | http://alertmanager-operated.monitoring:9093 |
Configure the notification channel for Falco alerts. |
| falco. |
string | notice |
Configure the notification priority for Falco alerts. |
| falco. |
string | alertmanager |
See note |
| falco. |
object | — | Configure Falcoctl artefact management. See the upstream repository for reference. |
| falco. |
object | — | Configure Falcoctl artefact install. |
| falco. |
boolean | — | Configure Falcoctl to install additional artifacts before Falco starts. Set this to false in an air-gapped environment, unless artifacts are self-hosted and customIndexes are configured. |
| falco. |
array of object | — | Configure custom artefact indices for Falcoctl. Configure custom artefact index for Falcoctl. |
| falco. |
object | — | See note |
| falco. |
object | — | Configuration for the Falco syscall driver used to collect events. See the upstream documentation for more information. |
| falco. |
string | kmod |
See note |
| falco. |
boolean | True |
— |
| falco. |
object | — | Basic configuration for Falco Sidekick, the deployment that forwards Falco alerts to Alertmanager. |
| falco. |
object | — | Affinity is a group of affinity scheduling rules. |
| falco. |
— | — | Describes node affinity scheduling rules for the pod. |
| falco. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| falco. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| falco. |
object | — | See note |
| falco. |
object | — | See note |
| falco. |
object | — | — |
| falco. |
object | — | — |
| falco. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
| falco. |
object | — | See note |
| falco. |
object | — | See note |
| falco. |
object | — | — |
| falco. |
object | — | — |
| falco. |
object | — | Configure standard rules to use in Falco. See the upstream documentation for reference. |
| falco. |
object | — | Configure Falco default rules |
| falco. |
boolean | True |
— |
| falco. |
string | 3.0.1 |
— |
| falco. |
object | — | Configure Falco incubating rules |
| falco. |
boolean | — | — |
| falco. |
string | 3.0.1 |
— |
| falco. |
object | — | Configure Falco sandbox rules |
| falco. |
boolean | — | — |
| falco. |
string | 3.0.1 |
— |
| falco. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
| falco. |
boolean | True |
Attach the Falco process to a TTY inside the container. Needed to flush Falco logs as soon as they are emitted. |
| falco. |
boolean | True |
Use the new container engine collector that replaces the old docker, containerd, crio and podman collectors. |
Notes for falco.alerts.type
Configure the notification channel for Falco alerts.
Possible values:
alertmanager
slack
none
Notes for falco.customRules
Configure custom rules to use in Falco.
Note
See the upstream documentation for reference.
The keys will become the file name of the generated rule file, and all files are parsed in alphabetical order.
Notes for falco.driver.kind
Possible values:
kmod
modern-bpf
ebpf
Notes for falco.falcoSidekick.nodeSelector
Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for falco.falcoSidekick.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for falco.nodeSelector
Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for falco.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
fluentd¶
Configuration for Fluentd.
Fluentd automatically collects logs from all containers running in the environment.
In the service cluster audit, application, and platform logs can be shipped to object storage. In the workload cluster audit logs can be shipped to object storage and application and platform logs to OpenSearch running in the service cluster.
Logs are collected using a daemon set, and in the workload cluster two sets are deployed, one for the system nodes and one for the worker nodes. Application developer can modify two ConfigMaps to add additional configuration and plugins to the set running on the worker nodes.
When logs are shipped to object storage a stateful aggregator is deployed that buffers logs with persistence before they are shipped. When logs are shipped to OpenSearch it is done directly from the forwarder daemons.
Shipping audit and service cluster logs requires that objectStorage is configured, and will use the bucket or container set in objectStorage.buckets.audit and objectStorage.buckets.scLogs respectively.
Note
Fluentd is installed in both service cluster and workload cluster, so this configuration applies there with some exceptions.
| Key | Type | Default | Description |
|---|---|---|---|
| fluentd. |
object | — | Configure Fluentd aggregator, used to buffer logs with persistence before they are shipped to object storage. |
| fluentd. |
object | — | Affinity is a group of affinity scheduling rules. |
| fluentd. |
— | — | Describes node affinity scheduling rules for the pod. |
| fluentd. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| fluentd. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| fluentd. |
object | — | See note |
| fluentd. |
string | — | See note |
| fluentd. |
string | — | See note |
| fluentd. |
string | — | See note |
| fluentd. |
number | — | See note |
| fluentd. |
integer | — | The number of threads to flush/write chunks in parallel. Flushing parameters |
| fluentd. |
boolean | — | If true, plugin will ignore retryTimeout and retryMaxTimes options and retry flushing forever.Retries parameters |
| fluentd. |
integer | — | The maximum interval (seconds) for exponential backoff between retries while failing. Retries parameters |
| fluentd. |
string | — | See note |
| fluentd. |
string | — | See note |
| fluentd. |
boolean | — | Output plugin decides to use UTC or not to format placeholders using timekey. Common/Time parameters |
| fluentd. |
string | — | See note |
| fluentd. |
string | — | See note |
| fluentd. |
object | — | See note |
| fluentd. |
object | — | Configure Fluentd aggregator persistence. |
| fluentd. |
string | 10Gi |
— |
| fluentd. |
object | — | See note |
| fluentd. |
object | — | — |
| fluentd. |
object | — | — |
| fluentd. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
| fluentd. |
object | — | Configure Fluentd audit log collection. |
| fluentd. |
object | — | Configure the compaction of logs stored in object storage. |
| fluentd. |
number | — | Configure the days to consider for compaction or the days to retain. |
| fluentd. |
boolean | True |
— |
| fluentd. |
object | — | Configure the job to run with an ephemeral volume if the nodes risk running out of storage. |
| fluentd. |
boolean | — | — |
| fluentd. |
string | — | — |
| fluentd. |
boolean | — | — |
| fluentd. |
string | — | Configure Fluentd audit log filter stages. To capture audit logs label the logs with the @AUDIT label. |
| fluentd. |
object | — | Configure the retention of logs stored in object storage. |
| fluentd. |
number | — | Configure the days to consider for compaction or the days to retain. |
| fluentd. |
boolean | True |
— |
| fluentd. |
string | — | — |
| fluentd. |
boolean | True |
— |
| fluentd. |
object | — | See note |
| fluentd. |
object | — | Configure Fluentd forwarder, used to collect and forward logs on system nodes. |
| fluentd. |
object | — | Affinity is a group of affinity scheduling rules. |
| fluentd. |
— | — | Describes node affinity scheduling rules for the pod. |
| fluentd. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| fluentd. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| fluentd. |
object | — | See note |
| fluentd. |
string | — | See note |
| fluentd. |
string | — | See note |
| fluentd. |
string | — | See note |
| fluentd. |
number | — | See note |
| fluentd. |
integer | — | The number of threads to flush/write chunks in parallel. Flushing parameters |
| fluentd. |
boolean | — | If true, plugin will ignore retryTimeout and retryMaxTimes options and retry flushing forever.Retries parameters |
| fluentd. |
integer | — | The maximum interval (seconds) for exponential backoff between retries while failing. Retries parameters |
| fluentd. |
string | — | See note |
| fluentd. |
string | — | See note |
| fluentd. |
boolean | — | Output plugin decides to use UTC or not to format placeholders using timekey. Common/Time parameters |
| fluentd. |
string | — | See note |
| fluentd. |
string | — | See note |
| fluentd. |
object | — | Configure Fluentd forwarder image repository and tag |
| fluentd. |
string | ghcr.io/elastisys/fluentd-forwarder |
— |
| fluentd. |
string | v4.7.5-ck8s1 |
— |
| fluentd. |
number | 900 |
— |
| fluentd. |
object | — | See note |
| fluentd. |
string | 60s |
— |
| fluentd. |
object | — | See note |
| fluentd. |
object | — | — |
| fluentd. |
object | — | — |
| fluentd. |
number | 1200 |
— |
| fluentd. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
| fluentd. |
object | — | Configure log-manager, used to manage compaction and retention of logs store in object storage. |
| fluentd. |
object | — | Affinity is a group of affinity scheduling rules. |
| fluentd. |
— | — | Describes node affinity scheduling rules for the pod. |
| fluentd. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| fluentd. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| fluentd. |
object | — | Configure log-manager compaction. |
| fluentd. |
number | — | Configure the memory buffer size in GB (accepts decimals) for Azure copy operations. |
| fluentd. |
number | — | Configure the maximum number of concurrent download requests for Azure copy operations. |
| fluentd. |
object | — | See note |
| fluentd. |
object | — | — |
| fluentd. |
object | — | — |
| fluentd. |
object | — | Configure log-manager compaction volume. |
| fluentd. |
string | 5Gi |
Configure log-manager compaction volume size. |
| fluentd. |
object | — | See note |
| fluentd. |
object | — | Configure log-manager retention. |
| fluentd. |
object | — | See note |
| fluentd. |
object | — | — |
| fluentd. |
object | — | — |
| fluentd. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
| fluentd. |
object | — | Configure Fluentd service cluster log collection. |
| fluentd. |
object | — | Configure the compaction of logs stored in object storage. |
| fluentd. |
number | — | Configure the days to consider for compaction or the days to retain. |
| fluentd. |
boolean | True |
— |
| fluentd. |
object | — | Configure the job to run with an ephemeral volume if the nodes risk running out of storage. |
| fluentd. |
boolean | — | — |
| fluentd. |
string | — | — |
| fluentd. |
boolean | True |
— |
| fluentd. |
object | — | Configure the retention of logs stored in object storage. |
| fluentd. |
number | — | Configure the days to consider for compaction or the days to retain. |
| fluentd. |
boolean | True |
— |
| fluentd. |
string | — | — |
| fluentd. |
object | — | Configure Fluentd forwarder, used to collect and forward logs on worker nodes that applications developers run their workload on. |
| fluentd. |
object | — | Affinity is a group of affinity scheduling rules. |
| fluentd. |
— | — | Describes node affinity scheduling rules for the pod. |
| fluentd. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| fluentd. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| fluentd. |
object | — | See note |
| fluentd. |
object | — | See note |
| fluentd. |
object | — | — |
| fluentd. |
object | — | — |
| fluentd. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
Notes for fluentd.aggregator.buffer
Fluentd buffer configuration parameters.
Note
See upstream documentation for reference, set keys will be converted from camelCase to snake_case.
Notes for fluentd.aggregator.buffer.chunkLimitSize
Events will be written into chunks until the size of chunks become chunkLimitSize.
Examples:
50MB
Notes for fluentd.aggregator.buffer.flushInterval
Flushes the buffer each flushInterval, if flushMode is equal to interval.
Examples:
15m
Notes for fluentd.aggregator.buffer.flushMode
The flush mode to use.
Possible values:
lazy
interval
immediate
Notes for fluentd.aggregator.buffer.flushThreadBurstInterval
The sleep interval (seconds) for threads between flushes when the output plugin flushes the waiting chunks to the next ones.
Notes for fluentd.aggregator.buffer.retryType
The retry algorithm type to use.
Possible values:
exponential_backoff
periodic
Notes for fluentd.aggregator.buffer.timekey
Output plugin will flush chunks per specified time (enabled when time is specified in chunk keys).
Examples:
10m
Notes for fluentd.aggregator.buffer.timekeyWait
Output plugin will write chunks after timekey_wait seconds later after timekey expiration.
If a user configures timekey 60m, output plugin will wait delayed events for flushed timekey and write the chunk at 10 minutes of each hour.
Examples:
1m
Notes for fluentd.aggregator.buffer.totalLimitSize
The size limitation of this buffer plugin instance.
Once the total size of stored buffer reached this threshold, all append operations will fail with error (and data will be lost).
Examples:
9GB
Notes for fluentd.aggregator.nodeSelector
Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for fluentd.aggregator.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for fluentd.extraConfigMaps
Configure extra ConfigMaps for Fluentd.
Note
This is only applicable for Fluentd forwarder running on system nodes in the workload cluster.
Notes for fluentd.forwarder.buffer
Fluentd buffer configuration parameters.
Note
See upstream documentation for reference, set keys will be converted from camelCase to snake_case.
Notes for fluentd.forwarder.buffer.chunkLimitSize
Events will be written into chunks until the size of chunks become chunkLimitSize.
Examples:
50MB
Notes for fluentd.forwarder.buffer.flushInterval
Flushes the buffer each flushInterval, if flushMode is equal to interval.
Examples:
15m
Notes for fluentd.forwarder.buffer.flushMode
The flush mode to use.
Possible values:
lazy
interval
immediate
Notes for fluentd.forwarder.buffer.flushThreadBurstInterval
The sleep interval (seconds) for threads between flushes when the output plugin flushes the waiting chunks to the next ones.
Notes for fluentd.forwarder.buffer.retryType
The retry algorithm type to use.
Possible values:
exponential_backoff
periodic
Notes for fluentd.forwarder.buffer.timekey
Output plugin will flush chunks per specified time (enabled when time is specified in chunk keys).
Examples:
10m
Notes for fluentd.forwarder.buffer.timekeyWait
Output plugin will write chunks after timekey_wait seconds later after timekey expiration.
If a user configures timekey 60m, output plugin will wait delayed events for flushed timekey and write the chunk at 10 minutes of each hour.
Examples:
1m
Notes for fluentd.forwarder.buffer.totalLimitSize
The size limitation of this buffer plugin instance.
Once the total size of stored buffer reached this threshold, all append operations will fail with error (and data will be lost).
Examples:
9GB
Notes for fluentd.forwarder.nodeSelector
Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for fluentd.forwarder.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for fluentd.logManager.compaction.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for fluentd.logManager.nodeSelector
Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for fluentd.logManager.retention.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for fluentd.user.nodeSelector
Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for fluentd.user.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
gatekeeper¶
Configure OPA Gatekeeper to give application developer access to Custom Resource Definitions.
Some preconfigured services can be found under the key user.
Note
See the admin docs for context.
| Key | Type | Default | Description |
|---|---|---|---|
| gatekeeper. |
object | — | Configure access to Custom Resource Definitions for application developers. |
| gatekeeper. |
string | kubernetes-admin |
Configure the admin config user of the /etc/kubernetes/admin.conf found on the control plane nodes.This is necessary if Kubespray is used for managing the cluster. |
| gatekeeper. |
boolean | — | — |
| gatekeeper. |
string | deny |
See note |
| gatekeeper. |
array of object | — | Configure extra CRDs to allow for application developers. Configure extra CRDs to allow for application developers. |
| gatekeeper. |
array of object | — | See note |
| gatekeeper. |
boolean | True |
— |
Notes for gatekeeper.allowUserCRDs.enforcement
Possible values:
deny
warn
dryrun
Notes for gatekeeper.allowUserCRDs.extraServiceAccounts[]
Configure extra service accounts to allow access to configured CRDs.
Configure an extra service account to allow access to configured CRDs.
Examples:
[{'namespace': 'example-namespace', 'name': 'example-controller'}]
global¶
Some common options used in various helm charts.
| Key | Type | Default | Description |
|---|---|---|---|
| global. |
string | — | See note |
| global. |
string | — | See note |
| global. |
string | — | See note |
| global. |
string | — | See note |
| global. |
string | — | See note |
| global. |
string | — | See note |
| global. |
string | — | See note |
| global. |
string | 10.233.0.3 |
IP of the cluster DNS in kubernetes |
| global. |
string | — | — |
| global. |
array of string | — | Configure the names of the workload clusters that sends metrics to the service cluster. Mainly used to filter metrics. |
| global. |
string | containerd |
See note |
| global. |
boolean | — | Enforce ipFamilyPolicy to all services that doesn't explicitly set it. This is done using a mutating webhook to all services that doesn't set this. The value it sets is taken from .global.ipFamilies |
| global. |
boolean | — | See note |
| global. |
array of string | ['IPv4'] |
Used to set the ipFamilyPolicy for all configurable services. |
| global. |
string | SingleStack |
See note |
| global. |
string | letsencrypt-staging |
See note |
| global. |
string | — | See note |
| global. |
string | — | If baseDomain for wc and sc are not the same, set the domain of the sc cluster. |
| global. |
string | — | If opsDomain for wc and sc are not the same, set the ops domain of the sc cluster. |
| global. |
boolean | True |
Verify ingress certificates |
Notes for global.baseDomain
Domain intended for ingress usage in the workload cluster and to reach application developer facing services such as Grafana, Harbor and OpenSearch Dashboards. E.g. with 'prod.domain.com', OpenSearch Dashboards is reached via 'opensearch.prod.domain.com'.
Notes for global.ck8sCloudProvider
Possible values:
aws
azure
baremetal
citycloud
elastx
exoscale
none
safespring
upcloud
openstack
Notes for global.ck8sConfigSerial
This property is used during migrations to track state and ensure that the
same version is used during ck8s upgrade prepare as during ck8s upgrade
apply.
Examples:
2025-04-29T08:34:21+00:00
Notes for global.ck8sEnvironmentName
Examples:
my-welkin-cluster
Notes for global.ck8sFlavor
Possible values:
prod
dev
air-gapped
Notes for global.ck8sK8sInstaller
Possible values:
capi
kubespray
none
Notes for global.ck8sVersion
Use version number if you are exactly at a release tag.
Otherwise use full commit hash of current commit.
any, can be used to disable this validation.
Examples:
v0.42.1
any
424442541a567646c232d949bad1af2b5b7cb885
Notes for global.containerRuntime
Possible values:
containerd
docker
Notes for global.enforceIPFamilyPolicy
Enforce ipFamilyPolicy to all services that doesn't explicitly set it.
This is done using a mutating webhook to all services that doesn't set this.
The value it sets is taken from .global.ipFamilyPolicy
Notes for global.ipFamilyPolicy
Used to set the ipFamilyPolicy for all configurable services.
Examples:
SingleStack
PreferDualStack
RequireDualStack
Possible values:
SingleStack
PreferDualStack
RequireDualStack
Notes for global.issuer
Default cert-manager issuer to use for issuing certificates for ingresses.
Normally one of letsencrypt-staging or letsencrypt-prod.
Examples:
letsencrypt-staging
letsencrypt-prod
selfsigned
Notes for global.opsDomain
Domain intended for ingress usage in the service cluster and to reach non-user facing services such as Thanos and OpenSearch. E.g. with 'ops.prod.domain.com', OpenSearch is reached via 'opensearch.ops.prod.domain.com'.
gpu¶
Configure the GPU Operator and its dependencies
| Key | Type | Default | Description |
|---|---|---|---|
| gpu. |
object | — | Configure GPU Daemonsets |
| gpu. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
| gpu. |
object | — | Configuration for the device plugin, e.g. timeslicing |
| gpu. |
boolean | — | — |
| gpu. |
boolean | — | Adds some profiling metrics in DCGM if it's available in your GPU setup |
| gpu. |
object | — | Configure MIG options like strategy |
| gpu. |
string | — | See note |
| gpu. |
object | — | Configure Node Feature Discovery |
| gpu. |
object | — | Configure Node Feature Discovery Control Plane |
| gpu. |
object | — | Affinity is a group of affinity scheduling rules. |
| gpu. |
— | — | Describes node affinity scheduling rules for the pod. |
| gpu. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| gpu. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| gpu. |
object | — | See note |
| gpu. |
object | — | — |
| gpu. |
object | — | — |
| gpu. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
| gpu. |
object | — | Configure Node Feature Discovery workers |
| gpu. |
object | — | Affinity is a group of affinity scheduling rules. |
| gpu. |
— | — | Describes node affinity scheduling rules for the pod. |
| gpu. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| gpu. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| gpu. |
object | — | See note |
| gpu. |
object | — | — |
| gpu. |
object | — | — |
| gpu. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
| gpu. |
object | — | Configure GPU Operator |
| gpu. |
object | — | Affinity is a group of affinity scheduling rules. |
| gpu. |
— | — | Describes node affinity scheduling rules for the pod. |
| gpu. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| gpu. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| gpu. |
object | — | See note |
| gpu. |
object | — | — |
| gpu. |
object | — | — |
| gpu. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
Notes for gpu.mig.strategy
None ignores MIG entirely, single makes MIG devices a standard GPU resource, and shared creates one resource type for each MIG configuration
Possible values:
mixed
single
none
Notes for gpu.nodeFeatureDiscovery.controlPlane.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for gpu.nodeFeatureDiscovery.worker.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for gpu.operator.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
grafana¶
Configure Grafana, the metrics visualisation dashboard.
Welkin hosts two instances of Grafana one for the Platform Administrator and one for the Application Developer.
Note
Grafana is installed in the service cluster, so this configuration mainly applies there.
| Key | Type | Default | Description |
|---|---|---|---|
| grafana. |
object | — | Configure Grafana. |
| grafana. |
string | — | — |
| grafana. |
object | — | — |
| grafana. |
object | — | Affinity is a group of affinity scheduling rules. |
| grafana. |
— | — | Describes node affinity scheduling rules for the pod. |
| grafana. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| grafana. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| grafana. |
object | — | Configure Grafana dataproxy values |
| grafana. |
number | 600 |
— |
| grafana. |
boolean | True |
— |
| grafana. |
object | — | See note |
| grafana. |
object | — | Configure authentication to Grafana via Dex. |
| grafana. |
array of string | — | Configure the domains of the users allowed to authenticate to Grafana. |
| grafana. |
boolean | True |
— |
| grafana. |
string | openid profile email groups |
— |
| grafana. |
boolean | — | When enabled the roles for user can be managed within Grafana. |
| grafana. |
object | — | Configure the roles for groups. |
| grafana. |
string | grafana_admin |
— |
| grafana. |
string | grafana_editor |
— |
| grafana. |
string | grafana_viewer |
— |
| grafana. |
array | — | — |
| grafana. |
object | — | See note |
| grafana. |
object | — | — |
| grafana. |
object | — | — |
| grafana. |
object | — | Configure the sidecar provisioning dashboards from ConfigMaps in Grafana. |
| grafana. |
object | — | See note |
| grafana. |
object | — | — |
| grafana. |
object | — | — |
| grafana. |
string | grafana |
See note |
| grafana. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
| grafana. |
boolean | True |
See note |
| grafana. |
boolean | True |
— |
| grafana. |
object | — | Configure Grafana. |
| grafana. |
string | — | — |
| grafana. |
object | — | — |
| grafana. |
object | — | Affinity is a group of affinity scheduling rules. |
| grafana. |
— | — | Describes node affinity scheduling rules for the pod. |
| grafana. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| grafana. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| grafana. |
object | — | Configure Grafana dataproxy values |
| grafana. |
number | 600 |
— |
| grafana. |
boolean | True |
— |
| grafana. |
object | — | See note |
| grafana. |
object | — | Configure authentication to Grafana via Dex. |
| grafana. |
array of string | — | Configure the domains of the users allowed to authenticate to Grafana. |
| grafana. |
boolean | True |
— |
| grafana. |
string | openid profile email groups |
— |
| grafana. |
boolean | — | When enabled the roles for user can be managed within Grafana. |
| grafana. |
object | — | Configure the roles for groups. |
| grafana. |
string | grafana_admin |
— |
| grafana. |
string | grafana_editor |
— |
| grafana. |
string | grafana_viewer |
— |
| grafana. |
array | — | — |
| grafana. |
object | — | See note |
| grafana. |
object | — | — |
| grafana. |
object | — | — |
| grafana. |
object | — | Configure the sidecar provisioning dashboards from ConfigMaps in Grafana. |
| grafana. |
object | — | See note |
| grafana. |
object | — | — |
| grafana. |
object | — | — |
| grafana. |
string | grafana |
See note |
| grafana. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
| grafana. |
boolean | True |
See note |
| grafana. |
boolean | True |
— |
Notes for grafana.ops.nodeSelector
Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for grafana.ops.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for grafana.ops.sidecar.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for grafana.ops.subdomain
For Admin Grafana the subdomain of opsDomain that the Ingress to Admin Grafana will be created with.
For Dev Grafana the subdomain of baseDomain that the Ingress to Dev Grafana will be created with.
Note
Must be set for both service and workload clusters.
Notes for grafana.ops.trailingDots
Configure Grafana to use absolute domain names.
Warning
Some operating systems and web browsers may have problems accessing Grafana when with this enabled.
Notes for grafana.user.nodeSelector
Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for grafana.user.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for grafana.user.sidecar.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for grafana.user.subdomain
For Admin Grafana the subdomain of opsDomain that the Ingress to Admin Grafana will be created with.
For Dev Grafana the subdomain of baseDomain that the Ingress to Dev Grafana will be created with.
Note
Must be set for both service and workload clusters.
Notes for grafana.user.trailingDots
Configure Grafana to use absolute domain names.
Warning
Some operating systems and web browsers may have problems accessing Grafana when with this enabled.
grafanaLabelEnforcer¶
Configure Grafana Label Enforcer, responsible to filter metrics from different clusters for Grafana datasources.
| Key | Type | Default | Description |
|---|---|---|---|
| grafanaLabelEnforcer. |
object | — | See note |
| grafanaLabelEnforcer. |
object | — | — |
| grafanaLabelEnforcer. |
object | — | — |
Notes for grafanaLabelEnforcer.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
harbor¶
Configuration options for Harbor.
Harbor is a container registry that deployed for the application developers to use when deploying their applications.
Note
See upstream documentation for reference. All config variables that exists in harbor are not exposed via our config.
| Key | Type | Default | Description |
|---|---|---|---|
| harbor. |
object | — | Configuration options for Harbor Alerts. |
| harbor. |
number | 3000 |
Alert when the total number of artifacts is above the set number. |
| harbor. |
number | 1500 |
Alert when the total storage usage is above the set number. |
| harbor. |
object | — | Configuration options for Backup Job. |
| harbor. |
boolean | True |
— |
| harbor. |
object | — | EphemeralBackupStore configuration for HarborStorageSize defines how large the ephemeral volumes will be. |
| harbor. |
boolean | — | — |
| harbor. |
string | 10Gi |
— |
| harbor. |
number | 7 |
RetentionDays defines how old a backup should be before deleting it. |
| harbor. |
string | — | — |
| harbor. |
object | — | Configuration options for Core. |
| harbor. |
object | — | Affinity is a group of affinity scheduling rules. |
| harbor. |
— | — | Describes node affinity scheduling rules for the pod. |
| harbor. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. |
number | 1 |
Number of Core pods |
| harbor. |
object | — | See note |
| harbor. |
object | — | — |
| harbor. |
object | — | — |
| harbor. |
object | — | See note |
| harbor. |
object | — | Configuration options for External Database. |
| harbor. |
string | registry |
Name of the database for Core |
| harbor. |
string | notaryserver |
Name of the database for Notary Server |
| harbor. |
string | notarysigner |
Name of the database for Notary Signer |
| harbor. |
string | 5432 |
Database listening port |
| harbor. |
string | disable |
See note |
| harbor. |
object | — | Configuration options for Internal Database. |
| harbor. |
object | — | Affinity is a group of affinity scheduling rules. |
| harbor. |
— | — | Describes node affinity scheduling rules for the pod. |
| harbor. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. |
object | — | PersistentVolumeClaim |
| harbor. |
string | 1Gi |
— |
| harbor. |
object | — | See note |
| harbor. |
object | — | — |
| harbor. |
object | — | — |
| harbor. |
string | internal |
— |
| harbor. |
boolean | True |
— |
| harbor. |
object | — | Configuration options for Exporter. |
| harbor. |
object | — | External configuration |
| harbor. |
string | — | See note |
| harbor. |
string | — | See note |
| harbor. |
object | — | See note |
| harbor. |
object | — | — |
| harbor. |
object | — | — |
| harbor. |
object | — | Configuration options for GC (Garbage Collection). |
| harbor. |
boolean | True |
— |
| harbor. |
boolean | — | — |
| harbor. |
string | 0 0 0 * * SUN |
See note |
| harbor. |
object | — | Configuration options for Ingress. |
| harbor. |
object | — | — |
| harbor. |
object | — | Default annotations for ingress |
| harbor. |
string | — | — |
| harbor. |
string | — | — |
| harbor. |
object | — | Configuration options for Jobservice. |
| harbor. |
object | — | Affinity is a group of affinity scheduling rules. |
| harbor. |
— | — | Describes node affinity scheduling rules for the pod. |
| harbor. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. |
object | — | Job log configuration |
| harbor. |
object | — | PersistentVolumeClaim |
| harbor. |
string | 1Gi |
— |
| harbor. |
array of string | — | Configuration options for JobLoggers |
| harbor. |
number | 1 |
Number of Jobservice pods |
| harbor. |
object | — | See note |
| harbor. |
object | — | — |
| harbor. |
object | — | — |
| harbor. |
object | — | Scan data exports configuration |
| harbor. |
object | — | PersistentVolumeClaim |
| harbor. |
string | 1Gi |
— |
| harbor. |
object | — | Configuration options for MultipartUpload cleaner job |
| harbor. |
boolean | True |
— |
| harbor. |
number | 7 |
maxAgeDays defines how old an unfinished multipartupload is allowed to be before deleting it. |
| harbor. |
string | — | — |
| harbor. |
object | — | See note |
| harbor. |
object | — | Configuration options for Notary. |
| harbor. |
object | — | Affinity is a group of affinity scheduling rules. |
| harbor. |
— | — | Describes node affinity scheduling rules for the pod. |
| harbor. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. |
number | 1 |
— |
| harbor. |
object | — | See note |
| harbor. |
object | — | — |
| harbor. |
object | — | — |
| harbor. |
string | notary.harbor |
— |
| harbor. |
object | — | Configuration options for Notary signer. |
| harbor. |
object | — | Affinity is a group of affinity scheduling rules. |
| harbor. |
— | — | Describes node affinity scheduling rules for the pod. |
| harbor. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. |
object | — | See note |
| harbor. |
object | — | — |
| harbor. |
object | — | — |
| harbor. |
object | — | Configuration options for OIDC. |
| harbor. |
string | — | — |
| harbor. |
string | groups |
— |
| harbor. |
string | openid,email,profile,offline_access,groups |
— |
| harbor. |
object | — | Configuration options for Persistence. |
| harbor. |
boolean | — | See note |
| harbor. |
string | — | See note |
| harbor. |
object | — | Configuration options for Portal. |
| harbor. |
object | — | Affinity is a group of affinity scheduling rules. |
| harbor. |
— | — | Describes node affinity scheduling rules for the pod. |
| harbor. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. |
number | 1 |
— |
| harbor. |
object | — | See note |
| harbor. |
object | — | — |
| harbor. |
object | — | — |
| harbor. |
object | — | See note |
| harbor. |
object | — | Configuration options when external Redis is set |
| harbor. |
string | — | See note |
| harbor. |
string | — | — |
| harbor. |
object | — | Configuration options when internal Redis is set |
| harbor. |
object | — | Affinity is a group of affinity scheduling rules. |
| harbor. |
— | — | Describes node affinity scheduling rules for the pod. |
| harbor. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. |
object | — | PersistentVolumeClaim |
| harbor. |
string | 1Gi |
— |
| harbor. |
object | — | See note |
| harbor. |
object | — | — |
| harbor. |
object | — | — |
| harbor. |
string | internal |
— |
| harbor. |
object | — | Registry configuration |
| harbor. |
object | — | Affinity is a group of affinity scheduling rules. |
| harbor. |
— | — | Describes node affinity scheduling rules for the pod. |
| harbor. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. |
object | — | Controller configuration |
| harbor. |
object | — | See note |
| harbor. |
object | — | — |
| harbor. |
object | — | — |
| harbor. |
object | — | PersistentVolumeClaim |
| harbor. |
string | 1Gi |
— |
| harbor. |
number | 1 |
— |
| harbor. |
object | — | See note |
| harbor. |
object | — | — |
| harbor. |
object | — | — |
| harbor. |
object | — | Configuration options for S3. Storage Driver S3 |
| harbor. |
-integer- -string- | — | Default chunk size for all but the last S3 Multipart Upload part when copying stored objects. |
| harbor. |
-integer- -string- | — | Max number of concurrent S3 Multipart Upload operations when copying stored objects. |
| harbor. |
string | 536870912 |
Default object size above which S3 Multipart Upload will be used when copying stored objects. |
| harbor. |
string | harbor |
— |
| harbor. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
| harbor. |
object | — | Configuration options for Trivy. |
| harbor. |
object | — | Affinity is a group of affinity scheduling rules. |
| harbor. |
— | — | Describes node affinity scheduling rules for the pod. |
| harbor. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| harbor. |
array of object | — | Array of additional environment variables to pass to Trivy name/value combination |
| harbor. |
object | — | PersistentVolumeClaim |
| harbor. |
string | 1Gi |
— |
| harbor. |
number | 1 |
— |
| harbor. |
object | — | See note |
| harbor. |
object | — | — |
| harbor. |
object | — | — |
Notes for harbor.core.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for harbor.database
Configuration options for Database used by Harbor
Set type to define which type of redis Harbor should use.
Only external or internal database can be enabled at the same time.
External: Defines an external postgres that harbor will use.
For more details how to configure harbor to use an external database check the README
Internal: Use the internal database that is packaged with harbor.
Notes for harbor.database.external.sslmode
Possible values:
disable
require
verify-ca
verify-full
Notes for harbor.database.internal.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for harbor.exporter.external.coreDatabase
Examples:
registry
Notes for harbor.exporter.external.port
Examples:
5432
Notes for harbor.exporter.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for harbor.gc.schedule
Defines a CRON schedule when the garbage collection job should run. Uses a special Cron format that adds "seconds" as the first entry. Order: "seconds, minutes, hours, day of month, month, day of week".
Notes for harbor.jobservice.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for harbor.nodeSelector
Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for harbor.notary.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for harbor.notarySigner.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for harbor.persistence.disableRedirect
Controls whether or not Harbor registry redirects users to the object storage endpoint. Set this to true if the object storage is not reachable by users when pushing images to Harbor, e.g. if you run into this timeout error:
dial tcp <IP>:<PORT>: i/o timeout
Notes for harbor.persistence.type
This should match what is set in global config
Possible values:
filesystem
swift
objectStorage
Notes for harbor.portal.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for harbor.redis
Configuration options for Redis used by Harbor
Set type to define which type of redis Harbor should use.
Only external or internal redis can be enabled at the same time.
External: Defines an external redis that harbor will use.
For more details how to configure harbor to use an external redis check the README
Internal: Use the internal redis that is packaged with harbor.
Notes for harbor.redis.external.addr
Examples:
rfs-redis-harbor.redis-system.svc.cluster.local:26379
Notes for harbor.redis.internal.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for harbor.registry.controller.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for harbor.registry.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for harbor.trivy.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
hnc¶
Configuration for Hierarchical Namespace Controller.
Note
| Key | Type | Default | Description |
|---|---|---|---|
| hnc. |
array of object | — | See note |
| hnc. |
boolean | True |
Enable HNC |
| hnc. |
array of string | — | See note |
| hnc. |
boolean | True |
Enable HA mode for hnc webhooks. |
| hnc. |
string | — | See note |
| hnc. |
array of string | — | Annotations that will be propagated to subnamespaces (allows regex). |
| hnc. |
array of string | — | Labels that will be propagated to subnamespaces (allows regex). Labels in particular must also be configured in the HierarchyConfiguration object to be propagated. |
| hnc. |
object | — | This is meant to describe the base class if you will, for Welkin resources. |
| hnc. |
object | — | Affinity is a group of affinity scheduling rules. |
| hnc. |
— | — | Describes node affinity scheduling rules for the pod. |
| hnc. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| hnc. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| hnc. |
boolean | — | — |
| hnc. |
array of string | — | Extra arguments passed to a container |
| hnc. |
object | — | See note |
| hnc. |
object | — | See note |
| hnc. |
object | — | — |
| hnc. |
object | — | — |
| hnc. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
| hnc. |
array | — | TopologySpreadConstraints describes how pods should spread across topology domains. |
| hnc. |
object | — | Service monitor for Hierarchical Namespace Controller. |
| hnc. |
array | — | Relabeling |
| hnc. |
array | — | Annotations that will be stripped from propagated objects |
| hnc. |
object | — | Webhook for Hierarchical Namespace Controller. |
| hnc. |
object | — | Affinity is a group of affinity scheduling rules. |
| hnc. |
— | — | Describes node affinity scheduling rules for the pod. |
| hnc. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| hnc. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| hnc. |
object | — | See note |
| hnc. |
integer | — | — |
| hnc. |
object | — | See note |
| hnc. |
object | — | — |
| hnc. |
object | — | — |
| hnc. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
| hnc. |
array | — | TopologySpreadConstraints describes how pods should spread across topology domains. |
| hnc. |
boolean | — | Fine grained mach conditions for webhook. This feature is only available in Kubernetes v1.28+. |
Notes for hnc.additionalAllowPropagateResources[]
Additional resources to enable opt-in propagation for. Objects that should be propagated must have one of the annotations listed here https://github.com/kubernetes-sigs/hierarchical-namespaces/blob/master/docs/user-guide/how-to.md#limit-the-propagation-of-an-object-to-descendant-namespaces
Additional allow propagate resources for hnc.
Examples:
{'resource': 'secrets'}
{'resource': 'networkpolicies', 'group': 'networking.k8s.io'}
Notes for hnc.excludedNamespaces[]
Namespaces excluded by HNC, here you can configure a list of namespaces to exclude from HNC in addition to the default excluded namespaces.
Including and excluding namespaces
Notes for hnc.includedNamespacesRegex
Included namespaces, empty string will include all.
Including and excluding namespaces
Notes for hnc.manager.nodeSelector
Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for hnc.manager.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for hnc.webhook.nodeSelector
Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for hnc.webhook.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
images¶
Configure individual container URI for images of all Welkin components, and (optionally) enable support for global registry and/or repository.
Notes for images.calico.accountant
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.certManager.cainjector
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.certManager.controller
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.certManager.startupapicheck
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.certManager.webhook
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.dex.image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.externalDns.image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.falco.driverLoaderInit
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.falco.falcoctl
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.falco.image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.falco.sidekick
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.fluentd.aggregator
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.fluentd.forwarder
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.fluentd.logManager
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.gatekeeper.image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.gatekeeper.kubectl
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.gatekeeper.postInstallLabelNamespace
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.gatekeeper.preInstallCRDs
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.global
Global image registry and repository settings.
If a global registry is supplied and enabled, and an image is specified that doesn't have a registry, the global registry will be used instead.
If a global repository is supplied and enabled, and an image is specified that doesn't have a repository, the global repository will be used instead.
Notes for images.global.registry.uri
Examples:
registry.k8s.io
Notes for images.global.repository.uri
Examples:
ingress-nginx
Notes for images.gpuOperator.nodeFeatureDiscovery
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.gpuOperator.operator
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.harbor.backupJob
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.harbor.core
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.harbor.database
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.harbor.exporter
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.harbor.initJob
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.harbor.jobservice
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.harbor.mpuCleaner
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.harbor.portal
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.harbor.redis
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.harbor.registry
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.harbor.registryController
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.harbor.trivyAdapter
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.hnc.image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.ingressNginx.admissionWebhooksPatch
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.ingressNginx.controller
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.ingressNginx.controllerChroot
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.ingressNginx.defaultBackend
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.ingressNginx.fileCopier
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.kured.image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.kyverno.crdsMigration
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.kyverno.init
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.kyverno.main
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.kyverno.webhooksCleanup
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.monitoring.admissionWebhooksPatch
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.monitoring.alertmanager
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.monitoring.blackboxExporter
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.monitoring.configReloader
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.monitoring.grafana
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.monitoring.grafanaLabelEnforcer
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.monitoring.grafanaSidecar
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.monitoring.kubeStateMetrics
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.monitoring.metricsServer
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.monitoring.nodeExporter
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.monitoring.prometheus
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.monitoring.prometheusOperator
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.monitoring.s3Exporter
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.monitoring.trivyOperator
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.nodeLocalDns.image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.opensearch.configurerJob
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.opensearch.curatorCronjob
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.opensearch.dashboards
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.opensearch.exporter
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.opensearch.image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.opensearch.initSysctl
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.rclone.image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.tekton.controller
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.tekton.remoteResolvers
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.tekton.webhook
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.thanos.image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.velero.image
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.velero.kubectl
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.velero.pluginAws
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.velero.pluginAzure
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.velero.pluginCsi
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
Notes for images.velero.pluginGcp
Examples:
registry.k8s.io/ingress-nginx/controller-chroot:v1.12.1@sha256:90155c86548e0bb95b3abf1971cd687d8f5d43f340cfca0ad3484e2b8351096e
ingressNginx¶
Configure Ingress-NGINX, the ingress controller.
Notes for ingressNginx.controller.additionalConfig
Configure additional configuration for Ingress-NGINX controller.
Note
See the upstream documentation for reference.
Notes for ingressNginx.controller.allowSnippetAnnotations
When enabled annotations on Ingress resources can add snippets to the config of NGINX.
[!danger] Only enable this after evaluating the risks it poses.
Note
See the upstream documentation for reference.
Notes for ingressNginx.controller.chroot
When enabled NGINX itself will run in a chroot under the controller namespace for increased separation between the controller and the proxy.
This requires a special seccomp profile to be available to give the controller the SYS_ADMIN capability, which will be provided by a separate daemon set.
Notes for ingressNginx.controller.config.annotationsRiskLevel
Configure the accepted risk level of annotations on Ingress resources.
Note
See the upstream documentation for reference.
Possible values:
Critical
High
Medium
Low
Notes for ingressNginx.controller.enablepublishService
When enabled it allows customisation of the IP or FQDN to report the external address of the Service in the Ingress status field.
When disabled it reports the IPs of the nodes where the controller pods are running.
Notes for ingressNginx.controller.nodeSelector
Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for ingressNginx.controller.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for ingressNginx.controller.service.allocateLoadBalancerNodePorts
When enabled node ports will be allocated for the Load Balancer Service.
This should be enabled when the cluster is fronted by a proxy load balancer regardless if it is external or internal, and disabled if the cluster uses direct routing of ingress traffic.
See reference
Notes for ingressNginx.controller.service.internal.allocateLoadBalancerNodePorts
When enabled node ports will be allocated for the Load Balancer Service.
This should be enabled when the cluster is fronted by a proxy load balancer regardless if it is external or internal, and disabled if the cluster uses direct routing of ingress traffic.
See reference
Notes for ingressNginx.controller.service.internal.ipFamilyPolicy
Represents the dual-stack-ness requested or required by this Service. When utilizing an internal loadbalancer service (ie MetalLB), set this field to "RequireDualStack" if you want both IPv4 and IPv6 connectivity. The ipFamilies and clusterIPs fields depend on the value of this field.
See reference
Possible values:
SingleStack
PreferDualStack
RequireDualStack
Notes for ingressNginx.controller.service.internal.loadBalancerIP
Configure the Load Balancer IP to use an existing IP if supported by the infrastructure provider.
Important
With OpenStack Octavia the floating IP can be created via the CLI beforehand, and one should set the annotation loadbalancer.openstack.org/keep-floatingip: "true" to prevent the floating IP to be deleted.
Notes for ingressNginx.controller.service.internal.type
Configure the type of the Service.
Possible values:
ClusterIP
LoadBalancer
NodePort
Notes for ingressNginx.controller.service.ipFamilies[]
List of IP families (e.g. IPv4, IPv6) assigned to the service. Default is IPv4 only. When utilizing an internal loadbalancer service (ie MetalLB), IPv6 would also need to be included in order for the ingress service to allocate an address in that family.
Notes for ingressNginx.controller.service.ipFamilyPolicy
Represents the dual-stack-ness requested or required by this Service. When utilizing an internal loadbalancer service (ie MetalLB), set this field to "RequireDualStack" if you want both IPv4 and IPv6 connectivity. The ipFamilies and clusterIPs fields depend on the value of this field.
See reference
Possible values:
SingleStack
PreferDualStack
RequireDualStack
Notes for ingressNginx.controller.service.loadBalancerIP
Configure the Load Balancer IP to use an existing IP if supported by the infrastructure provider.
Important
With OpenStack Octavia the floating IP can be created via the CLI beforehand, and one should set the annotation loadbalancer.openstack.org/keep-floatingip: "true" to prevent the floating IP to be deleted.
Notes for ingressNginx.controller.service.type
Configure the type of the Service.
Possible values:
ClusterIP
LoadBalancer
NodePort
Notes for ingressNginx.defaultBackend.nodeSelector
Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for ingressNginx.defaultBackend.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
issuers¶
Configure issuers for cert-manager.
| Key | Type | Default | Description |
|---|---|---|---|
| issuers. |
array | — | — |
| issuers. |
object | — | Configure issuers for cert-manager using Let's Encrypt. |
| issuers. |
boolean | True |
— |
| issuers. |
object | — | Configure Let's Encrypt production issuer. |
| issuers. |
array | — | — |
| issuers. |
object | — | Configure Let's Encrypt staging issuer. |
| issuers. |
array | — | — |
kubeStateMetrics¶
Configure the kube-state-metrics exporter.
| Key | Type | Default | Description |
|---|---|---|---|
| kubeStateMetrics. |
object | — | See note |
| kubeStateMetrics. |
object | — | — |
| kubeStateMetrics. |
object | — | — |
Notes for kubeStateMetrics.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
kured¶
Configuration for Kured (Kubernetes Reboot Daemon).
Kured orchestrates node reboots to allow nodes to automatically perform system updates and patches.
| Key | Type | Default | Description |
|---|---|---|---|
| kured. |
object | — | Affinity is a group of affinity scheduling rules. |
| kured. |
— | — | Describes node affinity scheduling rules for the pod. |
| kured. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| kured. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| kured. |
object | — | See note |
| kured. |
string | — | See note |
| kured. |
string | 86399 |
Schedule reboots only before this time of day. |
| kured. |
string | — | See note |
| kured. |
string | — | See note |
| kured. |
array of string | ['mo', 'tu', 'we', 'th', 'fr', 'sa', 'su'] |
Only reboot on these days. |
| kured. |
string | 0:00 |
Schedule reboots only after this time of day. |
| kured. |
string | UTC |
— |
| kured. |
object | — | — |
| kured. |
boolean | — | — |
| kured. |
array of string | — | Extra arguments passed to a container |
| kured. |
object | — | — |
| kured. |
object | — | Configuration for Kured metrics |
| kured. |
boolean | True |
— |
| kured. |
string | — | See note |
| kured. |
object | — | — |
| kured. |
object | — | See note |
| kured. |
object | — | Send notification from Kured when nodes are rebooted. |
| kured. |
object | — | Send notification from Kured to Slack when nodes are rebooted. |
| kured. |
string | — | — |
| kured. |
boolean | — | — |
| kured. |
object | — | See note |
| kured. |
object | — | — |
| kured. |
object | — | — |
| kured. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
Notes for kured.configuration
Kured configuration parameters.
See the upstream documentation for reference.
Most parameters are mapped from camelCase to --kebab-case, others can be set via extraArgs.
Notes for kured.configuration.drainTimeout
A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m".
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
Examples:
2h45m0s
Notes for kured.configuration.lockReleaseDelay
A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m".
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
Examples:
2h45m0s
Notes for kured.configuration.period
A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m".
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
Examples:
2h45m0s
Notes for kured.metrics.interval
A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m".
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
Examples:
2h45m0s
Notes for kured.nodeSelector
Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for kured.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
kyverno¶
Configure Kyverno and Kyverno Policies
| Key | Type | Default | Description |
|---|---|---|---|
| kyverno. |
boolean | — | — |
| kyverno. |
object | — | Affinity is a group of affinity scheduling rules. |
| kyverno. |
— | — | Describes node affinity scheduling rules for the pod. |
| kyverno. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| kyverno. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| kyverno. |
object | — | See note |
| kyverno. |
object | — | Affinity is a group of affinity scheduling rules. |
| kyverno. |
— | — | Describes node affinity scheduling rules for the pod. |
| kyverno. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| kyverno. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| kyverno. |
object | — | Kyverno policies configuration |
| kyverno. |
object | — | A policy that requires that all images in HNC controlled namespaces are signed |
| kyverno. |
string | — | See note |
| kyverno. |
boolean | — | — |
| kyverno. |
boolean | — | — |
| kyverno. |
string | — | See note |
| kyverno. |
object | — | See note |
| kyverno. |
object | — | — |
| kyverno. |
object | — | — |
| kyverno. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
| kyverno. |
array | — | TopologySpreadConstraints describes how pods should spread across topology domains. |
Notes for kyverno.nodeSelector
Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for kyverno.policies.verifyImageSignature.attestor
A public key (Cosign) or certificate (Notary) used to verify image signatures
Examples:
-----BEGIN PUBLIC KEY-----
MFkwEwY...
-----END PUBLIC KEY-----
-----BEGIN CERTIFICATE-----
MIIDTTCCA...
-----END CERTIFICATE-----
Notes for kyverno.policies.verifyImageSignature.type
Possible values:
Cosign
Notary
Notes for kyverno.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
metricsServer¶
Configure the metrics-server exporter, used to provide for the metrics API in Kubernetes.
| Key | Type | Default | Description |
|---|---|---|---|
| metricsServer. |
object | — | Affinity is a group of affinity scheduling rules. |
| metricsServer. |
— | — | Describes node affinity scheduling rules for the pod. |
| metricsServer. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| metricsServer. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| metricsServer. |
boolean | True |
— |
| metricsServer. |
object | — | See note |
| metricsServer. |
object | — | — |
| metricsServer. |
object | — | — |
| metricsServer. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
Notes for metricsServer.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
networkPlugin¶
Configure the network plugin used in the cluster.
| Key | Type | Default | Description |
|---|---|---|---|
| networkPlugin. |
object | — | Configuration when network plugin is set to calico |
| networkPlugin. |
object | — | Configure Calico accountant, used to collect metrics about packets affected by Network Policies when using Calico. |
| networkPlugin. |
string | nftables |
See note |
| networkPlugin. |
boolean | True |
— |
| networkPlugin. |
object | — | See note |
| networkPlugin. |
object | — | — |
| networkPlugin. |
object | — | — |
| networkPlugin. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
| networkPlugin. |
object | — | Configure Calico Felix metrics, used to collect metrics about Calico. |
| networkPlugin. |
boolean | True |
— |
| networkPlugin. |
string | — | See note |
Notes for networkPlugin.calico.calicoAccountant.backend
Possible values:
iptables
nftables
Notes for networkPlugin.calico.calicoAccountant.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for networkPlugin.type
Configure the type of network plugin
Possible values:
calico
cilium
networkPolicies¶
Configure Network Policies.
Most common Network Policy rules can be updated by running ./bin/ck8s update-ips <both|sc|wc>.
| Key | Type | Default | Description |
|---|---|---|---|
| networkPolicies. |
string | — | Configure additional network policies. |
| networkPolicies. |
array | — | — |
| networkPolicies. |
array | — | — |
| networkPolicies. |
object | — | Configure Alertmanager network policy rules. |
| networkPolicies. |
object | — | Network policy rule Kubernetes network policies |
| networkPolicies. |
boolean | — | — |
| networkPolicies. |
array of string | — | List of IP netmasks A IP address with netmask |
| networkPolicies. |
array of integer | — | A 16 bit unsigned integer |
| networkPolicies. |
boolean | — | — |
| networkPolicies. |
array | — | — |
| networkPolicies. |
object | — | Configure cert-manager network policy rules. |
| networkPolicies. |
object | — | Configure network policy rule to allow cert-manager perform DNS-01 challenges. |
| networkPolicies. |
array of string | — | List of IP netmasks A IP address with netmask |
| networkPolicies. |
boolean | True |
— |
| networkPolicies. |
object | — | Configure network policy rule to allow cert-manager perform HTTP-01 challenges on other endpoints than the ingress-controller. |
| networkPolicies. |
array of string | — | List of IP netmasks A IP address with netmask |
| networkPolicies. |
object | — | See note |
| networkPolicies. |
array of string | — | See note |
| networkPolicies. |
object | — | Configure CoreDNS network policy rules. |
| networkPolicies. |
boolean | True |
— |
| networkPolicies. |
object | — | Configure network policy rule to allow CoreDNS to query the upstream DNS servers. |
| networkPolicies. |
object | — | Configure network policy rule to allow CoreDNS to query the internal service IP. |
| networkPolicies. |
boolean | — | — |
| networkPolicies. |
object | — | Configure Dex network policy rules. |
| networkPolicies. |
object | — | Configure network policy rule to allow Dex to reach configured connectors. |
| networkPolicies. |
array of integer | — | A 16 bit unsigned integer |
| networkPolicies. |
boolean | True |
— |
| networkPolicies. |
object | — | Configure DNS Autoscaler network policy rules. |
| networkPolicies. |
boolean | True |
— |
| networkPolicies. |
boolean | True |
— |
| networkPolicies. |
boolean | True |
— |
| networkPolicies. |
object | — | Configure ExternalDNS network policy rules. |
| networkPolicies. |
boolean | — | — |
| networkPolicies. |
array of integer | — | A 16 bit unsigned integer |
| networkPolicies. |
object | — | Configure Falco network policy rules. |
| networkPolicies. |
boolean | True |
— |
| networkPolicies. |
object | — | Configure network policy rules to allow Falco to install plugins during startup. |
| networkPolicies. |
array of integer | — | A 16 bit unsigned integer |
| networkPolicies. |
object | — | Configure Fluentd network policy rules. |
| networkPolicies. |
boolean | True |
— |
| networkPolicies. |
object | — | Configure extra output egress rules. This may be used to allow application developers to send logs externally from user Fluentd with extra config and plugins. |
| networkPolicies. |
array of string | — | List of IP netmasks A IP address with netmask |
| networkPolicies. |
array of integer | — | A 16 bit unsigned integer |
| networkPolicies. |
object | — | Configure Gatekeeper network policy rules. |
| networkPolicies. |
boolean | True |
— |
| networkPolicies. |
object | — | Configure global network policy rules. |
| networkPolicies. |
boolean | — | When enabled create Network Policy rules for ingress via external load balancer. |
| networkPolicies. |
boolean | — | When enabled create Network Policy rules for ingress via host network. |
| networkPolicies. |
object | — | See note |
| networkPolicies. |
array of string | — | List of IP netmasks A IP address with netmask |
| networkPolicies. |
array of integer | — | A 16 bit unsigned integer |
| networkPolicies. |
object | — | See note |
| networkPolicies. |
array of integer | — | A 16 bit unsigned integer |
| networkPolicies. |
object | — | See note |
| networkPolicies. |
array of string | — | List of IP netmasks A IP address with netmask |
| networkPolicies. |
integer | — | — |
| networkPolicies. |
object | — | See note |
| networkPolicies. |
array of string | — | List of IP netmasks A IP address with netmask |
| networkPolicies. |
object | — | See note |
| networkPolicies. |
array of string | — | List of IP netmasks A IP address with netmask |
| networkPolicies. |
object | — | Configure Trivy network policy rules. Used for Trivy to fetch vulnerability databases both in Harbor and Trivy Operator. |
| networkPolicies. |
integer | — | — |
| networkPolicies. |
object | — | See note |
| networkPolicies. |
array of string | — | List of IP netmasks A IP address with netmask |
| networkPolicies. |
integer | — | — |
| networkPolicies. |
object | — | See note |
| networkPolicies. |
array of string | — | List of IP netmasks A IP address with netmask |
| networkPolicies. |
object | — | See note |
| networkPolicies. |
array of string | — | List of IP netmasks A IP address with netmask |
| networkPolicies. |
object | — | Configure Harbor network policy rules. |
| networkPolicies. |
object | — | Configure network policies for the database used by Harbor. |
| networkPolicies. |
object | — | Configure network policy egress rules to the external database of Harbor. |
| networkPolicies. |
array | — | — |
| networkPolicies. |
array | — | — |
| networkPolicies. |
object | — | Configure network policy ingress rules to the internal database of Harbor. |
| networkPolicies. |
array | — | — |
| networkPolicies. |
array | — | — |
| networkPolicies. |
boolean | True |
— |
| networkPolicies. |
object | — | Configure network policies for the job service in Harbor. |
| networkPolicies. |
array of integer | — | A 16 bit unsigned integer |
| networkPolicies. |
object | — | Configure network policies for the Redis used by Harbor. |
| networkPolicies. |
object | — | Configure network policy egress rules to the external Redis of Harbor. |
| networkPolicies. |
array | — | — |
| networkPolicies. |
array | — | — |
| networkPolicies. |
object | — | Configure network policies for external registries used by Harbor. Applies to harbor-core and harbor-jobservice when replication is enabled. |
| networkPolicies. |
array of integer | — | A 16 bit unsigned integer |
| networkPolicies. |
object | — | Configure network policies for the Trivy scanner in Harbor. |
| networkPolicies. |
array of integer | — | A 16 bit unsigned integer |
| networkPolicies. |
object | — | Configure Ingress NGINX network policy rules. |
| networkPolicies. |
boolean | True |
— |
| networkPolicies. |
object | — | Configure override to the ingress rules for Ingress NGINX. Required when cluster ingress uses direct routing. |
| networkPolicies. |
boolean | — | — |
| networkPolicies. |
object | — | Configure kube-system network policy rules. |
| networkPolicies. |
boolean | True |
— |
| networkPolicies. |
object | — | Configure OpenStack network policy rules. |
| networkPolicies. |
boolean | — | — |
| networkPolicies. |
array of string | — | List of IP netmasks A IP address with netmask |
| networkPolicies. |
array of integer | — | A 16 bit unsigned integer |
| networkPolicies. |
object | — | Configure UpCloud network policy rules. |
| networkPolicies. |
boolean | — | — |
| networkPolicies. |
array of string | — | List of IP netmasks A IP address with netmask |
| networkPolicies. |
array of integer | — | A 16 bit unsigned integer |
| networkPolicies. |
object | — | Configure Kured network policy rules. |
| networkPolicies. |
boolean | True |
— |
| networkPolicies. |
object | — | Configure network policy rules to allow Kured to send Slack notifications. |
| networkPolicies. |
array of integer | — | A 16 bit unsigned integer |
| networkPolicies. |
object | — | Configure Kyverno network policy rules. |
| networkPolicies. |
boolean | True |
— |
| networkPolicies. |
object | — | Configure network policy that allows Kyverno to access image registries. This is required for signed image verification. |
| networkPolicies. |
object | — | Configure monitoring network policy rules. |
| networkPolicies. |
boolean | True |
— |
| networkPolicies. |
object | — | Configure Grafana network policy rules. |
| networkPolicies. |
object | — | Configure network policy rules to allow Grafana to use external dashboards. |
| networkPolicies. |
array of string | — | List of IP netmasks A IP address with netmask |
| networkPolicies. |
array of integer | — | A 16 bit unsigned integer |
| networkPolicies. |
object | — | Configure network policy rules to allow Grafana to use external datasources. |
| networkPolicies. |
boolean | — | — |
| networkPolicies. |
object | — | Configure OpenSearch network policy rules. |
| networkPolicies. |
boolean | True |
— |
| networkPolicies. |
object | — | Configure network policy rules to allow OpenSearch to install plugins during startup. |
| networkPolicies. |
array of integer | — | A 16 bit unsigned integer |
| networkPolicies. |
object | — | Configure Prometheus network policy rules. |
| networkPolicies. |
object | — | See note |
| networkPolicies. |
boolean | — | — |
| networkPolicies. |
array of string | — | Configure the namespaces to allow internal access to Prometheus. |
| networkPolicies. |
object | — | Configure Rclone network policy rules. |
| networkPolicies. |
boolean | — | — |
| networkPolicies. |
object | — | Configure network policy rules to allow rclone to sync. |
| networkPolicies. |
object | — | Configure network policy rules to allow rclone to sync object storage. |
| networkPolicies. |
array of integer | — | A 16 bit unsigned integer |
| networkPolicies. |
object | — | Configure network policy rules to allow rclone to sync object storage with Swift. |
| networkPolicies. |
array of integer | — | A 16 bit unsigned integer |
| networkPolicies. |
object | — | Configure network policy rules to allow rclone to sync with a secondary URL. |
| networkPolicies. |
array of integer | — | A 16 bit unsigned integer |
| networkPolicies. |
object | — | Configure Rook Ceph network policy rules. |
| networkPolicies. |
boolean | — | — |
| networkPolicies. |
object | — | Configure S3 exporter network policy rules. |
| networkPolicies. |
boolean | True |
— |
| networkPolicies. |
object | — | Enable network policies for tekton and the pipeline. |
| networkPolicies. |
boolean | True |
— |
| networkPolicies. |
object | — | See note |
| networkPolicies. |
object | — | Configure Thanos network policy rules. |
| networkPolicies. |
boolean | True |
— |
| networkPolicies. |
object | — | Configure Velero network policy rules. |
| networkPolicies. |
boolean | True |
— |
Notes for networkPolicies.certManager.letsencrypt
Configure network policy rule to allow cert-manager to reach Let's Encrypt.
Note
Let's Encrypt by choice does not publish a list of their endpoints, so this is required to be ips: [ 0.0.0.0/0 ].
Notes for networkPolicies.certManager.namespaces[]
Configure namespaces to allow cert-manager HTTP-01 perform HTTP-01 challenges.
Examples:
['dex', 'harbor', 'monitoring', 'opensearch-system', 'thanos']
Notes for networkPolicies.global.objectStorage
Configure object storage network policy rules.
This configuration should match the object storage service configured under objectStorage.
Tip
Automatically populated by ./bin/ck8s update-ips <both|sc|wc>.
Notes for networkPolicies.global.objectStorageSwift
Configure OpenStack Swift object storage network policy rules.
This configuration should match the object storage service configured under objectStorage.swift if used by any component.
Tip
Automatically populated by ./bin/ck8s update-ips <both|sc|wc>.
Notes for networkPolicies.global.scApiserver
Configure service cluster API server network policy rules.
Tip
Automatically populated by ./bin/ck8s update-ips <both|sc|wc>.
Notes for networkPolicies.global.scIngress
Configure service cluster ingress network policy rules.
Tip
Automatically populated by ./bin/ck8s update-ips <both|sc|wc>.
Notes for networkPolicies.global.scNodes
Configure service cluster nodes network policy rules.
Tip
Automatically populated by ./bin/ck8s update-ips <both|sc|wc>.
Notes for networkPolicies.global.wcApiserver
Configure workload cluster API server network policy rules.
Tip
Automatically populated by ./bin/ck8s update-ips <both|sc|wc>.
Notes for networkPolicies.global.wcIngress
Configure workload cluster ingress network policy rules.
Tip
Automatically populated by ./bin/ck8s update-ips <both|sc|wc>.
Notes for networkPolicies.global.wcNodes
Configure workload cluster nodes network policy rules.
Tip
Automatically populated by ./bin/ck8s update-ips <both|sc|wc>.
Notes for networkPolicies.prometheus.internalAccess
Configure network policy rules to allow internal access to Prometheus.
This requires the allowed namespaces to be configured under namespaces and the allowed pods to be labeled elastisys.io/prometheus-access: allowed.
Notes for networkPolicies.tektonPipelines.pipeline
Add required networkpolicies for the pipeline under the section pipeline.
The networkpolicies should follow the network policies generator. As such, it is possible to use pre-defined network policies rules. The pre-defined rules can be found here.
pipeline:
clone-config-pod:
podSelectorLabels:
tekton.dev/pipeline: upgrade-pipeline
ingress: {}
egress:
- rule: egress-rule-dns # pre-defined network policies rule.
- name: egress-rule-config-access
peers:
- cidr: 1.2.3.4/32
ports:
- tcp: 22
nodeLocalDns¶
Configure node-local-dns, node local DNS resolving and caching.
| Key | Type | Default | Description |
|---|---|---|---|
| nodeLocalDns. |
string | — | See note |
| nodeLocalDns. |
object | — | Configure the host zone for node-local-dns |
| nodeLocalDns. |
string | — | See note |
| nodeLocalDns. |
object | — | See note |
| nodeLocalDns. |
object | — | — |
| nodeLocalDns. |
object | — | — |
Notes for nodeLocalDns.customConfig
Configure custom options for the CoreDNS instance running as part of node-local-dns.
Note
See the upstream documentation for reference.
Examples:
example.com:53 {
errors
cache 30
reload
loop
forward . 127.0.0.1:9005
}
Notes for nodeLocalDns.hostZone.extraConfig
Configure extra config for the host zone .53 for node-local-dns.
Note
See the upstream documentation for reference.
Examples:
template ANY ANY {
rcode NXDOMAIN
}
Notes for nodeLocalDns.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
objectStorage¶
Configuration options for using object storage in Welkin
This is used for:
- Fluentd audit logs
- Fluentd service cluster logs
- Harbor database backups and registry storage
- OpenSearch workload cluster log snapshots
- Rclone object storage sync source and restore destination
- Thanos metrics storage
- Velero resource backups and volume snapshots
Harbor, Rclone, and Thanos have additional configuration to use Swift.
| Key | Type | Default | Description |
|---|---|---|---|
| objectStorage. |
object | — | Only supports Azure Public Cloud. |
| objectStorage. |
string | — | Resource group of the storage account. |
| objectStorage. |
string | — | Name of the storage account |
| objectStorage. |
object | — | See note |
| objectStorage. |
object | — | See note |
| objectStorage. |
boolean | — | Automatically configure the restore from a secondary site to the primary site. Essentially this will configure Rclone restore to do the inverse of Rclone sync. |
| objectStorage. |
object | — | Encrypt data when syncing and decrypt data when restoring. |
| objectStorage. |
boolean | — | Encrypt directory names when syncing, requires file names to be encrypted. |
| objectStorage. |
boolean | — | — |
| objectStorage. |
boolean | — | Encrypt file names when syncing. |
| objectStorage. |
object | — | Allows for complete or partial overrides of the destinations of the restore, the main object storage configuration. |
| objectStorage. |
object | — | Only supports Azure Public Cloud. |
| objectStorage. |
string | — | Resource group of the storage account. |
| objectStorage. |
string | — | Name of the storage account |
| objectStorage. |
object | — | Supports both AWS and non-AWS implementations. |
| objectStorage. |
boolean | — | Force the use of path style access instead of virtual host style access. Generally false when using AWS, Exoscale, and UpCloud and true for other providers. |
| objectStorage. |
string | — | Region to store data. |
| objectStorage. |
string | — | Endpoint to reach the S3 service, mainly applicable for non-AWS implementations. Make sure to prepend the protocol (e.g. https://). |
| objectStorage. |
boolean | — | Force the use of v2 authentication, will default to using v4 authentication otherwise. |
| objectStorage. |
object | — | > [!note] > Supported as an option only for Harbor, Rclone, and Thanos. |
| objectStorage. |
string | — | OpenStack authentication URL. Make sure to prepend the protocol (e.g. https://) and append the authentication version (e.g. /v3). |
| objectStorage. |
integer | — | OpenStack authentication version. Set 0 for auto detect from authentication url. |
| objectStorage. |
string | — | The user domain ID to use. User domain is required when authenticating with username, set either domainId or domainName. |
| objectStorage. |
string | — | The user domain name to use. User domain is required when authenticating with username, set either domainId or domainName. |
| objectStorage. |
string | — | The project domain ID to use. Project domain is required when authenticating with projectName, set either projectDomainId or projectDomainName. |
| objectStorage. |
string | — | The project domain name to use. Project domain is required when authenticating with projectName, set either projectDomainId or projectDomainName. |
| objectStorage. |
string | — | The project ID to use. Project is required when authenticating with username, set either projectId or projectName. |
| objectStorage. |
string | — | The project name to use, requires project domain to be set. Project is required when authenticating with username, set either projectId or projectName. |
| objectStorage. |
string | — | OpenStack region. |
| objectStorage. |
string | +segments |
The container suffix to use for segment containers. These are created to store large objects with SLOs/DLOs, and with s3api middleware for multipart uploads. |
| objectStorage. |
boolean | — | Deploy Rclone with dryrun enabled. |
| objectStorage. |
boolean | — | — |
| objectStorage. |
object | — | Allows for complete or partial overrides of the sources of the restore, the sync object storage configuration. |
| objectStorage. |
object | — | Only supports Azure Public Cloud. |
| objectStorage. |
string | — | Resource group of the storage account. |
| objectStorage. |
string | — | Name of the storage account |
| objectStorage. |
object | — | Supports both AWS and non-AWS implementations. |
| objectStorage. |
boolean | — | Force the use of path style access instead of virtual host style access. Generally false when using AWS, Exoscale, and UpCloud and true for other providers. |
| objectStorage. |
string | — | Region to store data. |
| objectStorage. |
string | — | Endpoint to reach the S3 service, mainly applicable for non-AWS implementations. Make sure to prepend the protocol (e.g. https://). |
| objectStorage. |
boolean | — | Force the use of v2 authentication, will default to using v4 authentication otherwise. |
| objectStorage. |
object | — | > [!note] > Supported as an option only for Harbor, Rclone, and Thanos. |
| objectStorage. |
string | — | OpenStack authentication URL. Make sure to prepend the protocol (e.g. https://) and append the authentication version (e.g. /v3). |
| objectStorage. |
integer | — | OpenStack authentication version. Set 0 for auto detect from authentication url. |
| objectStorage. |
string | — | The user domain ID to use. User domain is required when authenticating with username, set either domainId or domainName. |
| objectStorage. |
string | — | The user domain name to use. User domain is required when authenticating with username, set either domainId or domainName. |
| objectStorage. |
string | — | The project domain ID to use. Project domain is required when authenticating with projectName, set either projectDomainId or projectDomainName. |
| objectStorage. |
string | — | The project domain name to use. Project domain is required when authenticating with projectName, set either projectDomainId or projectDomainName. |
| objectStorage. |
string | — | The project ID to use. Project is required when authenticating with username, set either projectId or projectName. |
| objectStorage. |
string | — | The project name to use, requires project domain to be set. Project is required when authenticating with username, set either projectId or projectName. |
| objectStorage. |
string | — | OpenStack region. |
| objectStorage. |
string | +segments |
The container suffix to use for segment containers. These are created to store large objects with SLOs/DLOs, and with s3api middleware for multipart uploads. |
| objectStorage. |
array of object | — | Targets to restore Details of a bucket to restore. |
| objectStorage. |
string | — | Perform point-in-time restore if possible. This is only supported for S3 sources. |
| objectStorage. |
object | — | Supports both AWS and non-AWS implementations. |
| objectStorage. |
boolean | — | Force the use of path style access instead of virtual host style access. Generally false when using AWS, Exoscale, and UpCloud and true for other providers. |
| objectStorage. |
string | — | Region to store data. |
| objectStorage. |
string | — | Endpoint to reach the S3 service, mainly applicable for non-AWS implementations. Make sure to prepend the protocol (e.g. https://). |
| objectStorage. |
boolean | — | Force the use of v2 authentication, will default to using v4 authentication otherwise. |
| objectStorage. |
object | — | > [!note] > Supported as an option only for Harbor, Rclone, and Thanos. |
| objectStorage. |
string | — | OpenStack authentication URL. Make sure to prepend the protocol (e.g. https://) and append the authentication version (e.g. /v3). |
| objectStorage. |
integer | — | OpenStack authentication version. Set 0 for auto detect from authentication url. |
| objectStorage. |
string | — | The user domain ID to use. User domain is required when authenticating with username, set either domainId or domainName. |
| objectStorage. |
string | — | The user domain name to use. User domain is required when authenticating with username, set either domainId or domainName. |
| objectStorage. |
string | — | The project domain ID to use. Project domain is required when authenticating with projectName, set either projectDomainId or projectDomainName. |
| objectStorage. |
string | — | The project domain name to use. Project domain is required when authenticating with projectName, set either projectDomainId or projectDomainName. |
| objectStorage. |
string | — | The project ID to use. Project is required when authenticating with username, set either projectId or projectName. |
| objectStorage. |
string | — | The project name to use, requires project domain to be set. Project is required when authenticating with username, set either projectId or projectName. |
| objectStorage. |
string | — | OpenStack region. |
| objectStorage. |
string | +segments |
The container suffix to use for segment containers. These are created to store large objects with SLOs/DLOs, and with s3api middleware for multipart uploads. |
| objectStorage. |
object | — | Sync object storage from the primary site to a secondary site with Rclone. |
| objectStorage. |
number | 14400 |
The maximum amount of time that the Rclone job is allowed to run (in seconds). |
| objectStorage. |
object | — | Only supports Azure Public Cloud. |
| objectStorage. |
string | — | Resource group of the storage account. |
| objectStorage. |
string | — | Name of the storage account |
| objectStorage. |
array of object | — | Additional buckets to sync. List of buckets to sync when syncDefaultBuckets is false |
| objectStorage. |
string | — | — |
| objectStorage. |
string | — | See note |
| objectStorage. |
boolean | — | Deploy Rclone with dryrun enabled. |
| objectStorage. |
boolean | — | — |
| objectStorage. |
object | — | Encrypt data when syncing and decrypt data when restoring. |
| objectStorage. |
boolean | — | Encrypt directory names when syncing, requires file names to be encrypted. |
| objectStorage. |
boolean | — | — |
| objectStorage. |
boolean | — | Encrypt file names when syncing. |
| objectStorage. |
object | — | See note |
| objectStorage. |
object | — | — |
| objectStorage. |
object | — | — |
| objectStorage. |
object | — | Supports both AWS and non-AWS implementations. |
| objectStorage. |
boolean | — | Force the use of path style access instead of virtual host style access. Generally false when using AWS, Exoscale, and UpCloud and true for other providers. |
| objectStorage. |
string | — | Region to store data. |
| objectStorage. |
string | — | Endpoint to reach the S3 service, mainly applicable for non-AWS implementations. Make sure to prepend the protocol (e.g. https://). |
| objectStorage. |
boolean | — | Force the use of v2 authentication, will default to using v4 authentication otherwise. |
| objectStorage. |
string | — | — |
| objectStorage. |
string | — | See note |
| objectStorage. |
object | — | > [!note] > Supported as an option only for Harbor, Rclone, and Thanos. |
| objectStorage. |
string | — | OpenStack authentication URL. Make sure to prepend the protocol (e.g. https://) and append the authentication version (e.g. /v3). |
| objectStorage. |
integer | — | OpenStack authentication version. Set 0 for auto detect from authentication url. |
| objectStorage. |
string | — | The user domain ID to use. User domain is required when authenticating with username, set either domainId or domainName. |
| objectStorage. |
string | — | The user domain name to use. User domain is required when authenticating with username, set either domainId or domainName. |
| objectStorage. |
string | — | The project domain ID to use. Project domain is required when authenticating with projectName, set either projectDomainId or projectDomainName. |
| objectStorage. |
string | — | The project domain name to use. Project domain is required when authenticating with projectName, set either projectDomainId or projectDomainName. |
| objectStorage. |
string | — | The project ID to use. Project is required when authenticating with username, set either projectId or projectName. |
| objectStorage. |
string | — | The project name to use, requires project domain to be set. Project is required when authenticating with username, set either projectId or projectName. |
| objectStorage. |
string | — | OpenStack region. |
| objectStorage. |
string | +segments |
The container suffix to use for segment containers. These are created to store large objects with SLOs/DLOs, and with s3api middleware for multipart uploads. |
| objectStorage. |
boolean | — | Sync the buckets or containers set under .objectStorage.buckets. |
| objectStorage. |
string | — | See note |
Notes for objectStorage.buckets
Buckets or containers for each respective application to use for application data or backup storage.
Keys are used as identifiers for buckets or containers, while the values are used as the bucket or container name.
Additional entries added here will have monitoring enabled.
Notes for objectStorage.restore
Restore object storage from a secondary site to the primary site with Rclone.
Note
When enabled this will disable Rclone sync to prevent it from modifying the secondary site.
Notes for objectStorage.sync.destinationType
Object storage type to use.
Possible values:
azure
gcs
s3
swift
Notes for objectStorage.sync.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for objectStorage.sync.sourceType
Object storage type to use. Defaults to .objectStorage.type
Examples:
azure
gcs
s3
swift
Notes for objectStorage.type
Object storage type to use.
In addition to this Harbor, Rclone, and Thanos have additional configuration to use Swift.
Possible values:
azure
gcs
s3
none
opa¶
Configure Open Policy Agent, constraints and mutations enforced by Gatekeeper.
Welkin contains multiple safeguards to make it easy to follow security best practices.
This includes an implementation of constraints and mutations with similar behaviour as Pod Security Policies, and application developer centric safeguards.
Notes for opa.audit.nodeSelector
Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for opa.audit.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for opa.controllerManager.nodeSelector
Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for opa.controllerManager.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for opa.disallowedTags
Configure constraint to disallow configured tags on container images.
Note
See the dev docs for context.
Notes for opa.disallowedTags.enforcement
Possible values:
deny
warn
dryrun
Notes for opa.imageRegistry
Configure constraint to only allow configured registries for container images.
Note
See the dev docs for context.
Notes for opa.imageRegistry.URL[]
Configure the registries that should be trusted by the constraint.
Note
To support issuing certificates with HTTP-01 challenges the registry quay.io/jetstack/cert-manager-acmesolver must be added.
Notes for opa.imageRegistry.enforcement
Possible values:
deny
warn
dryrun
Notes for opa.minimumDeploymentReplicas
Configure constraint to only allow Deployments and StatefulSets with more than one replica.
Note
See the dev docs for context.
Notes for opa.minimumDeploymentReplicas.enforcement
Possible values:
deny
warn
dryrun
Notes for opa.mutations.jobTTL
Configure mutations to set time to live on deployed Jobs.
Note
See the dev docs for context.
Notes for opa.networkPolicies
Configure constraint to only allow Pods targeted by NetworkPolicies.
Note
See the dev docs for context.
Notes for opa.networkPolicies.enforcement
Possible values:
deny
warn
dryrun
Notes for opa.preventAccidentalDeletion.enforcement
Possible values:
deny
warn
dryrun
Notes for opa.rejectLoadBalancerService
Configure constraint to reject creation of Services with the type LoadBalancer.
Advantageous if the cluster cannot automatically provision LoadBalancers, e.g. because the infrastructure provider do not offer such Kubernetes integration.
Note
See the dev docs for context.
Notes for opa.rejectLoadBalancerService.enforcement
Possible values:
deny
warn
dryrun
Notes for opa.rejectLocalStorageEmptyDir
Configure constraint to reject usage of local storage emptydir.
Note
See the dev docs for context.
Notes for opa.rejectLocalStorageEmptyDir.enforcement
Possible values:
deny
warn
dryrun
Notes for opa.rejectPodWithoutController
Configure constraint to reject pods without a controller.
Note
See the dev docs for context.
Notes for opa.rejectPodWithoutController.enforcement
Possible values:
deny
warn
dryrun
Notes for opa.resourceRequests
Configure constraint to only allow Pods configured with resource requests.
Note
See the dev docs for context.
Notes for opa.resourceRequests.enforcement
Possible values:
deny
warn
dryrun
Notes for opa.restrictPodDisruptionBudgets
Configure constraint to reject PodDisruptionBudgets and connected Pod controllers if the PDB does not allow for at least 1 pod disruption.
Note
See the dev docs for context.
Notes for opa.restrictPodDisruptionBudgets.enforcement
Possible values:
deny
warn
dryrun
opensearch¶
Configuration for OpenSearch.
OpenSearch ingests logs sent from Fluentd in the workload cluster, and presents them in OpenSearch Dashboards.
Note
OpenSearch and its components are installed in the service cluster, so this configuration mainly applies there.
| Key | Type | Default | Description |
|---|---|---|---|
| opensearch. |
object | — | See note |
| opensearch. |
object | — | Configures the client stateful set of OpenSearch that takes on the roll to ingest and query logs. |
| opensearch. |
object | — | Affinity is a group of affinity scheduling rules. |
| opensearch. |
— | — | Describes node affinity scheduling rules for the pod. |
| opensearch. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| opensearch. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| opensearch. |
number | 1 |
— |
| opensearch. |
boolean | True |
When disabled the master nodes will take on these rolls. |
| opensearch. |
string | -Xms512m -Xmx512m |
See note |
| opensearch. |
object | — | See note |
| opensearch. |
object | — | See note |
| opensearch. |
object | — | — |
| opensearch. |
object | — | — |
| opensearch. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
| opensearch. |
string | opensearch |
— |
| opensearch. |
boolean | True |
See note |
| opensearch. |
object | — | Configures the CronJob that removes indices. |
| opensearch. |
number | 2700 |
— |
| opensearch. |
object | — | Affinity is a group of affinity scheduling rules. |
| opensearch. |
— | — | Describes node affinity scheduling rules for the pod. |
| opensearch. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| opensearch. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| opensearch. |
boolean | True |
— |
| opensearch. |
object | — | See note |
| opensearch. |
object | — | See note |
| opensearch. |
object | — | — |
| opensearch. |
object | — | — |
| opensearch. |
array of object | [{'pattern': 'authlog-*', 'ageDays': 30, 'sizeGB': 1}, {'pattern': 'kubeaudit-*', 'ageDays': 30, 'sizeGB': 50}, {'pattern': 'kubernetes-*', 'ageDays': 30, 'sizeGB': 50}, {'pattern': 'other-*', 'ageDays': 7, 'sizeGB': 1}, {'pattern': 'security-auditlog-*', 'ageDays': 7, 'sizeGB': 1}] |
Configures the retention of indices in OpenSearch. Configures the retention of indices in OpenSearch. |
| opensearch. |
number | 600 |
— |
| opensearch. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
| opensearch. |
object | — | Configures the Dashboards deployment of OpenSearch providing the UI to view and query logs. |
| opensearch. |
object | — | Affinity is a group of affinity scheduling rules. |
| opensearch. |
— | — | Describes node affinity scheduling rules for the pod. |
| opensearch. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| opensearch. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| opensearch. |
integer | — | Time-to-live for the session cookie in milliseconds. Overrides OpenSearch Dashboards internal default if set. |
| opensearch. |
object | — | See note |
| opensearch. |
object | — | See note |
| opensearch. |
object | — | — |
| opensearch. |
object | — | — |
| opensearch. |
boolean | — | Whether the session TTL should be extended upon user activity. Overrides OpenSearch Dashboards internal default if set. |
| opensearch. |
integer | — | Time-to-live for the session itself in milliseconds. Overrides OpenSearch Dashboards internal default if set. |
| opensearch. |
string | opensearch |
See note |
| opensearch. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
| opensearch. |
array | — | TopologySpreadConstraints describes how pods should spread across topology domains. |
| opensearch. |
object | — | Configures the data stateful set of OpenSearch that takes on the roll to index and store logs. |
| opensearch. |
object | — | Affinity is a group of affinity scheduling rules. |
| opensearch. |
— | — | Describes node affinity scheduling rules for the pod. |
| opensearch. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| opensearch. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| opensearch. |
number | 2 |
— |
| opensearch. |
boolean | True |
When disabled the master nodes will take on these rolls. |
| opensearch. |
string | -Xms512m -Xmx512m |
See note |
| opensearch. |
object | — | See note |
| opensearch. |
object | — | See note |
| opensearch. |
object | — | — |
| opensearch. |
object | — | — |
| opensearch. |
-string- -null- | — | See note |
| opensearch. |
string | — | Configure the requested size of the persistent volume for this OpenSerch node. |
| opensearch. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
| opensearch. |
boolean | True |
See note |
| opensearch. |
boolean | True |
> [!note] > Must be set for both service and workload cluster. |
| opensearch. |
object | — | Configures the exporter exposing metrics from OpenSearch. |
| opensearch. |
object | — | See note |
| opensearch. |
object | — | — |
| opensearch. |
object | — | — |
| opensearch. |
object | — | Configures the service monitor of the exporter. |
| opensearch. |
string | 30s |
— |
| opensearch. |
string | — | — |
| opensearch. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
| opensearch. |
array of object | — | See note |
| opensearch. |
array of object | — | See note |
| opensearch. |
boolean | — | See note |
| opensearch. |
object | — | Configures the ingress for OpenSearch master or client nodes. |
| opensearch. |
string | 32m |
— |
| opensearch. |
object | — | Configures index state management in OpenSearch. |
| opensearch. |
object | — | See note |
| opensearch. |
boolean | True |
See note |
| opensearch. |
boolean | True |
When set OpenSearch can be configured with index state management policies via additionalPolicies that overwrite the ones configured via defaultPolicies. |
| opensearch. |
number | 1 |
Configures the age a write index must reach before it is rolled over to a new one. |
| opensearch. |
number | 1 |
Configures the size a write index must reach before it is rolled over to a new one. |
| opensearch. |
object | — | Configures the main stateful set of OpenSearch that takes on all roles not provided by other nodes (dataNode, clientNode). |
| opensearch. |
object | — | Affinity is a group of affinity scheduling rules. |
| opensearch. |
— | — | Describes node affinity scheduling rules for the pod. |
| opensearch. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| opensearch. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| opensearch. |
number | 1 |
— |
| opensearch. |
string | -Xms512m -Xmx512m |
See note |
| opensearch. |
object | — | See note |
| opensearch. |
object | — | See note |
| opensearch. |
object | — | — |
| opensearch. |
object | — | — |
| opensearch. |
-string- -null- | — | See note |
| opensearch. |
string | — | Configure the requested size of the persistent volume for this OpenSerch node. |
| opensearch. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
| opensearch. |
number | 1024 |
Configures the maximum number of clauses permitted in a query. |
| opensearch. |
number | 1000 |
Configures the maximum number of shards permitted on one node. |
| opensearch. |
boolean | True |
When set OpenSearch can be configured with index templates via additionalTemplates that overwrite the ones configured via defaultTemplates. |
| opensearch. |
object | — | Configures plugins used in OpenSearch. |
| opensearch. |
array | — | Configures OpenSearch to install plugins when it starts. In an air-gapped environment this can be used to install plugins from known sources. |
| opensearch. |
boolean | — | See note |
| opensearch. |
array of object | [{'prefix': 'authlog-default', 'alertSizeMB': 2}, {'prefix': 'kubeaudit-default', 'alertSizeMB': 5500}, {'prefix': 'kubernetes-default', 'alertSizeMB': 5500}, {'prefix': 'other-default', 'alertSizeMB': 400}] |
Configures the index alerts monitoring the function of index state management. Configures the index alert monitoring the function of index state management. |
| opensearch. |
object | — | Configures the Job that initialises OpenSearch Security. |
| opensearch. |
number | 1200 |
— |
| opensearch. |
boolean | True |
— |
| opensearch. |
object | — | See note |
| opensearch. |
object | — | — |
| opensearch. |
object | — | — |
| opensearch. |
object | — | Configure OpenSearch snapshot creation and retention. This requires that objectStorage is configured, and will use the bucket or container set in objectStorage.buckets.opensearch. |
| opensearch. |
string | — | — |
| opensearch. |
boolean | True |
— |
| opensearch. |
number | 14 |
— |
| opensearch. |
number | 7 |
— |
| opensearch. |
string | opensearch-snapshots |
— |
| opensearch. |
string | 10d |
— |
| opensearch. |
string | — | — |
| opensearch. |
object | — | Configures Single Sign On to OpenSearch via Dex. |
| opensearch. |
boolean | — | — |
| opensearch. |
string | groups |
— |
| opensearch. |
string | openid profile email groups |
— |
| opensearch. |
string | email |
— |
| opensearch. |
string | opensearch |
See note |
Notes for opensearch.additionalTemplates
When set OpenSearch will be configured with additional index templates.
The keys will be used as the name of the index templates.
Note
See the upstream documentation for reference.
Notes for opensearch.clientNode.javaOpts
Set Java Virtual Machine Options to control the memory allocation of OpenSearch.
As a rule of thumb the minimum allocation -Xms and maximum allocation -Xmx arguments should be the same to be more predictable.
Additionally until memory allocation is at 2 GiB and more it is recommended that the memory limit set in Kubernetes is twice the allocation as OpenSearch uses this for cache.
Notes for opensearch.clientNode.nodeSelector
Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for opensearch.clientNode.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for opensearch.createIndices
When enabled OpenSearch will be configured with initial indices for:
authlogkubeauditkubernetesother
Notes for opensearch.curator.nodeSelector
Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for opensearch.curator.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for opensearch.dashboards.nodeSelector
Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for opensearch.dashboards.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for opensearch.dashboards.subdomain
Subdomain of baseDomain that the Ingress to OpenSearch Dashboards will be created with.
Note
Must be set for both service and workload cluster.
Notes for opensearch.dataNode.javaOpts
Set Java Virtual Machine Options to control the memory allocation of OpenSearch.
As a rule of thumb the minimum allocation -Xms and maximum allocation -Xmx arguments should be the same to be more predictable.
Additionally until memory allocation is at 2 GiB and more it is recommended that the memory limit set in Kubernetes is twice the allocation as OpenSearch uses this for cache.
Notes for opensearch.dataNode.nodeSelector
Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for opensearch.dataNode.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for opensearch.dataNode.storageClass
Set storage class for OpenSearch.
- If set to
null, the default storage class will be used to provision the volumes. - If set to
-, no storage class will be used to provision the volumes.
Notes for opensearch.defaultTemplates
When enabled OpenSearch will be configured with the default index templates for:
authlogkubeauditkubernetesother
Notes for opensearch.exporter.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for opensearch.extraRoleMappings[]
Configures extra role mappings for OpenSearch Security.
Extra users can be configured in secrets.yaml under extraUsers and extra roles under extraRoles.
Configures a role mapping for OpenSearch Security.
Note
See the upstream documentation for reference.
Notes for opensearch.extraRoles[]
Configures extra roles for OpenSearch Security.
Configures a role for OpenSearch Security.
Note
See the upstream documentation for reference.
Notes for opensearch.indexPerNamespace
When enabled logs are ingested into multiple indices per namespace.
When disabled logs are ingested into a single kubernetes index.
Note
Must be set for both service and workload cluster.
Notes for opensearch.ism.additionalPolicies
When set OpenSearch will be configured with additional index state management policies.
The keys will be used as the name of the index state management policy.
Note
See the upstream documentation for reference.
Notes for opensearch.ism.defaultPolicies
When enabled OpenSearch will be configured with the default index state management policies for:
authlogkubeauditkubernetesother
Notes for opensearch.masterNode.javaOpts
Set Java Virtual Machine Options to control the memory allocation of OpenSearch.
As a rule of thumb the minimum allocation -Xms and maximum allocation -Xmx arguments should be the same to be more predictable.
Additionally until memory allocation is at 2 GiB and more it is recommended that the memory limit set in Kubernetes is twice the allocation as OpenSearch uses this for cache.
Notes for opensearch.masterNode.nodeSelector
Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for opensearch.masterNode.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for opensearch.masterNode.storageClass
Set storage class for OpenSearch.
- If set to
null, the default storage class will be used to provision the volumes. - If set to
-, no storage class will be used to provision the volumes.
Notes for opensearch.plugins.installExternalObjectStoragePlugin
When enabled OpenSearch will install the required object storage plugin when it starts.
In an air-gapped environment where the nodes are not connected to the Internet, set this to false to prevent downloading any external object storage plugins.
Notes for opensearch.securityadmin.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for opensearch.subdomain
Subdomain of opsDomain that the Ingress to OpenSearch will be created with.
Note
Must be set for both service and workload cluster.
openstackMonitoring¶
Configure the collection of metrics for OpenStack components.
| Key | Type | Default | Description |
|---|---|---|---|
| openstackMonitoring. |
boolean | — | — |
prometheus¶
Configure Prometheus.
Prometheus automatically collects metrics via ServiceMonitors, PodMonitors, and Probes, and pushes metrics to Thanos for long term storage. Additionally Prometheus evaluates recording rules for both service and workload cluster, and all alerting rules for the workload cluster.
Note
Prometheus is installed in both service cluster and workload cluster, so this configuration applies there with some exceptions.
| Key | Type | Default | Description |
|---|---|---|---|
| prometheus. |
array | — | See note |
| prometheus. |
object | — | Affinity is a group of affinity scheduling rules. |
| prometheus. |
— | — | Describes node affinity scheduling rules for the pod. |
| prometheus. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| prometheus. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| prometheus. |
object | — | See note |
| prometheus. |
object | — | Affinity is a group of affinity scheduling rules. |
| prometheus. |
— | — | Describes node affinity scheduling rules for the pod. |
| prometheus. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| prometheus. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| prometheus. |
array of string | — | See note |
| prometheus. |
number | 2 |
— |
| prometheus. |
object | — | See note |
| prometheus. |
object | — | — |
| prometheus. |
object | — | — |
| prometheus. |
object | — | Configure persistent storage for Alertmanager. |
| prometheus. |
object | — | Configure persistent storage for Alertmanager. |
| prometheus. |
object | — | Configure persistent storage for Alertmanager. |
| prometheus. |
array of string | — | Configure the access mode of the persistent storage for Alertmanager. |
| prometheus. |
object | — | See note |
| prometheus. |
object | — | — |
| prometheus. |
object | — | — |
| prometheus. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
| prometheus. |
array | — | TopologySpreadConstraints describes how pods should spread across topology domains. |
| prometheus. |
object | — | Configure whether to split KubeletDownForXm alerts into autoscaled and non-autoscaled nodes groups. |
| prometheus. |
boolean | True |
— |
| prometheus. |
string | node-restriction.kubernetes.io/autoscaled-node-type |
The label to identity whether a node belongs to an autoscaled node group. |
| prometheus. |
array of string | — | The label values to a autoscaled node group if their are multiple autoscaled node groups. |
| prometheus. |
object | — | Configure capacity management alerts. |
| prometheus. |
number | 75 |
Alert when a disk's usage reaches the limit in percent. |
| prometheus. |
boolean | True |
— |
| prometheus. |
string | — | See note |
| prometheus. |
object | — | Configure capacity management alerts on persistent volumes. |
| prometheus. |
boolean | True |
— |
| prometheus. |
number | 75 |
Alert when a persistent volume's usage reaches the limit in percent. |
| prometheus. |
boolean | — | — |
| prometheus. |
object | — | Alert when a node's resource requests reaches the limits in percent. |
| prometheus. |
number | 80 |
Configure a CPU request percentage limit to alert for. |
| prometheus. |
number | 80 |
Configure a memory request percentage limit to alert for. |
| prometheus. |
number | 95 |
— |
| prometheus. |
object | — | Configuration options for deploying an application developer-specific Alertmanager. Configuration shared with the service cluster alertmanager can be configured via .alertmanagerSpec. |
| prometheus. |
boolean | — | Allows to enable alertmanager for application developer. |
| prometheus. |
boolean | — | Allows to have ingress for application developer alertmanager with basic auth |
| prometheus. |
string | alertmanager |
Allows to have alertmanager running in custom namespace |
| prometheus. |
string | — | — |
| prometheus. |
object | — | Configure disk alerts. |
| prometheus. |
object | — | Configure disk alerts based on inode usage. |
| prometheus. |
array of object | — | See note |
| prometheus. |
array of object | — | See note |
| prometheus. |
object | — | Configure performance disk alerts. |
| prometheus. |
boolean | — | — |
| prometheus. |
number | 5 |
— |
| prometheus. |
number | 1 |
— |
| prometheus. |
number | 1 |
— |
| prometheus. |
object | — | Configure disk alerts based on storage usage. |
| prometheus. |
array of object | — | See note |
| prometheus. |
array of object | — | See note |
| prometheus. |
object | — | See note |
| prometheus. |
number | 1 |
— |
| prometheus. |
object | — | See note |
| prometheus. |
object | — | — |
| prometheus. |
object | — | — |
| prometheus. |
object | — | Configure retention for Prometheus. |
| prometheus. |
string | 3d |
Configure the time range Prometheus will retain metrics for. |
| prometheus. |
string | — | See note |
| prometheus. |
string | 4GiB |
Configure the total size Prometheus will retain metrics for. |
| prometheus. |
object | — | Configure S3 bucket alerts. |
| prometheus. |
array of object | — | Definitions for specific S3 bucket alerts. S3 Bucket Alert configuration for specific bucket |
| prometheus. |
array of string | — | Exclude buckets from S3 alerts. |
| prometheus. |
object | — | Alert when an S3 buckets reaches the set percentage of the set number of objects. |
| prometheus. |
number | 1638400 |
— |
| prometheus. |
boolean | — | — |
| prometheus. |
number | — | Percentage, 0% - 100% |
| prometheus. |
object | — | Alert when an S3 bucket reaches the set percentage of the set size. |
| prometheus. |
boolean | — | — |
| prometheus. |
number | — | Percentage, 0% - 100% |
| prometheus. |
number | 1000 |
— |
| prometheus. |
object | — | Alert when all S3 buckets reaches the set percentage of the set size. |
| prometheus. |
boolean | — | — |
| prometheus. |
number | — | Percentage, 0% - 100% |
| prometheus. |
number | 1000 |
— |
| prometheus. |
object | — | Configure the persistent volume claim used for Promtheus storage. |
| prometheus. |
boolean | — | By default Prometheus instances run without storage and are treated as ephemeral. See ADR-0007 for context. |
| prometheus. |
string | 5Gi |
— |
| prometheus. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
| prometheus. |
array | — | TopologySpreadConstraints describes how pods should spread across topology domains. |
| prometheus. |
object | — | Configure webhook alerts. |
| prometheus. |
boolean | True |
— |
Notes for prometheus.additionalScrapeConfigs[]
Configure additional scrape configs for Prometheus.
Note
See the upstream documentation for reference.
Notes for prometheus.alertmanagerSpec
Configure service cluster & workload cluster Alertmanager.
Alertmanager receives alerts from Prometheus and Thanos and forwards them to the configured notification channel.
Note
Alertmanager is installed in both service cluster and workload cluster, however this configuration key only applies to the service cluster, use user.alertmanager to configure it in the workload cluster.
Notes for prometheus.alertmanagerSpec.groupBy[]
Configure Alertmanager to group certain alerts based on labels.
Note
See the upstream documentation for reference.
Notes for prometheus.alertmanagerSpec.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for prometheus.alertmanagerSpec.storage.volumeClaimTemplate.spec.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for prometheus.capacityManagementAlerts.nodeGroupRequestsExcludePattern
Configure a pattern of node groups to exclude from the resource request alerts. This can be used to exclude certain node groups from request alerts, while still getting usage alerts for those node groups.
Examples:
.*redis.*|.*postgres.*
Notes for prometheus.diskAlerts.inode.predictLinear[]
Configure disk alerts when disk usage is predicted to reach the limit.
Configure disk alerts when disk usage is predicted to reach the limit.
The hours key is only supported when configured under predictLinear.
Notes for prometheus.diskAlerts.inode.space[]
Configure disk alerts when disk usage is predicted to reach the limit.
Configure disk alerts when disk usage is predicted to reach the limit.
The hours key is only supported when configured under predictLinear.
Notes for prometheus.diskAlerts.storage.predictLinear[]
Configure disk alerts when disk usage is predicted to reach the limit.
Configure disk alerts when disk usage is predicted to reach the limit.
The hours key is only supported when configured under predictLinear.
Notes for prometheus.diskAlerts.storage.space[]
Configure disk alerts when disk usage is predicted to reach the limit.
Configure disk alerts when disk usage is predicted to reach the limit.
The hours key is only supported when configured under predictLinear.
Notes for prometheus.nodeSelector
Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for prometheus.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for prometheus.retention.alertmanager
An amount of time
Examples:
300s
72h
3d
prometheusBlackboxExporter¶
Configure Prometheus Blackbox Exporter, the exporter used for probing endpoints.
| Key | Type | Default | Description |
|---|---|---|---|
| prometheusBlackboxExporter. |
object | — | Affinity is a group of affinity scheduling rules. |
| prometheusBlackboxExporter. |
— | — | Describes node affinity scheduling rules for the pod. |
| prometheusBlackboxExporter. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| prometheusBlackboxExporter. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| prometheusBlackboxExporter. |
array of object | — | Configure custom Kube API targets Prometheus Blackbox Exporter should probe. Custom Kube API target Prometheus Blackbox Exporter should probe. |
| prometheusBlackboxExporter. |
array of object | — | Configure host aliases to resolve internally within the Pod. Configure a host alias to resolve internally within the Pod. |
| prometheusBlackboxExporter. |
object | — | See note |
| prometheusBlackboxExporter. |
object | — | — |
| prometheusBlackboxExporter. |
object | — | — |
| prometheusBlackboxExporter. |
object | — | Configure the targets Prometheus Blackbox Exporter should probe. |
| prometheusBlackboxExporter. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
Notes for prometheusBlackboxExporter.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
prometheusNodeExporter¶
Configure Prometheus Node Exporter, the exporter used for collecting node metrics.
| Key | Type | Default | Description |
|---|---|---|---|
| prometheusNodeExporter. |
object | — | See note |
| prometheusNodeExporter. |
object | — | — |
| prometheusNodeExporter. |
object | — | — |
| prometheusNodeExporter. |
string | — | — |
Notes for prometheusNodeExporter.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
prometheusOperator¶
Configure Prometheus Operator.
| Key | Type | Default | Description |
|---|---|---|---|
| prometheusOperator. |
object | — | Configure Prometheus Operator config reloader. |
| prometheusOperator. |
object | — | See note |
| prometheusOperator. |
object | — | — |
| prometheusOperator. |
object | — | — |
| prometheusOperator. |
object | — | See note |
| prometheusOperator. |
object | — | — |
| prometheusOperator. |
object | — | — |
Notes for prometheusOperator.prometheusConfigReloader.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for prometheusOperator.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
rookCeph¶
Configure support for Rook Ceph.
This is deprecated and should be configured via compliantkubernetes-kubespray if used.
| Key | Type | Default | Description |
|---|---|---|---|
| rookCeph. |
object | — | Configure Pod Security Policies for Rook Ceph. |
| rookCeph. |
boolean | — | — |
| rookCeph. |
object | — | Configure Monitoring for Rook Ceph. |
| rookCeph. |
boolean | — | — |
s3Exporter¶
Configure S3 exporter, used to collect metrics about S3 usage.
| Key | Type | Default | Description |
|---|---|---|---|
| s3Exporter. |
object | — | Affinity is a group of affinity scheduling rules. |
| s3Exporter. |
— | — | Describes node affinity scheduling rules for the pod. |
| s3Exporter. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| s3Exporter. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| s3Exporter. |
boolean | True |
— |
| s3Exporter. |
string | 60m |
— |
| s3Exporter. |
object | — | See note |
| s3Exporter. |
object | — | See note |
| s3Exporter. |
object | — | — |
| s3Exporter. |
object | — | — |
| s3Exporter. |
string | — | — |
| s3Exporter. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
Notes for s3Exporter.nodeSelector
Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for s3Exporter.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
storageClasses¶
Configuration options for using block storage in Welkin
| Key | Type | Default | Description |
|---|---|---|---|
| storageClasses. |
string | default |
The StorageClass to use for all persistent volumes in Welkin. |
tektonPipelines¶
Configure Tekton Pipelines
| Key | Type | Default | Description |
|---|---|---|---|
| tektonPipelines. |
object | — | Configure the Tekton Controller |
| tektonPipelines. |
integer | — | — |
| tektonPipelines. |
object | — | See note |
| tektonPipelines. |
object | — | — |
| tektonPipelines. |
object | — | — |
| tektonPipelines. |
object | — | See note |
| tektonPipelines. |
boolean | — | — |
| tektonPipelines. |
object | — | Configure the Tekton Remote Resolver |
| tektonPipelines. |
integer | — | — |
| tektonPipelines. |
object | — | See note |
| tektonPipelines. |
object | — | — |
| tektonPipelines. |
object | — | — |
| tektonPipelines. |
object | — | Configure the Tekton Webhook |
| tektonPipelines. |
integer | — | — |
| tektonPipelines. |
object | — | See note |
| tektonPipelines. |
object | — | — |
| tektonPipelines. |
object | — | — |
Notes for tektonPipelines.controller.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for tektonPipelines.customConfigDefaults
Configure custom default options for Tekton
Note
See the upstream documentation for available default config options.
Examples:
{'default-timeout-minutes': '30'}
Notes for tektonPipelines.remoteResolvers.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for tektonPipelines.webhook.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
thanos¶
Configuration for Thanos.
Thanos ingests metrics sent from Prometheus in both the service and workload clusters, and stores them in object storage.
This requires that objectStorage is configured, and will use the bucket or container set in objectStorage.buckets.thanos.
Note
Thanos and its components are installed in the service cluster, so this configuration mainly applies there.
| Key | Type | Default | Description |
|---|---|---|---|
| thanos. |
object | — | Configure Thanos Bucket Web, the UI to view the state of the bucket or container in use by Thanos. |
| thanos. |
object | — | See note |
| thanos. |
object | — | — |
| thanos. |
object | — | — |
| thanos. |
object | — | See note |
| thanos. |
string | none |
See note |
| thanos. |
object | — | Configure persistence for Thanos Compactor. |
| thanos. |
boolean | True |
— |
| thanos. |
string | 8Gi |
— |
| thanos. |
object | — | See note |
| thanos. |
object | — | — |
| thanos. |
object | — | — |
| thanos. |
string | — | See note |
| thanos. |
string | — | See note |
| thanos. |
string | — | See note |
| thanos. |
boolean | — | When enabled series of metrics from multiple replicas will be merged into one. |
| thanos. |
boolean | True |
> [!note] > Must be set for both service and workload cluster. |
| thanos. |
object | — | Configure metrics collected from Thanos. |
| thanos. |
boolean | True |
— |
| thanos. |
object | — | Configure the service monitor used to collect metrics from Thanos. |
| thanos. |
boolean | True |
— |
| thanos. |
object | — | Configure Object Storage for Thanos. Allows for using OpenStack Swift as the object storage backend type. |
| thanos. |
string | — | See note |
| thanos. |
object | — | Configure Thanos Query, the component executing metric queries. |
| thanos. |
object | — | Affinity is a group of affinity scheduling rules. |
| thanos. |
— | — | Describes node affinity scheduling rules for the pod. |
| thanos. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| thanos. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| thanos. |
boolean | True |
— |
| thanos. |
number | 1 |
— |
| thanos. |
object | — | See note |
| thanos. |
object | — | — |
| thanos. |
object | — | — |
| thanos. |
array | — | TopologySpreadConstraints describes how pods should spread across topology domains. |
| thanos. |
object | — | Configure Thanos Query Frontend, the component serving query requests from Grafana. |
| thanos. |
object | — | See note |
| thanos. |
object | — | — |
| thanos. |
object | — | — |
| thanos. |
object | — | Configure Thanos Receive Distributor, the component serving remote write requests from Prometheus. Also called routing receiver upstream. |
| thanos. |
array | — | See note |
| thanos. |
string | ketama |
See note |
| thanos. |
integer | 5 |
Maximum number of concurrent write requests allowed by Thanos receiveDistributor. |
| thanos. |
integer | 3 |
— |
| thanos. |
number | 1 |
Requires that incoming remote write requests are replicated (replicationFactor + 1) / 2. |
| thanos. |
object | — | See note |
| thanos. |
object | — | — |
| thanos. |
object | — | — |
| thanos. |
object | — | Configure Thanos Receiver, the component ingesting metrics collected by Prometheus and storing them in object storage. Also called ingesting receiver upstream. |
| thanos. |
object | — | Affinity is a group of affinity scheduling rules. |
| thanos. |
— | — | Describes node affinity scheduling rules for the pod. |
| thanos. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| thanos. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| thanos. |
object | — | Configure authentication to Thanos Receiver, |
| thanos. |
string | thanos |
See note |
| thanos. |
boolean | True |
— |
| thanos. |
string | dual-mode |
See note |
| thanos. |
string | 600s |
— |
| thanos. |
object | — | Configure persistence for Thanos Receiver. |
| thanos. |
boolean | True |
— |
| thanos. |
string | 50Gi |
— |
| thanos. |
number | 2 |
— |
| thanos. |
object | — | See note |
| thanos. |
object | — | — |
| thanos. |
object | — | — |
| thanos. |
string | thanos-receiver |
See note |
| thanos. |
array | — | TopologySpreadConstraints describes how pods should spread across topology domains. |
| thanos. |
string | 15d |
— |
| thanos. |
object | — | Configure Thanos Ruler, the component evaluating alerting and recording rules. |
| thanos. |
object | — | Affinity is a group of affinity scheduling rules. |
| thanos. |
— | — | Describes node affinity scheduling rules for the pod. |
| thanos. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| thanos. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| thanos. |
object | — | Configure the config reloader sidecar for Thanos Ruler. |
| thanos. |
object | — | See note |
| thanos. |
object | — | — |
| thanos. |
object | — | — |
| thanos. |
boolean | True |
— |
| thanos. |
object | — | Configure persistence for Thanos Ruler. |
| thanos. |
boolean | — | — |
| thanos. |
string | 8Gi |
— |
| thanos. |
number | 2 |
— |
| thanos. |
object | — | See note |
| thanos. |
object | — | — |
| thanos. |
object | — | — |
| thanos. |
array | — | TopologySpreadConstraints describes how pods should spread across topology domains. |
| thanos. |
object | — | Configure Thanos Store Gateway, the component fetching metrics from object storage. |
| thanos. |
object | — | Configure persistence for Thanos Store Gateway. |
| thanos. |
string | 8Gi |
— |
| thanos. |
object | — | See note |
| thanos. |
object | — | — |
| thanos. |
object | — | — |
Notes for thanos.bucketweb.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for thanos.compactor
Configure Thanos Compactor, the component compacting and deduplicating metrics stored by Thanos.
Note
See the upstream documentation for reference.
Notes for thanos.compactor.deduplication
Configure deduplication of metrics.
Possible values:
none
receiverReplicas
prometheusReplicas
Notes for thanos.compactor.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for thanos.compactor.retentionResolution1h
An amount of time
Examples:
300s
72h
3d
Notes for thanos.compactor.retentionResolution5m
An amount of time
Examples:
300s
72h
3d
Notes for thanos.compactor.retentionResolutionRaw
An amount of time
Examples:
300s
72h
3d
Notes for thanos.objectStorage.type
Possible values:
swift
Notes for thanos.query.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for thanos.queryFrontend.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for thanos.receiveDistributor.extraFlags[]
When set, the arguments will be passed onto the component as command-line flags. Refer to the upstream doc for more details.
Notes for thanos.receiveDistributor.receiveHashringsAlgorithm
Algorithm used for distributing writes across Thanos receive replicas.
Possible values:
hashmod
ketama
Notes for thanos.receiveDistributor.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for thanos.receiver.basic_auth.username
Configure the username for authenticating to Thanos Receiver.
Note
Must be set for both service and workload clusters.
Notes for thanos.receiver.mode
Possible values:
standalone
dual-mode
Notes for thanos.receiver.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for thanos.receiver.subdomain
Subdomain of opsDomain that the Ingress to Thanos Receive will be created with.
Note
Must be set for both service and workload clusters.
Notes for thanos.ruler.configReloader.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for thanos.ruler.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for thanos.storegateway.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
trivy¶
Configure Trivy Operator.
Trivy automatically scans the cluster for vulnerabilities, misconfigurations, and exposed secrets.
| Key | Type | Default | Description |
|---|---|---|---|
| trivy. |
object | — | Affinity is a group of affinity scheduling rules. |
| trivy. |
— | — | Describes node affinity scheduling rules for the pod. |
| trivy. |
— | — | Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). |
| trivy. |
— | — | Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). |
| trivy. |
boolean | True |
— |
| trivy. |
string | — | Configure a comma separated list of namespaces (or glob patterns) to be excluded from Trivy scanners. |
| trivy. |
object | — | Configure the node collector created by Trivy. |
| trivy. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
| trivy. |
object | — | See note |
| trivy. |
object | — | — |
| trivy. |
object | — | — |
| trivy. |
object | — | Configure the scan jobs created by Trivy. |
| trivy. |
number | 1 |
— |
| trivy. |
string | 1m |
— |
| trivy. |
string | 5m |
— |
| trivy. |
object | — | See note |
| trivy. |
string | — | — |
| trivy. |
string | — | — |
| trivy. |
boolean | — | — |
| trivy. |
object | — | Configure an image pull secret for Trivy to use. Create the secret in the monitoring namespace then configure the name here. |
| trivy. |
string | — | — |
| trivy. |
string | — | — |
| trivy. |
string | — | — |
| trivy. |
boolean | — | — |
| trivy. |
object | — | Configure registries for Trivy. |
| trivy. |
object | — | See note |
| trivy. |
object | — | See note |
| trivy. |
object | — | — |
| trivy. |
object | — | — |
| trivy. |
string | — | See note |
| trivy. |
object | — | Configure the service monitor collecting metrics from Trivy. |
| trivy. |
boolean | True |
— |
| trivy. |
string | — | See note |
| trivy. |
array | — | Kubernetes Tolerations Kubernetes taint and toleration |
| trivy. |
object | — | Configure the vulnerability scanner for Trivy. |
| trivy. |
boolean | True |
— |
| trivy. |
string | — | See note |
Notes for trivy.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for trivy.scanner
Configure the scanner used by Trivy.
Note
Many of these must be configured to support an air-gapped environment. See the admin documentation for reference.
Notes for trivy.scanner.registry.mirror
Configure registry mirrors for Trivy.
The key represents the original registry and the value the mirror registry.
Examples:
{'docker.io': 'registry.example.com:5000', 'gcr.io': 'registry.example.com:5000', 'ghcr.io': 'registry.example.com:5000', 'index.docker.io': 'registry.example.com:5000', 'quay.io': 'registry.example.com:5000', 'registry.k8s.io': 'registry.example.com:5000'}
Notes for trivy.scanner.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for trivy.scanner.timeout
A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m".
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
Examples:
2h45m0s
Notes for trivy.serviceMonitor.interval
An amount of time
Examples:
300s
72h
3d
Notes for trivy.vulnerabilityScanner.scannerReportTTL
An amount of time
Examples:
300s
72h
3d
user¶
Configuration for Application Developers (users), that use the workload cluster
| Key | Type | Default | Description |
|---|---|---|---|
| user. |
array of string | — | List of groups that Application Developers are apart of that should have access to the cluster. |
| user. |
array of string | — | List of Application Developers that should have access to the cluster. |
| user. |
object | — | See note |
| user. |
boolean | — | This only controls if the namespaces should be created, user RBAC is always created. |
| user. |
object | — | Configure extra ClusterRoleBindings for Application Developers |
| user. |
object | — | Configure extra ClusterRoles that are not originally part of Welkin These are intended to be used for Application Developers |
| user. |
object | — | Configure extra RoleBindings for Application Developers The RoleBindings are added to all Application Developer namespaces configured in user.namespaces |
| user. |
object | — | Configure extra Roles for Application Developers The Roles are added to all Application Developer namespaces configured in user.namespaces |
| user. |
object | — | Installs required cluster resources needed to install fluxv2. Requires that gatekeeper.allowUserCRDs.enabled is enabled. |
| user. |
boolean | — | — |
| user. |
object | — | Installs required cluster resources needed to install kafka-operator. Requires that gatekeeper.allowUserCRDs.enabled is enabled. |
| user. |
boolean | — | — |
| user. |
object | — | Installs required cluster resources needed to install MongoDB. Requires that gatekeeper.allowUserCRDs.enabled is enabled. |
| user. |
boolean | — | — |
| user. |
array of string | — | See note |
| user. |
object | — | Installs required cluster resources needed to install sealedSecrets. Requires that gatekeeper.allowUserCRDs.enabled is enabled. |
| user. |
boolean | — | — |
| user. |
array of string | — | See note |
Notes for user.constraints
Any namespace listed in constraints are exempted from HNC managed namespaces.
This to override the Pod Security Admission level.
Example of constraint can be found here: Example Constraint
The only extra label `psaLevel:
<namespace>:
psaLevel: <baseline/privileged>
<service-name>:
...
Notes for user.namespaces[]
List of namespaces that should be created for Application Developer.
It is common to create one namespace for the Application Developer and then create namespaces via HNC.
Requires that user.createNamespaces is enabled.
Notes for user.serviceAccounts[]
List of serviceAccounts to create RBAC rules for, used for dev situations.
Application developer kube-config for contributors
velero¶
Configure Velero, the backup and snapshot tool for Kubernetes resources and volumes.
This requires that objectStorage is configured, and will use the bucket or container set in objectStorage.buckets.velero.
Notes for velero.nodeAgent.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for velero.nodeSelector
Kubernetes node selector
Examples:
{'kubernetes.io/os': 'linux'}
Notes for velero.resources
Resource requests are used by the kube-scheduler to pick a node to schedule pods on.
Limits are enforced. Resources are commonly 'cpu' and 'memory'.
Examples:
{'requests': {'memory': '128Mi', 'cpu': '100m'}, 'limits': {'memory': '256Mi', 'cpu': '250m'}}
Notes for velero.restoreResourcePriorities[]
Configure restore order for resources
Note
Notes for velero.retentionPeriod
A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m".
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
Examples:
2h45m0s
Notes for velero.storagePrefix
Configure unique storage prefix for this cluster when storing backups and snapshots in object storage.
When multiple workload clusters share the same bucket or container ensure that they use separate storage prefixes.
Examples:
service-cluster
workload-cluster
Notes for velero.uploaderType
Possible values:
kopia
restic
wcProbeIngress¶
Configure a probe for the workload cluster Ingress Controller.
| Key | Type | Default | Description |
|---|---|---|---|
| wcProbeIngress. |
boolean | — | — |
welcomingDashboard¶
If you want to add extra text to the grafana/opensearch "welcoming dashboards"
then write the text in these values as a one-line string.
Note, first line of the string is a header, not all characters are supported.
For newline in Grafana dashboard use format \\n
| Key | Type | Default | Description |
|---|---|---|---|
| welcomingDashboard. |
string | — | See note |
| welcomingDashboard. |
string | — | Extra text added to the Opensearch welcoming dashboard. |
| welcomingDashboard. |
array of object | — | List of additional components to list on the welcoming dashboard. Additional component to list on the welcoming dashboard. |
Notes for welcomingDashboard.extraTextGrafana
Extra text added to the Grafana welcoming dashboard.
Examples:
Hello\n\n[This is an example link](https:/elastisys.io)