配置 API
- 1: Client Authentication (v1beta1)
- 2: kube-apiserver Audit 配置 (v1)
- 3: kube-proxy Configuration (v1alpha1)
- 4: kube-scheduler Configuration (v1beta1)
- 5: kube-scheduler Policy Configuration (v1)
- 6: kubeadm 配置 (v1beta3)
- 7: Kubelet Configuration (v1beta1)
- 8: WebhookAdmission 配置 (v1)
- 9: 客户端身份认证(Client Authentication) (v1)
1 - Client Authentication (v1beta1)
Resource Types
ExecCredential
ExecCredential is used by exec-based plugins to communicate credentials to HTTP transports.
Field | Description |
---|---|
apiVersion string | client.authentication.k8s.io/v1beta1 |
kind string | ExecCredential |
spec [Required]ExecCredentialSpec
|
Spec holds information passed to the plugin by the transport. |
status ExecCredentialStatus
|
Status is filled in by the plugin and holds the credentials that the transport should use to contact the API. |
Cluster
Appears in:
Cluster contains information to allow an exec plugin to communicate with the kubernetes cluster being authenticated to.
To ensure that this struct contains everything someone would need to communicate with a kubernetes cluster (just like they would via a kubeconfig), the fields should shadow "k8s.io/client-go/tools/clientcmd/api/v1".Cluster, with the exception of CertificateAuthority, since CA data will always be passed to the plugin as bytes.
Field | Description |
---|---|
server [Required]string
|
Server is the address of the kubernetes cluster (https://hostname:port). |
tls-server-name string
|
TLSServerName is passed to the server for SNI and is used in the client to check server certificates against. If ServerName is empty, the hostname used to contact the server is used. |
insecure-skip-tls-verify bool
|
InsecureSkipTLSVerify skips the validity check for the server's certificate. This will make your HTTPS connections insecure. |
certificate-authority-data []byte
|
CAData contains PEM-encoded certificate authority certificates. If empty, system roots should be used. |
proxy-url string
|
ProxyURL is the URL to the proxy to be used for all requests to this cluster. |
config k8s.io/apimachinery/pkg/runtime.RawExtension
|
Config holds additional config data that is specific to the exec
plugin with regards to the cluster being authenticated to.
This data is sourced from the clientcmd Cluster object's extensions[client.authentication.k8s.io/exec] field: clusters:
In some environments, the user config may be exactly the same across many clusters (i.e. call this exec plugin) minus some details that are specific to each cluster such as the audience. This field allows the per cluster config to be directly specified with the cluster info. Using this field to store secret data is not recommended as one of the prime benefits of exec plugins is that no secrets need to be stored directly in the kubeconfig. |
ExecCredentialSpec
Appears in:
ExecCredentialSpec holds request and runtime specific information provided by the transport.
Field | Description |
---|---|
cluster Cluster
|
Cluster contains information to allow an exec plugin to communicate with the kubernetes cluster being authenticated to. Note that Cluster is non-nil only when provideClusterInfo is set to true in the exec provider config (i.e., ExecConfig.ProvideClusterInfo). |
ExecCredentialStatus
Appears in:
ExecCredentialStatus holds credentials for the transport to use.
Token and ClientKeyData are sensitive fields. This data should only be transmitted in-memory between client and exec plugin process. Exec plugin itself should at least be protected via file permissions.
Field | Description |
---|---|
expirationTimestamp meta/v1.Time
|
ExpirationTimestamp indicates a time when the provided credentials expire. |
token [Required]string
|
Token is a bearer token used by the client for request authentication. |
clientCertificateData [Required]string
|
PEM-encoded client TLS certificates (including intermediates, if any). |
clientKeyData [Required]string
|
PEM-encoded private key for the above certificate. |
2 - kube-apiserver Audit 配置 (v1)
资源类型
Event
出现在:
Event 结构包含可出现在 API 审计日志中的所有信息。
字段 | 描述 |
---|---|
apiVersion string | audit.k8s.io/v1 |
kind string | Event |
level [必需]Level
|
生成事件所对应的审计级别。 |
auditID [必需]k8s.io/apimachinery/pkg/types.UID
|
为每个请求所生成的唯一审计 ID。 |
stage [必需]Stage
|
生成此事件时请求的处理阶段。 |
requestURI [必需]string
|
requestURI 是客户端发送到服务器端的请求 URI。 |
verb [必需]string
|
verb 是与请求对应的 Kubernetes 动词。对于非资源请求,此字段为 HTTP 方法的小写形式。 |
user [必需]authentication/v1.UserInfo
|
关于认证用户的信息。 |
impersonatedUser authentication/v1.UserInfo
|
关于所伪装(impersonated)的用户的信息。 |
sourceIPs []string
|
发起请求和中间代理的源 IP 地址。 |
userAgent string
|
userAgent 中记录客户端所报告的用户代理(User Agent)字符串。 注意 userAgent 信息是由客户端提供的,一定不要信任。 |
objectRef ObjectReference
|
此请求所指向的对象引用。对于 List 类型的请求或者非资源请求,此字段可忽略。 |
responseStatus meta/v1.Status
|
响应的状态,当 responseObject 不是 Status 类型时被赋值。 对于成功的请求,此字段仅包含 code 和 statusSuccess。 对于非 Status 类型的错误响应,此字段会被自动赋值为出错信息。 |
requestObject k8s.io/apimachinery/pkg/runtime.Unknown
|
来自请求的 API 对象,以 JSON 格式呈现。requestObject 在请求中按原样记录 (可能会采用 JSON 重新编码),之后会进入版本转换、默认值填充、准入控制以及 配置信息合并等阶段。此对象为外部版本化的对象类型,甚至其自身可能并不是一个 合法的对象。对于非资源请求,此字段被忽略。 只有当审计级别为 Request 或更高的时候才会记录。 |
responseObject k8s.io/apimachinery/pkg/runtime.Unknown
|
响应中包含的 API 对象,以 JSON 格式呈现。requestObject 是在被转换为外部类型 并序列化为 JSON 格式之后才被记录的。 对于非资源请求,此字段会被忽略。 只有审计级别为 Response 时才会记录。 |
requestReceivedTimestamp meta/v1.MicroTime
|
请求到达 API 服务器时的时间。 |
stageTimestamp meta/v1.MicroTime
|
请求到达当前审计阶段时的时间。 |
annotations map[string]string
|
annotations 是一个无结构的键-值映射,其中保存的是一个审计事件。 该事件可以由请求处理链路上的插件来设置,包括身份认证插件、鉴权插件以及 准入控制插件等。 注意这些注解是针对审计事件本身的,与所提交的对象中的 metadata.annotations 之间不存在对应关系。 映射中的键名应该唯一性地标识生成该事件的组件,从而避免名字上的冲突 (例如 podsecuritypolicy.admission.k8s.io/policy)。 映射中的键值应该比较简洁。 当审计级别为 Metadata 时会包含 annotations 字段。 |
EventList
EventList 是审计事件(Event)的列表。
字段 | 描述 |
---|---|
apiVersion string | audit.k8s.io/v1 |
kind string | EventList |
metadata meta/v1.ListMeta
|
列表结构元数据 |
items [必需][]Event
|
事件对象列表 |
Policy
出现在:
Policy 定义的是审计日志的配置以及不同类型请求的日志记录规则。
字段 | 描述 |
---|---|
apiVersion string | audit.k8s.io/v1 |
kind string | Policy |
metadata meta/v1.ObjectMeta
|
包含 metadata 字段是为了便于与 API 基础设施之间实现互操作。
参考 Kubernetes API 文档了解 metadata 字段的详细信息。
|
rules [必需][]PolicyRule
|
字段 rules 设置请求要被记录的审计级别(level)。 每个请求可能会与多条规则相匹配;发生这种状况时遵从第一条匹配规则。 默认的审计级别是 None,不过可以在列表的末尾使用一条全抓(catch-all)规则 重载其设置。 列表中的规则(PolicyRule)是严格有序的。 |
omitStages []Stage
|
字段 omitStages 是一个阶段(Stage)列表,其中包含无须生成事件的阶段。 注意这一选项也可以通过每条规则来设置。 审计组件最终会忽略出现在 omitStages 中阶段,也会忽略规则中的阶段。 |
PolicyList
PolicyList 是由审计策略(Policy)组成的列表。
字段 | 描述 |
---|---|
apiVersion string | audit.k8s.io/v1 |
kind string | PolicyList |
metadata meta/v1.ListMeta
|
列表结构元数据。 |
items [必需][]Policy
|
策略(Policy)对象列表。 |
GroupResources
出现在:
GroupResources 代表的是某 API 组中的资源类别。
字段 | 描述 |
---|---|
group string
|
字段 group 给出包含资源的 API 组的名称。
空字符串代表 core API 组。
|
resources []string
|
如果存在通配符,则合法性检查逻辑会确保 resources 中的条目不会彼此重叠。 |
resourceNames []string
|
字段 resourceNames 是策略将匹配的资源实例名称列表。
使用此字段时,resources 必须指定。
空的 resourceNames 列表意味着资源的所有实例都会匹配到此策略。
|
Level
string
数据类型的别名。
出现在:
Level 定义的是审计过程中在日志内记录的信息量。
ObjectReference
出现在:
ObjectReference 包含的是用来检查或修改所引用对象时将需要的全部信息。
字段 | 描述 |
---|---|
resource string
|
资源类别。 |
namespace string
|
资源对象所在名字空间。 |
name string
|
资源对象名称。 |
uid k8s.io/apimachinery/pkg/types.UID
|
资源对象的唯一标识(UID)。 |
apiGroup string
|
字段 apiGroup 给出包含所引用对象的 API 组的名称。
空字符串代表 core API 组。
|
apiVersion string
|
字段 apiVersion 是包含所引用对象的 API 组的版本。 |
resourceVersion string
|
资源对象自身的版本值。 |
subresource string
|
子资源的类别。 |
PolicyRule
出现在:
PolicyRule 包含一个映射,基于元数据将请求映射到某审计级别。 请求必须与每个字段所定义的规则都匹配(即 rules 的交集)才被视为匹配。
字段 | 描述 |
---|---|
level [必需]Level
|
与此规则匹配的请求所对应的日志记录级别(Level)。 |
users []string
|
根据身份认证所确定的用户名的列表,给出此规则所适用的用户。 空列表意味着适用于所有用户。 |
userGroups []string
|
此规则所适用的用户组的列表。如果用户是所列用户组中任一用户组的成员,则视为匹配。 空列表意味着适用于所有用户组。 |
verbs []string
|
此规则所适用的动词(verb)列表。 空列表意味着适用于所有动词。 |
resources []GroupResources
|
此规则所适用的资源类别列表。 空列表意味着适用于 API 组中的所有资源类别。 |
namespaces []string
|
此规则所适用的名字空间列表。 空字符串("")意味着适用于非名字空间作用域的资源。 空列表意味着适用于所有名字空间。 |
nonResourceURLs []string
|
字段 nonResourceURLs 给出一组需要被审计的 URL 路径。
允许使用 ∗,但只能作为路径中最后一个完整分段。 例如: "/metrics" - 记录对 API 服务器度量值(metrics)的所有请求; "/healthz∗" - 记录所有健康检查请求。 |
omitStages []Stage
|
字段 omitStages 是一个阶段(Stage)列表,针对所列的阶段服务器不会生成审计事件。 注意这一选项也可以在策略(Policy)级别指定。服务器审计组件会忽略 omitStages 中给出的阶段,也会忽略策略中给出的阶段。 空列表意味着不对阶段作任何限制。 |
Stage
string
数据类型的别名。
出现在:
Stage 定义在请求处理过程中可以生成审计事件的阶段。
3 - kube-proxy Configuration (v1alpha1)
Resource Types
KubeProxyConfiguration
KubeProxyConfiguration contains everything necessary to configure the Kubernetes proxy server.
Field | Description |
---|---|
apiVersion string | kubeproxy.config.k8s.io/v1alpha1 |
kind string | KubeProxyConfiguration |
featureGates [Required]map[string]bool
|
featureGates is a map of feature names to bools that enable or disable alpha/experimental features. |
bindAddress [Required]string
|
bindAddress is the IP address for the proxy server to serve on (set to 0.0.0.0 for all interfaces) |
healthzBindAddress [Required]string
|
healthzBindAddress is the IP address and port for the health check server to serve on, defaulting to 0.0.0.0:10256 |
metricsBindAddress [Required]string
|
metricsBindAddress is the IP address and port for the metrics server to serve on, defaulting to 127.0.0.1:10249 (set to 0.0.0.0 for all interfaces) |
bindAddressHardFail [Required]bool
|
bindAddressHardFail, if true, kube-proxy will treat failure to bind to a port as fatal and exit |
enableProfiling [Required]bool
|
enableProfiling enables profiling via web interface on /debug/pprof handler. Profiling handlers will be handled by metrics server. |
clusterCIDR [Required]string
|
clusterCIDR is the CIDR range of the pods in the cluster. It is used to bridge traffic coming from outside of the cluster. If not provided, no off-cluster bridging will be performed. |
hostnameOverride [Required]string
|
hostnameOverride, if non-empty, will be used as the identity instead of the actual hostname. |
clientConnection [Required]ClientConnectionConfiguration
|
clientConnection specifies the kubeconfig file and client connection settings for the proxy server to use when communicating with the apiserver. |
iptables [Required]KubeProxyIPTablesConfiguration
|
iptables contains iptables-related configuration options. |
ipvs [Required]KubeProxyIPVSConfiguration
|
ipvs contains ipvs-related configuration options. |
oomScoreAdj [Required]int32
|
oomScoreAdj is the oom-score-adj value for kube-proxy process. Values must be within the range [-1000, 1000] |
mode [Required]ProxyMode
|
mode specifies which proxy mode to use. |
portRange [Required]string
|
portRange is the range of host ports (beginPort-endPort, inclusive) that may be consumed in order to proxy service traffic. If unspecified (0-0) then ports will be randomly chosen. |
udpIdleTimeout [Required]meta/v1.Duration
|
udpIdleTimeout is how long an idle UDP connection will be kept open (e.g. '250ms', '2s'). Must be greater than 0. Only applicable for proxyMode=userspace. |
conntrack [Required]KubeProxyConntrackConfiguration
|
conntrack contains conntrack-related configuration options. |
configSyncPeriod [Required]meta/v1.Duration
|
configSyncPeriod is how often configuration from the apiserver is refreshed. Must be greater than 0. |
nodePortAddresses [Required][]string
|
nodePortAddresses is the --nodeport-addresses value for kube-proxy process. Values must be valid IP blocks. These values are as a parameter to select the interfaces where nodeport works. In case someone would like to expose a service on localhost for local visit and some other interfaces for particular purpose, a list of IP blocks would do that. If set it to "127.0.0.0/8", kube-proxy will only select the loopback interface for NodePort. If set it to a non-zero IP block, kube-proxy will filter that down to just the IPs that applied to the node. An empty string slice is meant to select all network interfaces. |
winkernel [Required]KubeProxyWinkernelConfiguration
|
winkernel contains winkernel-related configuration options. |
showHiddenMetricsForVersion [Required]string
|
ShowHiddenMetricsForVersion is the version for which you want to show hidden metrics. |
detectLocalMode [Required]LocalMode
|
DetectLocalMode determines mode to use for detecting local traffic, defaults to LocalModeClusterCIDR |
KubeProxyConntrackConfiguration
Appears in:
KubeProxyConntrackConfiguration contains conntrack settings for the Kubernetes proxy server.
Field | Description |
---|---|
maxPerCore [Required]int32
|
maxPerCore is the maximum number of NAT connections to track per CPU core (0 to leave the limit as-is and ignore min). |
min [Required]int32
|
min is the minimum value of connect-tracking records to allocate, regardless of conntrackMaxPerCore (set maxPerCore=0 to leave the limit as-is). |
tcpEstablishedTimeout [Required]meta/v1.Duration
|
tcpEstablishedTimeout is how long an idle TCP connection will be kept open (e.g. '2s'). Must be greater than 0 to set. |
tcpCloseWaitTimeout [Required]meta/v1.Duration
|
tcpCloseWaitTimeout is how long an idle conntrack entry in CLOSE_WAIT state will remain in the conntrack table. (e.g. '60s'). Must be greater than 0 to set. |
KubeProxyIPTablesConfiguration
Appears in:
KubeProxyIPTablesConfiguration contains iptables-related configuration details for the Kubernetes proxy server.
Field | Description |
---|---|
masqueradeBit [Required]int32
|
masqueradeBit is the bit of the iptables fwmark space to use for SNAT if using the pure iptables proxy mode. Values must be within the range [0, 31]. |
masqueradeAll [Required]bool
|
masqueradeAll tells kube-proxy to SNAT everything if using the pure iptables proxy mode. |
syncPeriod [Required]meta/v1.Duration
|
syncPeriod is the period that iptables rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than 0. |
minSyncPeriod [Required]meta/v1.Duration
|
minSyncPeriod is the minimum period that iptables rules are refreshed (e.g. '5s', '1m', '2h22m'). |
KubeProxyIPVSConfiguration
Appears in:
KubeProxyIPVSConfiguration contains ipvs-related configuration details for the Kubernetes proxy server.
Field | Description |
---|---|
syncPeriod [Required]meta/v1.Duration
|
syncPeriod is the period that ipvs rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than 0. |
minSyncPeriod [Required]meta/v1.Duration
|
minSyncPeriod is the minimum period that ipvs rules are refreshed (e.g. '5s', '1m', '2h22m'). |
scheduler [Required]string
|
ipvs scheduler |
excludeCIDRs [Required][]string
|
excludeCIDRs is a list of CIDR's which the ipvs proxier should not touch when cleaning up ipvs services. |
strictARP [Required]bool
|
strict ARP configure arp_ignore and arp_announce to avoid answering ARP queries from kube-ipvs0 interface |
tcpTimeout [Required]meta/v1.Duration
|
tcpTimeout is the timeout value used for idle IPVS TCP sessions. The default value is 0, which preserves the current timeout value on the system. |
tcpFinTimeout [Required]meta/v1.Duration
|
tcpFinTimeout is the timeout value used for IPVS TCP sessions after receiving a FIN. The default value is 0, which preserves the current timeout value on the system. |
udpTimeout [Required]meta/v1.Duration
|
udpTimeout is the timeout value used for IPVS UDP packets. The default value is 0, which preserves the current timeout value on the system. |
KubeProxyWinkernelConfiguration
Appears in:
KubeProxyWinkernelConfiguration contains Windows/HNS settings for the Kubernetes proxy server.
Field | Description |
---|---|
networkName [Required]string
|
networkName is the name of the network kube-proxy will use to create endpoints and policies |
sourceVip [Required]string
|
sourceVip is the IP address of the source VIP endoint used for NAT when loadbalancing |
enableDSR [Required]bool
|
enableDSR tells kube-proxy whether HNS policies should be created with DSR |
LocalMode
(Alias of string
)
Appears in:
LocalMode represents modes to detect local traffic from the node
ProxyMode
(Alias of string
)
Appears in:
ProxyMode represents modes used by the Kubernetes proxy server.
Currently, three modes of proxy are available in Linux platform: 'userspace' (older, going to be EOL), 'iptables' (newer, faster), 'ipvs'(newest, better in performance and scalability).
Two modes of proxy are available in Windows platform: 'userspace'(older, stable) and 'kernelspace' (newer, faster).
In Linux platform, if proxy mode is blank, use the best-available proxy (currently iptables, but may change in the future). If the iptables proxy is selected, regardless of how, but the system's kernel or iptables versions are insufficient, this always falls back to the userspace proxy. IPVS mode will be enabled when proxy mode is set to 'ipvs', and the fall back path is firstly iptables and then userspace.
In Windows platform, if proxy mode is blank, use the best-available proxy (currently userspace, but may change in the future). If winkernel proxy is selected, regardless of how, but the Windows kernel can't support this mode of proxy, this always falls back to the userspace proxy.
ClientConnectionConfiguration
Appears in:
ClientConnectionConfiguration contains details for constructing a client.
Field | Description |
---|---|
kubeconfig [Required]string
|
kubeconfig is the path to a KubeConfig file. |
acceptContentTypes [Required]string
|
acceptContentTypes defines the Accept header sent by clients when connecting to a server, overriding the default value of 'application/json'. This field will control all connections to the server used by a particular client. |
contentType [Required]string
|
contentType is the content type used when sending data to the server from this client. |
qps [Required]float32
|
qps controls the number of queries per second allowed for this connection. |
burst [Required]int32
|
burst allows extra queries to accumulate when a client is exceeding its rate. |
4 - kube-scheduler Configuration (v1beta1)
Resource Types
- Policy
- DefaultPreemptionArgs
- InterPodAffinityArgs
- KubeSchedulerConfiguration
- NodeAffinityArgs
- NodeLabelArgs
- NodeResourcesFitArgs
- NodeResourcesLeastAllocatedArgs
- NodeResourcesMostAllocatedArgs
- PodTopologySpreadArgs
- RequestedToCapacityRatioArgs
- ServiceAffinityArgs
- VolumeBindingArgs
Policy
Policy describes a struct for a policy resource used in api.
Field | Description |
---|---|
apiVersion string | kubescheduler.config.k8s.io/v1 |
kind string | Policy |
predicates [Required][]PredicatePolicy
|
Holds the information to configure the fit predicate functions |
priorities [Required][]PriorityPolicy
|
Holds the information to configure the priority functions |
extenders [Required][]LegacyExtender
|
Holds the information to communicate with the extender(s) |
hardPodAffinitySymmetricWeight [Required]int32
|
RequiredDuringScheduling affinity is not symmetric, but there is an implicit PreferredDuringScheduling affinity rule corresponding to every RequiredDuringScheduling affinity rule. HardPodAffinitySymmetricWeight represents the weight of implicit PreferredDuringScheduling affinity rule, in the range 1-100. |
alwaysCheckAllPredicates [Required]bool
|
When AlwaysCheckAllPredicates is set to true, scheduler checks all the configured predicates even after one or more of them fails. When the flag is set to false, scheduler skips checking the rest of the predicates after it finds one predicate that failed. |
ExtenderManagedResource
Appears in:
ExtenderManagedResource describes the arguments of extended resources managed by an extender.
Field | Description |
---|---|
name [Required]string
|
Name is the extended resource name. |
ignoredByScheduler [Required]bool
|
IgnoredByScheduler indicates whether kube-scheduler should ignore this resource when applying predicates. |
ExtenderTLSConfig
Appears in:
ExtenderTLSConfig contains settings to enable TLS with extender
Field | Description |
---|---|
insecure [Required]bool
|
Server should be accessed without verifying the TLS certificate. For testing only. |
serverName [Required]string
|
ServerName is passed to the server for SNI and is used in the client to check server certificates against. If ServerName is empty, the hostname used to contact the server is used. |
certFile [Required]string
|
Server requires TLS client certificate authentication |
keyFile [Required]string
|
Server requires TLS client certificate authentication |
caFile [Required]string
|
Trusted root certificates for server |
certData [Required][]byte
|
CertData holds PEM-encoded bytes (typically read from a client certificate file). CertData takes precedence over CertFile |
keyData [Required][]byte
|
KeyData holds PEM-encoded bytes (typically read from a client certificate key file). KeyData takes precedence over KeyFile |
caData [Required][]byte
|
CAData holds PEM-encoded bytes (typically read from a root certificates bundle). CAData takes precedence over CAFile |
LabelPreference
Appears in:
LabelPreference holds the parameters that are used to configure the corresponding priority function
Field | Description |
---|---|
label [Required]string
|
Used to identify node "groups" |
presence [Required]bool
|
This is a boolean flag If true, higher priority is given to nodes that have the label If false, higher priority is given to nodes that do not have the label |
LabelsPresence
Appears in:
LabelsPresence holds the parameters that are used to configure the corresponding predicate in scheduler policy configuration.
Field | Description |
---|---|
labels [Required][]string
|
The list of labels that identify node "groups" All of the labels should be either present (or absent) for the node to be considered a fit for hosting the pod |
presence [Required]bool
|
The boolean flag that indicates whether the labels should be present or absent from the node |
LegacyExtender
Appears in:
LegacyExtender holds the parameters used to communicate with the extender. If a verb is unspecified/empty, it is assumed that the extender chose not to provide that extension.
Field | Description |
---|---|
urlPrefix [Required]string
|
URLPrefix at which the extender is available |
filterVerb [Required]string
|
Verb for the filter call, empty if not supported. This verb is appended to the URLPrefix when issuing the filter call to extender. |
preemptVerb [Required]string
|
Verb for the preempt call, empty if not supported. This verb is appended to the URLPrefix when issuing the preempt call to extender. |
prioritizeVerb [Required]string
|
Verb for the prioritize call, empty if not supported. This verb is appended to the URLPrefix when issuing the prioritize call to extender. |
weight [Required]int64
|
The numeric multiplier for the node scores that the prioritize call generates. The weight should be a positive integer |
bindVerb [Required]string
|
Verb for the bind call, empty if not supported. This verb is appended to the URLPrefix when issuing the bind call to extender. If this method is implemented by the extender, it is the extender's responsibility to bind the pod to apiserver. Only one extender can implement this function. |
enableHttps [Required]bool
|
EnableHTTPS specifies whether https should be used to communicate with the extender |
tlsConfig [Required]ExtenderTLSConfig
|
TLSConfig specifies the transport layer security config |
httpTimeout [Required]time.Duration
|
HTTPTimeout specifies the timeout duration for a call to the extender. Filter timeout fails the scheduling of the pod. Prioritize timeout is ignored, k8s/other extenders priorities are used to select the node. |
nodeCacheCapable [Required]bool
|
NodeCacheCapable specifies that the extender is capable of caching node information, so the scheduler should only send minimal information about the eligible nodes assuming that the extender already cached full details of all nodes in the cluster |
managedResources []ExtenderManagedResource
|
ManagedResources is a list of extended resources that are managed by this extender. - A pod will be sent to the extender on the Filter, Prioritize and Bind (if the extender is the binder) phases iff the pod requests at least one of the extended resources in this list. If empty or unspecified, all pods will be sent to this extender. - If IgnoredByScheduler is set to true for a resource, kube-scheduler will skip checking the resource in predicates. |
ignorable [Required]bool
|
Ignorable specifies if the extender is ignorable, i.e. scheduling should not fail when the extender returns an error or is not reachable. |
PredicateArgument
Appears in:
PredicateArgument represents the arguments to configure predicate functions in scheduler policy configuration. Only one of its members may be specified
Field | Description |
---|---|
serviceAffinity [Required]ServiceAffinity
|
The predicate that provides affinity for pods belonging to a service It uses a label to identify nodes that belong to the same "group" |
labelsPresence [Required]LabelsPresence
|
The predicate that checks whether a particular node has a certain label defined or not, regardless of value |
PredicatePolicy
Appears in:
PredicatePolicy describes a struct of a predicate policy.
Field | Description |
---|---|
name [Required]string
|
Identifier of the predicate policy For a custom predicate, the name can be user-defined For the Kubernetes provided predicates, the name is the identifier of the pre-defined predicate |
argument [Required]PredicateArgument
|
Holds the parameters to configure the given predicate |
PriorityArgument
Appears in:
PriorityArgument represents the arguments to configure priority functions in scheduler policy configuration. Only one of its members may be specified
Field | Description |
---|---|
serviceAntiAffinity [Required]ServiceAntiAffinity
|
The priority function that ensures a good spread (anti-affinity) for pods belonging to a service It uses a label to identify nodes that belong to the same "group" |
labelPreference [Required]LabelPreference
|
The priority function that checks whether a particular node has a certain label defined or not, regardless of value |
requestedToCapacityRatioArguments [Required]RequestedToCapacityRatioArguments
|
The RequestedToCapacityRatio priority function is parametrized with function shape. |
PriorityPolicy
Appears in:
PriorityPolicy describes a struct of a priority policy.
Field | Description |
---|---|
name [Required]string
|
Identifier of the priority policy For a custom priority, the name can be user-defined For the Kubernetes provided priority functions, the name is the identifier of the pre-defined priority function |
weight [Required]int64
|
The numeric multiplier for the node scores that the priority function generates The weight should be non-zero and can be a positive or a negative integer |
argument [Required]PriorityArgument
|
Holds the parameters to configure the given priority function |
RequestedToCapacityRatioArguments
Appears in:
RequestedToCapacityRatioArguments holds arguments specific to RequestedToCapacityRatio priority function.
Field | Description |
---|---|
shape [Required][]UtilizationShapePoint
|
Array of point defining priority function shape. |
resources [Required][]ResourceSpec
|
No description provided. |
ResourceSpec
Appears in:
ResourceSpec represents single resource and weight for bin packing of priority RequestedToCapacityRatioArguments.
Field | Description |
---|---|
name [Required]string
|
Name of the resource to be managed by RequestedToCapacityRatio function. |
weight [Required]int64
|
Weight of the resource. |
ServiceAffinity
Appears in:
ServiceAffinity holds the parameters that are used to configure the corresponding predicate in scheduler policy configuration.
Field | Description |
---|---|
labels [Required][]string
|
The list of labels that identify node "groups" All of the labels should match for the node to be considered a fit for hosting the pod |
ServiceAntiAffinity
Appears in:
ServiceAntiAffinity holds the parameters that are used to configure the corresponding priority function
Field | Description |
---|---|
label [Required]string
|
Used to identify node "groups" |
UtilizationShapePoint
Appears in:
UtilizationShapePoint represents single point of priority function shape.
Field | Description |
---|---|
utilization [Required]int32
|
Utilization (x axis). Valid values are 0 to 100. Fully utilized node maps to 100. |
score [Required]int32
|
Score assigned to given utilization (y axis). Valid values are 0 to 10. |
ClientConnectionConfiguration
Appears in:
ClientConnectionConfiguration contains details for constructing a client.
Field | Description |
---|---|
kubeconfig [Required]string
|
kubeconfig is the path to a KubeConfig file. |
acceptContentTypes [Required]string
|
acceptContentTypes defines the Accept header sent by clients when connecting to a server, overriding the default value of 'application/json'. This field will control all connections to the server used by a particular client. |
contentType [Required]string
|
contentType is the content type used when sending data to the server from this client. |
qps [Required]float32
|
qps controls the number of queries per second allowed for this connection. |
burst [Required]int32
|
burst allows extra queries to accumulate when a client is exceeding its rate. |
DebuggingConfiguration
Appears in:
DebuggingConfiguration holds configuration for Debugging related features.
Field | Description |
---|---|
enableProfiling [Required]bool
|
enableProfiling enables profiling via web interface host:port/debug/pprof/ |
enableContentionProfiling [Required]bool
|
enableContentionProfiling enables lock contention profiling, if enableProfiling is true. |
LeaderElectionConfiguration
Appears in:
LeaderElectionConfiguration defines the configuration of leader election clients for components that can run with leader election enabled.
Field | Description |
---|---|
leaderElect [Required]bool
|
leaderElect enables a leader election client to gain leadership before executing the main loop. Enable this when running replicated components for high availability. |
leaseDuration [Required]meta/v1.Duration
|
leaseDuration is the duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled. |
renewDeadline [Required]meta/v1.Duration
|
renewDeadline is the interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled. |
retryPeriod [Required]meta/v1.Duration
|
retryPeriod is the duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled. |
resourceLock [Required]string
|
resourceLock indicates the resource object type that will be used to lock during leader election cycles. |
resourceName [Required]string
|
resourceName indicates the name of resource object that will be used to lock during leader election cycles. |
resourceNamespace [Required]string
|
resourceName indicates the namespace of resource object that will be used to lock during leader election cycles. |
LoggingConfiguration
Appears in:
LoggingConfiguration contains logging options Refer Logs Options for more information.
Field | Description |
---|---|
format [Required]string
|
Format Flag specifies the structure of log messages. default value of format is `text` |
sanitization [Required]bool
|
[Experimental] When enabled prevents logging of fields tagged as sensitive (passwords, keys, tokens). Runtime log sanitization may introduce significant computation overhead and therefore should not be enabled in production.`) |
DefaultPreemptionArgs
DefaultPreemptionArgs holds arguments used to configure the DefaultPreemption plugin.
Field | Description |
---|---|
apiVersion string | kubescheduler.config.k8s.io/v1beta1 |
kind string | DefaultPreemptionArgs |
minCandidateNodesPercentage [Required]int32
|
MinCandidateNodesPercentage is the minimum number of candidates to shortlist when dry running preemption as a percentage of number of nodes. Must be in the range [0, 100]. Defaults to 10% of the cluster size if unspecified. |
minCandidateNodesAbsolute [Required]int32
|
MinCandidateNodesAbsolute is the absolute minimum number of candidates to shortlist. The likely number of candidates enumerated for dry running preemption is given by the formula: numCandidates = max(numNodes ∗ minCandidateNodesPercentage, minCandidateNodesAbsolute) We say "likely" because there are other factors such as PDB violations that play a role in the number of candidates shortlisted. Must be at least 0 nodes. Defaults to 100 nodes if unspecified. |
InterPodAffinityArgs
InterPodAffinityArgs holds arguments used to configure the InterPodAffinity plugin.
Field | Description |
---|---|
apiVersion string | kubescheduler.config.k8s.io/v1beta1 |
kind string | InterPodAffinityArgs |
hardPodAffinityWeight [Required]int32
|
HardPodAffinityWeight is the scoring weight for existing pods with a matching hard affinity to the incoming pod. |
KubeSchedulerConfiguration
KubeSchedulerConfiguration configures a scheduler
Field | Description |
---|---|
apiVersion string | kubescheduler.config.k8s.io/v1beta1 |
kind string | KubeSchedulerConfiguration |
parallelism [Required]int32
|
Parallelism defines the amount of parallelism in algorithms for scheduling a Pods. Must be greater than 0. Defaults to 16 |
leaderElection [Required]LeaderElectionConfiguration
|
LeaderElection defines the configuration of leader election client. |
clientConnection [Required]ClientConnectionConfiguration
|
ClientConnection specifies the kubeconfig file and client connection settings for the proxy server to use when communicating with the apiserver. |
healthzBindAddress [Required]string
|
HealthzBindAddress is the IP address and port for the health check server to serve on, defaulting to 0.0.0.0:10251 |
metricsBindAddress [Required]string
|
MetricsBindAddress is the IP address and port for the metrics server to serve on, defaulting to 0.0.0.0:10251. |
DebuggingConfiguration [Required]DebuggingConfiguration
|
(Members of DebuggingConfiguration are embedded into this type.)
DebuggingConfiguration holds configuration for Debugging related features
TODO: We might wanna make this a substruct like Debugging componentbaseconfigv1alpha1.DebuggingConfiguration |
percentageOfNodesToScore [Required]int32
|
PercentageOfNodesToScore is the percentage of all nodes that once found feasible for running a pod, the scheduler stops its search for more feasible nodes in the cluster. This helps improve scheduler's performance. Scheduler always tries to find at least "minFeasibleNodesToFind" feasible nodes no matter what the value of this flag is. Example: if the cluster size is 500 nodes and the value of this flag is 30, then scheduler stops finding further feasible nodes once it finds 150 feasible ones. When the value is 0, default percentage (5%--50% based on the size of the cluster) of the nodes will be scored. |
podInitialBackoffSeconds [Required]int64
|
PodInitialBackoffSeconds is the initial backoff for unschedulable pods. If specified, it must be greater than 0. If this value is null, the default value (1s) will be used. |
podMaxBackoffSeconds [Required]int64
|
PodMaxBackoffSeconds is the max backoff for unschedulable pods. If specified, it must be greater than podInitialBackoffSeconds. If this value is null, the default value (10s) will be used. |
profiles [Required][]KubeSchedulerProfile
|
Profiles are scheduling profiles that kube-scheduler supports. Pods can choose to be scheduled under a particular profile by setting its associated scheduler name. Pods that don't specify any scheduler name are scheduled with the "default-scheduler" profile, if present here. |
extenders [Required][]Extender
|
Extenders are the list of scheduler extenders, each holding the values of how to communicate with the extender. These extenders are shared by all scheduler profiles. |
NodeAffinityArgs
NodeAffinityArgs holds arguments to configure the NodeAffinity plugin.
Field | Description |
---|---|
apiVersion string | kubescheduler.config.k8s.io/v1beta1 |
kind string | NodeAffinityArgs |
addedAffinity core/v1.NodeAffinity
|
AddedAffinity is applied to all Pods additionally to the NodeAffinity specified in the PodSpec. That is, Nodes need to satisfy AddedAffinity AND .spec.NodeAffinity. AddedAffinity is empty by default (all Nodes match). When AddedAffinity is used, some Pods with affinity requirements that match a specific Node (such as Daemonset Pods) might remain unschedulable. |
NodeLabelArgs
NodeLabelArgs holds arguments used to configure the NodeLabel plugin.
Field | Description |
---|---|
apiVersion string | kubescheduler.config.k8s.io/v1beta1 |
kind string | NodeLabelArgs |
presentLabels [Required][]string
|
PresentLabels should be present for the node to be considered a fit for hosting the pod |
absentLabels [Required][]string
|
AbsentLabels should be absent for the node to be considered a fit for hosting the pod |
presentLabelsPreference [Required][]string
|
Nodes that have labels in the list will get a higher score. |
absentLabelsPreference [Required][]string
|
Nodes that don't have labels in the list will get a higher score. |
NodeResourcesFitArgs
NodeResourcesFitArgs holds arguments used to configure the NodeResourcesFit plugin.
Field | Description |
---|---|
apiVersion string | kubescheduler.config.k8s.io/v1beta1 |
kind string | NodeResourcesFitArgs |
ignoredResources [Required][]string
|
IgnoredResources is the list of resources that NodeResources fit filter should ignore. |
ignoredResourceGroups [Required][]string
|
IgnoredResourceGroups defines the list of resource groups that NodeResources fit filter should ignore. e.g. if group is ["example.com"], it will ignore all resource names that begin with "example.com", such as "example.com/aaa" and "example.com/bbb". A resource group name can't contain '/'. |
NodeResourcesLeastAllocatedArgs
NodeResourcesLeastAllocatedArgs holds arguments used to configure NodeResourcesLeastAllocated plugin.
Field | Description |
---|---|
apiVersion string | kubescheduler.config.k8s.io/v1beta1 |
kind string | NodeResourcesLeastAllocatedArgs |
resources [Required][]ResourceSpec
|
Resources to be managed, if no resource is provided, default resource set with both the weight of "cpu" and "memory" set to "1" will be applied. Resource with "0" weight will not accountable for the final score. |
NodeResourcesMostAllocatedArgs
NodeResourcesMostAllocatedArgs holds arguments used to configure NodeResourcesMostAllocated plugin.
Field | Description |
---|---|
apiVersion string | kubescheduler.config.k8s.io/v1beta1 |
kind string | NodeResourcesMostAllocatedArgs |
resources [Required][]ResourceSpec
|
Resources to be managed, if no resource is provided, default resource set with both the weight of "cpu" and "memory" set to "1" will be applied. Resource with "0" weight will not accountable for the final score. |
PodTopologySpreadArgs
PodTopologySpreadArgs holds arguments used to configure the PodTopologySpread plugin.
Field | Description |
---|---|
apiVersion string | kubescheduler.config.k8s.io/v1beta1 |
kind string | PodTopologySpreadArgs |
defaultConstraints []core/v1.TopologySpreadConstraint
|
DefaultConstraints defines topology spread constraints to be applied to Pods that don't define any in `pod.spec.topologySpreadConstraints`. `.defaultConstraints[∗].labelSelectors` must be empty, as they are deduced from the Pod's membership to Services, ReplicationControllers, ReplicaSets or StatefulSets. When not empty, .defaultingType must be "List". |
defaultingType PodTopologySpreadConstraintsDefaulting
|
DefaultingType determines how .defaultConstraints are deduced. Can be one
of "System" or "List".
Defaults to "List" if feature gate DefaultPodTopologySpread is disabled and to "System" if enabled. |
RequestedToCapacityRatioArgs
RequestedToCapacityRatioArgs holds arguments used to configure RequestedToCapacityRatio plugin.
Field | Description |
---|---|
apiVersion string | kubescheduler.config.k8s.io/v1beta1 |
kind string | RequestedToCapacityRatioArgs |
shape [Required][]UtilizationShapePoint
|
Points defining priority function shape |
resources [Required][]ResourceSpec
|
Resources to be managed |
ServiceAffinityArgs
ServiceAffinityArgs holds arguments used to configure the ServiceAffinity plugin.
Field | Description |
---|---|
apiVersion string | kubescheduler.config.k8s.io/v1beta1 |
kind string | ServiceAffinityArgs |
affinityLabels [Required][]string
|
AffinityLabels are homogeneous for pods that are scheduled to a node. (i.e. it returns true IFF this pod can be added to this node such that all other pods in the same service are running on nodes with the exact same values for Labels). |
antiAffinityLabelsPreference [Required][]string
|
AntiAffinityLabelsPreference are the labels to consider for service anti affinity scoring. |
VolumeBindingArgs
VolumeBindingArgs holds arguments used to configure the VolumeBinding plugin.
Field | Description |
---|---|
apiVersion string | kubescheduler.config.k8s.io/v1beta1 |
kind string | VolumeBindingArgs |
bindTimeoutSeconds [Required]int64
|
BindTimeoutSeconds is the timeout in seconds in volume binding operation. Value must be non-negative integer. The value zero indicates no waiting. If this value is nil, the default value (600) will be used. |
Extender
Appears in:
Extender holds the parameters used to communicate with the extender. If a verb is unspecified/empty, it is assumed that the extender chose not to provide that extension.
Field | Description |
---|---|
urlPrefix [Required]string
|
URLPrefix at which the extender is available |
filterVerb [Required]string
|
Verb for the filter call, empty if not supported. This verb is appended to the URLPrefix when issuing the filter call to extender. |
preemptVerb [Required]string
|
Verb for the preempt call, empty if not supported. This verb is appended to the URLPrefix when issuing the preempt call to extender. |
prioritizeVerb [Required]string
|
Verb for the prioritize call, empty if not supported. This verb is appended to the URLPrefix when issuing the prioritize call to extender. |
weight [Required]int64
|
The numeric multiplier for the node scores that the prioritize call generates. The weight should be a positive integer |
bindVerb [Required]string
|
Verb for the bind call, empty if not supported. This verb is appended to the URLPrefix when issuing the bind call to extender. If this method is implemented by the extender, it is the extender's responsibility to bind the pod to apiserver. Only one extender can implement this function. |
enableHTTPS [Required]bool
|
EnableHTTPS specifies whether https should be used to communicate with the extender |
tlsConfig [Required]ExtenderTLSConfig
|
TLSConfig specifies the transport layer security config |
httpTimeout [Required]meta/v1.Duration
|
HTTPTimeout specifies the timeout duration for a call to the extender. Filter timeout fails the scheduling of the pod. Prioritize timeout is ignored, k8s/other extenders priorities are used to select the node. |
nodeCacheCapable [Required]bool
|
NodeCacheCapable specifies that the extender is capable of caching node information, so the scheduler should only send minimal information about the eligible nodes assuming that the extender already cached full details of all nodes in the cluster |
managedResources []ExtenderManagedResource
|
ManagedResources is a list of extended resources that are managed by this extender. - A pod will be sent to the extender on the Filter, Prioritize and Bind (if the extender is the binder) phases iff the pod requests at least one of the extended resources in this list. If empty or unspecified, all pods will be sent to this extender. - If IgnoredByScheduler is set to true for a resource, kube-scheduler will skip checking the resource in predicates. |
ignorable [Required]bool
|
Ignorable specifies if the extender is ignorable, i.e. scheduling should not fail when the extender returns an error or is not reachable. |
KubeSchedulerProfile
Appears in:
KubeSchedulerProfile is a scheduling profile.
Field | Description |
---|---|
schedulerName [Required]string
|
SchedulerName is the name of the scheduler associated to this profile. If SchedulerName matches with the pod's "spec.schedulerName", then the pod is scheduled with this profile. |
plugins [Required]Plugins
|
Plugins specify the set of plugins that should be enabled or disabled. Enabled plugins are the ones that should be enabled in addition to the default plugins. Disabled plugins are any of the default plugins that should be disabled. When no enabled or disabled plugin is specified for an extension point, default plugins for that extension point will be used if there is any. If a QueueSort plugin is specified, the same QueueSort Plugin and PluginConfig must be specified for all profiles. |
pluginConfig [Required][]PluginConfig
|
PluginConfig is an optional set of custom plugin arguments for each plugin. Omitting config args for a plugin is equivalent to using the default config for that plugin. |
Plugin
Appears in:
Plugin specifies a plugin name and its weight when applicable. Weight is used only for Score plugins.
Field | Description |
---|---|
name [Required]string
|
Name defines the name of plugin |
weight [Required]int32
|
Weight defines the weight of plugin, only used for Score plugins. |
PluginConfig
Appears in:
PluginConfig specifies arguments that should be passed to a plugin at the time of initialization. A plugin that is invoked at multiple extension points is initialized once. Args can have arbitrary structure. It is up to the plugin to process these Args.
Field | Description |
---|---|
name [Required]string
|
Name defines the name of plugin being configured |
args [Required]k8s.io/apimachinery/pkg/runtime.RawExtension
|
Args defines the arguments passed to the plugins at the time of initialization. Args can have arbitrary structure. |
PluginSet
Appears in:
PluginSet specifies enabled and disabled plugins for an extension point. If an array is empty, missing, or nil, default plugins at that extension point will be used.
Field | Description |
---|---|
enabled [Required][]Plugin
|
Enabled specifies plugins that should be enabled in addition to default plugins. These are called after default plugins and in the same order specified here. |
disabled [Required][]Plugin
|
Disabled specifies default plugins that should be disabled. When all default plugins need to be disabled, an array containing only one "∗" should be provided. |
Plugins
Appears in:
Plugins include multiple extension points. When specified, the list of plugins for a particular extension point are the only ones enabled. If an extension point is omitted from the config, then the default set of plugins is used for that extension point. Enabled plugins are called in the order specified here, after default plugins. If they need to be invoked before default plugins, default plugins must be disabled and re-enabled here in desired order.
Field | Description |
---|---|
queueSort [Required]PluginSet
|
QueueSort is a list of plugins that should be invoked when sorting pods in the scheduling queue. |
preFilter [Required]PluginSet
|
PreFilter is a list of plugins that should be invoked at "PreFilter" extension point of the scheduling framework. |
filter [Required]PluginSet
|
Filter is a list of plugins that should be invoked when filtering out nodes that cannot run the Pod. |
postFilter [Required]PluginSet
|
PostFilter is a list of plugins that are invoked after filtering phase, no matter whether filtering succeeds or not. |
preScore [Required]PluginSet
|
PreScore is a list of plugins that are invoked before scoring. |
score [Required]PluginSet
|
Score is a list of plugins that should be invoked when ranking nodes that have passed the filtering phase. |
reserve [Required]PluginSet
|
Reserve is a list of plugins invoked when reserving/unreserving resources after a node is assigned to run the pod. |
permit [Required]PluginSet
|
Permit is a list of plugins that control binding of a Pod. These plugins can prevent or delay binding of a Pod. |
preBind [Required]PluginSet
|
PreBind is a list of plugins that should be invoked before a pod is bound. |
bind [Required]PluginSet
|
Bind is a list of plugins that should be invoked at "Bind" extension point of the scheduling framework. The scheduler call these plugins in order. Scheduler skips the rest of these plugins as soon as one returns success. |
postBind [Required]PluginSet
|
PostBind is a list of plugins that should be invoked after a pod is successfully bound. |
PodTopologySpreadConstraintsDefaulting
(Alias of string
)
Appears in:
PodTopologySpreadConstraintsDefaulting defines how to set default constraints for the PodTopologySpread plugin.
ResourceSpec
Appears in:
ResourceSpec represents single resource and weight for bin packing of priority RequestedToCapacityRatioArguments.
Field | Description |
---|---|
name [Required]string
|
Name of the resource to be managed by RequestedToCapacityRatio function. |
weight [Required]int64
|
Weight of the resource. |
UtilizationShapePoint
Appears in:
UtilizationShapePoint represents single point of priority function shape.
Field | Description |
---|---|
utilization [Required]int32
|
Utilization (x axis). Valid values are 0 to 100. Fully utilized node maps to 100. |
score [Required]int32
|
Score assigned to given utilization (y axis). Valid values are 0 to 10. |
5 - kube-scheduler Policy Configuration (v1)
Resource Types
Policy
Policy describes a struct for a policy resource used in api.
Field | Description |
---|---|
apiVersion string | kubescheduler.config.k8s.io/v1 |
kind string | Policy |
predicates [Required][]PredicatePolicy
|
Holds the information to configure the fit predicate functions |
priorities [Required][]PriorityPolicy
|
Holds the information to configure the priority functions |
extenders [Required][]LegacyExtender
|
Holds the information to communicate with the extender(s) |
hardPodAffinitySymmetricWeight [Required]int32
|
RequiredDuringScheduling affinity is not symmetric, but there is an implicit PreferredDuringScheduling affinity rule corresponding to every RequiredDuringScheduling affinity rule. HardPodAffinitySymmetricWeight represents the weight of implicit PreferredDuringScheduling affinity rule, in the range 1-100. |
alwaysCheckAllPredicates [Required]bool
|
When AlwaysCheckAllPredicates is set to true, scheduler checks all the configured predicates even after one or more of them fails. When the flag is set to false, scheduler skips checking the rest of the predicates after it finds one predicate that failed. |
ExtenderManagedResource
Appears in:
ExtenderManagedResource describes the arguments of extended resources managed by an extender.
Field | Description |
---|---|
name [Required]string
|
Name is the extended resource name. |
ignoredByScheduler [Required]bool
|
IgnoredByScheduler indicates whether kube-scheduler should ignore this resource when applying predicates. |
ExtenderTLSConfig
Appears in:
ExtenderTLSConfig contains settings to enable TLS with extender
Field | Description |
---|---|
insecure [Required]bool
|
Server should be accessed without verifying the TLS certificate. For testing only. |
serverName [Required]string
|
ServerName is passed to the server for SNI and is used in the client to check server certificates against. If ServerName is empty, the hostname used to contact the server is used. |
certFile [Required]string
|
Server requires TLS client certificate authentication |
keyFile [Required]string
|
Server requires TLS client certificate authentication |
caFile [Required]string
|
Trusted root certificates for server |
certData [Required][]byte
|
CertData holds PEM-encoded bytes (typically read from a client certificate file). CertData takes precedence over CertFile |
keyData [Required][]byte
|
KeyData holds PEM-encoded bytes (typically read from a client certificate key file). KeyData takes precedence over KeyFile |
caData [Required][]byte
|
CAData holds PEM-encoded bytes (typically read from a root certificates bundle). CAData takes precedence over CAFile |
LabelPreference
Appears in:
LabelPreference holds the parameters that are used to configure the corresponding priority function
Field | Description |
---|---|
label [Required]string
|
Used to identify node "groups" |
presence [Required]bool
|
This is a boolean flag If true, higher priority is given to nodes that have the label If false, higher priority is given to nodes that do not have the label |
LabelsPresence
Appears in:
LabelsPresence holds the parameters that are used to configure the corresponding predicate in scheduler policy configuration.
Field | Description |
---|---|
labels [Required][]string
|
The list of labels that identify node "groups" All of the labels should be either present (or absent) for the node to be considered a fit for hosting the pod |
presence [Required]bool
|
The boolean flag that indicates whether the labels should be present or absent from the node |
LegacyExtender
Appears in:
LegacyExtender holds the parameters used to communicate with the extender. If a verb is unspecified/empty, it is assumed that the extender chose not to provide that extension.
Field | Description |
---|---|
urlPrefix [Required]string
|
URLPrefix at which the extender is available |
filterVerb [Required]string
|
Verb for the filter call, empty if not supported. This verb is appended to the URLPrefix when issuing the filter call to extender. |
preemptVerb [Required]string
|
Verb for the preempt call, empty if not supported. This verb is appended to the URLPrefix when issuing the preempt call to extender. |
prioritizeVerb [Required]string
|
Verb for the prioritize call, empty if not supported. This verb is appended to the URLPrefix when issuing the prioritize call to extender. |
weight [Required]int64
|
The numeric multiplier for the node scores that the prioritize call generates. The weight should be a positive integer |
bindVerb [Required]string
|
Verb for the bind call, empty if not supported. This verb is appended to the URLPrefix when issuing the bind call to extender. If this method is implemented by the extender, it is the extender's responsibility to bind the pod to apiserver. Only one extender can implement this function. |
enableHttps [Required]bool
|
EnableHTTPS specifies whether https should be used to communicate with the extender |
tlsConfig [Required]ExtenderTLSConfig
|
TLSConfig specifies the transport layer security config |
httpTimeout [Required]time.Duration
|
HTTPTimeout specifies the timeout duration for a call to the extender. Filter timeout fails the scheduling of the pod. Prioritize timeout is ignored, k8s/other extenders priorities are used to select the node. |
nodeCacheCapable [Required]bool
|
NodeCacheCapable specifies that the extender is capable of caching node information, so the scheduler should only send minimal information about the eligible nodes assuming that the extender already cached full details of all nodes in the cluster |
managedResources []ExtenderManagedResource
|
ManagedResources is a list of extended resources that are managed by this extender. - A pod will be sent to the extender on the Filter, Prioritize and Bind (if the extender is the binder) phases iff the pod requests at least one of the extended resources in this list. If empty or unspecified, all pods will be sent to this extender. - If IgnoredByScheduler is set to true for a resource, kube-scheduler will skip checking the resource in predicates. |
ignorable [Required]bool
|
Ignorable specifies if the extender is ignorable, i.e. scheduling should not fail when the extender returns an error or is not reachable. |
PredicateArgument
Appears in:
PredicateArgument represents the arguments to configure predicate functions in scheduler policy configuration. Only one of its members may be specified
Field | Description |
---|---|
serviceAffinity [Required]ServiceAffinity
|
The predicate that provides affinity for pods belonging to a service It uses a label to identify nodes that belong to the same "group" |
labelsPresence [Required]LabelsPresence
|
The predicate that checks whether a particular node has a certain label defined or not, regardless of value |
PredicatePolicy
Appears in:
PredicatePolicy describes a struct of a predicate policy.
Field | Description |
---|---|
name [Required]string
|
Identifier of the predicate policy For a custom predicate, the name can be user-defined For the Kubernetes provided predicates, the name is the identifier of the pre-defined predicate |
argument [Required]PredicateArgument
|
Holds the parameters to configure the given predicate |
PriorityArgument
Appears in:
PriorityArgument represents the arguments to configure priority functions in scheduler policy configuration. Only one of its members may be specified
Field | Description |
---|---|
serviceAntiAffinity [Required]ServiceAntiAffinity
|
The priority function that ensures a good spread (anti-affinity) for pods belonging to a service It uses a label to identify nodes that belong to the same "group" |
labelPreference [Required]LabelPreference
|
The priority function that checks whether a particular node has a certain label defined or not, regardless of value |
requestedToCapacityRatioArguments [Required]RequestedToCapacityRatioArguments
|
The RequestedToCapacityRatio priority function is parametrized with function shape. |
PriorityPolicy
Appears in:
PriorityPolicy describes a struct of a priority policy.
Field | Description |
---|---|
name [Required]string
|
Identifier of the priority policy For a custom priority, the name can be user-defined For the Kubernetes provided priority functions, the name is the identifier of the pre-defined priority function |
weight [Required]int64
|
The numeric multiplier for the node scores that the priority function generates The weight should be non-zero and can be a positive or a negative integer |
argument [Required]PriorityArgument
|
Holds the parameters to configure the given priority function |
RequestedToCapacityRatioArguments
Appears in:
RequestedToCapacityRatioArguments holds arguments specific to RequestedToCapacityRatio priority function.
Field | Description |
---|---|
shape [Required][]UtilizationShapePoint
|
Array of point defining priority function shape. |
resources [Required][]ResourceSpec
|
No description provided. |
ResourceSpec
Appears in:
ResourceSpec represents single resource and weight for bin packing of priority RequestedToCapacityRatioArguments.
Field | Description |
---|---|
name [Required]string
|
Name of the resource to be managed by RequestedToCapacityRatio function. |
weight [Required]int64
|
Weight of the resource. |
ServiceAffinity
Appears in:
ServiceAffinity holds the parameters that are used to configure the corresponding predicate in scheduler policy configuration.
Field | Description |
---|---|
labels [Required][]string
|
The list of labels that identify node "groups" All of the labels should match for the node to be considered a fit for hosting the pod |
ServiceAntiAffinity
Appears in:
ServiceAntiAffinity holds the parameters that are used to configure the corresponding priority function
Field | Description |
---|---|
label [Required]string
|
Used to identify node "groups" |
UtilizationShapePoint
Appears in:
UtilizationShapePoint represents single point of priority function shape.
Field | Description |
---|---|
utilization [Required]int32
|
Utilization (x axis). Valid values are 0 to 100. Fully utilized node maps to 100. |
score [Required]int32
|
Score assigned to given utilization (y axis). Valid values are 0 to 10. |
6 - kubeadm 配置 (v1beta3)
概述
包 v1beta3 定义 kubeadm 配置文件格式的 v1beta3 版本。 此版本改进了 v1beta2 的格式,修复了一些小问题并添加了一些新的字段。
从 v1beta2 版本以来的变更列表:
- 已弃用的字段 "ClusterConfiguration.useHyperKubeImage" 现在被移除。 kubeadm 不再支持 hyperkube 镜像。
- 字段 "ClusterConfiguration.dns.type" 已经被移除,因为 CoreDNS 是 kubeadm 所支持 的唯一 DNS 服务器类型。
- 保存私密信息的字段现在包含了 "datapolicy" 标记(tag)。 这一标记会导致 API 结构通过 klog 打印输出时,会忽略这些字段的值。
- 添加了 "InitConfiguration.skipPhases", "JoinConfiguration.skipPhases", 以允许在执行 kubeadm init/join 命令时略过某些阶段。
- 添加了 "InitConfiguration.nodeRegistration.imagePullPolicy" 和 "JoinConfiguration.nodeRegistration.imagePullPolicy" 以允许在 kubeadm init 和 kubeadm join 期间指定镜像拉取策略。 这两个字段的值必须是 "Always"、"Never" 或 "IfNotPresent" 之一。 默认值是 "IfNotPresent",也是添加此字段之前的默认行为。
- 添加了 "InitConfiguration.patches.directory", "JoinConfiguration.patches.directory" 以允许用户配置一个目录, kubeadm 将从该目录中提取组件的补丁包。
- BootstrapToken∗ API 和相关的工具被从 "kubeadm" API 组中移出, 放到一个新的 "bootstraptoken" 组中。kubeadm API 版本 v1beta3 不再包含 BootstrapToken∗ 结构。
从老的 kubeadm 配置版本迁移:
- kubeadm v1.15.x 及更新的版本可以用来从 v1beta1 迁移到 v1beta2 版本;
- kubeadm v1.22.x 及更新的版本不再支持 v1beta1 和更老的 API,但可以用来 从 v1beta2 迁移到 v1beta3。
基础知识
配置 kubeadm 的推荐方式是使用 --config
选项向其传递一个 YAML 配置文件。
kubeadm 配置文件中定义的某些配置选项也可以作为命令行标志来使用,不过这种
方法所支持的都是一些最常见的、最简单的使用场景。
一个 kubeadm 配置文件中可以包含多个配置类型,使用三根横线(---
)作为分隔符。
kubeadm 支持以下配置类型:
apiVersion: kubeadm.k8s.io/v1beta3 kind: InitConfiguration apiVersion: kubeadm.k8s.io/v1beta3 kind: ClusterConfiguration apiVersion: kubelet.config.k8s.io/v1beta1 kind: KubeletConfiguration apiVersion: kubeproxy.config.k8s.io/v1alpha1 kind: KubeProxyConfiguration apiVersion: kubeadm.k8s.io/v1beta3 kind: JoinConfiguration
要输出 "init" 和 "join" 动作的默认值,可以使用下面的命令:
kubeadm config print init-defaults kubeadm config print join-defaults
配置文件中必须包含的配置类型列表取决于你在执行的动作(init
或 join
),
也取决于你要使用的配置选项(默认值或者高级定制)。
如果某些配置类型没有提供,或者仅部分提供,kubeadm 将使用默认值;
kubeadm 所提供的默认值在必要时也会保证其在多个组件之间是一致的
(例如控制器管理器上的 --cluster-cidr
参数和 kube-proxy 上的
clusterCIDR
)。
用户总是可以重载默认配置值,唯一的例外是一小部分与安全性相关联的配置 (例如在 API 服务器上强制实施 Node 和 RBAC 鉴权模式)。
如果用户所提供的配置类型并非你所执行的操作需要的,kubeadm 会忽略这些配置类型 并打印警告信息。
kubeadm init 配置类型
当带有 --config
选项来执行 kubeadm init 命令时,可以使用下面的配置类型:
`InitConfiguration`、`ClusterConfiguration`、`KubeProxyConfiguration`、`KubeletConfiguration`,
但 `InitConfiguration` 和 `ClusterConfiguration`
之间只有一个是必须提供的。
apiVersion: kubeadm.k8s.io/v1beta3 kind: InitConfiguration bootstrapTokens: ... nodeRegistration: ...
类型 InitConfiguration 用来配置运行时设置,就 kubeadm init 命令而言,包括 启动引导令牌以及所有与 kubeadm 所在节点相关的设置,包括:
- nodeRegistration:其中包含与向集群注册新节点相关的字段;使用这个类型来 定制节点名称、要使用的 CRI 套接字或者其他仅对当前节点起作用的设置 (例如节点 IP 地址)。
- localAPIEndpoint:代表的是要部署到此节点上的 API 服务器示例的端点; 使用这个类型可以完成定制 API 服务器公告地址这类操作。
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
networking:
...
etcd:
...
apiServer:
extraArgs:
...
extraVolumes:
...
...
类型 `ClusterConfiguration` 用来定制集群范围的设置,具体包括以下设置:
networking
:其中包含集群的网络拓扑配置。使用这一部分可以定制 Pod 的 子网或者 Service 的子网。etcd
:etcd 数据库的配置。例如使用这个部分可以定制本地 etcd 或者配置 API 服务器 使用一个外部的 etcd 集群。kube-apiserver
、kube-scheduler
、kube-controller-manager
配置:这些部分可以通过添加定制的设置或者重载 kubeadm 的默认设置来定制控制面组件。
apiVersion: kubeproxy.config.k8s.io/v1alpha1 kind: KubeProxyConfiguration ...
KubeProxyConfiguration 类型用来更改传递给在集群中部署的 kube-proxy 实例 的配置。如果此对象没有提供,或者仅部分提供,kubeadm 使用默认值。
关于 kube-proxy 的官方文档,可参阅 https://kubernetes.io/zh/docs/reference/command-line-tools-reference/kube-proxy/ 或者 https://godoc.org/k8s.io/kube-proxy/config/v1alpha1#KubeProxyConfiguration。
apiVersion: kubelet.config.k8s.io/v1beta1 kind: KubeletConfiguration ...
KubeletConfiguration 类型用来更改传递给在集群中部署的 kubelet 实例的配置。 如果此对象没有提供,或者仅部分提供,kubeadm 使用默认值。
关于 kubelet 的官方文档,可参阅 https://kubernetes.io/zh/docs/reference/command-line-tools-reference/kubelet/ 或者 https://godoc.org/k8s.io/kubelet/config/v1beta1#KubeletConfiguration。
下面是一个为执行 kubeadm init
而提供的、包含多个配置类型的单一 YAML 文件,
其中填充了很多部分。
apiVersion: kubeadm.k8s.io/v1beta3 kind: InitConfiguration bootstrapTokens: - token: "9a08jv.c0izixklcxtmnze7" description: "kubeadm bootstrap token" ttl: "24h" - token: "783bde.3f89s0fje9f38fhf" description: "another bootstrap token" usages: - authentication - signing groups: - system:bootstrappers:kubeadm:default-node-token nodeRegistration: name: "ec2-10-100-0-1" criSocket: "/var/run/dockershim.sock" taints: - key: "kubeadmNode" value: "master" effect: "NoSchedule" kubeletExtraArgs: v: 4 ignorePreflightErrors: - IsPrivilegedUser imagePullPolicy: "IfNotPresent" localAPIEndpoint: advertiseAddress: "10.100.0.1" bindPort: 6443 certificateKey: "e6a2eb8581237ab72a4f494f30285ec12a9694d750b9785706a83bfcbbbd2204" skipPhases: - addon/kube-proxy --- apiVersion: kubeadm.k8s.io/v1beta3 kind: ClusterConfiguration etcd: # one of local or external local: imageRepository: "k8s.gcr.io" imageTag: "3.2.24" dataDir: "/var/lib/etcd" extraArgs: listen-client-urls: "http://10.100.0.1:2379" serverCertSANs: - "ec2-10-100-0-1.compute-1.amazonaws.com" peerCertSANs: - "10.100.0.1" # external: # endpoints: # - "10.100.0.1:2379" # - "10.100.0.2:2379" # caFile: "/etcd/kubernetes/pki/etcd/etcd-ca.crt" # certFile: "/etcd/kubernetes/pki/etcd/etcd.crt" # keyFile: "/etcd/kubernetes/pki/etcd/etcd.key" networking: serviceSubnet: "10.96.0.0/16" podSubnet: "10.244.0.0/24" dnsDomain: "cluster.local" kubernetesVersion: "v1.21.0" controlPlaneEndpoint: "10.100.0.1:6443" apiServer: extraArgs: authorization-mode: "Node,RBAC" extraVolumes: - name: "some-volume" hostPath: "/etc/some-path" mountPath: "/etc/some-pod-path" readOnly: false pathType: File certSANs: - "10.100.1.1" - "ec2-10-100-0-1.compute-1.amazonaws.com" timeoutForControlPlane: 4m0s controllerManager: extraArgs: "node-cidr-mask-size": "20" extraVolumes: - name: "some-volume" hostPath: "/etc/some-path" mountPath: "/etc/some-pod-path" readOnly: false pathType: File scheduler: extraArgs: address: "10.100.0.1" extraVolumes: - name: "some-volume" hostPath: "/etc/some-path" mountPath: "/etc/some-pod-path" readOnly: false pathType: File certificatesDir: "/etc/kubernetes/pki" imageRepository: "k8s.gcr.io" clusterName: "example-cluster" --- apiVersion: kubelet.config.k8s.io/v1beta1 kind: KubeletConfiguration # kubelet specific options here --- apiVersion: kubeproxy.config.k8s.io/v1alpha1 kind: KubeProxyConfiguration # kube-proxy specific options here
kubeadm join 配置类型
当带有 --config
选项来执行 kubeadm join
操作时,
需要提供 JoinConfiguration 类型。
apiVersion: kubeadm.k8s.io/v1beta3 kind: JoinConfiguration ...
JoinConfiguration 类型用来配置运行时设置,就 kubeadm join
而言包括
用来访问集群信息的发现方法,以及所有特定于 kubeadm 执行所在节点的设置,包括:
nodeRegistration
:其中包含向集群注册新节点相关的配置字段; 使用这个类型可以定制节点名称、用使用的 CRI 套接字和所有其他仅适用于当前节点的设置 (例如节点 IP 地址)。apiEndpoint
:用来代表最终要部署到此节点上的 API 服务器实例的端点。
资源类型
ClusterConfiguration
ClusterConfiguration 包含一个 kubadm 集群的集群范围配置信息。
字段 | 描述 |
---|---|
apiVersion string | kubeadm.k8s.io/v1beta3 |
kind string | ClusterConfiguration |
etcd Etcd
|
|
networking Networking
|
networking 字段包含集群的网络拓扑配置。
|
kubernetesVersion string
|
|
controlPlaneEndpoint string
|
可能的用法有:
|
apiServer APIServer
|
|
controllerManager ControlPlaneComponent
|
|
scheduler ControlPlaneComponent
|
|
dns DNS
|
|
certificatesDir string
|
|
imageRepository string
|
|
featureGates map[string]bool
|
|
clusterName string
|
集群名称。 |
InitConfiguration
InitConfiguration 包含一组特定于 "kubeadm init" 的运行时元素。
这里的字段仅用于第一次运行 kubeadm init
命令。
之后,此结构中的字段信息不会再被上传到 kubeadm upgrade
所要使用的
kubeadm-config
ConfigMap 中。
这些字段必须设置 "omitempty"
字段 | 描述 |
---|---|
apiVersion string | kubeadm.k8s.io/v1beta3 |
kind string | InitConfiguration |
bootstrapTokens []BootstrapToken
|
|
nodeRegistration NodeRegistrationOptions
|
|
localAPIEndpoint APIEndpoint
|
|
certificateKey string
|
|
skipPhases []string
|
|
patches Patches
|
|
JoinConfiguration
JoinConfiguration 包含描述特定节点的元素。
字段 | 描述 |
---|---|
apiVersion string | kubeadm.k8s.io/v1beta3 |
kind string | JoinConfiguration |
nodeRegistration NodeRegistrationOptions
|
|
caCertPath string
|
|
discovery [必需]-->[必需]Discovery
|
|
controlPlane JoinControlPlane
|
|
skipPhases []string
|
此字段包含在命令执行过程中要略过的阶段。通过 |
patches Patches
|
此字段包含 |
APIEndpoint
出现在:
APIEndpoint 结构包含某节点上部署的 API 服务器的配置元素。
字段 | 描述 |
---|---|
advertiseAddress string
|
|
bindPort int32
|
|
APIServer
出现在:
APIServer 包含集群中 API 服务器部署所必需的设置。
字段 | 描述 |
---|---|
ControlPlaneComponent [必需]-->[必需]ControlPlaneComponent
|
(ControlPlaneComponent 结构的字段被嵌入到此类型中)
无描述.
|
certSANs []string
|
|
timeoutForControlPlane meta/v1.Duration
|
|
BootstrapTokenDiscovery
出现在:
BootstrapTokenDiscovery 用来设置基于引导令牌的服务发现选项。
字段 | 描述 |
---|---|
token [必需]-->[必需]string
|
|
apiServerEndpoint string
|
|
caCertHashes []string
|
|
unsafeSkipCAVerification bool
|
|
ControlPlaneComponent
出现在:
ControlPlaneComponent 中包含对集群中所有控制面组件都适用的设置。
字段 | 描述 |
---|---|
extraArgs map[string]string
|
|
extraVolumes []HostPathMount
|
|
DNS
出现在:
DNS 结构定义要在集群中使用的 DNS 插件。
字段 | 描述 |
---|---|
ImageMeta [必需]-->[必需]ImageMeta
|
(ImageMeta 的成员被内嵌到此类型中)。
|
Discovery
出现在:
Discovery 设置 TLS 启动引导过程中 kubelet 要使用的配置选项。
字段 | 描述 |
---|---|
bootstrapToken BootstrapTokenDiscovery
|
|
file FileDiscovery
|
|
tlsBootstrapToken string
|
|
timeout meta/v1.Duration
|
|
Etcd
出现在:
Etcd 包含用来描述 etcd 配置的元素。
字段 | 描述 |
---|---|
local LocalEtcd
|
|
external ExternalEtcd
|
|
ExternalEtcd
出现在:
ExternalEtcd 描述外部 etcd 集群。 kubeadm 不清楚证书文件的存放位置,因此必须单独提供证书信息。
字段 | 描述 |
---|---|
endpoints [必需]-->[必需][]string
|
|
caFile [必需]-->[必需]string
|
|
certFile [必需]string
|
|
keyFile [必需]string
|
|
FileDiscovery
出现在:
FileDiscovery 用来指定一个文件或者 URL 路径,指向一个 kubeconfig 文件;该配置文件 可用来加载集群信息。
字段 | 描述 |
---|---|
kubeConfigPath [必需]string
|
|
HostPathMount
出现在:
HostPathMount 包含从宿主节点挂载的卷的信息。
字段 | 描述 |
---|---|
name [必需]string
|
|
hostPath [必需]string
|
|
mountPath [必需]string
|
|
readOnly bool
|
|
pathType core/v1.HostPathType
|
|
ImageMeta
出现在:
ImageMeta 用来配置来源不是 Kubernetes/kubernetes 发布过程的组件所使用的镜像。
字段 | 描述 |
---|---|
imageRepository string
|
|
imageTag string
|
|
JoinControlPlane
出现在:
JoinControlPlane 包含在正在加入集群的节点上要部署的额外的控制面组件的 设置。
字段 | 描述 |
---|---|
localAPIEndpoint APIEndpoint
|
|
certificateKey string
|
|
LocalEtcd
出现在:
LocalEtcd 描述的是 kubeadm 要使用的本地 etcd 集群。
字段 | 描述 |
---|---|
ImageMeta [必需]ImageMeta
|
(ImageMeta 结构的字段被嵌入到此类型中。)
ImageMeta 允许用户为 etcd 定制要使用的容器。 |
dataDir [必需]string
|
|
extraArgs map[string]string
|
|
serverCertSANs []string
|
|
peerCertSANs []string
|
|
Networking
出现在:
Networking 中包含描述集群网络配置的元素。
字段 | 描述 |
---|---|
serviceSubnet string
|
|
podSubnet string
|
|
dnsDomain string
|
|
NodeRegistrationOptions
出现在:
NodeRegistrationOptions 包含向集群中注册新的控制面或节点所需要的信息; 节点注册可能通过 "kubeadm init" 或 "kubeadm join" 完成。
字段 | 描述 |
---|---|
name string
|
|
criSocket string
|
|
taints [必需][]core/v1.Taint
|
|
kubeletExtraArgs map[string]string
|
|
ignorePreflightErrors []string
|
|
imagePullPolicy core/v1.PullPolicy
|
|
Patches
出现在:
Patches 包含要向 kubeadm 所部署的组件应用的补丁信息。
字段 | 描述 |
---|---|
directory string
|
|
BootstrapToken
出现在:
BootstrapToken 描述的是一个启动引导令牌,以 Secret 形式存储在集群中。
字段 | 描述 |
---|---|
token [必需]BootstrapTokenString
|
|
description string
|
|
ttl meta/v1.Duration
|
|
expires meta/v1.Time
|
|
usages []string
|
|
groups []string
|
|
BootstrapTokenString
出现在:
BootstrapTokenString 形式为 abcdef.abcdef0123456789
的一个令牌,
用来从加入集群的节点角度验证 API 服务器的身份,或者 "kubeadm join"
在节点启动引导是作为一种身份认证方法。
此令牌的生命期是短暂的,并且应该如此。
字段 | 描述 |
---|---|
id [必需]string
|
无描述 |
secret [必需]string
|
无描述 |
7 - Kubelet Configuration (v1beta1)
Resource Types
KubeletConfiguration
KubeletConfiguration contains the configuration for the Kubelet
Field | Description |
---|---|
apiVersion string | kubelet.config.k8s.io/v1beta1 |
kind string | KubeletConfiguration |
enableServer [Required]bool
|
enableServer enables Kubelet's secured server. Note: Kubelet's insecure port is controlled by the readOnlyPort option. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that interact with the Kubelet server. Default: true |
staticPodPath string
|
staticPodPath is the path to the directory containing local (static) pods to run, or the path to a single static pod file. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that the set of static pods specified at the new path may be different than the ones the Kubelet initially started with, and this may disrupt your node. Default: "" |
syncFrequency meta/v1.Duration
|
syncFrequency is the max period between synchronizing running containers and config. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that shortening this duration may have a negative performance impact, especially as the number of Pods on the node increases. Alternatively, increasing this duration will result in longer refresh times for ConfigMaps and Secrets. Default: "1m" |
fileCheckFrequency meta/v1.Duration
|
fileCheckFrequency is the duration between checking config files for new data Dynamic Kubelet Config (beta): If dynamically updating this field, consider that shortening the duration will cause the Kubelet to reload local Static Pod configurations more frequently, which may have a negative performance impact. Default: "20s" |
httpCheckFrequency meta/v1.Duration
|
httpCheckFrequency is the duration between checking http for new data Dynamic Kubelet Config (beta): If dynamically updating this field, consider that shortening the duration will cause the Kubelet to poll staticPodURL more frequently, which may have a negative performance impact. Default: "20s" |
staticPodURL string
|
staticPodURL is the URL for accessing static pods to run Dynamic Kubelet Config (beta): If dynamically updating this field, consider that the set of static pods specified at the new URL may be different than the ones the Kubelet initially started with, and this may disrupt your node. Default: "" |
staticPodURLHeader map[string][]string
|
staticPodURLHeader is a map of slices with HTTP headers to use when accessing the podURL Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt the ability to read the latest set of static pods from StaticPodURL. Default: nil |
address string
|
address is the IP address for the Kubelet to serve on (set to 0.0.0.0 for all interfaces). Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that interact with the Kubelet server. Default: "0.0.0.0" |
port int32
|
port is the port for the Kubelet to serve on. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that interact with the Kubelet server. Default: 10250 |
readOnlyPort int32
|
readOnlyPort is the read-only port for the Kubelet to serve on with no authentication/authorization. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that interact with the Kubelet server. Default: 0 (disabled) |
tlsCertFile string
|
tlsCertFile is the file containing x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). If tlsCertFile and tlsPrivateKeyFile are not provided, a self-signed certificate and key are generated for the public address and saved to the directory passed to the Kubelet's --cert-dir flag. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that interact with the Kubelet server. Default: "" |
tlsPrivateKeyFile string
|
tlsPrivateKeyFile is the file containing x509 private key matching tlsCertFile Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that interact with the Kubelet server. Default: "" |
tlsCipherSuites []string
|
TLSCipherSuites is the list of allowed cipher suites for the server. Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that interact with the Kubelet server. Default: nil |
tlsMinVersion string
|
TLSMinVersion is the minimum TLS version supported. Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that interact with the Kubelet server. Default: "" |
rotateCertificates bool
|
rotateCertificates enables client certificate rotation. The Kubelet will request a new certificate from the certificates.k8s.io API. This requires an approver to approve the certificate signing requests. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that disabling it may disrupt the Kubelet's ability to authenticate with the API server after the current certificate expires. Default: false |
serverTLSBootstrap bool
|
serverTLSBootstrap enables server certificate bootstrap. Instead of self signing a serving certificate, the Kubelet will request a certificate from the certificates.k8s.io API. This requires an approver to approve the certificate signing requests. The RotateKubeletServerCertificate feature must be enabled. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that disabling it will stop the renewal of Kubelet server certificates, which can disrupt components that interact with the Kubelet server in the long term, due to certificate expiration. Default: false |
authentication KubeletAuthentication
|
authentication specifies how requests to the Kubelet's server are authenticated Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that interact with the Kubelet server. Defaults: anonymous: enabled: false webhook: enabled: true cacheTTL: "2m" |
authorization KubeletAuthorization
|
authorization specifies how requests to the Kubelet's server are authorized Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that interact with the Kubelet server. Defaults: mode: Webhook webhook: cacheAuthorizedTTL: "5m" cacheUnauthorizedTTL: "30s" |
registryPullQPS int32
|
registryPullQPS is the limit of registry pulls per second. Set to 0 for no limit. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may impact scalability by changing the amount of traffic produced by image pulls. Default: 5 |
registryBurst int32
|
registryBurst is the maximum size of bursty pulls, temporarily allows pulls to burst to this number, while still not exceeding registryPullQPS. Only used if registryPullQPS > 0. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may impact scalability by changing the amount of traffic produced by image pulls. Default: 10 |
eventRecordQPS int32
|
eventRecordQPS is the maximum event creations per second. If 0, there is no limit enforced. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may impact scalability by changing the amount of traffic produced by event creations. Default: 5 |
eventBurst int32
|
eventBurst is the maximum size of a burst of event creations, temporarily allows event creations to burst to this number, while still not exceeding eventRecordQPS. Only used if eventRecordQPS > 0. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may impact scalability by changing the amount of traffic produced by event creations. Default: 10 |
enableDebuggingHandlers bool
|
enableDebuggingHandlers enables server endpoints for log access and local running of containers and commands, including the exec, attach, logs, and portforward features. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that disabling it may disrupt components that interact with the Kubelet server. Default: true |
enableContentionProfiling bool
|
enableContentionProfiling enables lock contention profiling, if enableDebuggingHandlers is true. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that enabling it may carry a performance impact. Default: false |
healthzPort int32
|
healthzPort is the port of the localhost healthz endpoint (set to 0 to disable) Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that monitor Kubelet health. Default: 10248 |
healthzBindAddress string
|
healthzBindAddress is the IP address for the healthz server to serve on Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that monitor Kubelet health. Default: "127.0.0.1" |
oomScoreAdj int32
|
oomScoreAdj is The oom-score-adj value for kubelet process. Values must be within the range [-1000, 1000]. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may impact the stability of nodes under memory pressure. Default: -999 |
clusterDomain string
|
clusterDomain is the DNS domain for this cluster. If set, kubelet will configure all containers to search this domain in addition to the host's search domains. Dynamic Kubelet Config (beta): Dynamically updating this field is not recommended, as it should be kept in sync with the rest of the cluster. Default: "" |
clusterDNS []string
|
clusterDNS is a list of IP addresses for the cluster DNS server. If set, kubelet will configure all containers to use this for DNS resolution instead of the host's DNS servers. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that changes will only take effect on Pods created after the update. Draining the node is recommended before changing this field. Default: nil |
streamingConnectionIdleTimeout meta/v1.Duration
|
streamingConnectionIdleTimeout is the maximum time a streaming connection can be idle before the connection is automatically closed. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may impact components that rely on infrequent updates over streaming connections to the Kubelet server. Default: "4h" |
nodeStatusUpdateFrequency meta/v1.Duration
|
nodeStatusUpdateFrequency is the frequency that kubelet computes node status. If node lease feature is not enabled, it is also the frequency that kubelet posts node status to master. Note: When node lease feature is not enabled, be cautious when changing the constant, it must work with nodeMonitorGracePeriod in nodecontroller. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may impact node scalability, and also that the node controller's nodeMonitorGracePeriod must be set to N∗NodeStatusUpdateFrequency, where N is the number of retries before the node controller marks the node unhealthy. Default: "10s" |
nodeStatusReportFrequency meta/v1.Duration
|
nodeStatusReportFrequency is the frequency that kubelet posts node status to master if node status does not change. Kubelet will ignore this frequency and post node status immediately if any change is detected. It is only used when node lease feature is enabled. nodeStatusReportFrequency's default value is 1m. But if nodeStatusUpdateFrequency is set explicitly, nodeStatusReportFrequency's default value will be set to nodeStatusUpdateFrequency for backward compatibility. Default: "1m" |
nodeLeaseDurationSeconds int32
|
nodeLeaseDurationSeconds is the duration the Kubelet will set on its corresponding Lease, when the NodeLease feature is enabled. This feature provides an indicator of node health by having the Kubelet create and periodically renew a lease, named after the node, in the kube-node-lease namespace. If the lease expires, the node can be considered unhealthy. The lease is currently renewed every 10s, per KEP-0009. In the future, the lease renewal interval may be set based on the lease duration. Requires the NodeLease feature gate to be enabled. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that decreasing the duration may reduce tolerance for issues that temporarily prevent the Kubelet from renewing the lease (e.g. a short-lived network issue). Default: 40 |
imageMinimumGCAge meta/v1.Duration
|
imageMinimumGCAge is the minimum age for an unused image before it is garbage collected. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may trigger or delay garbage collection, and may change the image overhead on the node. Default: "2m" |
imageGCHighThresholdPercent int32
|
imageGCHighThresholdPercent is the percent of disk usage after which image garbage collection is always run. The percent is calculated as this field value out of 100. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may trigger or delay garbage collection, and may change the image overhead on the node. Default: 85 |
imageGCLowThresholdPercent int32
|
imageGCLowThresholdPercent is the percent of disk usage before which image garbage collection is never run. Lowest disk usage to garbage collect to. The percent is calculated as this field value out of 100. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may trigger or delay garbage collection, and may change the image overhead on the node. Default: 80 |
volumeStatsAggPeriod meta/v1.Duration
|
How frequently to calculate and cache volume disk usage for all pods Dynamic Kubelet Config (beta): If dynamically updating this field, consider that shortening the period may carry a performance impact. Default: "1m" |
kubeletCgroups string
|
kubeletCgroups is the absolute name of cgroups to isolate the kubelet in Dynamic Kubelet Config (beta): This field should not be updated without a full node reboot. It is safest to keep this value the same as the local config. Default: "" |
systemCgroups string
|
systemCgroups is absolute name of cgroups in which to place all non-kernel processes that are not already in a container. Empty for no container. Rolling back the flag requires a reboot. Dynamic Kubelet Config (beta): This field should not be updated without a full node reboot. It is safest to keep this value the same as the local config. Default: "" |
cgroupRoot string
|
cgroupRoot is the root cgroup to use for pods. This is handled by the container runtime on a best effort basis. Dynamic Kubelet Config (beta): This field should not be updated without a full node reboot. It is safest to keep this value the same as the local config. Default: "" |
cgroupsPerQOS bool
|
Enable QoS based Cgroup hierarchy: top level cgroups for QoS Classes And all Burstable and BestEffort pods are brought up under their specific top level QoS cgroup. Dynamic Kubelet Config (beta): This field should not be updated without a full node reboot. It is safest to keep this value the same as the local config. Default: true |
cgroupDriver string
|
driver that the kubelet uses to manipulate cgroups on the host (cgroupfs or systemd) Dynamic Kubelet Config (beta): This field should not be updated without a full node reboot. It is safest to keep this value the same as the local config. Default: "cgroupfs" |
cpuManagerPolicy string
|
CPUManagerPolicy is the name of the policy to use. Requires the CPUManager feature gate to be enabled. Dynamic Kubelet Config (beta): This field should not be updated without a full node reboot. It is safest to keep this value the same as the local config. Default: "none" |
cpuManagerReconcilePeriod meta/v1.Duration
|
CPU Manager reconciliation period. Requires the CPUManager feature gate to be enabled. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that shortening the period may carry a performance impact. Default: "10s" |
topologyManagerPolicy string
|
TopologyManagerPolicy is the name of the policy to use. Policies other than "none" require the TopologyManager feature gate to be enabled. Dynamic Kubelet Config (beta): This field should not be updated without a full node reboot. It is safest to keep this value the same as the local config. Default: "none" |
topologyManagerScope string
|
TopologyManagerScope represents the scope of topology hint generation that topology manager requests and hint providers generate. "pod" scope requires the TopologyManager feature gate to be enabled. Default: "container" |
qosReserved map[string]string
|
qosReserved is a set of resource name to percentage pairs that specify the minimum percentage of a resource reserved for exclusive use by the guaranteed QoS tier. Currently supported resources: "memory" Requires the QOSReserved feature gate to be enabled. Dynamic Kubelet Config (beta): This field should not be updated without a full node reboot. It is safest to keep this value the same as the local config. Default: nil |
runtimeRequestTimeout meta/v1.Duration
|
runtimeRequestTimeout is the timeout for all runtime requests except long running requests - pull, logs, exec and attach. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that interact with the Kubelet server. Default: "2m" |
hairpinMode string
|
hairpinMode specifies how the Kubelet should configure the container bridge for hairpin packets. Setting this flag allows endpoints in a Service to loadbalance back to themselves if they should try to access their own Service. Values: "promiscuous-bridge": make the container bridge promiscuous. "hairpin-veth": set the hairpin flag on container veth interfaces. "none": do nothing. Generally, one must set --hairpin-mode=hairpin-veth to achieve hairpin NAT, because promiscuous-bridge assumes the existence of a container bridge named cbr0. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may require a node reboot, depending on the network plugin. Default: "promiscuous-bridge" |
maxPods int32
|
maxPods is the number of pods that can run on this Kubelet. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that changes may cause Pods to fail admission on Kubelet restart, and may change the value reported in Node.Status.Capacity[v1.ResourcePods], thus affecting future scheduling decisions. Increasing this value may also decrease performance, as more Pods can be packed into a single node. Default: 110 |
podCIDR string
|
The CIDR to use for pod IP addresses, only used in standalone mode. In cluster mode, this is obtained from the master. Dynamic Kubelet Config (beta): This field should always be set to the empty default. It should only set for standalone Kubelets, which cannot use Dynamic Kubelet Config. Default: "" |
podPidsLimit int64
|
PodPidsLimit is the maximum number of pids in any pod. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that lowering it may prevent container processes from forking after the change. Default: -1 |
resolvConf string
|
ResolverConfig is the resolver configuration file used as the basis for the container DNS resolution configuration. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that changes will only take effect on Pods created after the update. Draining the node is recommended before changing this field. Default: "/etc/resolv.conf" |
runOnce bool
|
RunOnce causes the Kubelet to check the API server once for pods, run those in addition to the pods specified by static pod files, and exit. Default: false |
cpuCFSQuota bool
|
cpuCFSQuota enables CPU CFS quota enforcement for containers that specify CPU limits. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that disabling it may reduce node stability. Default: true |
cpuCFSQuotaPeriod meta/v1.Duration
|
CPUCFSQuotaPeriod is the CPU CFS quota period value, cpu.cfs_period_us. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that limits set for containers will result in different cpu.cfs_quota settings. This will trigger container restarts on the node being reconfigured. Default: "100ms" |
nodeStatusMaxImages int32
|
nodeStatusMaxImages caps the number of images reported in Node.Status.Images. Note: If -1 is specified, no cap will be applied. If 0 is specified, no image is returned. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that different values can be reported on node status. Default: 50 |
maxOpenFiles int64
|
maxOpenFiles is Number of files that can be opened by Kubelet process. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may impact the ability of the Kubelet to interact with the node's filesystem. Default: 1000000 |
contentType string
|
contentType is contentType of requests sent to apiserver. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may impact the ability for the Kubelet to communicate with the API server. If the Kubelet loses contact with the API server due to a change to this field, the change cannot be reverted via dynamic Kubelet config. Default: "application/vnd.kubernetes.protobuf" |
kubeAPIQPS int32
|
kubeAPIQPS is the QPS to use while talking with kubernetes apiserver Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may impact scalability by changing the amount of traffic the Kubelet sends to the API server. Default: 5 |
kubeAPIBurst int32
|
kubeAPIBurst is the burst to allow while talking with kubernetes apiserver Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may impact scalability by changing the amount of traffic the Kubelet sends to the API server. Default: 10 |
serializeImagePulls bool
|
serializeImagePulls when enabled, tells the Kubelet to pull images one at a time. We recommend ∗not∗ changing the default value on nodes that run docker daemon with version < 1.9 or an Aufs storage backend. Issue #10959 has more details. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may impact the performance of image pulls. Default: true |
evictionHard map[string]string
|
Map of signal names to quantities that defines hard eviction thresholds. For example: {"memory.available": "300Mi"}. To explicitly disable, pass a 0% or 100% threshold on an arbitrary resource. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may trigger or delay Pod evictions. Default: memory.available: "100Mi" nodefs.available: "10%" nodefs.inodesFree: "5%" imagefs.available: "15%" |
evictionSoft map[string]string
|
Map of signal names to quantities that defines soft eviction thresholds. For example: {"memory.available": "300Mi"}. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may trigger or delay Pod evictions, and may change the allocatable reported by the node. Default: nil |
evictionSoftGracePeriod map[string]string
|
Map of signal names to quantities that defines grace periods for each soft eviction signal. For example: {"memory.available": "30s"}. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may trigger or delay Pod evictions. Default: nil |
evictionPressureTransitionPeriod meta/v1.Duration
|
Duration for which the kubelet has to wait before transitioning out of an eviction pressure condition. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that lowering it may decrease the stability of the node when the node is overcommitted. Default: "5m" |
evictionMaxPodGracePeriod int32
|
Maximum allowed grace period (in seconds) to use when terminating pods in response to a soft eviction threshold being met. This value effectively caps the Pod's TerminationGracePeriodSeconds value during soft evictions. Note: Due to issue #64530, the behavior has a bug where this value currently just overrides the grace period during soft eviction, which can increase the grace period from what is set on the Pod. This bug will be fixed in a future release. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that lowering it decreases the amount of time Pods will have to gracefully clean up before being killed during a soft eviction. Default: 0 |
evictionMinimumReclaim map[string]string
|
Map of signal names to quantities that defines minimum reclaims, which describe the minimum amount of a given resource the kubelet will reclaim when performing a pod eviction while that resource is under pressure. For example: {"imagefs.available": "2Gi"} Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may change how well eviction can manage resource pressure. Default: nil |
podsPerCore int32
|
podsPerCore is the maximum number of pods per core. Cannot exceed MaxPods. If 0, this field is ignored. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that changes may cause Pods to fail admission on Kubelet restart, and may change the value reported in Node.Status.Capacity[v1.ResourcePods], thus affecting future scheduling decisions. Increasing this value may also decrease performance, as more Pods can be packed into a single node. Default: 0 |
enableControllerAttachDetach bool
|
enableControllerAttachDetach enables the Attach/Detach controller to manage attachment/detachment of volumes scheduled to this node, and disables kubelet from executing any attach/detach operations Dynamic Kubelet Config (beta): If dynamically updating this field, consider that changing which component is responsible for volume management on a live node may result in volumes refusing to detach if the node is not drained prior to the update, and if Pods are scheduled to the node before the volumes.kubernetes.io/controller-managed-attach-detach annotation is updated by the Kubelet. In general, it is safest to leave this value set the same as local config. Default: true |
protectKernelDefaults bool
|
protectKernelDefaults, if true, causes the Kubelet to error if kernel flags are not as it expects. Otherwise the Kubelet will attempt to modify kernel flags to match its expectation. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that enabling it may cause the Kubelet to crash-loop if the Kernel is not configured as Kubelet expects. Default: false |
makeIPTablesUtilChains bool
|
If true, Kubelet ensures a set of iptables rules are present on host. These rules will serve as utility rules for various components, e.g. KubeProxy. The rules will be created based on IPTablesMasqueradeBit and IPTablesDropBit. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that disabling it will prevent the Kubelet from healing locally misconfigured iptables rules. Default: true |
iptablesMasqueradeBit int32
|
iptablesMasqueradeBit is the bit of the iptables fwmark space to mark for SNAT Values must be within the range [0, 31]. Must be different from other mark bits. Warning: Please match the value of the corresponding parameter in kube-proxy. TODO: clean up IPTablesMasqueradeBit in kube-proxy Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it needs to be coordinated with other components, like kube-proxy, and the update will only be effective if MakeIPTablesUtilChains is enabled. Default: 14 |
iptablesDropBit int32
|
iptablesDropBit is the bit of the iptables fwmark space to mark for dropping packets. Values must be within the range [0, 31]. Must be different from other mark bits. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it needs to be coordinated with other components, like kube-proxy, and the update will only be effective if MakeIPTablesUtilChains is enabled. Default: 15 |
featureGates map[string]bool
|
featureGates is a map of feature names to bools that enable or disable alpha/experimental features. This field modifies piecemeal the built-in default values from "k8s.io/kubernetes/pkg/features/kube_features.go". Dynamic Kubelet Config (beta): If dynamically updating this field, consider the documentation for the features you are enabling or disabling. While we encourage feature developers to make it possible to dynamically enable and disable features, some changes may require node reboots, and some features may require careful coordination to retroactively disable. Default: nil |
failSwapOn bool
|
failSwapOn tells the Kubelet to fail to start if swap is enabled on the node. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that setting it to true will cause the Kubelet to crash-loop if swap is enabled. Default: true |
containerLogMaxSize string
|
A quantity defines the maximum size of the container log file before it is rotated. For example: "5Mi" or "256Ki". Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may trigger log rotation. Default: "10Mi" |
containerLogMaxFiles int32
|
Maximum number of container log files that can be present for a container. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that lowering it may cause log files to be deleted. Default: 5 |
configMapAndSecretChangeDetectionStrategy ResourceChangeDetectionStrategy
|
ConfigMapAndSecretChangeDetectionStrategy is a mode in which config map and secret managers are running. Default: "Watch" |
systemReserved map[string]string
|
systemReserved is a set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=150G) pairs that describe resources reserved for non-kubernetes components. Currently only cpu and memory are supported. See http://kubernetes.io/docs/user-guide/compute-resources for more detail. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may not be possible to increase the reserved resources, because this requires resizing cgroups. Always look for a NodeAllocatableEnforced event after updating this field to ensure that the update was successful. Default: nil |
kubeReserved map[string]string
|
A set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=150G) pairs that describe resources reserved for kubernetes system components. Currently cpu, memory and local storage for root file system are supported. See http://kubernetes.io/docs/user-guide/compute-resources for more detail. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may not be possible to increase the reserved resources, because this requires resizing cgroups. Always look for a NodeAllocatableEnforced event after updating this field to ensure that the update was successful. Default: nil |
reservedSystemCPUs [Required]string
|
This ReservedSystemCPUs option specifies the cpu list reserved for the host level system threads and kubernetes related threads. This provide a "static" CPU list rather than the "dynamic" list by system-reserved and kube-reserved. This option overwrites CPUs provided by system-reserved and kube-reserved. |
showHiddenMetricsForVersion string
|
The previous version for which you want to show hidden metrics.
Only the previous minor version is meaningful, other values will not be allowed.
The format is |
systemReservedCgroup string
|
This flag helps kubelet identify absolute name of top level cgroup used to enforce `SystemReserved` compute resource reservation for OS system daemons. Refer to [Node Allocatable](https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md) doc for more information. Dynamic Kubelet Config (beta): This field should not be updated without a full node reboot. It is safest to keep this value the same as the local config. Default: "" |
kubeReservedCgroup string
|
This flag helps kubelet identify absolute name of top level cgroup used to enforce `KubeReserved` compute resource reservation for Kubernetes node system daemons. Refer to [Node Allocatable](https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md) doc for more information. Dynamic Kubelet Config (beta): This field should not be updated without a full node reboot. It is safest to keep this value the same as the local config. Default: "" |
enforceNodeAllocatable []string
|
This flag specifies the various Node Allocatable enforcements that Kubelet needs to perform. This flag accepts a list of options. Acceptable options are `none`, `pods`, `system-reserved` & `kube-reserved`. If `none` is specified, no other options may be specified. Refer to [Node Allocatable](https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md) doc for more information. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that removing enforcements may reduce the stability of the node. Alternatively, adding enforcements may reduce the stability of components which were using more than the reserved amount of resources; for example, enforcing kube-reserved may cause Kubelets to OOM if it uses more than the reserved resources, and enforcing system-reserved may cause system daemons to OOM if they use more than the reserved resources. Default: ["pods"] |
allowedUnsafeSysctls []string
|
A comma separated whitelist of unsafe sysctls or sysctl patterns (ending in ∗). Unsafe sysctl groups are kernel.shm∗, kernel.msg∗, kernel.sem, fs.mqueue.∗, and net.∗. These sysctls are namespaced but not allowed by default. For example: "kernel.msg∗,net.ipv4.route.min_pmtu" Default: [] |
volumePluginDir string
|
volumePluginDir is the full path of the directory in which to search for additional third party volume plugins. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that changing the volumePluginDir may disrupt workloads relying on third party volume plugins. Default: "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/" |
providerID string
|
providerID, if set, sets the unique id of the instance that an external provider (i.e. cloudprovider) can use to identify a specific node. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may impact the ability of the Kubelet to interact with cloud providers. Default: "" |
kernelMemcgNotification bool
|
kernelMemcgNotification, if set, the kubelet will integrate with the kernel memcg notification to determine if memory eviction thresholds are crossed rather than polling. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may impact the way Kubelet interacts with the kernel. Default: false |
logging [Required]LoggingConfiguration
|
Logging specifies the options of logging. Refer [Logs Options](https://github.com/kubernetes/component-base/blob/master/logs/options.go) for more information. Defaults: Format: text |
enableSystemLogHandler bool
|
enableSystemLogHandler enables system logs via web interface host:port/logs/ Default: true |
shutdownGracePeriod meta/v1.Duration
|
ShutdownGracePeriod specifies the total duration that the node should delay the shutdown and total grace period for pod termination during a node shutdown. Default: "30s" |
shutdownGracePeriodCriticalPods meta/v1.Duration
|
ShutdownGracePeriodCriticalPods specifies the duration used to terminate critical pods during a node shutdown. This should be less than ShutdownGracePeriod. For example, if ShutdownGracePeriod=30s, and ShutdownGracePeriodCriticalPods=10s, during a node shutdown the first 20 seconds would be reserved for gracefully terminating normal pods, and the last 10 seconds would be reserved for terminating critical pods. Default: "10s" |
SerializedNodeConfigSource
SerializedNodeConfigSource allows us to serialize v1.NodeConfigSource. This type is used internally by the Kubelet for tracking checkpointed dynamic configs. It exists in the kubeletconfig API group because it is classified as a versioned input to the Kubelet.
Field | Description |
---|---|
apiVersion string | kubelet.config.k8s.io/v1beta1 |
kind string | SerializedNodeConfigSource |
source core/v1.NodeConfigSource
|
Source is the source that we are serializing |
HairpinMode
(Alias of string
)
HairpinMode denotes how the kubelet should configure networking to handle hairpin packets.
KubeletAnonymousAuthentication
Appears in:
Field | Description |
---|---|
enabled bool
|
enabled allows anonymous requests to the kubelet server. Requests that are not rejected by another authentication method are treated as anonymous requests. Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated. |
KubeletAuthentication
Appears in:
Field | Description |
---|---|
x509 KubeletX509Authentication
|
x509 contains settings related to x509 client certificate authentication |
webhook KubeletWebhookAuthentication
|
webhook contains settings related to webhook bearer token authentication |
anonymous KubeletAnonymousAuthentication
|
anonymous contains settings related to anonymous authentication |
KubeletAuthorization
Appears in:
Field | Description |
---|---|
mode KubeletAuthorizationMode
|
mode is the authorization mode to apply to requests to the kubelet server. Valid values are AlwaysAllow and Webhook. Webhook mode uses the SubjectAccessReview API to determine authorization. |
webhook KubeletWebhookAuthorization
|
webhook contains settings related to Webhook authorization. |
KubeletAuthorizationMode
(Alias of string
)
Appears in:
KubeletWebhookAuthentication
Appears in:
Field | Description |
---|---|
enabled bool
|
enabled allows bearer token authentication backed by the tokenreviews.authentication.k8s.io API |
cacheTTL meta/v1.Duration
|
cacheTTL enables caching of authentication results |
KubeletWebhookAuthorization
Appears in:
Field | Description |
---|---|
cacheAuthorizedTTL meta/v1.Duration
|
cacheAuthorizedTTL is the duration to cache 'authorized' responses from the webhook authorizer. |
cacheUnauthorizedTTL meta/v1.Duration
|
cacheUnauthorizedTTL is the duration to cache 'unauthorized' responses from the webhook authorizer. |
KubeletX509Authentication
Appears in:
Field | Description |
---|---|
clientCAFile string
|
clientCAFile is the path to a PEM-encoded certificate bundle. If set, any request presenting a client certificate signed by one of the authorities in the bundle is authenticated with a username corresponding to the CommonName, and groups corresponding to the Organization in the client certificate. |
ResourceChangeDetectionStrategy
(Alias of string
)
Appears in:
ResourceChangeDetectionStrategy denotes a mode in which internal managers (secret, configmap) are discovering object changes.
LoggingConfiguration
Appears in:
LoggingConfiguration contains logging options Refer Logs Options for more information.
Field | Description |
---|---|
format [Required]string
|
Format Flag specifies the structure of log messages. default value of format is `text` |
sanitization [Required]bool
|
[Experimental] When enabled prevents logging of fields tagged as sensitive (passwords, keys, tokens). Runtime log sanitization may introduce significant computation overhead and therefore should not be enabled in production.`) |
8 - WebhookAdmission 配置 (v1)
此 API 的版本是 v1。
资源类型
WebhookAdmission
WebhookAdmission 为 Webhook 准入控制器提供配置信息。
字段 | 描述 |
---|---|
apiVersion string | apiserver.config.k8s.io/v1 |
kind string | WebhookAdmission |
kubeConfigFile [必需]string
|
字段 kubeConfigFile 包含指向 kubeconfig 文件的路径。 |
9 - 客户端身份认证(Client Authentication) (v1)
资源类型
ExecCredential
ExecCredential 由基于 exec 的插件使用,与 HTTP 传输组件沟通凭据信息。
字段 | 描述 |
---|---|
apiVersion string | client.authentication.k8s.io/v1 |
kind string | ExecCredential |
spec [必需]ExecCredentialSpec
|
字段 spec 包含由 HTTP 传输组件传递给插件的信息。 |
status ExecCredentialStatus
|
字段 status 由插件填充,包含传输组件与 API 服务器连接时需要提供的凭据。 |
Cluster
出现在:
Cluster 中包含允许 exec 插件与 Kubernetes 集群进行通信身份认证时所需 的信息。
字段 | 描述 |
---|---|
server [必需]string
|
字段 server 是 Kubernetes 集群的地址(https://hostname:port)。 |
tls-server-name string
|
tls-server-name 是用来提供给服务器用作 SNI 解析的,客户端以此检查服务器的证书。 如此字段为空,则使用链接服务器时使用的主机名。 |
insecure-skip-tls-verify bool
|
设置此字段之后,会令客户端跳过对服务器端证书的合法性检查。 这会使得你的 HTTPS 链接不再安全。 |
certificate-authority-data []byte
|
此字段包含 PEM 编码的证书机构(CA)证书。 如果为空,则使用系统的根证书。 |
proxy-url string
|
此字段用来设置向集群发送所有请求时要使用的代理服务器。 |
config k8s.io/apimachinery/pkg/runtime.RawExtension
|
在某些环境中,用户配置可能对很多集群而言都完全一样(即调用同一个 exec 插件), 只是针对不同集群会有一些细节上的差异,例如 audience。 此字段使得特定于集群的配置可以直接使用集群信息来设置。 不建议使用此字段来保存 Secret 数据,因为 exec 插件的主要优势之一是不需要在 kubeconfig 中保存 Secret 数据。 |
ExecCredentialSpec
出现在:
ExecCredentialSpec 保存传输组件所提供的特定于请求和运行时的信息。
字段 | 描述 |
---|---|
cluster Cluster
|
此字段中包含的信息使得 exec 插件能够与要访问的 Kubernetes 集群通信。 注意,cluster 字段只有在 exec 驱动的配置中 provideClusterInfo (即:ExecConfig.ProvideClusterInfo)被设置为 true 时才不能为空。 |
interactive [必需]bool
|
此字段用来标明标准输出信息是否已传递给 exec 插件。 |
ExecCredentialStatus
ExecCredentialStatus 中包含传输组件要使用的凭据。
字段 token 和 clientKeyData 都是敏感字段。此数据只能在 客户端与 exec 插件进程之间使用内存来传递。exec 插件本身至少 应通过文件访问许可来实施保护。
》字段 | 描述 |
---|---|
expirationTimestamp meta/v1.Time
|
给出所提供的凭据到期的时间。 |
token [必需]string
|
客户端用做请求身份认证的持有者令牌。 |
clientCertificateData [必需]string
|
PEM 编码的客户端 TLS 证书(如果有临时证书,也会包含)。 |
clientKeyData [必需]string
|
与上述证书对应的、PEM 编码的私钥。 |