// Copyright (c) 2018 SAP SE or an SAP affiliate company. All rights reserved. This file is licensed under the Apache Software License, v. 2 except as noted otherwise in the LICENSE file
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package v1beta1
import (
"time"
autoscalingv1 "k8s.io/api/autoscaling/v1"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/resource"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/intstr"
)
// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// Shoot represents a Shoot cluster created and managed by Gardener.
// Spec carries the desired state supplied by the user; Status is written back by
// Gardener and is the only place where observed identifiers (TechnicalID, UID) live.
type Shoot struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object metadata.
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	// Specification of the Shoot cluster.
	// If the object's deletion timestamp is set, this field is immutable.
	// +optional
	Spec ShootSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
	// Most recently observed status of the Shoot cluster.
	// +optional
	Status ShootStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
}
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// ShootList is a list of Shoot objects.
type ShootList struct {
	metav1.TypeMeta `json:",inline"`
	// Standard list object metadata.
	// +optional
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	// Items is the list of Shoots.
	Items []Shoot `json:"items" protobuf:"bytes,2,rep,name=items"`
}
// ShootTemplate is a template for creating a Shoot object.
// It carries only metadata and a ShootSpec; no status is part of a template.
type ShootTemplate struct {
	// Standard object metadata.
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	// Specification of the desired behavior of the Shoot.
	// +optional
	Spec ShootSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}
// ShootSpec is the specification of a Shoot.
// Several fields are documented as immutable; the immutability itself is enforced by
// validation outside this file, the comments here only record the contract.
type ShootSpec struct {
	// Addons contains information about enabled/disabled addons and their configuration.
	// +optional
	Addons *Addons `json:"addons,omitempty" protobuf:"bytes,1,opt,name=addons"`
	// CloudProfileName is a name of a CloudProfile object. This field is immutable.
	CloudProfileName string `json:"cloudProfileName" protobuf:"bytes,2,opt,name=cloudProfileName"`
	// DNS contains information about the DNS settings of the Shoot.
	// +optional
	DNS *DNS `json:"dns,omitempty" protobuf:"bytes,3,opt,name=dns"`
	// Extensions contain type and provider information for Shoot extensions.
	// +optional
	Extensions []Extension `json:"extensions,omitempty" protobuf:"bytes,4,rep,name=extensions"`
	// Hibernation contains information whether the Shoot is suspended or not.
	// +optional
	Hibernation *Hibernation `json:"hibernation,omitempty" protobuf:"bytes,5,opt,name=hibernation"`
	// Kubernetes contains the version and configuration settings of the control plane components.
	Kubernetes Kubernetes `json:"kubernetes" protobuf:"bytes,6,opt,name=kubernetes"`
	// Networking contains information about cluster networking such as CNI Plugin type, CIDRs, ...etc.
	Networking Networking `json:"networking" protobuf:"bytes,7,opt,name=networking"`
	// Maintenance contains information about the time window for maintenance operations and which
	// operations should be performed.
	// +optional
	Maintenance *Maintenance `json:"maintenance,omitempty" protobuf:"bytes,8,opt,name=maintenance"`
	// Monitoring contains information about custom monitoring configurations for the shoot.
	// +optional
	Monitoring *Monitoring `json:"monitoring,omitempty" protobuf:"bytes,9,opt,name=monitoring"`
	// Provider contains all provider-specific and provider-relevant information.
	Provider Provider `json:"provider" protobuf:"bytes,10,opt,name=provider"`
	// Purpose is the purpose class for this cluster.
	// +optional
	Purpose *ShootPurpose `json:"purpose,omitempty" protobuf:"bytes,11,opt,name=purpose,casttype=ShootPurpose"`
	// Region is a name of a region. This field is immutable.
	Region string `json:"region" protobuf:"bytes,12,opt,name=region"`
	// SecretBindingName is the name of a SecretBinding that has a reference to the provider secret.
	// The credentials inside the provider secret will be used to create the shoot in the respective account.
	// Only the binding name is stored here; the secret content itself is never part of the Shoot object.
	// This field is immutable.
	SecretBindingName string `json:"secretBindingName" protobuf:"bytes,13,opt,name=secretBindingName"`
	// SeedName is the name of the seed cluster that runs the control plane of the Shoot.
	// This field is immutable when the SeedChange feature gate is disabled.
	// +optional
	SeedName *string `json:"seedName,omitempty" protobuf:"bytes,14,opt,name=seedName"`
	// SeedSelector is an optional selector which must match a seed's labels for the shoot to be scheduled on that seed.
	// +optional
	SeedSelector *SeedSelector `json:"seedSelector,omitempty" protobuf:"bytes,15,opt,name=seedSelector"`
	// Resources holds a list of named resource references that can be referred to in extension configs by their names.
	// +optional
	Resources []NamedResourceReference `json:"resources,omitempty" protobuf:"bytes,16,rep,name=resources"`
	// Tolerations contains the tolerations for taints on seed clusters.
	// +patchMergeKey=key
	// +patchStrategy=merge
	// +optional
	Tolerations []Toleration `json:"tolerations,omitempty" patchStrategy:"merge" patchMergeKey:"key" protobuf:"bytes,17,rep,name=tolerations"`
	// ExposureClassName is the optional name of an exposure class to apply a control plane endpoint exposure strategy.
	// This field is immutable.
	// +optional
	ExposureClassName *string `json:"exposureClassName,omitempty" protobuf:"bytes,18,opt,name=exposureClassName"`
	// SystemComponents contains the settings of system components in the control or data plane of the Shoot cluster.
	// +optional
	SystemComponents *SystemComponents `json:"systemComponents,omitempty" protobuf:"bytes,19,opt,name=systemComponents"`
	// ControlPlane contains general settings for the control plane of the shoot.
	// +optional
	ControlPlane *ControlPlane `json:"controlPlane,omitempty" protobuf:"bytes,20,opt,name=controlPlane"`
}
// GetProviderType returns the provider type recorded in the Shoot's
// spec (.spec.provider.type). The receiver must be non-nil; a zero-value
// Shoot yields the empty string.
func (s *Shoot) GetProviderType() string {
	spec := &s.Spec
	return spec.Provider.Type
}
// ShootStatus holds the most recently observed status of the Shoot cluster.
// All fields are written by Gardener; the identifiers TechnicalID and UID are
// documented as immutable once set.
type ShootStatus struct {
	// Conditions represents the latest available observations of a Shoot's current state.
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +optional
	Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"`
	// Constraints represents conditions of a Shoot's current state that constrain some operations on it.
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +optional
	Constraints []Condition `json:"constraints,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,2,rep,name=constraints"`
	// Gardener holds information about the Gardener which last acted on the Shoot.
	Gardener Gardener `json:"gardener" protobuf:"bytes,3,opt,name=gardener"`
	// IsHibernated indicates whether the Shoot is currently hibernated.
	IsHibernated bool `json:"hibernated" protobuf:"varint,4,opt,name=hibernated"`
	// LastOperation holds information about the last operation on the Shoot.
	// +optional
	LastOperation *LastOperation `json:"lastOperation,omitempty" protobuf:"bytes,5,opt,name=lastOperation"`
	// LastErrors holds information about the last occurred error(s) during an operation.
	// +optional
	LastErrors []LastError `json:"lastErrors,omitempty" protobuf:"bytes,6,rep,name=lastErrors"`
	// ObservedGeneration is the most recent generation observed for this Shoot. It corresponds to the
	// Shoot's generation, which is updated on mutation by the API Server.
	// +optional
	ObservedGeneration int64 `json:"observedGeneration,omitempty" protobuf:"varint,7,opt,name=observedGeneration"`
	// RetryCycleStartTime is the start time of the last retry cycle (used to determine how often an operation
	// must be retried until we give up).
	// +optional
	RetryCycleStartTime *metav1.Time `json:"retryCycleStartTime,omitempty" protobuf:"bytes,8,opt,name=retryCycleStartTime"`
	// SeedName is the name of the seed cluster that runs the control plane of the Shoot. This value is only written
	// after a successful create/reconcile operation. It will be used when control planes are moved between Seeds.
	// +optional
	SeedName *string `json:"seedName,omitempty" protobuf:"bytes,9,opt,name=seedName"`
	// TechnicalID is the name that is used for creating the Seed namespace, the infrastructure resources, and
	// basically everything that is related to this particular Shoot. This field is immutable.
	TechnicalID string `json:"technicalID" protobuf:"bytes,10,opt,name=technicalID"`
	// UID is a unique identifier for the Shoot cluster to avoid portability between Kubernetes clusters.
	// It is used to compute unique hashes. This field is immutable.
	UID types.UID `json:"uid" protobuf:"bytes,11,opt,name=uid,casttype=k8s.io/apimachinery/pkg/types.UID"`
	// ClusterIdentity is the identity of the Shoot cluster. This field is immutable.
	// +optional
	ClusterIdentity *string `json:"clusterIdentity,omitempty" protobuf:"bytes,12,opt,name=clusterIdentity"`
	// AdvertisedAddresses is the list of addresses on which the Kube API server can be reached.
	// +optional
	// +patchMergeKey=name
	// +patchStrategy=merge
	AdvertisedAddresses []ShootAdvertisedAddress `json:"advertisedAddresses,omitempty" patchStrategy:"merge" patchMergeKey:"name" protobuf:"bytes,13,rep,name=advertisedAddresses"`
	// MigrationStartTime is the time when a migration to a different seed was initiated.
	// +optional
	MigrationStartTime *metav1.Time `json:"migrationStartTime,omitempty" protobuf:"bytes,14,opt,name=migrationStartTime"`
	// Credentials contains information about the shoot credentials (rotation phases and timestamps only;
	// see ShootCredentialsRotation).
	// +optional
	Credentials *ShootCredentials `json:"credentials,omitempty" protobuf:"bytes,15,opt,name=credentials"`
	// LastHibernationTriggerTime indicates the last time when the hibernation controller
	// managed to change the hibernation settings of the cluster.
	// +optional
	LastHibernationTriggerTime *metav1.Time `json:"lastHibernationTriggerTime,omitempty" protobuf:"bytes,16,opt,name=lastHibernationTriggerTime"`
	// LastMaintenance holds information about the last maintenance operations on the Shoot.
	// +optional
	LastMaintenance *LastMaintenance `json:"lastMaintenance,omitempty" protobuf:"bytes,17,opt,name=lastMaintenance"`
}
// LastMaintenance holds information about a maintenance operation on the Shoot.
type LastMaintenance struct {
	// Description is a human-readable message containing details about the operations performed in the last maintenance.
	Description string `json:"description" protobuf:"bytes,1,opt,name=description"`
	// TriggeredTime is the time when maintenance was triggered.
	TriggeredTime metav1.Time `json:"triggeredTime" protobuf:"bytes,2,opt,name=triggeredTime"`
	// State is the status of the last maintenance operation, one of Processing, Succeeded, Error.
	State LastOperationState `json:"state" protobuf:"bytes,3,opt,name=state,casttype=LastOperationState"`
	// FailureReason holds the information about the last maintenance operation failure reason.
	// +optional
	FailureReason *string `json:"failureReason,omitempty" protobuf:"bytes,4,opt,name=failureReason"`
}
// ShootCredentials contains information about the shoot credentials.
// It is a status-side record of rotation progress; it does not carry credential material.
type ShootCredentials struct {
	// Rotation contains information about the credential rotations.
	// +optional
	Rotation *ShootCredentialsRotation `json:"rotation,omitempty" protobuf:"bytes,1,opt,name=rotation"`
}
// ShootCredentialsRotation contains information about the rotation of credentials.
// Every sub-object below consists only of a rotation phase and/or timestamps; none of
// them holds keys, certificates or kubeconfig contents.
type ShootCredentialsRotation struct {
	// CertificateAuthorities contains information about the certificate authority credential rotation.
	// +optional
	CertificateAuthorities *CARotation `json:"certificateAuthorities,omitempty" protobuf:"bytes,1,opt,name=certificateAuthorities"`
	// Kubeconfig contains information about the kubeconfig credential rotation.
	// +optional
	Kubeconfig *ShootKubeconfigRotation `json:"kubeconfig,omitempty" protobuf:"bytes,2,opt,name=kubeconfig"`
	// SSHKeypair contains information about the ssh-keypair credential rotation.
	// +optional
	SSHKeypair *ShootSSHKeypairRotation `json:"sshKeypair,omitempty" protobuf:"bytes,3,opt,name=sshKeypair"`
	// Observability contains information about the observability credential rotation.
	// +optional
	Observability *ShootObservabilityRotation `json:"observability,omitempty" protobuf:"bytes,4,opt,name=observability"`
	// ServiceAccountKey contains information about the service account key credential rotation.
	// +optional
	ServiceAccountKey *ShootServiceAccountKeyRotation `json:"serviceAccountKey,omitempty" protobuf:"bytes,5,opt,name=serviceAccountKey"`
	// ETCDEncryptionKey contains information about the ETCD encryption key credential rotation.
	// +optional
	ETCDEncryptionKey *ShootETCDEncryptionKeyRotation `json:"etcdEncryptionKey,omitempty" protobuf:"bytes,6,opt,name=etcdEncryptionKey"`
}
// CARotation contains information about the certificate authority credential rotation.
// The rotation is a two-step procedure (initiation, then completion); the timestamps
// below record when each step was triggered and when it finished.
type CARotation struct {
	// Phase describes the phase of the certificate authority credential rotation.
	Phase CredentialsRotationPhase `json:"phase" protobuf:"bytes,1,opt,name=phase"`
	// LastCompletionTime is the most recent time when the certificate authority credential rotation was successfully
	// completed.
	// +optional
	LastCompletionTime *metav1.Time `json:"lastCompletionTime,omitempty" protobuf:"bytes,2,opt,name=lastCompletionTime"`
	// LastInitiationTime is the most recent time when the certificate authority credential rotation was initiated.
	// +optional
	LastInitiationTime *metav1.Time `json:"lastInitiationTime,omitempty" protobuf:"bytes,3,opt,name=lastInitiationTime"`
	// LastInitiationFinishedTime is the most recent time when the certificate authority credential rotation initiation was
	// completed.
	// +optional
	LastInitiationFinishedTime *metav1.Time `json:"lastInitiationFinishedTime,omitempty" protobuf:"bytes,4,opt,name=lastInitiationFinishedTime"`
	// LastCompletionTriggeredTime is the most recent time when the certificate authority credential rotation completion was
	// triggered.
	// +optional
	LastCompletionTriggeredTime *metav1.Time `json:"lastCompletionTriggeredTime,omitempty" protobuf:"bytes,5,opt,name=lastCompletionTriggeredTime"`
}
// ShootKubeconfigRotation contains information about the kubeconfig credential rotation.
// Unlike CARotation this is a single-step rotation: there is no phase, only the two timestamps.
type ShootKubeconfigRotation struct {
	// LastInitiationTime is the most recent time when the kubeconfig credential rotation was initiated.
	// +optional
	LastInitiationTime *metav1.Time `json:"lastInitiationTime,omitempty" protobuf:"bytes,1,opt,name=lastInitiationTime"`
	// LastCompletionTime is the most recent time when the kubeconfig credential rotation was successfully completed.
	// +optional
	LastCompletionTime *metav1.Time `json:"lastCompletionTime,omitempty" protobuf:"bytes,2,opt,name=lastCompletionTime"`
}
// ShootSSHKeypairRotation contains information about the ssh-keypair credential rotation.
// Single-step rotation: no phase, only initiation and completion timestamps.
type ShootSSHKeypairRotation struct {
	// LastInitiationTime is the most recent time when the ssh-keypair credential rotation was initiated.
	// +optional
	LastInitiationTime *metav1.Time `json:"lastInitiationTime,omitempty" protobuf:"bytes,1,opt,name=lastInitiationTime"`
	// LastCompletionTime is the most recent time when the ssh-keypair credential rotation was successfully completed.
	// +optional
	LastCompletionTime *metav1.Time `json:"lastCompletionTime,omitempty" protobuf:"bytes,2,opt,name=lastCompletionTime"`
}
// ShootObservabilityRotation contains information about the observability credential rotation.
// Single-step rotation: no phase, only initiation and completion timestamps.
type ShootObservabilityRotation struct {
	// LastInitiationTime is the most recent time when the observability credential rotation was initiated.
	// +optional
	LastInitiationTime *metav1.Time `json:"lastInitiationTime,omitempty" protobuf:"bytes,1,opt,name=lastInitiationTime"`
	// LastCompletionTime is the most recent time when the observability credential rotation was successfully completed.
	// +optional
	LastCompletionTime *metav1.Time `json:"lastCompletionTime,omitempty" protobuf:"bytes,2,opt,name=lastCompletionTime"`
}
// ShootServiceAccountKeyRotation contains information about the service account key credential rotation.
// Two-step rotation (initiation, then completion), mirroring CARotation.
type ShootServiceAccountKeyRotation struct {
	// Phase describes the phase of the service account key credential rotation.
	Phase CredentialsRotationPhase `json:"phase" protobuf:"bytes,1,opt,name=phase"`
	// LastCompletionTime is the most recent time when the service account key credential rotation was successfully
	// completed.
	// +optional
	LastCompletionTime *metav1.Time `json:"lastCompletionTime,omitempty" protobuf:"bytes,2,opt,name=lastCompletionTime"`
	// LastInitiationTime is the most recent time when the service account key credential rotation was initiated.
	// +optional
	LastInitiationTime *metav1.Time `json:"lastInitiationTime,omitempty" protobuf:"bytes,3,opt,name=lastInitiationTime"`
	// LastInitiationFinishedTime is the most recent time when the service account key credential rotation initiation was
	// completed.
	// +optional
	LastInitiationFinishedTime *metav1.Time `json:"lastInitiationFinishedTime,omitempty" protobuf:"bytes,4,opt,name=lastInitiationFinishedTime"`
	// LastCompletionTriggeredTime is the most recent time when the service account key credential rotation completion was
	// triggered.
	// +optional
	LastCompletionTriggeredTime *metav1.Time `json:"lastCompletionTriggeredTime,omitempty" protobuf:"bytes,5,opt,name=lastCompletionTriggeredTime"`
}
// ShootETCDEncryptionKeyRotation contains information about the ETCD encryption key credential rotation.
// Two-step rotation (initiation, then completion), mirroring CARotation.
type ShootETCDEncryptionKeyRotation struct {
	// Phase describes the phase of the ETCD encryption key credential rotation.
	Phase CredentialsRotationPhase `json:"phase" protobuf:"bytes,1,opt,name=phase"`
	// LastCompletionTime is the most recent time when the ETCD encryption key credential rotation was successfully
	// completed.
	// +optional
	LastCompletionTime *metav1.Time `json:"lastCompletionTime,omitempty" protobuf:"bytes,2,opt,name=lastCompletionTime"`
	// LastInitiationTime is the most recent time when the ETCD encryption key credential rotation was initiated.
	// +optional
	LastInitiationTime *metav1.Time `json:"lastInitiationTime,omitempty" protobuf:"bytes,3,opt,name=lastInitiationTime"`
	// LastInitiationFinishedTime is the most recent time when the ETCD encryption key credential rotation initiation was
	// completed.
	// +optional
	LastInitiationFinishedTime *metav1.Time `json:"lastInitiationFinishedTime,omitempty" protobuf:"bytes,4,opt,name=lastInitiationFinishedTime"`
	// LastCompletionTriggeredTime is the most recent time when the ETCD encryption key credential rotation completion was
	// triggered.
	// +optional
	LastCompletionTriggeredTime *metav1.Time `json:"lastCompletionTriggeredTime,omitempty" protobuf:"bytes,5,opt,name=lastCompletionTriggeredTime"`
}
// CredentialsRotationPhase is a string alias describing the phase of a two-step credentials
// rotation. Valid values are the Rotation* constants declared below.
type CredentialsRotationPhase string
// Phases of a two-step credentials rotation, in the order they are passed through.
const (
	// RotationPreparing is a constant for the credentials rotation phase describing that the procedure is being prepared.
	RotationPreparing CredentialsRotationPhase = "Preparing"
	// RotationPrepared is a constant for the credentials rotation phase describing that the procedure was prepared.
	RotationPrepared CredentialsRotationPhase = "Prepared"
	// RotationCompleting is a constant for the credentials rotation phase describing that the procedure is being
	// completed.
	RotationCompleting CredentialsRotationPhase = "Completing"
	// RotationCompleted is a constant for the credentials rotation phase describing that the procedure was completed.
	RotationCompleted CredentialsRotationPhase = "Completed"
)
// ShootAdvertisedAddress contains information for the shoot's Kube API server.
// Entries are merged by Name (see the patchMergeKey on ShootStatus.AdvertisedAddresses).
type ShootAdvertisedAddress struct {
	// Name of the advertised address. e.g. external
	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
	// URL of the API Server. e.g. https://api.foo.bar or https://1.2.3.4
	URL string `json:"url" protobuf:"bytes,2,opt,name=url"`
}
// Addons is a collection of configuration for specific addons which are managed by the Gardener.
type Addons struct {
	// KubernetesDashboard holds configuration settings for the kubernetes dashboard addon.
	// +optional
	KubernetesDashboard *KubernetesDashboard `json:"kubernetesDashboard,omitempty" protobuf:"bytes,1,opt,name=kubernetesDashboard"`
	// NginxIngress holds configuration settings for the nginx-ingress addon.
	// +optional
	NginxIngress *NginxIngress `json:"nginxIngress,omitempty" protobuf:"bytes,2,opt,name=nginxIngress"`
}
// Addon allows enabling or disabling a specific addon. It is embedded (inline) by the
// concrete addon types such as KubernetesDashboard and NginxIngress.
type Addon struct {
	// Enabled indicates whether the addon is enabled or not.
	Enabled bool `json:"enabled" protobuf:"varint,1,opt,name=enabled"`
}
// KubernetesDashboard describes configuration values for the kubernetes-dashboard addon.
type KubernetesDashboard struct {
	Addon `json:",inline" protobuf:"bytes,2,opt,name=addon"`
	// AuthenticationMode defines the authentication mode for the kubernetes-dashboard.
	// Known values are the KubernetesDashboardAuthMode* constants; "basic" is deprecated.
	// +optional
	AuthenticationMode *string `json:"authenticationMode,omitempty" protobuf:"bytes,1,opt,name=authenticationMode"`
}
// Authentication modes accepted for KubernetesDashboard.AuthenticationMode.
const (
	// KubernetesDashboardAuthModeBasic uses basic authentication mode for auth.
	//
	// Deprecated: basic authentication has been removed in Kubernetes v1.19+; use KubernetesDashboardAuthModeToken.
	KubernetesDashboardAuthModeBasic = "basic"
	// KubernetesDashboardAuthModeToken uses token-based mode for auth.
	KubernetesDashboardAuthModeToken = "token"
)
// NginxIngress describes configuration values for the nginx-ingress addon.
type NginxIngress struct {
	Addon `json:",inline" protobuf:"bytes,1,opt,name=addon"`
	// LoadBalancerSourceRanges is a list of allowed IP sources for NginxIngress. It acts as an
	// allowlist on the exposing load balancer; what happens when it is omitted is decided by the
	// load balancer implementation, not by this type.
	// +optional
	LoadBalancerSourceRanges []string `json:"loadBalancerSourceRanges,omitempty" protobuf:"bytes,2,rep,name=loadBalancerSourceRanges"`
	// Config contains custom configuration for the nginx-ingress-controller configuration.
	// See https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/configmap.md#configuration-options
	// +optional
	Config map[string]string `json:"config,omitempty" protobuf:"bytes,3,rep,name=config"`
	// ExternalTrafficPolicy controls the `.spec.externalTrafficPolicy` value of the load balancer `Service`
	// exposing the nginx-ingress. Defaults to `Cluster`.
	// +optional
	ExternalTrafficPolicy *corev1.ServiceExternalTrafficPolicyType `json:"externalTrafficPolicy,omitempty" protobuf:"bytes,4,opt,name=externalTrafficPolicy,casttype=k8s.io/api/core/v1.ServiceExternalTrafficPolicyType"`
}
// ControlPlane holds information about the general settings for the control plane of a shoot.
type ControlPlane struct {
	// HighAvailability holds the configuration settings for high availability of the
	// control plane of a shoot.
	// +optional
	HighAvailability *HighAvailability `json:"highAvailability,omitempty" protobuf:"bytes,1,name=highAvailability"`
}
// DNS holds information about the provider, the hosted zone id and the domain.
type DNS struct {
	// Domain is the externally available domain of the Shoot cluster. This domain will be written into the
	// kubeconfig that is handed out to end-users. This field is immutable.
	// +optional
	Domain *string `json:"domain,omitempty" protobuf:"bytes,1,opt,name=domain"`
	// Providers is a list of DNS providers that shall be enabled for this shoot cluster. Only relevant if
	// no default domain is used.
	// +patchMergeKey=type
	// +patchStrategy=merge
	// +optional
	Providers []DNSProvider `json:"providers,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,2,rep,name=providers"`
}
// DNSProvider contains information about a DNS provider.
type DNSProvider struct {
	// Domains contains information about which domains shall be included/excluded for this provider.
	// +optional
	Domains *DNSIncludeExclude `json:"domains,omitempty" protobuf:"bytes,1,opt,name=domains"`
	// Primary indicates that this DNSProvider is used for shoot related domains.
	// +optional
	Primary *bool `json:"primary,omitempty" protobuf:"varint,2,opt,name=primary"`
	// SecretName is a name of a secret containing credentials for the stated domain and the
	// provider. When not specified, the Gardener will use the cloud provider credentials referenced
	// by the Shoot and try to find respective credentials there (primary provider only). Specifying this field may override
	// this behavior, i.e. forcing the Gardener to only look into the given secret.
	// Only the secret's name is stored here, never its contents.
	// +optional
	SecretName *string `json:"secretName,omitempty" protobuf:"bytes,3,opt,name=secretName"`
	// Type is the DNS provider type.
	// +optional
	Type *string `json:"type,omitempty" protobuf:"bytes,4,opt,name=type"`
	// Zones contains information about which hosted zones shall be included/excluded for this provider.
	// +optional
	Zones *DNSIncludeExclude `json:"zones,omitempty" protobuf:"bytes,5,opt,name=zones"`
}
// DNSIncludeExclude contains information about which domains shall be included/excluded.
// The same type is used for hosted zones (DNSProvider.Zones).
type DNSIncludeExclude struct {
	// Include is a list of domains that shall be included.
	// +optional
	Include []string `json:"include,omitempty" protobuf:"bytes,1,rep,name=include"`
	// Exclude is a list of domains that shall be excluded.
	// +optional
	Exclude []string `json:"exclude,omitempty" protobuf:"bytes,2,rep,name=exclude"`
}
// DefaultDomain is the default value in the Shoot's '.spec.dns.domain' when '.spec.dns.provider' is 'unmanaged'.
const DefaultDomain = "cluster.local"
// Extension contains type and provider information for Shoot extensions.
type Extension struct {
	// Type is the type of the extension resource.
	Type string `json:"type" protobuf:"bytes,1,opt,name=type"`
	// ProviderConfig is the configuration passed to the extension resource. It is an opaque
	// RawExtension from the point of view of this API; its schema is owned by the extension.
	// +optional
	ProviderConfig *runtime.RawExtension `json:"providerConfig,omitempty" protobuf:"bytes,2,opt,name=providerConfig"`
	// Disabled allows to disable extensions that were marked as 'globally enabled' by Gardener administrators.
	// +optional
	Disabled *bool `json:"disabled,omitempty" protobuf:"varint,3,opt,name=disabled"`
}
// NamedResourceReference is a named reference to a resource.
// The Name is what extension configs use to refer to the referenced object (see ShootSpec.Resources).
type NamedResourceReference struct {
	// Name of the resource reference.
	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
	// ResourceRef is a reference to a resource.
	ResourceRef autoscalingv1.CrossVersionObjectReference `json:"resourceRef" protobuf:"bytes,2,opt,name=resourceRef"`
}
// Hibernation contains information whether the Shoot is suspended or not.
type Hibernation struct {
	// Enabled specifies whether the Shoot needs to be hibernated or not. If it is true, the Shoot's desired state is to be hibernated.
	// If it is false or nil, the Shoot's desired state is to be awakened.
	// +optional
	Enabled *bool `json:"enabled,omitempty" protobuf:"varint,1,opt,name=enabled"`
	// Schedules determine the hibernation schedules.
	// +optional
	Schedules []HibernationSchedule `json:"schedules,omitempty" protobuf:"bytes,2,rep,name=schedules"`
}
// HibernationSchedule determines the hibernation schedule of a Shoot.
// A Shoot will be regularly hibernated at each start time and will be woken up at each end time.
// Start or End can be omitted, though at least one of them has to be specified.
type HibernationSchedule struct {
	// Start is a Cron spec at which time a Shoot will be hibernated.
	// +optional
	Start *string `json:"start,omitempty" protobuf:"bytes,1,opt,name=start"`
	// End is a Cron spec at which time a Shoot will be woken up.
	// +optional
	End *string `json:"end,omitempty" protobuf:"bytes,2,opt,name=end"`
	// Location is the time location in which both Start and End shall be evaluated.
	// +optional
	Location *string `json:"location,omitempty" protobuf:"bytes,3,opt,name=location"`
}
// Kubernetes contains the version and configuration variables for the Shoot control plane.
type Kubernetes struct {
	// AllowPrivilegedContainers indicates whether privileged containers are allowed in the Shoot.
	// Defaults to true for Kubernetes versions below v1.25. Unusable for Kubernetes versions v1.25 and higher.
	// NOTE(review): because the default is permissive on older versions, operators who do not need privileged
	// workloads should set this to false explicitly rather than rely on the default.
	// +optional
	AllowPrivilegedContainers *bool `json:"allowPrivilegedContainers,omitempty" protobuf:"varint,1,opt,name=allowPrivilegedContainers"`
	// ClusterAutoscaler contains the configuration flags for the Kubernetes cluster autoscaler.
	// +optional
	ClusterAutoscaler *ClusterAutoscaler `json:"clusterAutoscaler,omitempty" protobuf:"bytes,2,opt,name=clusterAutoscaler"`
	// KubeAPIServer contains configuration settings for the kube-apiserver.
	// +optional
	KubeAPIServer *KubeAPIServerConfig `json:"kubeAPIServer,omitempty" protobuf:"bytes,3,opt,name=kubeAPIServer"`
	// KubeControllerManager contains configuration settings for the kube-controller-manager.
	// +optional
	KubeControllerManager *KubeControllerManagerConfig `json:"kubeControllerManager,omitempty" protobuf:"bytes,4,opt,name=kubeControllerManager"`
	// KubeScheduler contains configuration settings for the kube-scheduler.
	// +optional
	KubeScheduler *KubeSchedulerConfig `json:"kubeScheduler,omitempty" protobuf:"bytes,5,opt,name=kubeScheduler"`
	// KubeProxy contains configuration settings for the kube-proxy.
	// +optional
	KubeProxy *KubeProxyConfig `json:"kubeProxy,omitempty" protobuf:"bytes,6,opt,name=kubeProxy"`
	// Kubelet contains configuration settings for the kubelet.
	// +optional
	Kubelet *KubeletConfig `json:"kubelet,omitempty" protobuf:"bytes,7,opt,name=kubelet"`
	// Version is the semantic Kubernetes version to use for the Shoot cluster.
	Version string `json:"version" protobuf:"bytes,8,opt,name=version"`
	// VerticalPodAutoscaler contains the configuration flags for the Kubernetes vertical pod autoscaler.
	// +optional
	VerticalPodAutoscaler *VerticalPodAutoscaler `json:"verticalPodAutoscaler,omitempty" protobuf:"bytes,9,opt,name=verticalPodAutoscaler"`
	// EnableStaticTokenKubeconfig indicates whether static token kubeconfig secret will be created for the Shoot cluster.
	// Defaults to true for Shoots with Kubernetes versions < 1.26. Defaults to false for Shoots with Kubernetes versions >= 1.26.
	// Starting Kubernetes 1.27 the field will be locked to false.
	// NOTE(review): a static token is a long-lived credential; where the version still allows it, prefer false
	// and use short-lived, requested credentials instead.
	// +optional
	EnableStaticTokenKubeconfig *bool `json:"enableStaticTokenKubeconfig,omitempty" protobuf:"varint,10,opt,name=enableStaticTokenKubeconfig"`
}
// ClusterAutoscaler contains the configuration flags for the Kubernetes cluster autoscaler.
type ClusterAutoscaler struct {
	// ScaleDownDelayAfterAdd defines how long after scale up that scale down evaluation resumes (default: 1 hour).
	// +optional
	ScaleDownDelayAfterAdd *metav1.Duration `json:"scaleDownDelayAfterAdd,omitempty" protobuf:"bytes,1,opt,name=scaleDownDelayAfterAdd"`
	// ScaleDownDelayAfterDelete defines how long after node deletion that scale down evaluation resumes, defaults to scanInterval (default: 0 secs).
	// +optional
	ScaleDownDelayAfterDelete *metav1.Duration `json:"scaleDownDelayAfterDelete,omitempty" protobuf:"bytes,2,opt,name=scaleDownDelayAfterDelete"`
	// ScaleDownDelayAfterFailure defines how long after scale down failure that scale down evaluation resumes (default: 3 mins).
	// +optional
	ScaleDownDelayAfterFailure *metav1.Duration `json:"scaleDownDelayAfterFailure,omitempty" protobuf:"bytes,3,opt,name=scaleDownDelayAfterFailure"`
	// ScaleDownUnneededTime defines how long a node should be unneeded before it is eligible for scale down (default: 30 mins).
	// +optional
	ScaleDownUnneededTime *metav1.Duration `json:"scaleDownUnneededTime,omitempty" protobuf:"bytes,4,opt,name=scaleDownUnneededTime"`
	// ScaleDownUtilizationThreshold defines the threshold in fraction (0.0 - 1.0) under which a node is being removed (default: 0.5).
	// +optional
	ScaleDownUtilizationThreshold *float64 `json:"scaleDownUtilizationThreshold,omitempty" protobuf:"fixed64,5,opt,name=scaleDownUtilizationThreshold"`
	// ScanInterval defines how often the cluster is reevaluated for scale up or down (default: 10 secs).
	// +optional
	ScanInterval *metav1.Duration `json:"scanInterval,omitempty" protobuf:"bytes,6,opt,name=scanInterval"`
	// Expander defines the algorithm to use during scale up (default: least-waste).
	// See: https://github.com/gardener/autoscaler/blob/machine-controller-manager-provider/cluster-autoscaler/FAQ.md#what-are-expanders.
	// +optional
	Expander *ExpanderMode `json:"expander,omitempty" protobuf:"bytes,7,opt,name=expander"`
	// MaxNodeProvisionTime defines how long CA waits for node to be provisioned (default: 20 mins).
	// +optional
	MaxNodeProvisionTime *metav1.Duration `json:"maxNodeProvisionTime,omitempty" protobuf:"bytes,8,opt,name=maxNodeProvisionTime"`
	// MaxGracefulTerminationSeconds is the number of seconds CA waits for pod termination when trying to scale down a node (default: 600).
	// +optional
	MaxGracefulTerminationSeconds *int32 `json:"maxGracefulTerminationSeconds,omitempty" protobuf:"varint,9,opt,name=maxGracefulTerminationSeconds"`
	// IgnoreTaints specifies a list of taint keys to ignore in node templates when considering to scale a node group.
	// +optional
	IgnoreTaints []string `json:"ignoreTaints,omitempty" protobuf:"bytes,10,opt,name=ignoreTaints"`
}
// ExpanderMode is the type used for Expander values.
type ExpanderMode string
const (
	// ClusterAutoscalerExpanderLeastWaste selects the node group that will have the least idle CPU (if tied, unused memory) after scale-up.
	// This is useful when you have different classes of nodes, for example, high CPU or high memory nodes, and
	// only want to expand those when there are pending pods that need a lot of those resources.
	// This is the default value.
	ClusterAutoscalerExpanderLeastWaste ExpanderMode = "least-waste"
	// ClusterAutoscalerExpanderMostPods selects the node group that would be able to schedule the most pods when scaling up.
	// This is useful when you are using nodeSelector to make sure certain pods land on certain nodes.
	// Note that this won't cause the autoscaler to select bigger nodes vs. smaller, as it can add multiple smaller nodes at once.
	ClusterAutoscalerExpanderMostPods ExpanderMode = "most-pods"
	// ClusterAutoscalerExpanderPriority selects the node group that has the highest priority assigned by the user. For configurations,
	// See: https://github.com/gardener/autoscaler/blob/machine-controller-manager-provider/cluster-autoscaler/expander/priority/readme.md
	ClusterAutoscalerExpanderPriority ExpanderMode = "priority"
	// ClusterAutoscalerExpanderRandom should be used when you don't have a particular need
	// for the node groups to scale differently.
	ClusterAutoscalerExpanderRandom ExpanderMode = "random"
)
// VerticalPodAutoscaler contains the configuration flags for the Kubernetes vertical pod autoscaler.
type VerticalPodAutoscaler struct {
	// Enabled specifies whether the Kubernetes VPA shall be enabled for the shoot cluster.
	Enabled bool `json:"enabled" protobuf:"varint,1,opt,name=enabled"`
	// EvictAfterOOMThreshold defines the threshold that will lead to pod eviction in case it OOMed in less than the given
	// threshold since its start and if it has only one container (default: 10m0s).
	// +optional
	EvictAfterOOMThreshold *metav1.Duration `json:"evictAfterOOMThreshold,omitempty" protobuf:"bytes,2,opt,name=evictAfterOOMThreshold"`
	// EvictionRateBurst defines the burst of pods that can be evicted (default: 1).
	// +optional
	EvictionRateBurst *int32 `json:"evictionRateBurst,omitempty" protobuf:"varint,3,opt,name=evictionRateBurst"`
	// EvictionRateLimit defines the number of pods that can be evicted per second. A rate limit set to 0 or -1 will
	// disable the rate limiter (default: -1).
	// +optional
	EvictionRateLimit *float64 `json:"evictionRateLimit,omitempty" protobuf:"fixed64,4,opt,name=evictionRateLimit"`
	// EvictionTolerance defines the fraction of replica count that can be evicted for update in case more than one
	// pod can be evicted (default: 0.5).
	// +optional
	EvictionTolerance *float64 `json:"evictionTolerance,omitempty" protobuf:"fixed64,5,opt,name=evictionTolerance"`
	// RecommendationMarginFraction is the fraction of usage added as the safety margin to the recommended request
	// (default: 0.15).
	// +optional
	RecommendationMarginFraction *float64 `json:"recommendationMarginFraction,omitempty" protobuf:"fixed64,6,opt,name=recommendationMarginFraction"`
	// UpdaterInterval is the interval how often the updater should run (default: 1m0s).
	// +optional
	UpdaterInterval *metav1.Duration `json:"updaterInterval,omitempty" protobuf:"bytes,7,opt,name=updaterInterval"`
	// RecommenderInterval is the interval how often metrics should be fetched (default: 1m0s).
	// +optional
	RecommenderInterval *metav1.Duration `json:"recommenderInterval,omitempty" protobuf:"bytes,8,opt,name=recommenderInterval"`
}
// Defaults for the VerticalPodAutoscaler fields above; the values match the "(default: …)" notes on the fields.
const (
	// DefaultEvictionRateBurst is the default value for the EvictionRateBurst field in the VPA configuration.
	DefaultEvictionRateBurst int32 = 1
	// DefaultEvictionRateLimit is the default value for the EvictionRateLimit field in the VPA configuration.
	DefaultEvictionRateLimit float64 = -1
	// DefaultEvictionTolerance is the default value for the EvictionTolerance field in the VPA configuration.
	DefaultEvictionTolerance = 0.5
	// DefaultRecommendationMarginFraction is the default value for the RecommendationMarginFraction field in the VPA configuration.
	DefaultRecommendationMarginFraction = 0.15
)
// Duration defaults for the VerticalPodAutoscaler fields above; these are vars (not consts) because
// metav1.Duration is a struct value.
var (
	// DefaultEvictAfterOOMThreshold is the default value for the EvictAfterOOMThreshold field in the VPA configuration.
	DefaultEvictAfterOOMThreshold = metav1.Duration{Duration: 10 * time.Minute}
	// DefaultUpdaterInterval is the default value for the UpdaterInterval field in the VPA configuration.
	DefaultUpdaterInterval = metav1.Duration{Duration: time.Minute}
	// DefaultRecommenderInterval is the default value for the RecommenderInterval field in the VPA configuration.
	DefaultRecommenderInterval = metav1.Duration{Duration: time.Minute}
)
// KubernetesConfig contains common configuration fields for the control plane components.
// It is embedded (inline) in the per-component config types below.
type KubernetesConfig struct {
	// FeatureGates contains information about enabled feature gates.
	// +optional
	FeatureGates map[string]bool `json:"featureGates,omitempty" protobuf:"bytes,1,rep,name=featureGates"`
}
// KubeAPIServerConfig contains configuration settings for the kube-apiserver.
type KubeAPIServerConfig struct {
	KubernetesConfig `json:",inline" protobuf:"bytes,1,opt,name=kubernetesConfig"`
	// AdmissionPlugins contains the list of user-defined admission plugins (additional to those managed by Gardener), and, if desired, the corresponding
	// configuration.
	// +patchMergeKey=name
	// +patchStrategy=merge
	// +optional
	AdmissionPlugins []AdmissionPlugin `json:"admissionPlugins,omitempty" patchStrategy:"merge" patchMergeKey:"name" protobuf:"bytes,2,rep,name=admissionPlugins"`
	// APIAudiences are the identifiers of the API. The service account token authenticator will
	// validate that tokens used against the API are bound to at least one of these audiences.
	// Defaults to ["kubernetes"].
	// +optional
	APIAudiences []string `json:"apiAudiences,omitempty" protobuf:"bytes,3,rep,name=apiAudiences"`
	// AuditConfig contains configuration settings for the audit of the kube-apiserver.
	// +optional
	AuditConfig *AuditConfig `json:"auditConfig,omitempty" protobuf:"bytes,4,opt,name=auditConfig"`
	// EnableBasicAuthentication defines whether basic authentication should be enabled for this cluster or not.
	// +optional
	// Defaults to false.
	//
	// Deprecated: basic authentication has been removed in Kubernetes v1.19+. This field will be removed in a future version.
	EnableBasicAuthentication *bool `json:"enableBasicAuthentication,omitempty" protobuf:"varint,5,opt,name=enableBasicAuthentication"`
	// OIDCConfig contains configuration settings for the OIDC provider.
	// +optional
	OIDCConfig *OIDCConfig `json:"oidcConfig,omitempty" protobuf:"bytes,6,opt,name=oidcConfig"`
	// RuntimeConfig contains information about enabled or disabled APIs.
	// +optional
	RuntimeConfig map[string]bool `json:"runtimeConfig,omitempty" protobuf:"bytes,7,rep,name=runtimeConfig"`
	// ServiceAccountConfig contains configuration settings for the service account handling
	// of the kube-apiserver.
	// +optional
	ServiceAccountConfig *ServiceAccountConfig `json:"serviceAccountConfig,omitempty" protobuf:"bytes,8,opt,name=serviceAccountConfig"`
	// WatchCacheSizes contains configuration of the API server's watch cache sizes.
	// Configuring these flags might be useful for large-scale Shoot clusters with a lot of parallel update requests
	// and a lot of watching controllers (e.g. large ManagedSeed clusters). When the API server's watch cache's
	// capacity is too small to cope with the amount of update requests and watchers for a particular resource, it
	// might happen that controller watches are permanently stopped with `too old resource version` errors.
	// Starting from kubernetes v1.19, the API server's watch cache size is adapted dynamically and setting the watch
	// cache size flags will have no effect, except when setting it to 0 (which disables the watch cache).
	// +optional
	WatchCacheSizes *WatchCacheSizes `json:"watchCacheSizes,omitempty" protobuf:"bytes,9,opt,name=watchCacheSizes"`
	// Requests contains configuration for request-specific settings for the kube-apiserver.
	// +optional
	Requests *KubeAPIServerRequests `json:"requests,omitempty" protobuf:"bytes,10,opt,name=requests"`
	// EnableAnonymousAuthentication defines whether anonymous requests to the secure port
	// of the API server should be allowed (flag `--anonymous-auth`).
	// See: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
	// NOTE(review): when enabled, unauthenticated callers reach the authorization layer, so what they can do is
	// bounded only by the cluster's authorization policy; keep it disabled unless something relies on it.
	// +optional
	EnableAnonymousAuthentication *bool `json:"enableAnonymousAuthentication,omitempty" protobuf:"varint,11,opt,name=enableAnonymousAuthentication"`
	// EventTTL controls the amount of time to retain events.
	// Defaults to 1h.
	// +optional
	EventTTL *metav1.Duration `json:"eventTTL,omitempty" protobuf:"bytes,12,opt,name=eventTTL"`
	// Logging contains configuration for the log level and HTTP access logs.
	// +optional
	Logging *KubeAPIServerLogging `json:"logging,omitempty" protobuf:"bytes,13,opt,name=logging"`
	// DefaultNotReadyTolerationSeconds indicates the tolerationSeconds of the toleration for notReady:NoExecute
	// that is added by default to every pod that does not already have such a toleration (flag `--default-not-ready-toleration-seconds`).
	// The field has effect only when the `DefaultTolerationSeconds` admission plugin is enabled.
	// Defaults to 300.
	// +optional
	DefaultNotReadyTolerationSeconds *int64 `json:"defaultNotReadyTolerationSeconds,omitempty" protobuf:"varint,14,opt,name=defaultNotReadyTolerationSeconds"`
	// DefaultUnreachableTolerationSeconds indicates the tolerationSeconds of the toleration for unreachable:NoExecute
	// that is added by default to every pod that does not already have such a toleration (flag `--default-unreachable-toleration-seconds`).
	// The field has effect only when the `DefaultTolerationSeconds` admission plugin is enabled.
	// Defaults to 300.
	// +optional
	DefaultUnreachableTolerationSeconds *int64 `json:"defaultUnreachableTolerationSeconds,omitempty" protobuf:"varint,15,opt,name=defaultUnreachableTolerationSeconds"`
}
// KubeAPIServerLogging contains configuration for the log level and HTTP access logs of the kube-apiserver.
type KubeAPIServerLogging struct {
	// Verbosity is the kube-apiserver log verbosity level.
	// Defaults to 2.
	// +optional
	Verbosity *int32 `json:"verbosity,omitempty" protobuf:"varint,1,opt,name=verbosity"`
	// HTTPAccessVerbosity is the kube-apiserver access logs level.
	// +optional
	HTTPAccessVerbosity *int32 `json:"httpAccessVerbosity,omitempty" protobuf:"varint,2,opt,name=httpAccessVerbosity"`
}
// KubeAPIServerRequests contains configuration for request-specific settings for the kube-apiserver.
//
// NOTE(review): both fields are *int32 but carry a `bytes` protobuf wire type, unlike the other *int32 fields
// in this file (e.g. KubeAPIServerLogging) which use `varint`. The tags must not be changed without regenerating
// and checking the protobuf code, so this is only flagged here — confirm against the generated code.
type KubeAPIServerRequests struct {
	// MaxNonMutatingInflight is the maximum number of non-mutating requests in flight at a given time. When the server
	// exceeds this, it rejects requests.
	// +optional
	MaxNonMutatingInflight *int32 `json:"maxNonMutatingInflight,omitempty" protobuf:"bytes,1,name=maxNonMutatingInflight"`
	// MaxMutatingInflight is the maximum number of mutating requests in flight at a given time. When the server
	// exceeds this, it rejects requests.
	// +optional
	MaxMutatingInflight *int32 `json:"maxMutatingInflight,omitempty" protobuf:"bytes,2,name=maxMutatingInflight"`
}
// ServiceAccountConfig is the kube-apiserver configuration for service accounts.
type ServiceAccountConfig struct {
	// Issuer is the identifier of the service account token issuer. The issuer will assert this
	// identifier in "iss" claim of issued tokens. This value is used to generate new service account tokens.
	// This value is a string or URI. Defaults to URI of the API server.
	// +optional
	Issuer *string `json:"issuer,omitempty" protobuf:"bytes,1,opt,name=issuer"`
	// SigningKeySecret is tombstoned to show why 2 is reserved protobuf tag.
	// SigningKeySecret *corev1.LocalObjectReference `json:"signingKeySecretName,omitempty" protobuf:"bytes,2,opt,name=signingKeySecretName"`
	// ExtendTokenExpiration turns on projected service account expiration extension during token generation, which
	// helps safe transition from legacy token to bound service account token feature. If this flag is enabled,
	// admission injected tokens would be extended up to 1 year to prevent unexpected failure during transition,
	// ignoring value of service-account-max-token-expiration.
	// NOTE(review): the extension overrides MaxTokenExpiration for admission-injected tokens, so enabling it keeps
	// those tokens valid far longer than the configured maximum; treat it as a transition aid, not a steady state.
	// +optional
	ExtendTokenExpiration *bool `json:"extendTokenExpiration,omitempty" protobuf:"bytes,3,opt,name=extendTokenExpiration"`
	// MaxTokenExpiration is the maximum validity duration of a token created by the service account token issuer. If an
	// otherwise valid TokenRequest with a validity duration larger than this value is requested, a token will be issued
	// with a validity duration of this value.
	// This field must be within [30d,90d].
	// +optional
	MaxTokenExpiration *metav1.Duration `json:"maxTokenExpiration,omitempty" protobuf:"bytes,4,opt,name=maxTokenExpiration"`
	// AcceptedIssuers is an additional set of issuers that are used to determine which service account tokens are accepted.
	// These values are not used to generate new service account tokens. Only useful when service account tokens are also
	// issued by another external system or a change of the current issuer that is used for generating tokens is being performed.
	// This field is only available for Kubernetes v1.22 or later.
	// NOTE(review): every issuer listed here is trusted for authentication; remove an old issuer once a rotation is complete.
	// +optional
	AcceptedIssuers []string `json:"acceptedIssuers,omitempty" protobuf:"bytes,5,opt,name=acceptedIssuers"`
}
// AuditConfig contains settings for audit of the api server.
type AuditConfig struct {
	// AuditPolicy contains configuration settings for audit policy of the kube-apiserver.
	// +optional
	AuditPolicy *AuditPolicy `json:"auditPolicy,omitempty" protobuf:"bytes,1,opt,name=auditPolicy"`
}
// AuditPolicy contains audit policy for kube-apiserver.
type AuditPolicy struct {
	// ConfigMapRef is a reference to a ConfigMap object in the same namespace,
	// which contains the audit policy for the kube-apiserver.
	// NOTE(review): the referenced ConfigMap determines which API requests are recorded; write access to it is
	// effectively write access to the cluster's audit coverage, so it deserves the same protection as the Shoot itself.
	// +optional
	ConfigMapRef *corev1.ObjectReference `json:"configMapRef,omitempty" protobuf:"bytes,1,opt,name=configMapRef"`
}
// OIDCConfig contains configuration settings for the OIDC provider.
// Note: Descriptions were taken from the Kubernetes documentation.
type OIDCConfig struct {
	// CABundle: if set, the OpenID server's certificate will be verified by one of the authorities in the oidc-ca-file, otherwise the host's root CA set will be used.
	// +optional
	CABundle *string `json:"caBundle,omitempty" protobuf:"bytes,1,opt,name=caBundle"`
	// ClientAuthentication can optionally contain client configuration used for kubeconfig generation.
	// +optional
	ClientAuthentication *OpenIDConnectClientAuthentication `json:"clientAuthentication,omitempty" protobuf:"bytes,2,opt,name=clientAuthentication"`
	// ClientID is the client ID for the OpenID Connect client, must be set if oidc-issuer-url is set.
	// +optional
	ClientID *string `json:"clientID,omitempty" protobuf:"bytes,3,opt,name=clientID"`
	// GroupsClaim: if provided, the name of a custom OpenID Connect claim for specifying user groups. The claim value is expected to be a string or array of strings. This flag is experimental, please see the authentication documentation for further details.
	// +optional
	GroupsClaim *string `json:"groupsClaim,omitempty" protobuf:"bytes,4,opt,name=groupsClaim"`
	// GroupsPrefix: if provided, all groups will be prefixed with this value to prevent conflicts with other authentication strategies.
	// +optional
	GroupsPrefix *string `json:"groupsPrefix,omitempty" protobuf:"bytes,5,opt,name=groupsPrefix"`
	// IssuerURL is the URL of the OpenID issuer, only HTTPS scheme will be accepted. If set, it will be used to verify the OIDC JSON Web Token (JWT).
	// +optional
	IssuerURL *string `json:"issuerURL,omitempty" protobuf:"bytes,6,opt,name=issuerURL"`
	// RequiredClaims are key=value pairs that describe a required claim in the ID Token. If set, the claim is verified to be present in the ID Token with a matching value.
	// +optional
	RequiredClaims map[string]string `json:"requiredClaims,omitempty" protobuf:"bytes,7,rep,name=requiredClaims"`
	// SigningAlgs is the list of allowed JOSE asymmetric signing algorithms. JWTs with a 'alg' header value not in this list will be rejected. Values are defined by RFC 7518 https://tools.ietf.org/html/rfc7518#section-3.1
	// NOTE(review): restricting this list to the algorithm(s) the issuer actually uses is a cheap hardening step.
	// +optional
	SigningAlgs []string `json:"signingAlgs,omitempty" protobuf:"bytes,8,rep,name=signingAlgs"`
	// UsernameClaim is the OpenID claim to use as the user name. Note that claims other than the default ('sub') are not guaranteed to be unique and immutable. This flag is experimental, please see the authentication documentation for further details. (default "sub")
	// +optional
	UsernameClaim *string `json:"usernameClaim,omitempty" protobuf:"bytes,9,opt,name=usernameClaim"`
	// UsernamePrefix: if provided, all usernames will be prefixed with this value. If not provided, username claims other than 'email' are prefixed by the issuer URL to avoid clashes. To skip any prefixing, provide the value '-'.
	// NOTE(review): '-' removes the namespace separation between OIDC users and other identities; a prefix is the
	// safer default unless the claim values are known not to collide with existing user or group names.
	// +optional
	UsernamePrefix *string `json:"usernamePrefix,omitempty" protobuf:"bytes,10,opt,name=usernamePrefix"`
}
// OpenIDConnectClientAuthentication contains configuration for OIDC clients.
type OpenIDConnectClientAuthentication struct {
	// ExtraConfig is extra configuration added to kubeconfig's auth-provider.
	// Must not be any of idp-issuer-url, client-id, client-secret, idp-certificate-authority, idp-certificate-authority-data, id-token or refresh-token.
	// +optional
	ExtraConfig map[string]string `json:"extraConfig,omitempty" protobuf:"bytes,1,rep,name=extraConfig"`
	// Secret is the client Secret for the OpenID Connect client.
	// NOTE(review): this is a credential stored in plain text in the Shoot spec and, per the type's purpose, it ends
	// up in generated kubeconfigs; anyone who can read the Shoot or those kubeconfigs can read it.
	// +optional
	Secret *string `json:"secret,omitempty" protobuf:"bytes,2,opt,name=secret"`
}
// AdmissionPlugin contains information about a specific admission plugin and its corresponding configuration.
type AdmissionPlugin struct {
	// Name is the name of the plugin.
	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
	// Config is the configuration of the plugin.
	// It is an opaque RawExtension at this level; its contents are interpreted by the plugin, not by this type.
	// +optional
	Config *runtime.RawExtension `json:"config,omitempty" protobuf:"bytes,2,opt,name=config"`
	// Disabled specifies whether this plugin should be disabled.
	// +optional
	Disabled *bool `json:"disabled,omitempty" protobuf:"varint,3,opt,name=disabled"`
}
// WatchCacheSizes contains configuration of the API server's watch cache sizes.
type WatchCacheSizes struct {
	// Default configures the default watch cache size of the kube-apiserver
	// (flag `--default-watch-cache-size`, defaults to 100).
	// See: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
	// +optional
	Default *int32 `json:"default,omitempty" protobuf:"varint,1,opt,name=default"`
	// Resources configures the watch cache size of the kube-apiserver per resource
	// (flag `--watch-cache-sizes`).
	// See: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
	// +optional
	Resources []ResourceWatchCacheSize `json:"resources,omitempty" protobuf:"bytes,2,rep,name=resources"`
}
// ResourceWatchCacheSize contains configuration of the API server's watch cache size for one specific resource.
type ResourceWatchCacheSize struct {
	// APIGroup is the API group of the resource for which the watch cache size should be configured.
	// An unset value is used to specify the legacy core API (e.g. for `secrets`).
	// +optional
	APIGroup *string `json:"apiGroup,omitempty" protobuf:"bytes,1,opt,name=apiGroup"`
	// Resource is the name of the resource for which the watch cache size should be configured
	// (in lowercase plural form, e.g. `secrets`).
	Resource string `json:"resource" protobuf:"bytes,2,opt,name=resource"`
	// CacheSize specifies the watch cache size that should be configured for the specified resource.
	// Note the JSON/protobuf name is `size`, not `cacheSize`.
	CacheSize int32 `json:"size" protobuf:"varint,3,opt,name=size"`
}
// KubeControllerManagerConfig contains configuration settings for the kube-controller-manager.
type KubeControllerManagerConfig struct {
	KubernetesConfig `json:",inline" protobuf:"bytes,1,opt,name=kubernetesConfig"`
	// HorizontalPodAutoscalerConfig contains horizontal pod autoscaler configuration settings for the kube-controller-manager.
	// +optional
	HorizontalPodAutoscalerConfig *HorizontalPodAutoscalerConfig `json:"horizontalPodAutoscaler,omitempty" protobuf:"bytes,2,opt,name=horizontalPodAutoscaler"`
	// NodeCIDRMaskSize defines the mask size for node cidr in cluster (default is 24). This field is immutable.
	// +optional
	NodeCIDRMaskSize *int32 `json:"nodeCIDRMaskSize,omitempty" protobuf:"varint,3,opt,name=nodeCIDRMaskSize"`
	// PodEvictionTimeout defines the grace period for deleting pods on failed nodes. Defaults to 2m.
	//
	// Deprecated: The corresponding kube-controller-manager flag `--pod-eviction-timeout` is deprecated
	// in favor of the kube-apiserver flags `--default-not-ready-toleration-seconds` and `--default-unreachable-toleration-seconds`.
	// The `--pod-eviction-timeout` flag does not have effect when the taint based eviction is enabled. The taint
	// based eviction is beta (enabled by default) since Kubernetes 1.13 and GA since Kubernetes 1.18. Hence,
	// instead of setting this field, set the `spec.kubernetes.kubeAPIServer.defaultNotReadyTolerationSeconds` and
	// `spec.kubernetes.kubeAPIServer.defaultUnreachableTolerationSeconds`.
	// +optional
	PodEvictionTimeout *metav1.Duration `json:"podEvictionTimeout,omitempty" protobuf:"bytes,4,opt,name=podEvictionTimeout"`
	// NodeMonitorGracePeriod defines the grace period before an unresponsive node is marked unhealthy.
	// +optional
	NodeMonitorGracePeriod *metav1.Duration `json:"nodeMonitorGracePeriod,omitempty" protobuf:"bytes,5,opt,name=nodeMonitorGracePeriod"`
}
// HorizontalPodAutoscalerConfig contains horizontal pod autoscaler configuration settings for the kube-controller-manager.
// Note: Descriptions were taken from the Kubernetes documentation.
// Protobuf tag 2 is not used by any field below; confirm against the generated code before reusing it.
type HorizontalPodAutoscalerConfig struct {
	// CPUInitializationPeriod is the period after which a ready pod transition is considered to be the first.
	// +optional
	CPUInitializationPeriod *metav1.Duration `json:"cpuInitializationPeriod,omitempty" protobuf:"bytes,1,opt,name=cpuInitializationPeriod"`
	// DownscaleStabilization is the configurable window at which the controller will choose the highest recommendation for autoscaling.
	// +optional
	DownscaleStabilization *metav1.Duration `json:"downscaleStabilization,omitempty" protobuf:"bytes,3,opt,name=downscaleStabilization"`
	// InitialReadinessDelay is the configurable period at which the horizontal pod autoscaler considers a Pod "not yet ready" given that it's unready and it has transitioned to unready during that time.
	// +optional
	InitialReadinessDelay *metav1.Duration `json:"initialReadinessDelay,omitempty" protobuf:"bytes,4,opt,name=initialReadinessDelay"`
	// SyncPeriod is the period for syncing the number of pods in horizontal pod autoscaler.
	// +optional
	SyncPeriod *metav1.Duration `json:"syncPeriod,omitempty" protobuf:"bytes,5,opt,name=syncPeriod"`
	// Tolerance is the minimum change (from 1.0) in the desired-to-actual metrics ratio for the horizontal pod autoscaler to consider scaling.
	// +optional
	Tolerance *float64 `json:"tolerance,omitempty" protobuf:"fixed64,6,opt,name=tolerance"`
}
// Defaults for the HorizontalPodAutoscalerConfig fields above.
const (
	// DefaultHPASyncPeriod is a constant for the default HPA sync period for a Shoot cluster.
	DefaultHPASyncPeriod = 30 * time.Second
	// DefaultHPATolerance is a constant for the default HPA tolerance for a Shoot cluster.
	DefaultHPATolerance = 0.1
	// DefaultDownscaleStabilization is the default HPA downscale stabilization window for a Shoot cluster.
	DefaultDownscaleStabilization = 5 * time.Minute
	// DefaultInitialReadinessDelay is the default HPA InitialReadinessDelay value for a Shoot cluster.
	DefaultInitialReadinessDelay = 30 * time.Second
	// DefaultCPUInitializationPeriod is the default value of the CPUInitializationPeriod for a Shoot cluster.
	DefaultCPUInitializationPeriod = 5 * time.Minute
)
// KubeSchedulerConfig contains configuration settings for the kube-scheduler.
type KubeSchedulerConfig struct {
	KubernetesConfig `json:",inline" protobuf:"bytes,1,opt,name=kubernetesConfig"`
	// KubeMaxPDVols allows to configure the `KUBE_MAX_PD_VOLS` environment variable for the kube-scheduler.
	// Please find more information here: https://kubernetes.io/docs/concepts/storage/storage-limits/#custom-limits
	// Note that using this field is considered alpha-/experimental-level and is on your own risk. You should be aware
	// of all the side-effects and consequences when changing it.
	// +optional
	KubeMaxPDVols *string `json:"kubeMaxPDVols,omitempty" protobuf:"bytes,2,opt,name=kubeMaxPDVols"`
	// Profile configures the scheduling profile for the cluster.
	// If not specified, the used profile is "balanced" (provides the default kube-scheduler behavior).
	// +optional
	Profile *SchedulingProfile `json:"profile,omitempty" protobuf:"bytes,3,opt,name=profile,casttype=SchedulingProfile"`
}
// SchedulingProfile is a string alias used for scheduling profile values.
// See the SchedulingProfile* constants for the accepted values.
type SchedulingProfile string
const (
	// SchedulingProfileBalanced is a scheduling profile that attempts to spread Pods evenly across Nodes
	// to obtain a more balanced resource usage. This profile provides the default kube-scheduler behavior.
	SchedulingProfileBalanced SchedulingProfile = "balanced"
	// SchedulingProfileBinPacking is a scheduling profile that scores Nodes based on the allocation of resources.
	// It prioritizes Nodes with most allocated resources. This leads the Node count in the cluster to be minimized and
	// the Node resource utilization to be increased.
	SchedulingProfileBinPacking SchedulingProfile = "bin-packing"
)
// KubeProxyConfig contains configuration settings for the kube-proxy.
type KubeProxyConfig struct {
	KubernetesConfig `json:",inline" protobuf:"bytes,1,opt,name=kubernetesConfig"`
	// Mode specifies which proxy mode to use.
	// Defaults to IPTables.
	// +optional
	Mode *ProxyMode `json:"mode,omitempty" protobuf:"bytes,2,opt,name=mode,casttype=ProxyMode"`
	// Enabled indicates whether kube-proxy should be deployed or not.
	// Depending on the networking extensions switching kube-proxy off might be rejected. Consulting the respective documentation of the used networking extension is recommended before using this field.
	// Defaults to true if not specified.
	// +optional
	Enabled *bool `json:"enabled,omitempty" protobuf:"varint,3,opt,name=enabled"`
}
// ProxyMode available in Linux platform: 'userspace' (older, going to be EOL), 'iptables'
// (newer, faster), 'ipvs' (newest, better in performance and scalability).
// As of now only 'iptables' and 'ipvs' are supported by Gardener.
// In Linux platform, if the iptables proxy is selected, regardless of how, but the system's kernel or iptables versions are
// insufficient, this always falls back to the userspace proxy. IPVS mode will be enabled when proxy mode is set to 'ipvs',
// and the fall back path is firstly iptables and then userspace.
// See the ProxyMode* constants for the accepted values.
type ProxyMode string
const (
	// ProxyModeIPTables uses iptables as proxy implementation.
	ProxyModeIPTables ProxyMode = "IPTables"
	// ProxyModeIPVS uses ipvs as proxy implementation.
	ProxyModeIPVS ProxyMode = "IPVS"
)
// KubeletConfig contains configuration settings for the kubelet.
type KubeletConfig struct {