1 - Client Authentication (v1beta1)

Resource Types

ExecCredential

ExecCredential is used by exec-based plugins to communicate credentials to HTTP transports.

FieldDescription
apiVersion
string
client.authentication.k8s.io/v1beta1
kind
string
ExecCredential
spec [Required]
ExecCredentialSpec
Spec holds information passed to the plugin by the transport.
status
ExecCredentialStatus
Status is filled in by the plugin and holds the credentials that the transport should use to contact the API.

Cluster

Appears in:

Cluster contains information to allow an exec plugin to communicate with the kubernetes cluster being authenticated to.

To ensure that this struct contains everything someone would need to communicate with a kubernetes cluster (just like they would via a kubeconfig), the fields should shadow "k8s.io/client-go/tools/clientcmd/api/v1".Cluster, with the exception of CertificateAuthority, since CA data will always be passed to the plugin as bytes.

FieldDescription
server [Required]
string
Server is the address of the kubernetes cluster (https://hostname:port).
tls-server-name
string
TLSServerName is passed to the server for SNI and is used in the client to check server certificates against. If ServerName is empty, the hostname used to contact the server is used.
insecure-skip-tls-verify
bool
InsecureSkipTLSVerify skips the validity check for the server's certificate. This will make your HTTPS connections insecure.
certificate-authority-data
[]byte
CAData contains PEM-encoded certificate authority certificates. If empty, system roots should be used.
proxy-url
string
ProxyURL is the URL to the proxy to be used for all requests to this cluster.
config
k8s.io/apimachinery/pkg/runtime.RawExtension
Config holds additional config data that is specific to the exec plugin with regards to the cluster being authenticated to.

This data is sourced from the clientcmd Cluster object's extensions[client.authentication.k8s.io/exec] field:

clusters:
- name: my-cluster
  cluster:
    ...
    extensions:
    - name: client.authentication.k8s.io/exec  # reserved extension name for per cluster exec config
      extension:
        audience: 06e3fbd18de8  # arbitrary config

In some environments, the user config may be exactly the same across many clusters (i.e. call this exec plugin) minus some details that are specific to each cluster such as the audience. This field allows the per cluster config to be directly specified with the cluster info. Using this field to store secret data is not recommended as one of the prime benefits of exec plugins is that no secrets need to be stored directly in the kubeconfig.

ExecCredentialSpec

Appears in:

ExecCredentialSpec holds request and runtime specific information provided by the transport.

FieldDescription
cluster
Cluster
Cluster contains information to allow an exec plugin to communicate with the kubernetes cluster being authenticated to. Note that Cluster is non-nil only when provideClusterInfo is set to true in the exec provider config (i.e., ExecConfig.ProvideClusterInfo).

ExecCredentialStatus

Appears in:

ExecCredentialStatus holds credentials for the transport to use.

Token and ClientKeyData are sensitive fields. This data should only be transmitted in memory between the client and the exec plugin process. The exec plugin binary itself should at least be protected via file permissions.

FieldDescription
expirationTimestamp
meta/v1.Time
ExpirationTimestamp indicates a time when the provided credentials expire.
token [Required]
string
Token is a bearer token used by the client for request authentication.
clientCertificateData [Required]
string
PEM-encoded client TLS certificates (including intermediates, if any).
clientKeyData [Required]
string
PEM-encoded private key for the above certificate.
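As an added example (not code from this page or from client-go), here is a minimal exec plugin written against the schema documented above: it decodes the ExecCredential it receives, takes the audience from spec.cluster.config, and writes back an ExecCredentialStatus carrying only a bearer token and its expiry, so nothing secret is ever stored in the kubeconfig. The struct types are hand-written mirrors of the documented fields; the tokenSource function type and the sampleInput value are assumptions constructed for this example; KUBERNETES_EXEC_INFO is the environment variable in which client-go delivers the input when provideClusterInfo is enabled.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"time"
)

// Hand-written mirrors of the v1beta1 types documented above (not imported from client-go).
type Cluster struct {
	Server                   string          `json:"server"`
	TLSServerName            string          `json:"tls-server-name,omitempty"`
	InsecureSkipTLSVerify    bool            `json:"insecure-skip-tls-verify,omitempty"`
	CertificateAuthorityData []byte          `json:"certificate-authority-data,omitempty"`
	ProxyURL                 string          `json:"proxy-url,omitempty"`
	Config                   json.RawMessage `json:"config,omitempty"`
}

type ExecCredentialSpec struct {
	Cluster *Cluster `json:"cluster,omitempty"` // nil unless provideClusterInfo is true
}

type ExecCredentialStatus struct {
	ExpirationTimestamp   *time.Time `json:"expirationTimestamp,omitempty"`
	Token                 string     `json:"token,omitempty"`
	ClientCertificateData string     `json:"clientCertificateData,omitempty"`
	ClientKeyData         string     `json:"clientKeyData,omitempty"`
}

type ExecCredential struct {
	APIVersion string                `json:"apiVersion"`
	Kind       string                `json:"kind"`
	Spec       ExecCredentialSpec    `json:"spec"`
	Status     *ExecCredentialStatus `json:"status,omitempty"`
}

const apiVersion = "client.authentication.k8s.io/v1beta1"

// execConfig is the per-cluster extension shown above; "audience" is the only key it documents.
type execConfig struct {
	Audience string `json:"audience"`
}

// tokenSource is a hypothetical stand-in for the identity provider a real plugin would call.
type tokenSource func(audience string) (token string, expiry time.Time, err error)

// respond decodes the ExecCredential handed to the plugin, reads the audience from
// spec.cluster.config, obtains a token and returns the JSON the plugin writes to stdout.
func respond(input []byte, now time.Time, src tokenSource) ([]byte, error) {
	var in ExecCredential
	if err := json.Unmarshal(input, &in); err != nil {
		return nil, fmt.Errorf("decode ExecCredential: %w", err)
	}
	if in.APIVersion != apiVersion || in.Kind != "ExecCredential" {
		return nil, fmt.Errorf("unexpected input %s/%s", in.APIVersion, in.Kind)
	}
	if in.Spec.Cluster == nil {
		return nil, errors.New("spec.cluster missing: set provideClusterInfo: true in the kubeconfig")
	}
	var cfg execConfig
	if len(in.Spec.Cluster.Config) > 0 {
		if err := json.Unmarshal(in.Spec.Cluster.Config, &cfg); err != nil {
			return nil, fmt.Errorf("decode cluster config: %w", err)
		}
	}
	if cfg.Audience == "" {
		return nil, errors.New("cluster extension has no audience")
	}
	tok, exp, err := src(cfg.Audience)
	if err != nil {
		return nil, err
	}
	if !exp.After(now) {
		return nil, errors.New("refusing to return an already-expired token")
	}
	// Only status is filled in; the token travels in memory to the transport and nowhere else.
	out := ExecCredential{APIVersion: apiVersion, Kind: "ExecCredential",
		Status: &ExecCredentialStatus{ExpirationTimestamp: &exp, Token: tok}}
	return json.Marshal(out)
}

// sampleInput is a constructed KUBERNETES_EXEC_INFO value, not captured from a real client.
const sampleInput = `{"apiVersion":"client.authentication.k8s.io/v1beta1","kind":"ExecCredential",
 "spec":{"cluster":{"server":"https://kube.example.invalid:6443","config":{"audience":"06e3fbd18de8"}}}}`

func main() {
	// client-go passes the ExecCredential to the plugin in KUBERNETES_EXEC_INFO.
	input := []byte(os.Getenv("KUBERNETES_EXEC_INFO"))
	if len(input) == 0 {
		input = []byte(sampleInput)
	}
	fake := func(aud string) (string, time.Time, error) { // constructed token source
		return "token-for-" + aud, time.Now().Add(10 * time.Minute), nil
	}
	out, err := respond(input, time.Now(), fake)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	os.Stdout.Write(out)
}
```

The plugin refuses to run without spec.cluster, which is the documented behaviour when provideClusterInfo is unset, and it never echoes the spec back: the transport only reads status.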

2 - kube-apiserver Audit Configuration (v1)

Resource Types

Event

Appears in:

Event captures all the information that can be included in an API audit log.

FieldDescription
apiVersion
string
audit.k8s.io/v1
kind
string
Event
level [Required]
Level
The audit level at which the event was generated.
auditID [Required]
k8s.io/apimachinery/pkg/types.UID
Unique audit ID, generated for each request.
stage [Required]
Stage
The stage of request handling at which this event instance was generated.
requestURI [Required]
string
requestURI is the request URI as sent by the client to the server.
verb [Required]
string
verb is the Kubernetes verb associated with the request. For non-resource requests, this is the lower-cased HTTP method.
user [Required]
authentication/v1.UserInfo
Authenticated user information.
impersonatedUser
authentication/v1.UserInfo
Impersonated user information.
sourceIPs
[]string
Source IPs of the request and of intermediate proxies.
userAgent
string
userAgent records the user agent string reported by the client. Note that the userAgent is provided by the client and must not be trusted.
objectRef
ObjectReference
The object reference this request is targeted at. Does not apply to List-type requests or non-resource requests.
responseStatus
meta/v1.Status
The response status, populated even when the responseObject is not a Status type. For successful requests, this only includes the code and statusSuccess. For non-Status-type error responses, this is auto-populated with the error message.
requestObject
k8s.io/apimachinery/pkg/runtime.Unknown
The API object from the request, in JSON format. The requestObject is recorded as-is from the request (possibly re-encoded as JSON), prior to version conversion, defaulting, admission and merging. It is an externally versioned object type and may not even be a valid object on its own. Omitted for non-resource requests. Only logged at Request level and higher.
responseObject
k8s.io/apimachinery/pkg/runtime.Unknown
The API object returned in the response, in JSON format. The responseObject is recorded after conversion to the external type and serialization to JSON. Omitted for non-resource requests. Only logged at Response level.
requestReceivedTimestamp
meta/v1.MicroTime
The time the request reached the API server.
stageTimestamp
meta/v1.MicroTime
The time the request reached the current audit stage.
annotations
map[string]string
annotations is an unstructured key-value map stored with an audit event. It may be set by plugins invoked in the request serving chain, including authentication, authorization and admission plugins. Note that these annotations are for the audit event itself and do not correspond to the metadata.annotations of the submitted object. Keys should uniquely identify the component that generated the event, to avoid name collisions (e.g. podsecuritypolicy.admission.k8s.io/policy). Values should be short. Annotations are included at the Metadata audit level.

EventList

EventList is a list of audit Events.

FieldDescription
apiVersion
string
audit.k8s.io/v1
kind
string
EventList
metadata
meta/v1.ListMeta
List metadata.
items [Required]
[]Event
The list of Event objects.

Policy

Appears in:

Policy defines the configuration of audit logging and the rules for how different request categories are logged.

FieldDescription
apiVersion
string
audit.k8s.io/v1
kind
string
Policy
metadata
meta/v1.ObjectMeta
The metadata field is included for interoperability with the API infrastructure. Refer to the Kubernetes API documentation for the fields of the metadata field.
rules [Required]
[]PolicyRule
rules specifies the audit level (level) at which requests are recorded. A request may match multiple rules, in which case the first matching rule is used. The default audit level is None, but it can be overridden by a catch-all rule at the end of the list. The rules (PolicyRule) in the list are strictly ordered.
omitStages
[]Stage
omitStages is a list of stages (Stage) for which no events need to be generated. Note that this option can also be specified per rule. The audit component omits the stages listed in omitStages as well as those listed in the rule.

PolicyList

PolicyList is a list of audit Policies.

FieldDescription
apiVersion
string
audit.k8s.io/v1
kind
string
PolicyList
metadata
meta/v1.ListMeta
List metadata.
items [Required]
[]Policy
The list of Policy objects.

GroupResources

Appears in:

GroupResources represents resource kinds in an API group.

FieldDescription
group
string
group is the name of the API group that contains the resources. The empty string represents the core API group.
resources
[]string

If wildcards are present, the validation logic ensures that the entries in resources do not overlap with each other.
An empty list implies that the rule applies to all resources and their subresources in this API group.

resourceNames
[]string
resourceNames is a list of resource instance names that the policy matches. Using this field requires resources to be specified. An empty resourceNames list implies that every instance of the resource matches this policy.

Level

(Alias of string)

Appears in:

Level defines the amount of information logged during auditing.

ObjectReference

Appears in:

ObjectReference contains enough information to let you inspect or modify the referred object.

FieldDescription
resource
string
The resource type.
namespace
string
The namespace of the resource object.
name
string
The name of the resource object.
uid
k8s.io/apimachinery/pkg/types.UID
The UID of the resource object.
apiGroup
string
apiGroup is the name of the API group that contains the referred object. The empty string represents the core API group.
apiVersion
string
apiVersion is the version of the API group that contains the referred object.
resourceVersion
string
The resource version of the object itself.
subresource
string
The subresource type.

PolicyRule

Appears in:

PolicyRule maps requests, based on their metadata, to an audit Level. A request must match the rule defined by every field (an intersection of rules) to be considered a match.

FieldDescription
level [Required]
Level
The Level at which requests matching this rule are recorded.
users
[]string
The users (by authenticated user name) this rule applies to. An empty list implies every user.
userGroups
[]string
The user groups this rule applies to. A user is considered matching if it is a member of any of the listed groups. An empty list implies every user group.
verbs
[]string
The verbs this rule applies to. An empty list implies every verb.
resources
[]GroupResources
The resource kinds this rule applies to. An empty list implies all resource kinds in the API groups.
namespaces
[]string
The list of namespaces this rule applies to. The empty string ("") matches non-namespaced resources. An empty list implies every namespace.
nonResourceURLs
[]string
nonResourceURLs is a set of URL paths that should be audited. * is allowed, but only as the full, final step in the path.
For example:
"/metrics" - log all requests for API server metrics;
"/healthz*" - log all health checks.
omitStages
[]Stage
omitStages is a list of stages (Stage) for which the server does not generate audit events. Note that this option can also be specified at the Policy level. The server's audit component omits the stages given in omitStages as well as those given in the policy. An empty list means no restriction applies to this rule.

Stage

(Alias of string)

Appears in:

Stage defines the stages in request handling during which audit events may be generated.
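The rule semantics documented above (first match wins, default None, empty selector lists match everything, "" in namespaces for cluster-scoped resources, a trailing * in nonResourceURLs, and the union of policy-level and rule-level omitStages) as an added example in Go. This is not the apiserver's own policy checker; the Request type and SamplePolicy are constructed for illustration. The Level and Stage values are the standard kube-apiserver ones, which the page names as aliases but does not enumerate, and the resource patterns accepted ("pods", "pods/log", "*", "*/scale", "pods/*") are the forms kube-apiserver's audit policy accepts.

```go
package main

import (
	"fmt"
	"strings"
)

// Level and Stage mirror the audit.k8s.io/v1 string aliases; the values are the
// standard kube-apiserver ones, which the page names but does not enumerate.
type Level string
type Stage string

const (
	LevelNone, LevelMetadata, LevelRequest, LevelRequestResponse                   Level = "None", "Metadata", "Request", "RequestResponse"
	StageRequestReceived, StageResponseStarted, StageResponseComplete, StagePanic Stage = "RequestReceived", "ResponseStarted", "ResponseComplete", "Panic"
)

type GroupResources struct {
	Group         string
	Resources     []string
	ResourceNames []string
}

type PolicyRule struct {
	Level                    Level
	Users, UserGroups, Verbs []string
	Resources                []GroupResources
	Namespaces               []string
	NonResourceURLs          []string
	OmitStages               []Stage
}

type Policy struct {
	Rules      []PolicyRule
	OmitStages []Stage
}

// Request is a constructed view of the request attributes a rule is matched against.
type Request struct {
	User, Verb                                       string
	Groups                                           []string
	IsResource                                       bool
	APIGroup, Resource, Subresource, Name, Namespace string // Namespace "" = cluster-scoped
	Path                                             string // non-resource requests only
}

func has(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// Evaluate implements the documented first-match semantics: rules are tried in order,
// the first rule whose every selector matches decides the level, and the omitted
// stages are the union of the policy-level and rule-level lists. No match means None.
func Evaluate(p Policy, r Request) (Level, []Stage) {
	for _, rule := range p.Rules {
		if ruleMatches(rule, r) {
			return rule.Level, append(append([]Stage{}, p.OmitStages...), rule.OmitStages...)
		}
	}
	return LevelNone, p.OmitStages
}

func ruleMatches(rule PolicyRule, r Request) bool {
	if len(rule.Users) > 0 && !has(rule.Users, r.User) {
		return false
	}
	if len(rule.UserGroups) > 0 {
		member := false
		for _, g := range r.Groups {
			member = member || has(rule.UserGroups, g)
		}
		if !member {
			return false
		}
	}
	if len(rule.Verbs) > 0 && !has(rule.Verbs, r.Verb) {
		return false
	}
	if len(rule.Namespaces) > 0 || len(rule.Resources) > 0 {
		return matchesResource(rule, r)
	}
	if len(rule.NonResourceURLs) > 0 {
		return matchesNonResource(rule, r)
	}
	return true // no resource selectors at all: a catch-all rule
}

func matchesResource(rule PolicyRule, r Request) bool {
	if !r.IsResource || (len(rule.Namespaces) > 0 && !has(rule.Namespaces, r.Namespace)) {
		return false
	}
	if len(rule.Resources) == 0 {
		return true
	}
	combined := r.Resource
	if r.Subresource != "" {
		combined += "/" + r.Subresource
	}
	for _, gr := range rule.Resources {
		if gr.Group != r.APIGroup || (len(gr.ResourceNames) > 0 && !has(gr.ResourceNames, r.Name)) {
			continue
		}
		if len(gr.Resources) == 0 {
			return true // every resource and subresource in the group
		}
		for _, res := range gr.Resources { // "pods", "pods/log", "*", "*/scale", "pods/*"
			if res == "*" || res == combined ||
				(r.Subresource != "" && strings.HasPrefix(res, "*/") && r.Subresource == res[2:]) ||
				(strings.HasSuffix(res, "/*") && r.Resource == strings.TrimSuffix(res, "/*")) {
				return true
			}
		}
	}
	return false
}

// matchesNonResource applies the rule that "*" may only be the last path step:
// "/healthz*" matches "/healthz" and "/healthz/ping".
func matchesNonResource(rule PolicyRule, r Request) bool {
	if r.IsResource {
		return false
	}
	for _, spec := range rule.NonResourceURLs {
		if spec == "*" || spec == r.Path || (strings.HasSuffix(spec, "*") && strings.HasPrefix(r.Path, strings.TrimSuffix(spec, "*"))) {
			return true
		}
	}
	return false
}

// SamplePolicy (constructed): silence kube-proxy's endpoint watches and health probes,
// keep secrets at Metadata so their bodies never reach the log, capture bodies for
// exec/attach/portforward, and default everything else to Metadata.
var SamplePolicy = Policy{
	OmitStages: []Stage{StageRequestReceived},
	Rules: []PolicyRule{
		{Level: LevelNone, Users: []string{"system:kube-proxy"}, Verbs: []string{"watch"},
			Resources: []GroupResources{{Group: "", Resources: []string{"endpoints", "services"}}}},
		{Level: LevelNone, NonResourceURLs: []string{"/healthz*", "/version"}},
		{Level: LevelMetadata, Resources: []GroupResources{{Group: "", Resources: []string{"secrets", "configmaps"}}}},
		{Level: LevelRequestResponse, Resources: []GroupResources{{Group: "", Resources: []string{"pods/exec", "pods/attach", "pods/portforward"}}}},
		{Level: LevelMetadata},
	},
}

func main() {
	fmt.Println(Evaluate(SamplePolicy, Request{User: "alice", Verb: "create", IsResource: true, Resource: "pods", Subresource: "exec", Namespace: "prod"}))
}
```

Because rules are strictly ordered, the secrets rule must sit before the catch-all: a RequestResponse catch-all placed first would write secret bodies into the audit log for every request that reached it.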

3 - kube-proxy Configuration (v1alpha1)

Resource Types

KubeProxyConfiguration

KubeProxyConfiguration contains everything necessary to configure the Kubernetes proxy server.

FieldDescription
apiVersion
string
kubeproxy.config.k8s.io/v1alpha1
kind
string
KubeProxyConfiguration
featureGates [Required]
map[string]bool
featureGates is a map of feature names to bools that enable or disable alpha/experimental features.
bindAddress [Required]
string
bindAddress is the IP address for the proxy server to serve on (set to 0.0.0.0 for all interfaces).
healthzBindAddress [Required]
string
healthzBindAddress is the IP address and port for the health check server to serve on, defaulting to 0.0.0.0:10256.
metricsBindAddress [Required]
string
metricsBindAddress is the IP address and port for the metrics server to serve on, defaulting to 127.0.0.1:10249 (set to 0.0.0.0 for all interfaces)
bindAddressHardFail [Required]
bool
bindAddressHardFail, if true, makes kube-proxy treat failure to bind to a port as fatal and exit.
enableProfiling [Required]
bool
enableProfiling enables profiling via web interface on /debug/pprof handler. Profiling handlers will be handled by metrics server.
clusterCIDR [Required]
string
clusterCIDR is the CIDR range of the pods in the cluster. It is used to bridge traffic coming from outside of the cluster. If not provided, no off-cluster bridging will be performed.
hostnameOverride [Required]
string
hostnameOverride, if non-empty, will be used as the identity instead of the actual hostname.
clientConnection [Required]
ClientConnectionConfiguration
clientConnection specifies the kubeconfig file and client connection settings for the proxy server to use when communicating with the apiserver.
iptables [Required]
KubeProxyIPTablesConfiguration
iptables contains iptables-related configuration options.
ipvs [Required]
KubeProxyIPVSConfiguration
ipvs contains ipvs-related configuration options.
oomScoreAdj [Required]
int32
oomScoreAdj is the oom-score-adj value for kube-proxy process. Values must be within the range [-1000, 1000]
mode [Required]
ProxyMode
mode specifies which proxy mode to use.
portRange [Required]
string
portRange is the range of host ports (beginPort-endPort, inclusive) that may be consumed in order to proxy service traffic. If unspecified (0-0) then ports will be randomly chosen.
udpIdleTimeout [Required]
meta/v1.Duration
udpIdleTimeout is how long an idle UDP connection will be kept open (e.g. '250ms', '2s'). Must be greater than 0. Only applicable for proxyMode=userspace.
conntrack [Required]
KubeProxyConntrackConfiguration
conntrack contains conntrack-related configuration options.
configSyncPeriod [Required]
meta/v1.Duration
configSyncPeriod is how often configuration from the apiserver is refreshed. Must be greater than 0.
nodePortAddresses [Required]
[]string
nodePortAddresses is the --nodeport-addresses value for the kube-proxy process. Values must be valid IP blocks. They select the interfaces on which NodePort services are served: to expose a service on localhost for local access and on some other interfaces for a particular purpose, list the corresponding IP blocks. If set to "127.0.0.0/8", kube-proxy selects only the loopback interface for NodePort. If set to a non-zero IP block, kube-proxy filters that down to just the IPs that apply to the node. An empty string slice selects all network interfaces.
winkernel [Required]
KubeProxyWinkernelConfiguration
winkernel contains winkernel-related configuration options.
showHiddenMetricsForVersion [Required]
string
ShowHiddenMetricsForVersion is the version for which you want to show hidden metrics.
detectLocalMode [Required]
LocalMode
DetectLocalMode determines mode to use for detecting local traffic, defaults to LocalModeClusterCIDR

KubeProxyConntrackConfiguration

Appears in:

KubeProxyConntrackConfiguration contains conntrack settings for the Kubernetes proxy server.

FieldDescription
maxPerCore [Required]
int32
maxPerCore is the maximum number of NAT connections to track per CPU core (0 to leave the limit as-is and ignore min).
min [Required]
int32
min is the minimum value of connect-tracking records to allocate, regardless of conntrackMaxPerCore (set maxPerCore=0 to leave the limit as-is).
tcpEstablishedTimeout [Required]
meta/v1.Duration
tcpEstablishedTimeout is how long an idle TCP connection will be kept open (e.g. '2s'). Must be greater than 0 to set.
tcpCloseWaitTimeout [Required]
meta/v1.Duration
tcpCloseWaitTimeout is how long an idle conntrack entry in CLOSE_WAIT state will remain in the conntrack table. (e.g. '60s'). Must be greater than 0 to set.

KubeProxyIPTablesConfiguration

Appears in:

KubeProxyIPTablesConfiguration contains iptables-related configuration details for the Kubernetes proxy server.

FieldDescription
masqueradeBit [Required]
int32
masqueradeBit is the bit of the iptables fwmark space to use for SNAT if using the pure iptables proxy mode. Values must be within the range [0, 31].
masqueradeAll [Required]
bool
masqueradeAll tells kube-proxy to SNAT everything if using the pure iptables proxy mode.
syncPeriod [Required]
meta/v1.Duration
syncPeriod is the period that iptables rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than 0.
minSyncPeriod [Required]
meta/v1.Duration
minSyncPeriod is the minimum period that iptables rules are refreshed (e.g. '5s', '1m', '2h22m').

KubeProxyIPVSConfiguration

Appears in:

KubeProxyIPVSConfiguration contains ipvs-related configuration details for the Kubernetes proxy server.

FieldDescription
syncPeriod [Required]
meta/v1.Duration
syncPeriod is the period that ipvs rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than 0.
minSyncPeriod [Required]
meta/v1.Duration
minSyncPeriod is the minimum period that ipvs rules are refreshed (e.g. '5s', '1m', '2h22m').
scheduler [Required]
string
scheduler is the IPVS scheduler to use.
excludeCIDRs [Required]
[]string
excludeCIDRs is a list of CIDR's which the ipvs proxier should not touch when cleaning up ipvs services.
strictARP [Required]
bool
strictARP configures arp_ignore and arp_announce to avoid answering ARP queries from the kube-ipvs0 interface.
tcpTimeout [Required]
meta/v1.Duration
tcpTimeout is the timeout value used for idle IPVS TCP sessions. The default value is 0, which preserves the current timeout value on the system.
tcpFinTimeout [Required]
meta/v1.Duration
tcpFinTimeout is the timeout value used for IPVS TCP sessions after receiving a FIN. The default value is 0, which preserves the current timeout value on the system.
udpTimeout [Required]
meta/v1.Duration
udpTimeout is the timeout value used for IPVS UDP packets. The default value is 0, which preserves the current timeout value on the system.
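An added example (not part of this page or of kube-proxy) that checks the numeric and address constraints stated in the KubeProxyConfiguration, KubeProxyConntrackConfiguration and KubeProxyIPTablesConfiguration tables above, and flags one exposure that is easy to miss: the metrics server also serves the /debug/pprof handlers once enableProfiling is on, so a metricsBindAddress on a non-loopback address publishes the profiler to the network. The struct types are a hand-written subset of the documented fields, and SampleConfig is a constructed configuration.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
	"time"
)

// Hand-written subset of the kube-proxy types above (not imported from k8s.io/kube-proxy).
type IPTablesConfig struct {
	MasqueradeBit int32
	SyncPeriod    time.Duration
	MinSyncPeriod time.Duration
}

type ConntrackConfig struct {
	MaxPerCore, Min                            int32
	TCPEstablishedTimeout, TCPCloseWaitTimeout time.Duration
}

type KubeProxyConfiguration struct {
	HealthzBindAddress string
	MetricsBindAddress string
	EnableProfiling    bool
	ClusterCIDR        string
	OOMScoreAdj        int32
	Mode               string
	PortRange          string
	UDPIdleTimeout     time.Duration
	ConfigSyncPeriod   time.Duration
	NodePortAddresses  []string
	IPTables           IPTablesConfig
	Conntrack          ConntrackConfig
}

// Validate checks the constraints stated in the field descriptions. Violations come
// back as errors; a legal but risky exposure comes back as a warning.
func Validate(c Kube ProxyConfigurationPlaceholder) (errs, warns []string) { return nil, nil }
```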

KubeProxyWinkernelConfiguration

Appears in:

KubeProxyWinkernelConfiguration contains Windows/HNS settings for the Kubernetes proxy server.

FieldDescription
networkName [Required]
string
networkName is the name of the network kube-proxy will use to create endpoints and policies
sourceVip [Required]
string
sourceVip is the IP address of the source VIP endpoint used for NAT when load balancing.
enableDSR [Required]
bool
enableDSR tells kube-proxy whether HNS policies should be created with DSR

LocalMode

(Alias of string)

Appears in:

LocalMode represents modes to detect local traffic from the node

ProxyMode

(Alias of string)

Appears in:

ProxyMode represents modes used by the Kubernetes proxy server.

Currently, three modes of proxy are available on the Linux platform: 'userspace' (older, going to be EOL), 'iptables' (newer, faster) and 'ipvs' (newest, better in performance and scalability).

Two modes of proxy are available on the Windows platform: 'userspace' (older, stable) and 'kernelspace' (newer, faster).

On Linux, if the proxy mode is blank, the best-available proxy is used (currently iptables, but this may change in the future). If the iptables proxy is selected, regardless of how, but the system's kernel or iptables versions are insufficient, this always falls back to the userspace proxy. IPVS mode is enabled when the proxy mode is set to 'ipvs'; its fallback path is first iptables and then userspace.

On Windows, if the proxy mode is blank, the best-available proxy is used (currently userspace, but this may change in the future). If the winkernel proxy is selected, regardless of how, but the Windows kernel cannot support this mode of proxy, this always falls back to the userspace proxy.

ClientConnectionConfiguration

Appears in:

ClientConnectionConfiguration contains details for constructing a client.

FieldDescription
kubeconfig [Required]
string
kubeconfig is the path to a KubeConfig file.
acceptContentTypes [Required]
string
acceptContentTypes defines the Accept header sent by clients when connecting to a server, overriding the default value of 'application/json'. This field will control all connections to the server used by a particular client.
contentType [Required]
string
contentType is the content type used when sending data to the server from this client.
qps [Required]
float32
qps controls the number of queries per second allowed for this connection.
burst [Required]
int32
burst allows extra queries to accumulate when a client is exceeding its rate.

4 - kube-scheduler Configuration (v1beta1)

Resource Types

Policy

Policy describes a struct for a policy resource used in api.

FieldDescription
apiVersion
string
kubescheduler.config.k8s.io/v1
kind
string
Policy
predicates [Required]
[]PredicatePolicy
Holds the information to configure the fit predicate functions
priorities [Required]
[]PriorityPolicy
Holds the information to configure the priority functions
extenders [Required]
[]LegacyExtender
Holds the information to communicate with the extender(s)
hardPodAffinitySymmetricWeight [Required]
int32
RequiredDuringScheduling affinity is not symmetric, but there is an implicit PreferredDuringScheduling affinity rule corresponding to every RequiredDuringScheduling affinity rule. HardPodAffinitySymmetricWeight represents the weight of implicit PreferredDuringScheduling affinity rule, in the range 1-100.
alwaysCheckAllPredicates [Required]
bool
When AlwaysCheckAllPredicates is set to true, scheduler checks all the configured predicates even after one or more of them fails. When the flag is set to false, scheduler skips checking the rest of the predicates after it finds one predicate that failed.

ExtenderManagedResource

Appears in:

ExtenderManagedResource describes the arguments of extended resources managed by an extender.

FieldDescription
name [Required]
string
Name is the extended resource name.
ignoredByScheduler [Required]
bool
IgnoredByScheduler indicates whether kube-scheduler should ignore this resource when applying predicates.

ExtenderTLSConfig

Appears in:

ExtenderTLSConfig contains settings to enable TLS with extender

FieldDescription
insecure [Required]
bool
Server should be accessed without verifying the TLS certificate. For testing only.
serverName [Required]
string
ServerName is passed to the server for SNI and is used in the client to check server certificates against. If ServerName is empty, the hostname used to contact the server is used.
certFile [Required]
string
certFile is the path to the client certificate presented when the server requires TLS client certificate authentication.
keyFile [Required]
string
keyFile is the path to the private key for that client certificate, used when the server requires TLS client certificate authentication.
caFile [Required]
string
Trusted root certificates for server
certData [Required]
[]byte
CertData holds PEM-encoded bytes (typically read from a client certificate file). CertData takes precedence over CertFile
keyData [Required]
[]byte
KeyData holds PEM-encoded bytes (typically read from a client certificate key file). KeyData takes precedence over KeyFile
caData [Required]
[]byte
CAData holds PEM-encoded bytes (typically read from a root certificates bundle). CAData takes precedence over CAFile
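As an added example (not scheduler code), here is how a client could turn an ExtenderTLSConfig into a crypto/tls configuration while honouring the documented precedence of certData, keyData and caData over the corresponding *File paths, and treating insecure as the testing-only switch it is described as: the caller must opt in explicitly or the configuration is refused. ExtenderTLSConfig is a hand-written mirror of the table above, and selfSigned generates a throwaway certificate so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// ExtenderTLSConfig mirrors the documented fields (hand-written, not imported).
type ExtenderTLSConfig struct {
	Insecure                  bool
	ServerName                string
	CertFile, KeyFile, CAFile string
	CertData, KeyData, CAData []byte
}

// load applies the documented precedence: inline *Data wins over the *File path.
func load(data []byte, file string) ([]byte, error) {
	if len(data) > 0 || file == "" {
		return data, nil
	}
	return os.ReadFile(file)
}

// BuildTLSConfig turns an ExtenderTLSConfig into a crypto/tls configuration.
// The "for testing only" insecure flag is honoured only when the caller passes
// allowInsecure; otherwise a config that would skip verification is rejected.
func BuildTLSConfig(c ExtenderTLSConfig, allowInsecure bool) (*tls.Config, error) {
	if c.Insecure && !allowInsecure {
		return nil, errors.New("insecure: true would disable server certificate verification")
	}
	cfg := &tls.Config{ServerName: c.ServerName, InsecureSkipVerify: c.Insecure, MinVersion: tls.VersionTLS12}
	cert, err := load(c.CertData, c.CertFile)
	if err != nil {
		return nil, fmt.Errorf("client certificate: %w", err)
	}
	key, err := load(c.KeyData, c.KeyFile)
	if err != nil {
		return nil, fmt.Errorf("client key: %w", err)
	}
	if (len(cert) == 0) != (len(key) == 0) {
		return nil, errors.New("client certificate and key must be supplied together")
	}
	if len(cert) > 0 {
		pair, err := tls.X509KeyPair(cert, key)
		if err != nil {
			return nil, fmt.Errorf("client key pair: %w", err)
		}
		cfg.Certificates = []tls.Certificate{pair}
	}
	ca, err := load(c.CAData, c.CAFile)
	if err != nil {
		return nil, fmt.Errorf("CA bundle: %w", err)
	}
	if len(ca) > 0 { // otherwise crypto/tls falls back to the system roots
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(ca) {
			return nil, errors.New("CA bundle contains no PEM certificates")
		}
		cfg.RootCAs = pool
	}
	return cfg, nil
}

// selfSigned produces a throwaway PEM certificate and key so the example runs
// offline; it is scaffolding for this example, not scheduler code.
func selfSigned(cn string) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), nil
}

func main() {
	cert, key, err := selfSigned("extender.example.invalid") // constructed name
	if err != nil {
		panic(err)
	}
	cfg, err := BuildTLSConfig(ExtenderTLSConfig{ServerName: "extender.example.invalid", CertData: cert, KeyData: key, CAData: cert}, false)
	if err != nil {
		panic(err)
	}
	fmt.Printf("client certs: %d, verifying server: %v\n", len(cfg.Certificates), !cfg.InsecureSkipVerify)
}
```

A certificate without its key (or vice versa) is rejected rather than silently ignored, and a caData bundle that parses to no certificates is an error instead of an empty pool that would make every handshake fail later.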

LabelPreference

Appears in:

LabelPreference holds the parameters that are used to configure the corresponding priority function

FieldDescription
label [Required]
string
Used to identify node "groups"
presence [Required]
bool
This is a boolean flag. If true, higher priority is given to nodes that have the label; if false, higher priority is given to nodes that do not have the label.

LabelsPresence

Appears in:

LabelsPresence holds the parameters that are used to configure the corresponding predicate in scheduler policy configuration.

FieldDescription
labels [Required]
[]string
The list of labels that identify node "groups". All of the labels should be either present (or absent) for the node to be considered a fit for hosting the pod.
presence [Required]
bool
The boolean flag that indicates whether the labels should be present or absent from the node

LegacyExtender

Appears in:

LegacyExtender holds the parameters used to communicate with the extender. If a verb is unspecified/empty, it is assumed that the extender chose not to provide that extension.

FieldDescription
urlPrefix [Required]
string
URLPrefix at which the extender is available
filterVerb [Required]
string
Verb for the filter call, empty if not supported. This verb is appended to the URLPrefix when issuing the filter call to extender.
preemptVerb [Required]
string
Verb for the preempt call, empty if not supported. This verb is appended to the URLPrefix when issuing the preempt call to extender.
prioritizeVerb [Required]
string
Verb for the prioritize call, empty if not supported. This verb is appended to the URLPrefix when issuing the prioritize call to extender.
weight [Required]
int64
The numeric multiplier for the node scores that the prioritize call generates. The weight should be a positive integer
bindVerb [Required]
string
Verb for the bind call, empty if not supported. This verb is appended to the URLPrefix when issuing the bind call to extender. If this method is implemented by the extender, it is the extender's responsibility to bind the pod to apiserver. Only one extender can implement this function.
enableHttps [Required]
bool
EnableHTTPS specifies whether https should be used to communicate with the extender
tlsConfig [Required]
ExtenderTLSConfig
TLSConfig specifies the transport layer security config
httpTimeout [Required]
time.Duration
HTTPTimeout specifies the timeout duration for a call to the extender. Filter timeout fails the scheduling of the pod. Prioritize timeout is ignored, k8s/other extenders priorities are used to select the node.
nodeCacheCapable [Required]
bool
NodeCacheCapable specifies that the extender is capable of caching node information, so the scheduler should only send minimal information about the eligible nodes assuming that the extender already cached full details of all nodes in the cluster
managedResources
[]ExtenderManagedResource
ManagedResources is a list of extended resources that are managed by this extender. A pod will be sent to the extender on the Filter, Prioritize and Bind (if the extender is the binder) phases iff the pod requests at least one of the extended resources in this list. If empty or unspecified, all pods will be sent to this extender. If IgnoredByScheduler is set to true for a resource, kube-scheduler will skip checking the resource in predicates.
ignorable [Required]
bool
Ignorable specifies if the extender is ignorable, i.e. scheduling should not fail when the extender returns an error or is not reachable.

PredicateArgument

Appears in:

PredicateArgument represents the arguments to configure predicate functions in scheduler policy configuration. Only one of its members may be specified

FieldDescription
serviceAffinity [Required]
ServiceAffinity
The predicate that provides affinity for pods belonging to a service It uses a label to identify nodes that belong to the same "group"
labelsPresence [Required]
LabelsPresence
The predicate that checks whether a particular node has a certain label defined or not, regardless of value

PredicatePolicy

Appears in:

PredicatePolicy describes a struct of a predicate policy.

FieldDescription
name [Required]
string
Identifier of the predicate policy. For a custom predicate, the name can be user-defined. For the Kubernetes-provided predicates, the name is the identifier of the pre-defined predicate.
argument [Required]
PredicateArgument
Holds the parameters to configure the given predicate

PriorityArgument

Appears in:

PriorityArgument represents the arguments to configure priority functions in scheduler policy configuration. Only one of its members may be specified

FieldDescription
serviceAntiAffinity [Required]
ServiceAntiAffinity
The priority function that ensures a good spread (anti-affinity) for pods belonging to a service It uses a label to identify nodes that belong to the same "group"
labelPreference [Required]
LabelPreference
The priority function that checks whether a particular node has a certain label defined or not, regardless of value
requestedToCapacityRatioArguments [Required]
RequestedToCapacityRatioArguments
The RequestedToCapacityRatio priority function is parametrized with function shape.

PriorityPolicy

Appears in:

PriorityPolicy describes a struct of a priority policy.

FieldDescription
name [Required]
string
Identifier of the priority policy. For a custom priority, the name can be user-defined. For the Kubernetes-provided priority functions, the name is the identifier of the pre-defined priority function.
weight [Required]
int64
The numeric multiplier for the node scores that the priority function generates. The weight should be non-zero and can be a positive or a negative integer.
argument [Required]
PriorityArgument
Holds the parameters to configure the given priority function

RequestedToCapacityRatioArguments

Appears in:

RequestedToCapacityRatioArguments holds arguments specific to RequestedToCapacityRatio priority function.

FieldDescription
shape [Required]
[]UtilizationShapePoint
Array of point defining priority function shape.
resources [Required]
[]ResourceSpec
No description provided.

ResourceSpec

Appears in:

ResourceSpec represents single resource and weight for bin packing of priority RequestedToCapacityRatioArguments.

FieldDescription
name [Required]
string
Name of the resource to be managed by RequestedToCapacityRatio function.
weight [Required]
int64
Weight of the resource.

ServiceAffinity

Appears in:

ServiceAffinity holds the parameters that are used to configure the corresponding predicate in scheduler policy configuration.

FieldDescription
labels [Required]
[]string
The list of labels that identify node "groups". All of the labels should match for the node to be considered a fit for hosting the pod.

ServiceAntiAffinity

Appears in:

ServiceAntiAffinity holds the parameters that are used to configure the corresponding priority function

FieldDescription
label [Required]
string
Used to identify node "groups"

UtilizationShapePoint

Appears in:

UtilizationShapePoint represents single point of priority function shape.

FieldDescription
utilization [Required]
int32
Utilization (x axis). Valid values are 0 to 100. Fully utilized node maps to 100.
score [Required]
int32
Score assigned to given utilization (y axis). Valid values are 0 to 10.
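An added example (not the scheduler's implementation) of what a shape built from UtilizationShapePoint values does: the points are validated against the documented ranges, a node's utilization is scored by linear interpolation between neighbouring points, and the per-resource scores are combined using the ResourceSpec weights. Linear interpolation and the weighted average are this example's reading of the "function shape" description above; the shapes and resource figures in main are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Hand-written mirrors of the documented argument types (not imported from kube-scheduler).
type UtilizationShapePoint struct {
	Utilization int32 // x axis, 0..100
	Score       int32 // y axis, 0..10
}

type ResourceSpec struct {
	Name   string
	Weight int64
}

type RequestedToCapacityRatioArguments struct {
	Shape     []UtilizationShapePoint
	Resources []ResourceSpec
}

// ValidateShape enforces the documented ranges and requires strictly increasing
// utilization so that the points describe a function.
func ValidateShape(shape []UtilizationShapePoint) error {
	if len(shape) == 0 {
		return errors.New("shape needs at least one point")
	}
	for i, p := range shape {
		if p.Utilization < 0 || p.Utilization > 100 {
			return fmt.Errorf("point %d: utilization %d outside 0-100", i, p.Utilization)
		}
		if p.Score < 0 || p.Score > 10 {
			return fmt.Errorf("point %d: score %d outside 0-10", i, p.Score)
		}
		if i > 0 && p.Utilization <= shape[i-1].Utilization {
			return fmt.Errorf("point %d: utilization must be strictly increasing", i)
		}
	}
	return nil
}

// ScoreUtilization interpolates linearly between neighbouring points; utilization
// outside the covered range clamps to the first or last point's score.
func ScoreUtilization(shape []UtilizationShapePoint, utilization float64) float64 {
	first, last := shape[0], shape[len(shape)-1]
	if utilization <= float64(first.Utilization) {
		return float64(first.Score)
	}
	if utilization >= float64(last.Utilization) {
		return float64(last.Score)
	}
	i := sort.Search(len(shape), func(i int) bool { return float64(shape[i].Utilization) > utilization })
	a, b := shape[i-1], shape[i]
	frac := (utilization - float64(a.Utilization)) / float64(b.Utilization-a.Utilization)
	return float64(a.Score) + frac*float64(b.Score-a.Score)
}

// NodeScore averages the per-resource shape scores weighted by ResourceSpec.Weight.
// requested is what the node would carry with the pod placed; capacity is what it has.
func NodeScore(args RequestedToCapacityRatioArguments, requested, capacity map[string]int64) (float64, error) {
	if err := ValidateShape(args.Shape); err != nil {
		return 0, err
	}
	var sum, weights float64
	for _, r := range args.Resources {
		if capacity[r.Name] <= 0 || r.Weight <= 0 {
			continue // the node has none of this resource, or the weight is unusable
		}
		util := 100 * float64(requested[r.Name]) / float64(capacity[r.Name])
		sum += float64(r.Weight) * ScoreUtilization(args.Shape, util)
		weights += float64(r.Weight)
	}
	if weights == 0 {
		return 0, errors.New("no resource with positive weight and capacity")
	}
	return sum / weights, nil
}

func main() {
	// Constructed bin-packing shape: the score rises with utilization, favouring fuller nodes.
	binPacking := []UtilizationShapePoint{{Utilization: 0, Score: 0}, {Utilization: 100, Score: 10}}
	args := RequestedToCapacityRatioArguments{Shape: binPacking, Resources: []ResourceSpec{{"cpu", 1}, {"memory", 1}}}
	score, err := NodeScore(args, map[string]int64{"cpu": 750, "memory": 250}, map[string]int64{"cpu": 1000, "memory": 1000})
	fmt.Println(score, err)
}
```

Reversing the two points (utilization 0 scoring 10, utilization 100 scoring 0) turns the same code into a least-requested spread, which is why the shape is validated for monotonic utilization but not for monotonic score.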

ClientConnectionConfiguration

Appears in:

ClientConnectionConfiguration contains details for constructing a client.

FieldDescription
kubeconfig [Required]
string
kubeconfig is the path to a KubeConfig file.
acceptContentTypes [Required]
string
acceptContentTypes defines the Accept header sent by clients when connecting to a server, overriding the default value of 'application/json'. This field will control all connections to the server used by a particular client.
contentType [Required]
string
contentType is the content type used when sending data to the server from this client.
qps [Required]
float32
qps controls the number of queries per second allowed for this connection.
burst [Required]
int32
burst allows extra queries to accumulate when a client is exceeding its rate.

DebuggingConfiguration

Appears in:

DebuggingConfiguration holds configuration for Debugging related features.

FieldDescription
enableProfiling [Required]
bool
enableProfiling enables profiling via web interface host:port/debug/pprof/
enableContentionProfiling [Required]
bool
enableContentionProfiling enables lock contention profiling, if enableProfiling is true.

LeaderElectionConfiguration

Appears in:

LeaderElectionConfiguration defines the configuration of leader election clients for components that can run with leader election enabled.

FieldDescription
leaderElect [Required]
bool
leaderElect enables a leader election client to gain leadership before executing the main loop. Enable this when running replicated components for high availability.
leaseDuration [Required]
meta/v1.Duration
leaseDuration is the duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. This is only applicable if leader election is enabled.
renewDeadline [Required]
meta/v1.Duration
renewDeadline is the interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. This is only applicable if leader election is enabled.
retryPeriod [Required]
meta/v1.Duration
retryPeriod is the duration the clients should wait between attempting acquisition and renewal of a leadership. This is only applicable if leader election is enabled.
resourceLock [Required]
string
resourceLock indicates the resource object type that will be used to lock during leader election cycles.
resourceName [Required]
string
resourceName indicates the name of resource object that will be used to lock during leader election cycles.
resourceNamespace [Required]
string
resourceNamespace indicates the namespace of the resource object that will be used to lock during leader election cycles.

LoggingConfiguration

Appears in:

LoggingConfiguration contains logging options. Refer to Logs Options for more information.

FieldDescription
format [Required]
string
Format specifies the structure of log messages. The default value of format is `text`.
sanitization [Required]
bool
[Experimental] When enabled, prevents logging of fields tagged as sensitive (passwords, keys, tokens). Runtime log sanitization may introduce significant computation overhead and therefore should not be enabled in production.

DefaultPreemptionArgs

DefaultPreemptionArgs holds arguments used to configure the DefaultPreemption plugin.

FieldDescription
apiVersion
string
kubescheduler.config.k8s.io/v1beta1
kind
string
DefaultPreemptionArgs
minCandidateNodesPercentage [Required]
int32
MinCandidateNodesPercentage is the minimum number of candidates to shortlist when dry running preemption as a percentage of number of nodes. Must be in the range [0, 100]. Defaults to 10% of the cluster size if unspecified.
minCandidateNodesAbsolute [Required]
int32
MinCandidateNodesAbsolute is the absolute minimum number of candidates to shortlist. The likely number of candidates enumerated for dry running preemption is given by the formula: numCandidates = max(numNodes * minCandidateNodesPercentage, minCandidateNodesAbsolute). We say "likely" because there are other factors such as PDB violations that play a role in the number of candidates shortlisted. Must be at least 0 nodes. Defaults to 100 nodes if unspecified.

InterPodAffinityArgs

InterPodAffinityArgs holds arguments used to configure the InterPodAffinity plugin.

FieldDescription
apiVersion
string
kubescheduler.config.k8s.io/v1beta1
kind
string
InterPodAffinityArgs
hardPodAffinityWeight [Required]
int32
HardPodAffinityWeight is the scoring weight for existing pods with a matching hard affinity to the incoming pod.

KubeSchedulerConfiguration

KubeSchedulerConfiguration configures a scheduler

FieldDescription
apiVersion
string
kubescheduler.config.k8s.io/v1beta1
kind
string
KubeSchedulerConfiguration
parallelism [Required]
int32
Parallelism defines the amount of parallelism in algorithms for scheduling Pods. Must be greater than 0. Defaults to 16.
leaderElection [Required]
LeaderElectionConfiguration
LeaderElection defines the configuration of leader election client.
clientConnection [Required]
ClientConnectionConfiguration
ClientConnection specifies the kubeconfig file and client connection settings for the scheduler to use when communicating with the apiserver.
healthzBindAddress [Required]
string
HealthzBindAddress is the IP address and port for the health check server to serve on, defaulting to 0.0.0.0:10251
metricsBindAddress [Required]
string
MetricsBindAddress is the IP address and port for the metrics server to serve on, defaulting to 0.0.0.0:10251.
DebuggingConfiguration [Required]
DebuggingConfiguration
(Members of DebuggingConfiguration are embedded into this type.) DebuggingConfiguration holds configuration for debugging-related features.
percentageOfNodesToScore [Required]
int32
PercentageOfNodesToScore is the percentage of all nodes that once found feasible for running a pod, the scheduler stops its search for more feasible nodes in the cluster. This helps improve scheduler's performance. Scheduler always tries to find at least "minFeasibleNodesToFind" feasible nodes no matter what the value of this flag is. Example: if the cluster size is 500 nodes and the value of this flag is 30, then scheduler stops finding further feasible nodes once it finds 150 feasible ones. When the value is 0, default percentage (5%--50% based on the size of the cluster) of the nodes will be scored.
podInitialBackoffSeconds [Required]
int64
PodInitialBackoffSeconds is the initial backoff for unschedulable pods. If specified, it must be greater than 0. If this value is null, the default value (1s) will be used.
podMaxBackoffSeconds [Required]
int64
PodMaxBackoffSeconds is the max backoff for unschedulable pods. If specified, it must be greater than podInitialBackoffSeconds. If this value is null, the default value (10s) will be used.
profiles [Required]
[]KubeSchedulerProfile
Profiles are scheduling profiles that kube-scheduler supports. Pods can choose to be scheduled under a particular profile by setting its associated scheduler name. Pods that don't specify any scheduler name are scheduled with the "default-scheduler" profile, if present here.
extenders [Required]
[]Extender
Extenders are the list of scheduler extenders, each holding the values of how to communicate with the extender. These extenders are shared by all scheduler profiles.

NodeAffinityArgs

NodeAffinityArgs holds arguments to configure the NodeAffinity plugin.

FieldDescription
apiVersion
string
kubescheduler.config.k8s.io/v1beta1
kind
string
NodeAffinityArgs
addedAffinity
core/v1.NodeAffinity
AddedAffinity is applied to all Pods additionally to the NodeAffinity specified in the PodSpec. That is, Nodes need to satisfy AddedAffinity AND .spec.NodeAffinity. AddedAffinity is empty by default (all Nodes match). When AddedAffinity is used, some Pods with affinity requirements that match a specific Node (such as Daemonset Pods) might remain unschedulable.

NodeLabelArgs

NodeLabelArgs holds arguments used to configure the NodeLabel plugin.

FieldDescription
apiVersion
string
kubescheduler.config.k8s.io/v1beta1
kind
string
NodeLabelArgs
presentLabels [Required]
[]string
PresentLabels should be present for the node to be considered a fit for hosting the pod
absentLabels [Required]
[]string
AbsentLabels should be absent for the node to be considered a fit for hosting the pod
presentLabelsPreference [Required]
[]string
Nodes that have labels in the list will get a higher score.
absentLabelsPreference [Required]
[]string
Nodes that don't have labels in the list will get a higher score.

NodeResourcesFitArgs

NodeResourcesFitArgs holds arguments used to configure the NodeResourcesFit plugin.

FieldDescription
apiVersion
string
kubescheduler.config.k8s.io/v1beta1
kind
string
NodeResourcesFitArgs
ignoredResources [Required]
[]string
IgnoredResources is the list of resources that NodeResources fit filter should ignore.
ignoredResourceGroups [Required]
[]string
IgnoredResourceGroups defines the list of resource groups that NodeResources fit filter should ignore. e.g. if group is ["example.com"], it will ignore all resource names that begin with "example.com", such as "example.com/aaa" and "example.com/bbb". A resource group name can't contain '/'.

NodeResourcesLeastAllocatedArgs

NodeResourcesLeastAllocatedArgs holds arguments used to configure NodeResourcesLeastAllocated plugin.

FieldDescription
apiVersion
string
kubescheduler.config.k8s.io/v1beta1
kind
string
NodeResourcesLeastAllocatedArgs
resources [Required]
[]ResourceSpec
Resources to be managed. If no resource is provided, the default resource set, with the weight of both "cpu" and "memory" set to "1", will be applied. A resource with weight "0" is not accounted for in the final score.

NodeResourcesMostAllocatedArgs

NodeResourcesMostAllocatedArgs holds arguments used to configure NodeResourcesMostAllocated plugin.

FieldDescription
apiVersion
string
kubescheduler.config.k8s.io/v1beta1
kind
string
NodeResourcesMostAllocatedArgs
resources [Required]
[]ResourceSpec
Resources to be managed. If no resource is provided, the default resource set, with the weight of both "cpu" and "memory" set to "1", will be applied. A resource with weight "0" is not accounted for in the final score.

PodTopologySpreadArgs

PodTopologySpreadArgs holds arguments used to configure the PodTopologySpread plugin.

FieldDescription
apiVersion
string
kubescheduler.config.k8s.io/v1beta1
kind
string
PodTopologySpreadArgs
defaultConstraints
[]core/v1.TopologySpreadConstraint
DefaultConstraints defines topology spread constraints to be applied to Pods that don't define any in `pod.spec.topologySpreadConstraints`. `.defaultConstraints[*].labelSelectors` must be empty, as they are deduced from the Pod's membership to Services, ReplicationControllers, ReplicaSets or StatefulSets. When not empty, .defaultingType must be "List".
defaultingType
PodTopologySpreadConstraintsDefaulting
DefaultingType determines how .defaultConstraints are deduced. Can be one of "System" or "List".
  • "System": Use kubernetes defined constraints that spread Pods among Nodes and Zones.
  • "List": Use constraints defined in .defaultConstraints.

Defaults to "List" if feature gate DefaultPodTopologySpread is disabled and to "System" if enabled.

RequestedToCapacityRatioArgs

RequestedToCapacityRatioArgs holds arguments used to configure RequestedToCapacityRatio plugin.

FieldDescription
apiVersion
string
kubescheduler.config.k8s.io/v1beta1
kind
string
RequestedToCapacityRatioArgs
shape [Required]
[]UtilizationShapePoint
Points defining priority function shape
resources [Required]
[]ResourceSpec
Resources to be managed

ServiceAffinityArgs

ServiceAffinityArgs holds arguments used to configure the ServiceAffinity plugin.

FieldDescription
apiVersion
string
kubescheduler.config.k8s.io/v1beta1
kind
string
ServiceAffinityArgs
affinityLabels [Required]
[]string
AffinityLabels are homogeneous for pods that are scheduled to a node. (i.e. it returns true IFF this pod can be added to this node such that all other pods in the same service are running on nodes with the exact same values for Labels).
antiAffinityLabelsPreference [Required]
[]string
AntiAffinityLabelsPreference are the labels to consider for service anti affinity scoring.

VolumeBindingArgs

VolumeBindingArgs holds arguments used to configure the VolumeBinding plugin.

FieldDescription
apiVersion
string
kubescheduler.config.k8s.io/v1beta1
kind
string
VolumeBindingArgs
bindTimeoutSeconds [Required]
int64
BindTimeoutSeconds is the timeout in seconds in volume binding operation. Value must be non-negative integer. The value zero indicates no waiting. If this value is nil, the default value (600) will be used.

Extender

Appears in:

Extender holds the parameters used to communicate with the extender. If a verb is unspecified/empty, it is assumed that the extender chose not to provide that extension.

FieldDescription
urlPrefix [Required]
string
URLPrefix at which the extender is available
filterVerb [Required]
string
Verb for the filter call, empty if not supported. This verb is appended to the URLPrefix when issuing the filter call to extender.
preemptVerb [Required]
string
Verb for the preempt call, empty if not supported. This verb is appended to the URLPrefix when issuing the preempt call to extender.
prioritizeVerb [Required]
string
Verb for the prioritize call, empty if not supported. This verb is appended to the URLPrefix when issuing the prioritize call to extender.
weight [Required]
int64
The numeric multiplier for the node scores that the prioritize call generates. The weight should be a positive integer
bindVerb [Required]
string
Verb for the bind call, empty if not supported. This verb is appended to the URLPrefix when issuing the bind call to extender. If this method is implemented by the extender, it is the extender's responsibility to bind the pod to apiserver. Only one extender can implement this function.
enableHTTPS [Required]
bool
EnableHTTPS specifies whether https should be used to communicate with the extender
tlsConfig [Required]
ExtenderTLSConfig
TLSConfig specifies the transport layer security config
httpTimeout [Required]
meta/v1.Duration
HTTPTimeout specifies the timeout duration for a call to the extender. Filter timeout fails the scheduling of the pod. Prioritize timeout is ignored, k8s/other extenders priorities are used to select the node.
nodeCacheCapable [Required]
bool
NodeCacheCapable specifies that the extender is capable of caching node information, so the scheduler should only send minimal information about the eligible nodes assuming that the extender already cached full details of all nodes in the cluster
managedResources
[]ExtenderManagedResource
ManagedResources is a list of extended resources that are managed by this extender. - A pod will be sent to the extender on the Filter, Prioritize and Bind (if the extender is the binder) phases iff the pod requests at least one of the extended resources in this list. If empty or unspecified, all pods will be sent to this extender. - If IgnoredByScheduler is set to true for a resource, kube-scheduler will skip checking the resource in predicates.
ignorable [Required]
bool
Ignorable specifies if the extender is ignorable, i.e. scheduling should not fail when the extender returns an error or is not reachable.
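The extender is a network hop inside the scheduling decision: whatever answers at urlPrefix decides which nodes pass the filter and how they are scored, so the transport fields above form a trust boundary rather than mere plumbing. The KubeSchedulerConfiguration fragment below is an added example, not taken from this page or from the kube-scheduler project; it places a plaintext configuration (as a comment) beside a hardened one. The extender URL, the certificate and key paths and the example.com/gpu resource name are assumptions; the keys under tlsConfig are those of ExtenderTLSConfig.

```yaml
apiVersion: kubescheduler.config.k8s.io/v1beta1
kind: KubeSchedulerConfiguration
extenders:
# Weak (kept as a comment for comparison): plaintext HTTP, so anyone on the
# path between kube-scheduler and the extender can rewrite filter and
# prioritize results and choose where every matching Pod runs.
#
# - urlPrefix: "http://gpu-extender.kube-system.svc:8080/scheduler"
#   filterVerb: "filter"
#   prioritizeVerb: "prioritize"
#   weight: 1
#   enableHTTPS: false
#   ignorable: true     # errors are skipped, so the filter silently stops applying
#
# Hardened: HTTPS against a pinned CA, a client certificate so the extender can
# authenticate the scheduler, a short timeout, and hard failure on errors.
- urlPrefix: "https://gpu-extender.kube-system.svc:8443/scheduler"   # assumed extender
  filterVerb: "filter"
  prioritizeVerb: "prioritize"
  weight: 1
  enableHTTPS: true
  tlsConfig:
    insecure: false                                  # never true outside tests
    serverName: "gpu-extender.kube-system.svc"       # name the server certificate is checked against
    caFile: "/etc/kubernetes/pki/extender-ca.crt"    # assumed paths
    certFile: "/etc/kubernetes/pki/scheduler-extender-client.crt"
    keyFile: "/etc/kubernetes/pki/scheduler-extender-client.key"
  httpTimeout: 5s          # a filter timeout fails that Pod's scheduling attempt
  nodeCacheCapable: true   # send only node names; the extender keeps its own node cache
  managedResources:
  - name: "example.com/gpu"      # assumed extended resource
    ignoredByScheduler: true     # kube-scheduler leaves this resource's fit check to the extender
  ignorable: false               # an unreachable extender fails scheduling instead of being skipped
```

Because managedResources is set, only Pods that request example.com/gpu are sent to this extender; drop the list to route every Pod through it. The same block applies to the LegacyExtender of the Policy API later on this page, where the HTTPS switch is spelled enableHttps.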

KubeSchedulerProfile

Appears in:

KubeSchedulerProfile is a scheduling profile.

FieldDescription
schedulerName [Required]
string
SchedulerName is the name of the scheduler associated to this profile. If SchedulerName matches with the pod's "spec.schedulerName", then the pod is scheduled with this profile.
plugins [Required]
Plugins
Plugins specify the set of plugins that should be enabled or disabled. Enabled plugins are the ones that should be enabled in addition to the default plugins. Disabled plugins are any of the default plugins that should be disabled. When no enabled or disabled plugin is specified for an extension point, default plugins for that extension point will be used if there is any. If a QueueSort plugin is specified, the same QueueSort Plugin and PluginConfig must be specified for all profiles.
pluginConfig [Required]
[]PluginConfig
PluginConfig is an optional set of custom plugin arguments for each plugin. Omitting config args for a plugin is equivalent to using the default config for that plugin.

Plugin

Appears in:

Plugin specifies a plugin name and its weight when applicable. Weight is used only for Score plugins.

FieldDescription
name [Required]
string
Name defines the name of plugin
weight [Required]
int32
Weight defines the weight of plugin, only used for Score plugins.

PluginConfig

Appears in:

PluginConfig specifies arguments that should be passed to a plugin at the time of initialization. A plugin that is invoked at multiple extension points is initialized once. Args can have arbitrary structure. It is up to the plugin to process these Args.

FieldDescription
name [Required]
string
Name defines the name of plugin being configured
args [Required]
k8s.io/apimachinery/pkg/runtime.RawExtension
Args defines the arguments passed to the plugins at the time of initialization. Args can have arbitrary structure.

PluginSet

Appears in:

PluginSet specifies enabled and disabled plugins for an extension point. If an array is empty, missing, or nil, default plugins at that extension point will be used.

FieldDescription
enabled [Required]
[]Plugin
Enabled specifies plugins that should be enabled in addition to default plugins. These are called after default plugins and in the same order specified here.
disabled [Required]
[]Plugin
Disabled specifies default plugins that should be disabled. When all default plugins need to be disabled, an array containing only one "*" should be provided.

Plugins

Appears in:

Plugins include multiple extension points. When specified, the list of plugins for a particular extension point are the only ones enabled. If an extension point is omitted from the config, then the default set of plugins is used for that extension point. Enabled plugins are called in the order specified here, after default plugins. If they need to be invoked before default plugins, default plugins must be disabled and re-enabled here in desired order.

FieldDescription
queueSort [Required]
PluginSet
QueueSort is a list of plugins that should be invoked when sorting pods in the scheduling queue.
preFilter [Required]
PluginSet
PreFilter is a list of plugins that should be invoked at "PreFilter" extension point of the scheduling framework.
filter [Required]
PluginSet
Filter is a list of plugins that should be invoked when filtering out nodes that cannot run the Pod.
postFilter [Required]
PluginSet
PostFilter is a list of plugins that are invoked after filtering phase, no matter whether filtering succeeds or not.
preScore [Required]
PluginSet
PreScore is a list of plugins that are invoked before scoring.
score [Required]
PluginSet
Score is a list of plugins that should be invoked when ranking nodes that have passed the filtering phase.
reserve [Required]
PluginSet
Reserve is a list of plugins invoked when reserving/unreserving resources after a node is assigned to run the pod.
permit [Required]
PluginSet
Permit is a list of plugins that control binding of a Pod. These plugins can prevent or delay binding of a Pod.
preBind [Required]
PluginSet
PreBind is a list of plugins that should be invoked before a pod is bound.
bind [Required]
PluginSet
Bind is a list of plugins that should be invoked at the "Bind" extension point of the scheduling framework. The scheduler calls these plugins in order and skips the rest as soon as one returns success.
postBind [Required]
PluginSet
PostBind is a list of plugins that should be invoked after a pod is successfully bound.
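Putting KubeSchedulerConfiguration, KubeSchedulerProfile, Plugins, PluginSet and PluginConfig together, the file below is a complete scheduler configuration. It is an added example, not code from this page or from kube-scheduler. It keeps the default profile, adds a second profile that swaps the default spreading scorer for bin-packing and pins its Pods to one node pool, and moves the health and metrics listeners off the 0.0.0.0 default, since that port serves /healthz and /metrics without authentication. The profile name bin-packing, the kubeconfig path and the example.com/pool label are assumptions; clientConnection.kubeconfig and enableProfiling are fields of the embedded ClientConnectionConfiguration and DebuggingConfiguration types, which this page references but does not list.

```yaml
apiVersion: kubescheduler.config.k8s.io/v1beta1
kind: KubeSchedulerConfiguration
# healthzBindAddress and metricsBindAddress default to 0.0.0.0:10251, i.e. every
# interface. Bind them to loopback and turn off the pprof handler that
# enableProfiling would otherwise expose on the same server.
healthzBindAddress: 127.0.0.1:10251
metricsBindAddress: 127.0.0.1:10251
enableProfiling: false            # embedded DebuggingConfiguration field (not listed on this page)
clientConnection:
  kubeconfig: /etc/kubernetes/scheduler.conf   # assumed path; ClientConnectionConfiguration field
parallelism: 16
percentageOfNodesToScore: 50      # stop searching once 50% of nodes are found feasible
podInitialBackoffSeconds: 1
podMaxBackoffSeconds: 10
profiles:
# Profile 1: the default profile. Pods without spec.schedulerName land here.
# Only the preemption dry-run budget is tuned; all default plugins stay enabled.
- schedulerName: default-scheduler
  pluginConfig:
  - name: DefaultPreemption
    args:
      minCandidateNodesPercentage: 10
      minCandidateNodesAbsolute: 100
# Profile 2 (assumed name): selected by spec.schedulerName: bin-packing.
# Swaps the spreading scorer for a packing one and confines Pods to one pool.
- schedulerName: bin-packing
  plugins:
    score:
      disabled:
      - name: NodeResourcesLeastAllocated   # default scorer that spreads load
      enabled:
      - name: NodeResourcesMostAllocated    # runs after the remaining default score plugins
        weight: 2
  pluginConfig:
  - name: NodeResourcesMostAllocated
    args:
      resources:
      - name: cpu
        weight: 1
      - name: memory
        weight: 1
  - name: NodeResourcesFit
    args:
      ignoredResourceGroups:
      - example.com     # fit checks skip example.com/* extended resources (assumed group)
  - name: NodeAffinity
    args:
      # ANDed with each Pod's own .spec.affinity.nodeAffinity
      addedAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          nodeSelectorTerms:
          - matchExpressions:
            - key: example.com/pool     # assumed node label
              operator: In
              values:
              - batch
```

Two details follow from the type descriptions above: enabled plugins run after the remaining default plugins, so for NodeResourcesMostAllocated only its weight matters, not its position; and because neither profile touches queueSort, both inherit the same default QueueSort plugin, which satisfies the KubeSchedulerProfile requirement that QueueSort be identical across profiles. The addedAffinity also means Pods in the bin-packing profile that target a node outside the batch pool (a DaemonSet Pod, for instance) stay unschedulable, as the NodeAffinityArgs description warns.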

PodTopologySpreadConstraintsDefaulting

(Alias of string)

Appears in:

PodTopologySpreadConstraintsDefaulting defines how to set default constraints for the PodTopologySpread plugin.

ResourceSpec

Appears in:

ResourceSpec represents a single resource and its weight for the bin-packing priority RequestedToCapacityRatioArguments.

FieldDescription
name [Required]
string
Name of the resource to be managed by RequestedToCapacityRatio function.
weight [Required]
int64
Weight of the resource.

UtilizationShapePoint

Appears in:

UtilizationShapePoint represents a single point of the priority function shape.

FieldDescription
utilization [Required]
int32
Utilization (x axis). Valid values are 0 to 100. Fully utilized node maps to 100.
score [Required]
int32
Score assigned to given utilization (y axis). Valid values are 0 to 10.

5 - kube-scheduler Policy Configuration (v1)

Resource Types

Policy

Policy describes a struct for a policy resource used in api.

FieldDescription
apiVersion
string
kubescheduler.config.k8s.io/v1
kind
string
Policy
predicates [Required]
[]PredicatePolicy
Holds the information to configure the fit predicate functions
priorities [Required]
[]PriorityPolicy
Holds the information to configure the priority functions
extenders [Required]
[]LegacyExtender
Holds the information to communicate with the extender(s)
hardPodAffinitySymmetricWeight [Required]
int32
RequiredDuringScheduling affinity is not symmetric, but there is an implicit PreferredDuringScheduling affinity rule corresponding to every RequiredDuringScheduling affinity rule. HardPodAffinitySymmetricWeight represents the weight of implicit PreferredDuringScheduling affinity rule, in the range 1-100.
alwaysCheckAllPredicates [Required]
bool
When AlwaysCheckAllPredicates is set to true, scheduler checks all the configured predicates even after one or more of them fails. When the flag is set to false, scheduler skips checking the rest of the predicates after it finds one predicate that failed.

ExtenderManagedResource

Appears in:

ExtenderManagedResource describes the arguments of extended resources managed by an extender.

FieldDescription
name [Required]
string
Name is the extended resource name.
ignoredByScheduler [Required]
bool
IgnoredByScheduler indicates whether kube-scheduler should ignore this resource when applying predicates.

ExtenderTLSConfig

Appears in:

ExtenderTLSConfig contains settings to enable TLS with extender

FieldDescription
insecure [Required]
bool
Server should be accessed without verifying the TLS certificate. For testing only.
serverName [Required]
string
ServerName is passed to the server for SNI and is used in the client to check server certificates against. If ServerName is empty, the hostname used to contact the server is used.
certFile [Required]
string
Path to a PEM-encoded client certificate, used when the server requires TLS client certificate authentication.
keyFile [Required]
string
Path to the PEM-encoded private key for CertFile, used when the server requires TLS client certificate authentication.
caFile [Required]
string
Trusted root certificates for server
certData [Required]
[]byte
CertData holds PEM-encoded bytes (typically read from a client certificate file). CertData takes precedence over CertFile
keyData [Required]
[]byte
KeyData holds PEM-encoded bytes (typically read from a client certificate key file). KeyData takes precedence over KeyFile
caData [Required]
[]byte
CAData holds PEM-encoded bytes (typically read from a root certificates bundle). CAData takes precedence over CAFile

LabelPreference

Appears in:

LabelPreference holds the parameters that are used to configure the corresponding priority function

FieldDescription
label [Required]
string
Used to identify node "groups"
presence [Required]
bool
This is a boolean flag. If true, higher priority is given to nodes that have the label; if false, higher priority is given to nodes that do not have the label.

LabelsPresence

Appears in:

LabelsPresence holds the parameters that are used to configure the corresponding predicate in scheduler policy configuration.

FieldDescription
labels [Required]
[]string
The list of labels that identify node "groups". All of the labels should be either present (or absent) for the node to be considered a fit for hosting the pod.
presence [Required]
bool
The boolean flag that indicates whether the labels should be present or absent from the node

LegacyExtender

Appears in:

LegacyExtender holds the parameters used to communicate with the extender. If a verb is unspecified/empty, it is assumed that the extender chose not to provide that extension.

FieldDescription
urlPrefix [Required]
string
URLPrefix at which the extender is available
filterVerb [Required]
string
Verb for the filter call, empty if not supported. This verb is appended to the URLPrefix when issuing the filter call to extender.
preemptVerb [Required]
string
Verb for the preempt call, empty if not supported. This verb is appended to the URLPrefix when issuing the preempt call to extender.
prioritizeVerb [Required]
string
Verb for the prioritize call, empty if not supported. This verb is appended to the URLPrefix when issuing the prioritize call to extender.
weight [Required]
int64
The numeric multiplier for the node scores that the prioritize call generates. The weight should be a positive integer
bindVerb [Required]
string
Verb for the bind call, empty if not supported. This verb is appended to the URLPrefix when issuing the bind call to extender. If this method is implemented by the extender, it is the extender's responsibility to bind the pod to apiserver. Only one extender can implement this function.
enableHttps [Required]
bool
EnableHTTPS specifies whether https should be used to communicate with the extender
tlsConfig [Required]
ExtenderTLSConfig
TLSConfig specifies the transport layer security config
httpTimeout [Required]
time.Duration
HTTPTimeout specifies the timeout duration for a call to the extender. Filter timeout fails the scheduling of the pod. Prioritize timeout is ignored, k8s/other extenders priorities are used to select the node.
nodeCacheCapable [Required]
bool
NodeCacheCapable specifies that the extender is capable of caching node information, so the scheduler should only send minimal information about the eligible nodes assuming that the extender already cached full details of all nodes in the cluster
managedResources
[]ExtenderManagedResource
ManagedResources is a list of extended resources that are managed by this extender. - A pod will be sent to the extender on the Filter, Prioritize and Bind (if the extender is the binder) phases iff the pod requests at least one of the extended resources in this list. If empty or unspecified, all pods will be sent to this extender. - If IgnoredByScheduler is set to true for a resource, kube-scheduler will skip checking the resource in predicates.
ignorable [Required]
bool
Ignorable specifies if the extender is ignorable, i.e. scheduling should not fail when the extender returns an error or is not reachable.

PredicateArgument

Appears in:

PredicateArgument represents the arguments to configure predicate functions in scheduler policy configuration. Only one of its members may be specified

FieldDescription
serviceAffinity [Required]
ServiceAffinity
The predicate that provides affinity for pods belonging to a service. It uses a label to identify nodes that belong to the same "group".
labelsPresence [Required]
LabelsPresence
The predicate that checks whether a particular node has a certain label defined or not, regardless of value.

PredicatePolicy

Appears in:

PredicatePolicy describes a struct of a predicate policy.

FieldDescription
name [Required]
string
Identifier of the predicate policy. For a custom predicate, the name can be user-defined; for the Kubernetes provided predicates, the name is the identifier of the pre-defined predicate.
argument [Required]
PredicateArgument
Holds the parameters to configure the given predicate

PriorityArgument

Appears in:

PriorityArgument represents the arguments to configure priority functions in scheduler policy configuration. Only one of its members may be specified

FieldDescription
serviceAntiAffinity [Required]
ServiceAntiAffinity
The priority function that ensures a good spread (anti-affinity) for pods belonging to a service. It uses a label to identify nodes that belong to the same "group".
labelPreference [Required]
LabelPreference
The priority function that checks whether a particular node has a certain label defined or not, regardless of value.
requestedToCapacityRatioArguments [Required]
RequestedToCapacityRatioArguments
The RequestedToCapacityRatio priority function is parametrized with function shape.

PriorityPolicy

Appears in:

PriorityPolicy describes a struct of a priority policy.

FieldDescription
name [Required]
string
Identifier of the priority policy. For a custom priority, the name can be user-defined; for the Kubernetes provided priority functions, the name is the identifier of the pre-defined priority function.
weight [Required]
int64
The numeric multiplier for the node scores that the priority function generates. The weight should be non-zero and can be a positive or a negative integer.
argument [Required]
PriorityArgument
Holds the parameters to configure the given priority function

RequestedToCapacityRatioArguments

Appears in:

RequestedToCapacityRatioArguments holds arguments specific to RequestedToCapacityRatio priority function.

FieldDescription
shape [Required]
[]UtilizationShapePoint
Array of points defining the priority function shape.
resources [Required]
[]ResourceSpec
No description provided.

ResourceSpec

Appears in:

ResourceSpec represents a single resource and its weight for the bin-packing priority RequestedToCapacityRatioArguments.

FieldDescription
name [Required]
string
Name of the resource to be managed by RequestedToCapacityRatio function.
weight [Required]
int64
Weight of the resource.

ServiceAffinity

Appears in:

ServiceAffinity holds the parameters that are used to configure the corresponding predicate in scheduler policy configuration.

FieldDescription
labels [Required]
[]string
The list of labels that identify node "groups". All of the labels should match for the node to be considered a fit for hosting the pod.

ServiceAntiAffinity

Appears in:

ServiceAntiAffinity holds the parameters that are used to configure the corresponding priority function

FieldDescription
label [Required]
string
Used to identify node "groups"

UtilizationShapePoint

Appears in:

UtilizationShapePoint represents a single point of the priority function shape.

FieldDescription
utilization [Required]
int32
Utilization (x axis). Valid values are 0 to 100. Fully utilized node maps to 100.
score [Required]
int32
Score assigned to given utilization (y axis). Valid values are 0 to 10.

6 - kubeadm Configuration (v1beta3)

Overview

Package v1beta3 defines the v1beta3 version of the kubeadm configuration file format. This version improves on the v1beta2 format by fixing some minor issues and adding a few new fields.

A list of changes since v1beta2:

  • The deprecated field "ClusterConfiguration.useHyperKubeImage" is now removed. kubeadm no longer supports the hyperkube image.
  • The "ClusterConfiguration.dns.type" field is removed, since CoreDNS is the only DNS server type supported by kubeadm.
  • Fields that hold secrets now carry a "datapolicy" tag, which causes the values of those fields to be omitted when the API structs are printed with klog.
  • "InitConfiguration.skipPhases" and "JoinConfiguration.skipPhases" were added to allow skipping certain phases during kubeadm init/join.
  • "InitConfiguration.nodeRegistration.imagePullPolicy" and "JoinConfiguration.nodeRegistration.imagePullPolicy" were added to allow specifying the image pull policy during kubeadm init and kubeadm join. The value of these fields must be one of "Always", "Never" or "IfNotPresent". The default is "IfNotPresent", which was also the behaviour before the field was added.
  • "InitConfiguration.patches.directory" and "JoinConfiguration.patches.directory" were added to allow the user to configure a directory from which kubeadm takes patches for components.
  • The BootstrapToken* API and related utilities were moved out of the "kubeadm" API group into a new "bootstraptoken" group. The kubeadm API version v1beta3 no longer contains the BootstrapToken* structures.

Migrating from older kubeadm configuration versions:

  • kubeadm v1.15.x and newer can be used to migrate from v1beta1 to v1beta2;
  • kubeadm v1.22.x and newer no longer support v1beta1 and older APIs, but can be used to migrate from v1beta2 to v1beta3.

Basics

The recommended way to configure kubeadm is to pass it a YAML configuration file with the --config option. Some of the configuration options defined in the kubeadm configuration file are also available as command-line flags, but only the most common and simplest use cases are supported that way.

A kubeadm configuration file can contain multiple configuration types separated by three dashes (---).

kubeadm supports the following configuration types:

    apiVersion: kubeadm.k8s.io/v1beta3
    kind: InitConfiguration
    
    apiVersion: kubeadm.k8s.io/v1beta3
    kind: ClusterConfiguration
    
    apiVersion: kubelet.config.k8s.io/v1beta1
    kind: KubeletConfiguration
    
    apiVersion: kubeproxy.config.k8s.io/v1alpha1
    kind: KubeProxyConfiguration
    
    apiVersion: kubeadm.k8s.io/v1beta3
    kind: JoinConfiguration
    

To print the default values for the "init" and "join" actions, use the following commands:

    kubeadm config print init-defaults
    kubeadm config print join-defaults
    

The list of configuration types that must be included in the configuration file depends on the action you are performing (init or join) and on the configuration options you are going to use (defaults or advanced customization).

If a configuration type is not provided, or is provided only partially, kubeadm uses default values; the defaults provided by kubeadm also enforce consistency across components where necessary (e.g. the --cluster-cidr flag on the controller manager and clusterCIDR on kube-proxy).

Users are always free to override default values, with the exception of a small subset of settings related to security (e.g. enforcing the Node and RBAC authorization modes on the API server).

If the user provides a configuration type that is not expected for the action you are performing, kubeadm ignores that type and prints a warning.

kubeadm init configuration types

When executing kubeadm init with the --config option, the following configuration types can be used: `InitConfiguration`, `ClusterConfiguration`, `KubeProxyConfiguration`, `KubeletConfiguration`, but only one of `InitConfiguration` and `ClusterConfiguration` is mandatory.

    apiVersion: kubeadm.k8s.io/v1beta3
    kind: InitConfiguration
    bootstrapTokens:
      ...
    nodeRegistration:
      ...
    

The InitConfiguration type is used to configure runtime settings, which in the case of kubeadm init include the bootstrap token and all the settings specific to the node where kubeadm is executed, including:

  • nodeRegistration: holds the fields that relate to registering the new node to the cluster; use it to customize the node name, the CRI socket to use, or any other settings that should apply to this node only (e.g. the node IP).
  • localAPIEndpoint: represents the endpoint of the API server instance to be deployed on this node; use it, for example, to customize the API server advertise address.

    apiVersion: kubeadm.k8s.io/v1beta3
    kind: ClusterConfiguration
    networking:
      ...
    etcd:
      ...
    apiServer:
      extraArgs:
        ...
      extraVolumes:
        ...
    ...
    

The `ClusterConfiguration` type is used to configure cluster-wide settings, including:

  • networking: holds the configuration for the networking topology of the cluster; use it, for example, to customize the Pod subnet or the Service subnet.
  • etcd: the configuration of the etcd database; use it, for example, to customize the local etcd or to configure the API server to use an external etcd cluster.
  • kube-apiserver, kube-scheduler and kube-controller-manager configurations: these sections let you customize control plane components by adding custom settings or overriding kubeadm defaults.

    apiVersion: kubeproxy.config.k8s.io/v1alpha1
    kind: KubeProxyConfiguration
      ...
    

The KubeProxyConfiguration type is used to change the configuration passed to the kube-proxy instances deployed in the cluster. If this object is not provided, or is provided only partially, kubeadm applies defaults.

For the official documentation of kube-proxy, see https://kubernetes.io/zh/docs/reference/command-line-tools-reference/kube-proxy/ or https://godoc.org/k8s.io/kube-proxy/config/v1alpha1#KubeProxyConfiguration.

    apiVersion: kubelet.config.k8s.io/v1beta1
    kind: KubeletConfiguration
      ...
    

The KubeletConfiguration type is used to change the configuration passed to the kubelet instances deployed in the cluster. If this object is not provided, or is provided only partially, kubeadm applies defaults.

For the official documentation of the kubelet, see https://kubernetes.io/zh/docs/reference/command-line-tools-reference/kubelet/ or https://godoc.org/k8s.io/kubelet/config/v1beta1#KubeletConfiguration.

Here is a single YAML file containing multiple configuration types to be used for kubeadm init, with many sections filled in.

    apiVersion: kubeadm.k8s.io/v1beta3
    kind: InitConfiguration
    bootstrapTokens:
    - token: "9a08jv.c0izixklcxtmnze7"
      description: "kubeadm bootstrap token"
      ttl: "24h"
    - token: "783bde.3f89s0fje9f38fhf"
      description: "another bootstrap token"
      usages:
      - authentication
      - signing
      groups:
      - system:bootstrappers:kubeadm:default-node-token
    nodeRegistration:
      name: "ec2-10-100-0-1"
      criSocket: "/var/run/dockershim.sock"
      taints:
      - key: "kubeadmNode"
        value: "master"
        effect: "NoSchedule"
      kubeletExtraArgs:
        v: 4
      ignorePreflightErrors:
      - IsPrivilegedUser
      imagePullPolicy: "IfNotPresent"
    localAPIEndpoint:
      advertiseAddress: "10.100.0.1"
      bindPort: 6443
    certificateKey: "e6a2eb8581237ab72a4f494f30285ec12a9694d750b9785706a83bfcbbbd2204"
    skipPhases:
    - addon/kube-proxy
    ---
    apiVersion: kubeadm.k8s.io/v1beta3
    kind: ClusterConfiguration
    etcd:
      # one of local or external
      local:
        imageRepository: "k8s.gcr.io"
        imageTag: "3.2.24"
        dataDir: "/var/lib/etcd"
        extraArgs:
          listen-client-urls: "http://10.100.0.1:2379"
        serverCertSANs:
        -  "ec2-10-100-0-1.compute-1.amazonaws.com"
        peerCertSANs:
        - "10.100.0.1"
      # external:
        # endpoints:
        # - "10.100.0.1:2379"
        # - "10.100.0.2:2379"
        # caFile: "/etcd/kubernetes/pki/etcd/etcd-ca.crt"
        # certFile: "/etcd/kubernetes/pki/etcd/etcd.crt"
        # keyFile: "/etcd/kubernetes/pki/etcd/etcd.key"
    networking:
      serviceSubnet: "10.96.0.0/16"
      podSubnet: "10.244.0.0/24"
      dnsDomain: "cluster.local"
    kubernetesVersion: "v1.21.0"
    controlPlaneEndpoint: "10.100.0.1:6443"
    apiServer:
      extraArgs:
        authorization-mode: "Node,RBAC"
      extraVolumes:
      - name: "some-volume"
        hostPath: "/etc/some-path"
        mountPath: "/etc/some-pod-path"
        readOnly: false
        pathType: File
      certSANs:
      - "10.100.1.1"
      - "ec2-10-100-0-1.compute-1.amazonaws.com"
      timeoutForControlPlane: 4m0s
    controllerManager:
      extraArgs:
        "node-cidr-mask-size": "20"
      extraVolumes:
      - name: "some-volume"
        hostPath: "/etc/some-path"
        mountPath: "/etc/some-pod-path"
        readOnly: false
        pathType: File
    scheduler:
      extraArgs:
        address: "10.100.0.1"
      extraVolumes:
      - name: "some-volume"
        hostPath: "/etc/some-path"
        mountPath: "/etc/some-pod-path"
        readOnly: false
        pathType: File
    certificatesDir: "/etc/kubernetes/pki"
    imageRepository: "k8s.gcr.io"
    clusterName: "example-cluster"
    ---
    apiVersion: kubelet.config.k8s.io/v1beta1
    kind: KubeletConfiguration
    # kubelet specific options here
    ---
    apiVersion: kubeproxy.config.k8s.io/v1alpha1
    kind: KubeProxyConfiguration
    # kube-proxy specific options here
    

    kubeadm join configuration types

    When executing kubeadm join with the --config option, the JoinConfiguration type must be provided.

    apiVersion: kubeadm.k8s.io/v1beta3
    kind: JoinConfiguration
      ...
    

    The JoinConfiguration type is used to configure runtime settings; for kubeadm join these are the discovery method used to access cluster information and all the settings specific to the node on which kubeadm is executed, including:

    • nodeRegistration: contains the fields related to registering the new node with the cluster; this type can be used to customize the node name, the CRI socket to use, and all other settings that apply only to the current node (for example the node IP address).
    • apiEndpoint: represents the endpoint of the API server instance that will eventually be deployed on this node.

    Resource Types

    ClusterConfiguration

    ClusterConfiguration contains cluster-wide configuration for a kubeadm cluster.

    FieldDescription
    apiVersion
    string
    kubeadm.k8s.io/v1beta3
    kind
    string
    ClusterConfiguration
    etcd
    Etcd

    etcd holds the configuration for the etcd service.

    networking
    Networking
    networking holds the configuration for the networking topology of the cluster.
    kubernetesVersion
    string

    kubernetesVersion is the target version of the control plane.

    controlPlaneEndpoint
    string

    controlPlaneEndpoint sets a stable IP address or DNS name for the control plane. The value can be a valid IP address or an RFC-1123 DNS subdomain, both of which may carry an optional TCP port. If controlPlaneEndpoint is not set, advertiseAddress + bindPort are used. If controlPlaneEndpoint is set but no TCP port is specified, bindPort is used.

    Possible usages are:

    • In a cluster with more than one control plane instance, this field should be set to the address of the external load balancer placed in front of the control plane instances.
    • In environments with enforced node recycling, controlPlaneEndpoint can be used to assign a stable DNS name to the control plane.
    apiServer
    APIServer

    apiServer contains extra settings for the API server.

    controllerManager
    ControlPlaneComponent

    controllerManager contains extra settings for the controller manager.

    scheduler
    ControlPlaneComponent

    scheduler contains extra settings for the scheduler.

    dns
    DNS

    dns defines the options for the DNS add-on installed in the cluster.

    certificatesDir
    string

    certificatesDir specifies where to store or look for all required certificates.

    imageRepository
    string

    imageRepository sets the container registry to pull images from. If empty, k8s.gcr.io is used by default. When Kubernetes is used for CI builds (the Kubernetes version starts with ci/), gcr.io/k8s-staging-ci-images is used by default to pull control plane component images, and k8s.gcr.io for all other images.

    featureGates
    map[string]bool

    featureGates contains the feature gates enabled by the user.

    clusterName
    string

    The cluster name.
    InitConfiguration

    InitConfiguration contains a list of runtime elements specific to "kubeadm init". These fields are used only the first time kubeadm init runs. Afterwards, the information in this struct is not uploaded to the kubeadm-config ConfigMap that is used by kubeadm upgrade. These fields must be set with "omitempty".

    FieldDescription
    apiVersion
    string
    kubeadm.k8s.io/v1beta3
    kind
    string
    InitConfiguration
    bootstrapTokens
    []BootstrapToken

    bootstrapTokens is used when kubeadm init runs and describes a set of bootstrap tokens to create. This information is not uploaded to the ConfigMap that kubeadm stores in the cluster, partly because the information itself is sensitive.

    nodeRegistration
    NodeRegistrationOptions

    nodeRegistration holds fields that relate to registering the new control plane node with the cluster.

    localAPIEndpoint
    APIEndpoint

    localAPIEndpoint represents the endpoint of the API server instance to be deployed on this control plane node. In an HA setup this differs from ClusterConfiguration.controlPlaneEndpoint, which represents the global endpoint for the whole cluster; requests to that endpoint are load balanced to each API server. This configuration object lets you customize the IP/DNS name and port that the local API server advertises as reachable. By default kubeadm tries to auto-detect the IP of the default interface and uses that address, but if that detection fails you can set the desired value directly in this field.

    certificateKey
    string

    certificateKey sets the key used to encrypt the keys and certificates that the uploadcerts init phase uploads to a Secret in the cluster.

    skipPhases
    []string

    skipPhases is a list of phases to skip during command execution. The list of phases can be obtained with kubeadm init --help. The flag "--skip-phases" takes precedence over this field.

    patches
    Patches

    patches contains options related to applying patches to components deployed by kubeadm during the kubeadm init phase.

    JoinConfiguration

    JoinConfiguration contains elements describing a particular node.

    FieldDescription
    apiVersion
    string
    kubeadm.k8s.io/v1beta3
    kind
    string
    JoinConfiguration
    nodeRegistration
    NodeRegistrationOptions

    nodeRegistration holds fields that relate to registering the control plane node with the cluster.

    caCertPath
    string

    caCertPath is the path to the SSL certificate authority used to secure communications between the node and the control plane. Defaults to "/etc/kubernetes/pki/ca.crt".

    discovery [Required]
    Discovery

    discovery specifies the options used by the kubelet during TLS bootstrapping.

    controlPlane
    JoinControlPlane

    controlPlane defines the additional control plane instance to be deployed on the node that is joining the cluster. If this field is null, no additional control plane instance is deployed on it.

    skipPhases
    []string

    skipPhases is a list of phases to skip during command execution. The list of phases can be obtained with kubeadm join --help. The flag --skip-phases takes precedence over this field.

    patches
    Patches

    patches contains options related to applying patches to components deployed by kubeadm during the kubeadm join phase.

    APIEndpoint

    Appears in:

    APIEndpoint struct contains elements of the API server instance deployed on a node.

    FieldDescription
    advertiseAddress
    string

    advertiseAddress sets the IP address for the API server to advertise.

    bindPort
    int32

    bindPort sets the secure port for the API server to bind to. Defaults to 6443.

    APIServer

    Appears in:

    APIServer holds settings necessary for the API server deployment in the cluster.

    FieldDescription
    ControlPlaneComponent [Required]
    ControlPlaneComponent
    (Members of ControlPlaneComponent are embedded into this type.) No description provided.
    certSANs
    []string

    certSANs sets extra Subject Alternative Names (SANs) for the API server signing certificate.

    timeoutForControlPlane
    meta/v1.Duration

    timeoutForControlPlane controls the timeout that we wait for the API server to appear.

    BootstrapTokenDiscovery

    Appears in:

    BootstrapTokenDiscovery is used to set the options for bootstrap-token-based discovery.

    FieldDescription
    token [Required]
    string

    token is a token used to validate the cluster information fetched from the control plane.

    apiServerEndpoint
    string

    apiServerEndpoint is the IP address or domain name of the API server from which cluster information can be fetched.

    caCertHashes
    []string

    caCertHashes specifies a set of public key pins to verify when token-based discovery is used. The root CA found during discovery must match one of these values. Specifying an empty set disables root CA pinning, which can be unsafe. Each hash is specified as "<type>:<value>", where the only currently supported type is "sha256". The value is the hex-encoded SHA-256 hash of the Subject Public Key Info (SPKI) object in DER-encoded ASN.1. These hashes can be calculated using OpenSSL, for example.

    unsafeSkipCAVerification
    bool

    unsafeSkipCAVerification allows token-based discovery without CA verification via caCertHashes. This weakens the security of kubeadm, since other nodes can impersonate the control plane.
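The two checks described above, pinning the discovered CA by its SPKI hash and the unsafeSkipCAVerification opt-out, are worked through below in Go. This is an added example and not kubeadm's own discovery code; the CA it hashes is a throwaway self-signed certificate generated in memory, and the function and type names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// SPKIHash returns the "sha256:<hex>" value expected in caCertHashes: the SHA-256 of the
// certificate's DER-encoded SubjectPublicKeyInfo, not of the whole certificate.
func SPKIHash(certDER []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256:" + hex.EncodeToString(sum[:]), nil
}

// VerifyDiscoveredCA is the check a joining node performs on the root CA it received during
// token-based discovery. An empty pin list is accepted only with the explicit
// unsafeSkipCAVerification opt-out; otherwise the CA must match one configured pin.
func VerifyDiscoveredCA(certDER []byte, caCertHashes []string, unsafeSkipCAVerification bool) error {
	if len(caCertHashes) == 0 {
		if unsafeSkipCAVerification {
			return nil // CA unverified: any endpoint could pose as the control plane
		}
		return errors.New("caCertHashes is empty and unsafeSkipCAVerification is false")
	}
	got, err := SPKIHash(certDER)
	if err != nil {
		return err
	}
	for _, pin := range caCertHashes {
		parts := strings.SplitN(pin, ":", 2)
		if len(parts) != 2 || parts[0] != "sha256" {
			return fmt.Errorf("unsupported hash %q: only sha256:<hex> is supported", pin)
		}
		if strings.EqualFold("sha256:"+parts[1], got) { // hex digits are case-insensitive
			return nil
		}
	}
	return fmt.Errorf("discovered CA %s matches none of the configured caCertHashes", got)
}

// NewTestCA generates a throwaway self-signed CA in memory (constructed sample, not a cluster CA).
func NewTestCA() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "kubernetes"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	caDER, err := NewTestCA()
	if err != nil {
		panic(err)
	}
	pin, _ := SPKIHash(caDER)
	fmt.Println("caCertHashes entry: ", pin)
	fmt.Println("pinned CA:          ", VerifyDiscoveredCA(caDER, []string{pin}, false))
	fmt.Println("no pins, no opt-out:", VerifyDiscoveredCA(caDER, nil, false))
	impostorDER, _ := NewTestCA() // a different CA presented during discovery
	fmt.Println("different CA:       ", VerifyDiscoveredCA(impostorDER, []string{pin}, false))
}
```

For an RSA cluster CA the OpenSSL equivalent is to extract the public key with openssl x509 -pubkey -in ca.crt, convert it to DER with openssl rsa -pubin -outform der, and hash that with openssl dgst -sha256 -hex; the resulting hex string, prefixed with "sha256:", is the caCertHashes entry.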

    ControlPlaneComponent

    Appears in:

    ControlPlaneComponent holds settings common to control plane components of the cluster.

    FieldDescription
    extraArgs
    map[string]string

    extraArgs is an extra set of flags to pass to the control plane component. Each key in the map corresponds to a flag name on the command line, without the leading dash(es).

    extraVolumes
    []HostPathMount

    extraVolumes is an extra set of host volumes to mount into the control plane component.

    DNS

    Appears in:

    DNS defines the DNS add-on that should be used in the cluster.

    FieldDescription
    ImageMeta [Required]
    ImageMeta
    (Members of ImageMeta are embedded into this type.)

    imageMeta allows customizing the image used for the DNS component.

    Discovery

    Appears in:

    Discovery specifies the options used by the kubelet during TLS bootstrapping.

    FieldDescription
    bootstrapToken
    BootstrapTokenDiscovery

    bootstrapToken sets the options for bootstrap-token-based discovery. bootstrapToken and file are mutually exclusive.

    file
    FileDiscovery

    file is used to specify a file or URL to a kubeconfig file from which to load cluster information. bootstrapToken and file are mutually exclusive.

    tlsBootstrapToken
    string

    tlsBootstrapToken is the token used for TLS bootstrapping. If bootstrapToken is set, this field defaults to .bootstrapToken.token, but it can be overridden. If file is set, this field must be set in case the kubeconfig file does not contain any other authentication information.

    timeout
    meta/v1.Duration

    timeout modifies the discovery timeout.

    Etcd

    Appears in:

    Etcd contains elements describing the etcd configuration.

    FieldDescription
    local
    LocalEtcd

    local provides configuration options for the local etcd instance. local and external are mutually exclusive.

    external
    ExternalEtcd

    external describes how to connect to an external etcd cluster. local and external are mutually exclusive.

    ExternalEtcd

    Appears in:

    ExternalEtcd describes an external etcd cluster. kubeadm has no knowledge of where certificate files live, so they must be supplied separately.

    FieldDescription
    endpoints [Required]
    []string

    endpoints contains the list of etcd members.

    caFile [Required]
    string

    caFile is an SSL certificate authority (CA) file used to secure etcd communication. Required if using a TLS connection.

    certFile [Required]
    string

    certFile is an SSL certificate file used to secure etcd communication. Required if using a TLS connection.

    keyFile [Required]
    string

    keyFile is an SSL key file used to secure etcd communication. Required if using a TLS connection.

    FileDiscovery

    Appears in:

    FileDiscovery is used to specify a file or URL to a kubeconfig file from which to load cluster information.

    FieldDescription
    kubeConfigPath [Required]
    string

    kubeConfigPath is used to specify the actual file path or URL to the kubeconfig file from which to load cluster information.

    HostPathMount

    Appears in:

    HostPathMount contains elements describing volumes that are mounted from the host.

    FieldDescription
    name [Required]
    string

    name is the name of the volume inside the Pod template.

    hostPath [Required]
    string

    hostPath is the path on the host that will be mounted inside the Pod.

    mountPath [Required]
    string

    mountPath is the path inside the Pod where hostPath will be mounted.

    readOnly
    bool

    readOnly controls write access to the volume.

    pathType
    core/v1.HostPathType

    pathType is the type of the hostPath.

    ImageMeta

    Appears in:

    ImageMeta allows customizing the image used for components that are not originated from the Kubernetes/kubernetes release process.

    FieldDescription
    imageRepository
    string

    imageRepository sets the container registry to pull images from. If not set, the imageRepository defined in ClusterConfiguration is used.

    imageTag
    string

    imageTag allows the user to specify the tag of the image. If this field is set, kubeadm no longer automatically changes the version of that component during cluster upgrades.

    JoinControlPlane

    Appears in:

    JoinControlPlane contains elements describing an additional control plane instance to be deployed on the joining node.

    FieldDescription
    localAPIEndpoint
    APIEndpoint

    localAPIEndpoint represents the endpoint of the API server instance to be deployed on this node.

    certificateKey
    string

    certificateKey is the key used to decrypt the certificates in the downloaded Secret when joining a new control plane node. The corresponding encryption key is in the InitConfiguration struct.

    LocalEtcd

    Appears in:

    LocalEtcd describes the local etcd cluster that kubeadm should use.

    FieldDescription
    ImageMeta [Required]
    ImageMeta
    (Members of ImageMeta are embedded into this type.)

    ImageMeta allows the user to customize the container used for etcd.

    dataDir [Required]
    string

    dataDir is the directory etcd will place its data in. Defaults to "/var/lib/etcd".

    extraArgs
    map[string]string

    extraArgs are extra arguments provided to the etcd binary when run inside a static Pod. Each key in the map corresponds to a flag name on the command line, without the leading dash(es).

    serverCertSANs
    []string

    serverCertSANs sets extra Subject Alternative Names (SANs) for the etcd server signing certificate.

    peerCertSANs
    []string

    peerCertSANs sets extra Subject Alternative Names (SANs) for the etcd peer signing certificate.

    Networking

    Appears in:

    Networking contains elements describing the cluster's networking configuration.

    FieldDescription
    serviceSubnet
    string

    serviceSubnet is the subnet used by Kubernetes Services. Defaults to "10.96.0.0/12".

    podSubnet
    string

    podSubnet is the subnet used by Pods.

    dnsDomain
    string

    dnsDomain is the DNS domain used by Kubernetes Services. Defaults to "cluster.local".

    NodeRegistrationOptions

    Appears in:

    NodeRegistrationOptions holds the information needed to register a new control plane node or worker node with the cluster; node registration is done either via "kubeadm init" or "kubeadm join".

    FieldDescription
    name
    string

    name is the .metadata.name field of the Node API object that will be created in this kubeadm init or kubeadm join operation. This field is also used as the CommonName in the kubelet's client certificate submitted to the API server. Defaults to the hostname of the node if not provided.

    criSocket
    string

    criSocket is used to read container runtime information. This information is annotated onto the Node API object for later use.

    taints [Required]
    []core/v1.Taint

    taints specifies the taints the Node API object should be registered with. If this field is unset (i.e. nil), during kubeadm init it defaults to taints: ["node-role.kubernetes.io/master:""]. If you do not want to taint your control plane node, set this field to an empty list in the YAML, i.e. taints: []. This field is used only during Node registration.

    kubeletExtraArgs
    map[string]string

    kubeletExtraArgs passes extra arguments to the kubelet. The arguments here are passed to the kubelet command line via an environment file that kubeadm writes at runtime and the kubelet reads. These settings override the generic configuration in the 'kubelet-config-1.X' ConfigMap. Flags have higher priority when parsing. These values are local to the node on which kubeadm runs. Each key in the map corresponds to a flag name on the command line, without the leading dash(es).

    ignorePreflightErrors
    []string

    ignorePreflightErrors provides a list of pre-flight errors to be ignored when the current node is registered.

    imagePullPolicy
    core/v1.PullPolicy

    imagePullPolicy specifies the policy for image pulling during "kubeadm init" and "kubeadm join" operations. The value of this field must be one of "Always", "IfNotPresent" or "Never". If this field is unset, kubeadm uses "IfNotPresent" as its default, meaning that images are pulled only when they are not present on the host.

    Patches

    Appears in:

    Patches contains options related to applying patches to components deployed by kubeadm.

    FieldDescription
    directory
    string

    directory is the path to a directory containing files named "target[suffix][+patchtype].extension", for example "kube-apiserver0+merge.yaml" or "etcd.json". "target" can be one of "kube-apiserver", "kube-controller-manager", "kube-scheduler" or "etcd". "patchtype" can be one of "strategic", "merge" or "json" and matches the patch formats supported by kubectl; the default "patchtype" is "strategic". "extension" must be either "json" or "yaml". "suffix" is an optional string used to determine which patches are applied first alphanumerically.
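The naming rule for the patches directory is compact enough to be worth decoding in code. The Go below is an added example, not kubeadm's own patch loader: it parses "target[suffix][+patchtype].extension" names with one anchored pattern, rejects unknown targets, patch types and extensions, applies the "strategic" default, and orders the results per target by suffix. The directory listing is constructed for the example, and the tiebreak by full file name for equal suffixes is this example's choice.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// PatchFile is the decoded form of a "target[suffix][+patchtype].extension" file name.
type PatchFile struct {
	Name      string
	Target    string // kube-apiserver, kube-controller-manager, kube-scheduler or etcd
	Suffix    string // optional; decides the order within one target
	PatchType string // strategic (default), merge or json
	Extension string // json or yaml
}

// One anchored pattern encodes every rule the reference gives for the file name.
var patchFileRe = regexp.MustCompile(
	`^(kube-apiserver|kube-controller-manager|kube-scheduler|etcd)` + // target
		`([^+.]*)` + // optional suffix: anything up to a '+' or the extension dot
		`(?:\+(strategic|merge|json))?` + // optional "+patchtype"
		`\.(json|yaml)$`) // extension

// ParsePatchFileName decodes one file name, rejecting unknown targets, patch types and extensions.
func ParsePatchFileName(name string) (PatchFile, error) {
	m := patchFileRe.FindStringSubmatch(name)
	if m == nil {
		return PatchFile{}, fmt.Errorf("%q is not a valid patch file name (target[suffix][+patchtype].extension)", name)
	}
	pf := PatchFile{Name: name, Target: m[1], Suffix: m[2], PatchType: m[3], Extension: m[4]}
	if pf.PatchType == "" {
		pf.PatchType = "strategic" // the documented default when no "+patchtype" is given
	}
	return pf, nil
}

// OrderPatches parses a directory listing and returns the patches grouped by target in the
// order they would be applied: alphabetically by suffix within each target. A single bad
// file name fails the whole listing so that a typo cannot silently drop a patch.
func OrderPatches(names []string) ([]PatchFile, error) {
	out := make([]PatchFile, 0, len(names))
	for _, n := range names {
		pf, err := ParsePatchFileName(n)
		if err != nil {
			return nil, err
		}
		out = append(out, pf)
	}
	sort.SliceStable(out, func(i, j int) bool {
		if out[i].Target != out[j].Target {
			return out[i].Target < out[j].Target
		}
		if out[i].Suffix != out[j].Suffix {
			return out[i].Suffix < out[j].Suffix
		}
		return out[i].Name < out[j].Name
	})
	return out, nil
}

func main() {
	// Constructed directory listing, not taken from a real cluster.
	listing := []string{"kube-apiserver1.yaml", "etcd.json", "kube-apiserver0+json.yaml", "kube-scheduler+merge.yaml"}
	ordered, err := OrderPatches(listing)
	if err != nil {
		panic(err)
	}
	for _, p := range ordered {
		fmt.Printf("%-28s target=%s suffix=%q type=%s ext=%s\n", p.Name, p.Target, p.Suffix, p.PatchType, p.Extension)
	}
}
```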

    BootstrapToken

    Appears in:

    BootstrapToken describes one bootstrap token, stored as a Secret in the cluster.

    FieldDescription
    token [Required]
    BootstrapTokenString

    token is used for establishing bidirectional trust between nodes and control planes. Used for joining nodes to the cluster.

    description
    string

    description sets a human-friendly message explaining why this token exists and what it is used for, so other administrators can know its purpose.

    ttl
    meta/v1.Duration

    ttl defines the lifetime of this token. Defaults to 24h. expires and ttl are mutually exclusive.

    expires
    meta/v1.Time

    expires specifies the timestamp when this token expires. Defaults to being set dynamically at runtime based on ttl. expires and ttl are mutually exclusive.

    usages
    []string

    usages describes the ways in which this token can be used. By default the token can be used for establishing bidirectional trust, but that can be changed here.

    groups
    []string

    groups specifies the extra groups that this token will authenticate as when used for authentication.

    BootstrapTokenString

    Appears in:

    BootstrapTokenString is a token of the form abcdef.abcdef0123456789 that is used both for validating the identity of the API server from a joining node's perspective and as an authentication method for the node during "kubeadm join" bootstrapping. This token is, and should be, short-lived.

    FieldDescription
    id [Required]
    string
    No description provided.
    secret [Required]
    string
    No description provided.
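The BootstrapToken and BootstrapTokenString rules above (the abcdef.abcdef0123456789 shape, the 24h default, ttl and expires being mutually exclusive, and the usages of "authentication" and "signing" seen in the InitConfiguration example) are exercised in the following Go code. It is an added example, not kubeadm's own validation; the sample token is the one from the page's InitConfiguration example, the Secret name bootstrap-token-<id> is the name kubeadm gives the token Secret in kube-system, and the system:bootstrappers: group prefix check is the rule the API server's bootstrap token authenticator applies rather than something this reference states.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Token shape from the reference: a 6-character public ID, a dot, and a 16-character secret,
// all lower-case alphanumerics.
var bootstrapTokenRe = regexp.MustCompile(`^([a-z0-9]{6})\.([a-z0-9]{16})$`)

// BootstrapTokenString is the parsed form of "abcdef.abcdef0123456789".
type BootstrapTokenString struct {
	ID     string // public part; safe to log and to name the Secret after
	Secret string // private part; never log this
}

func ParseBootstrapTokenString(s string) (BootstrapTokenString, error) {
	m := bootstrapTokenRe.FindStringSubmatch(s)
	if m == nil {
		return BootstrapTokenString{}, errors.New("bootstrap token must match [a-z0-9]{6}.[a-z0-9]{16}")
	}
	return BootstrapTokenString{ID: m[1], Secret: m[2]}, nil
}

// SecretName is the name of the kube-system Secret kubeadm stores the token in
// (bootstrap-token-<id>); only the public ID ends up in the name.
func (t BootstrapTokenString) SecretName() string { return "bootstrap-token-" + t.ID }

// BootstrapToken mirrors the fields of the reference's BootstrapToken struct.
type BootstrapToken struct {
	Token   string
	TTL     *time.Duration // nil when unset
	Expires *time.Time     // nil when unset
	Usages  []string
	Groups  []string
}

const defaultTokenTTL = 24 * time.Hour

var knownUsages = map[string]bool{"authentication": true, "signing": true}

// Validate checks a BootstrapToken against the rules the reference states and returns the
// resolved expiry. The system:bootstrappers: prefix rule is the API server's bootstrap token
// authenticator rule (assumption from outside this page).
func Validate(bt BootstrapToken, now time.Time) (time.Time, error) {
	if _, err := ParseBootstrapTokenString(bt.Token); err != nil {
		return time.Time{}, err
	}
	if bt.TTL != nil && bt.Expires != nil {
		return time.Time{}, errors.New("ttl and expires are mutually exclusive")
	}
	expiry := now.Add(defaultTokenTTL)
	switch {
	case bt.Expires != nil:
		expiry = *bt.Expires
	case bt.TTL != nil:
		expiry = now.Add(*bt.TTL)
	}
	if !expiry.After(now) {
		return time.Time{}, fmt.Errorf("token would already be expired at %s", expiry.Format(time.RFC3339))
	}
	for _, u := range bt.Usages {
		if !knownUsages[u] {
			return time.Time{}, fmt.Errorf("unknown usage %q (expected authentication or signing)", u)
		}
	}
	for _, g := range bt.Groups {
		if !strings.HasPrefix(g, "system:bootstrappers:") {
			return time.Time{}, fmt.Errorf("group %q must start with system:bootstrappers:", g)
		}
	}
	return expiry, nil
}

func main() {
	ttl := 2 * time.Hour
	bt := BootstrapToken{
		Token:  "9a08jv.c0izixklcxtmnze7", // sample token from the page's InitConfiguration example
		TTL:    &ttl,
		Usages: []string{"authentication", "signing"},
		Groups: []string{"system:bootstrappers:kubeadm:default-node-token"},
	}
	exp, err := Validate(bt, time.Now())
	ts, _ := ParseBootstrapTokenString(bt.Token)
	fmt.Println("secret:", ts.SecretName(), "expires:", exp.Format(time.RFC3339), "err:", err)
}
```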

7 - Kubelet Configuration (v1beta1)

Resource Types

KubeletConfiguration

KubeletConfiguration contains the configuration for the Kubelet

FieldDescription
apiVersion
string
kubelet.config.k8s.io/v1beta1
kind
string
KubeletConfiguration
enableServer [Required]
bool
enableServer enables Kubelet's secured server. Note: Kubelet's insecure port is controlled by the readOnlyPort option. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that interact with the Kubelet server. Default: true
staticPodPath
string
staticPodPath is the path to the directory containing local (static) pods to run, or the path to a single static pod file. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that the set of static pods specified at the new path may be different than the ones the Kubelet initially started with, and this may disrupt your node. Default: ""
syncFrequency
meta/v1.Duration
syncFrequency is the max period between synchronizing running containers and config. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that shortening this duration may have a negative performance impact, especially as the number of Pods on the node increases. Alternatively, increasing this duration will result in longer refresh times for ConfigMaps and Secrets. Default: "1m"
fileCheckFrequency
meta/v1.Duration
fileCheckFrequency is the duration between checking config files for new data. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that shortening the duration will cause the Kubelet to reload local Static Pod configurations more frequently, which may have a negative performance impact. Default: "20s"
httpCheckFrequency
meta/v1.Duration
httpCheckFrequency is the duration between checking HTTP for new data. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that shortening the duration will cause the Kubelet to poll staticPodURL more frequently, which may have a negative performance impact. Default: "20s"
staticPodURL
string
staticPodURL is the URL for accessing static pods to run. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that the set of static pods specified at the new URL may be different than the ones the Kubelet initially started with, and this may disrupt your node. Default: ""
staticPodURLHeader
map[string][]string
staticPodURLHeader is a map of slices with HTTP headers to use when accessing the podURL. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt the ability to read the latest set of static pods from StaticPodURL. Default: nil
address
string
address is the IP address for the Kubelet to serve on (set to 0.0.0.0 for all interfaces). Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that interact with the Kubelet server. Default: "0.0.0.0"
port
int32
port is the port for the Kubelet to serve on. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that interact with the Kubelet server. Default: 10250
readOnlyPort
int32
readOnlyPort is the read-only port for the Kubelet to serve on with no authentication/authorization. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that interact with the Kubelet server. Default: 0 (disabled)
tlsCertFile
string
tlsCertFile is the file containing x509 Certificate for HTTPS. (CA cert, if any, concatenated after server cert). If tlsCertFile and tlsPrivateKeyFile are not provided, a self-signed certificate and key are generated for the public address and saved to the directory passed to the Kubelet's --cert-dir flag. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that interact with the Kubelet server. Default: ""
tlsPrivateKeyFile
string
tlsPrivateKeyFile is the file containing the x509 private key matching tlsCertFile. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that interact with the Kubelet server. Default: ""
tlsCipherSuites
[]string
TLSCipherSuites is the list of allowed cipher suites for the server. Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that interact with the Kubelet server. Default: nil
tlsMinVersion
string
TLSMinVersion is the minimum TLS version supported. Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that interact with the Kubelet server. Default: ""
rotateCertificates
bool
rotateCertificates enables client certificate rotation. The Kubelet will request a new certificate from the certificates.k8s.io API. This requires an approver to approve the certificate signing requests. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that disabling it may disrupt the Kubelet's ability to authenticate with the API server after the current certificate expires. Default: false
serverTLSBootstrap
bool
serverTLSBootstrap enables server certificate bootstrap. Instead of self signing a serving certificate, the Kubelet will request a certificate from the certificates.k8s.io API. This requires an approver to approve the certificate signing requests. The RotateKubeletServerCertificate feature must be enabled. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that disabling it will stop the renewal of Kubelet server certificates, which can disrupt components that interact with the Kubelet server in the long term, due to certificate expiration. Default: false
authentication
KubeletAuthentication
authentication specifies how requests to the Kubelet's server are authenticated. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that interact with the Kubelet server. Defaults: anonymous.enabled: false, webhook.enabled: true, webhook.cacheTTL: "2m"
authorization
KubeletAuthorization
authorization specifies how requests to the Kubelet's server are authorized. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that interact with the Kubelet server. Defaults: mode: Webhook, webhook.cacheAuthorizedTTL: "5m", webhook.cacheUnauthorizedTTL: "30s"
registryPullQPS
int32
registryPullQPS is the limit of registry pulls per second. Set to 0 for no limit. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may impact scalability by changing the amount of traffic produced by image pulls. Default: 5
registryBurst
int32
registryBurst is the maximum size of bursty pulls, temporarily allows pulls to burst to this number, while still not exceeding registryPullQPS. Only used if registryPullQPS > 0. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may impact scalability by changing the amount of traffic produced by image pulls. Default: 10
eventRecordQPS
int32
eventRecordQPS is the maximum event creations per second. If 0, there is no limit enforced. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may impact scalability by changing the amount of traffic produced by event creations. Default: 5
eventBurst
int32
eventBurst is the maximum size of a burst of event creations, temporarily allows event creations to burst to this number, while still not exceeding eventRecordQPS. Only used if eventRecordQPS > 0. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may impact scalability by changing the amount of traffic produced by event creations. Default: 10
enableDebuggingHandlers
bool
enableDebuggingHandlers enables server endpoints for log access and local running of containers and commands, including the exec, attach, logs, and portforward features. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that disabling it may disrupt components that interact with the Kubelet server. Default: true
enableContentionProfiling
bool
enableContentionProfiling enables lock contention profiling, if enableDebuggingHandlers is true. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that enabling it may carry a performance impact. Default: false
healthzPort
int32
healthzPort is the port of the localhost healthz endpoint (set to 0 to disable). Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that monitor Kubelet health. Default: 10248
healthzBindAddress
string
healthzBindAddress is the IP address for the healthz server to serve on. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that monitor Kubelet health. Default: "127.0.0.1"
oomScoreAdj
int32
oomScoreAdj is the oom-score-adj value for the kubelet process. Values must be within the range [-1000, 1000]. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may impact the stability of nodes under memory pressure. Default: -999
clusterDomain
string
clusterDomain is the DNS domain for this cluster. If set, kubelet will configure all containers to search this domain in addition to the host's search domains. Dynamic Kubelet Config (beta): Dynamically updating this field is not recommended, as it should be kept in sync with the rest of the cluster. Default: ""
clusterDNS
[]string
clusterDNS is a list of IP addresses for the cluster DNS server. If set, kubelet will configure all containers to use this for DNS resolution instead of the host's DNS servers. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that changes will only take effect on Pods created after the update. Draining the node is recommended before changing this field. Default: nil
streamingConnectionIdleTimeout
meta/v1.Duration
streamingConnectionIdleTimeout is the maximum time a streaming connection can be idle before the connection is automatically closed. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may impact components that rely on infrequent updates over streaming connections to the Kubelet server. Default: "4h"
nodeStatusUpdateFrequency
meta/v1.Duration
nodeStatusUpdateFrequency is the frequency that kubelet computes node status. If node lease feature is not enabled, it is also the frequency that kubelet posts node status to master. Note: When node lease feature is not enabled, be cautious when changing the constant, it must work with nodeMonitorGracePeriod in nodecontroller. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may impact node scalability, and also that the node controller's nodeMonitorGracePeriod must be set to N∗NodeStatusUpdateFrequency, where N is the number of retries before the node controller marks the node unhealthy. Default: "10s"
nodeStatusReportFrequency
meta/v1.Duration
nodeStatusReportFrequency is the frequency that kubelet posts node status to master if node status does not change. Kubelet will ignore this frequency and post node status immediately if any change is detected. It is only used when node lease feature is enabled. nodeStatusReportFrequency's default value is 1m. But if nodeStatusUpdateFrequency is set explicitly, nodeStatusReportFrequency's default value will be set to nodeStatusUpdateFrequency for backward compatibility. Default: "1m"
nodeLeaseDurationSeconds
int32
nodeLeaseDurationSeconds is the duration the Kubelet will set on its corresponding Lease, when the NodeLease feature is enabled. This feature provides an indicator of node health by having the Kubelet create and periodically renew a lease, named after the node, in the kube-node-lease namespace. If the lease expires, the node can be considered unhealthy. The lease is currently renewed every 10s, per KEP-0009. In the future, the lease renewal interval may be set based on the lease duration. Requires the NodeLease feature gate to be enabled. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that decreasing the duration may reduce tolerance for issues that temporarily prevent the Kubelet from renewing the lease (e.g. a short-lived network issue). Default: 40
imageMinimumGCAge
meta/v1.Duration
imageMinimumGCAge is the minimum age for an unused image before it is garbage collected. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may trigger or delay garbage collection, and may change the image overhead on the node. Default: "2m"
imageGCHighThresholdPercent
int32
imageGCHighThresholdPercent is the percent of disk usage after which image garbage collection is always run. The percent is calculated as this field value out of 100. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may trigger or delay garbage collection, and may change the image overhead on the node. Default: 85
imageGCLowThresholdPercent
int32
imageGCLowThresholdPercent is the percent of disk usage before which image garbage collection is never run. Lowest disk usage to garbage collect to. The percent is calculated as this field value out of 100. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may trigger or delay garbage collection, and may change the image overhead on the node. Default: 80
volumeStatsAggPeriod
meta/v1.Duration
volumeStatsAggPeriod is how frequently to calculate and cache volume disk usage for all pods. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that shortening the period may carry a performance impact. Default: "1m"
kubeletCgroups
string
kubeletCgroups is the absolute name of the cgroups to isolate the kubelet in. Dynamic Kubelet Config (beta): This field should not be updated without a full node reboot. It is safest to keep this value the same as the local config. Default: ""
systemCgroups
string
systemCgroups is the absolute name of the cgroups in which to place all non-kernel processes that are not already in a container. Empty for no container. Rolling back the flag requires a reboot. Dynamic Kubelet Config (beta): This field should not be updated without a full node reboot. It is safest to keep this value the same as the local config. Default: ""
cgroupRoot
string
cgroupRoot is the root cgroup to use for pods. This is handled by the container runtime on a best effort basis. Dynamic Kubelet Config (beta): This field should not be updated without a full node reboot. It is safest to keep this value the same as the local config. Default: ""
cgroupsPerQOS
bool
cgroupsPerQOS enables a QoS-based cgroup hierarchy: top-level cgroups are created for the QoS classes, and all Burstable and BestEffort pods are brought up under their specific top-level QoS cgroup. Dynamic Kubelet Config (beta): This field should not be updated without a full node reboot. It is safest to keep this value the same as the local config. Default: true
cgroupDriver
string
cgroupDriver is the driver that the kubelet uses to manipulate cgroups on the host (cgroupfs or systemd). Dynamic Kubelet Config (beta): This field should not be updated without a full node reboot. It is safest to keep this value the same as the local config. Default: "cgroupfs"
cpuManagerPolicy
string
CPUManagerPolicy is the name of the policy to use. Requires the CPUManager feature gate to be enabled. Dynamic Kubelet Config (beta): This field should not be updated without a full node reboot. It is safest to keep this value the same as the local config. Default: "none"
cpuManagerReconcilePeriod
meta/v1.Duration
CPU Manager reconciliation period. Requires the CPUManager feature gate to be enabled. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that shortening the period may carry a performance impact. Default: "10s"
topologyManagerPolicy
string
TopologyManagerPolicy is the name of the policy to use. Policies other than "none" require the TopologyManager feature gate to be enabled. Dynamic Kubelet Config (beta): This field should not be updated without a full node reboot. It is safest to keep this value the same as the local config. Default: "none"
topologyManagerScope
string
TopologyManagerScope represents the scope of topology hint generation that topology manager requests and hint providers generate. "pod" scope requires the TopologyManager feature gate to be enabled. Default: "container"
qosReserved
map[string]string
qosReserved is a set of resource name to percentage pairs that specify the minimum percentage of a resource reserved for exclusive use by the guaranteed QoS tier. Currently supported resources: "memory". Requires the QOSReserved feature gate to be enabled. Dynamic Kubelet Config (beta): This field should not be updated without a full node reboot. It is safest to keep this value the same as the local config. Default: nil
runtimeRequestTimeout
meta/v1.Duration
runtimeRequestTimeout is the timeout for all runtime requests except long running requests - pull, logs, exec and attach. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may disrupt components that interact with the Kubelet server. Default: "2m"
hairpinMode
string
hairpinMode specifies how the Kubelet should configure the container bridge for hairpin packets. Setting this flag allows endpoints in a Service to loadbalance back to themselves if they should try to access their own Service. Values: "promiscuous-bridge": make the container bridge promiscuous. "hairpin-veth": set the hairpin flag on container veth interfaces. "none": do nothing. Generally, one must set --hairpin-mode=hairpin-veth to achieve hairpin NAT, because promiscuous-bridge assumes the existence of a container bridge named cbr0. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may require a node reboot, depending on the network plugin. Default: "promiscuous-bridge"
maxPods
int32
maxPods is the number of pods that can run on this Kubelet. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that changes may cause Pods to fail admission on Kubelet restart, and may change the value reported in Node.Status.Capacity[v1.ResourcePods], thus affecting future scheduling decisions. Increasing this value may also decrease performance, as more Pods can be packed into a single node. Default: 110
podCIDR
string
podCIDR is the CIDR to use for pod IP addresses, only used in standalone mode. In cluster mode, this is obtained from the master. Dynamic Kubelet Config (beta): This field should always be set to the empty default. It should only be set for standalone Kubelets, which cannot use Dynamic Kubelet Config. Default: ""
podPidsLimit
int64
PodPidsLimit is the maximum number of pids in any pod. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that lowering it may prevent container processes from forking after the change. Default: -1
resolvConf
string
ResolverConfig is the resolver configuration file used as the basis for the container DNS resolution configuration. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that changes will only take effect on Pods created after the update. Draining the node is recommended before changing this field. Default: "/etc/resolv.conf"
runOnce
bool
RunOnce causes the Kubelet to check the API server once for pods, run those in addition to the pods specified by static pod files, and exit. Default: false
cpuCFSQuota
bool
cpuCFSQuota enables CPU CFS quota enforcement for containers that specify CPU limits. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that disabling it may reduce node stability. Default: true
cpuCFSQuotaPeriod
meta/v1.Duration
CPUCFSQuotaPeriod is the CPU CFS quota period value, cpu.cfs_period_us. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that limits set for containers will result in different cpu.cfs_quota settings. This will trigger container restarts on the node being reconfigured. Default: "100ms"
nodeStatusMaxImages
int32
nodeStatusMaxImages caps the number of images reported in Node.Status.Images. Note: If -1 is specified, no cap will be applied. If 0 is specified, no image is returned. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that different values can be reported on node status. Default: 50
maxOpenFiles
int64
maxOpenFiles is the number of files that can be opened by the Kubelet process. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may impact the ability of the Kubelet to interact with the node's filesystem. Default: 1000000
contentType
string
contentType is contentType of requests sent to apiserver. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may impact the ability for the Kubelet to communicate with the API server. If the Kubelet loses contact with the API server due to a change to this field, the change cannot be reverted via dynamic Kubelet config. Default: "application/vnd.kubernetes.protobuf"
kubeAPIQPS
int32
kubeAPIQPS is the QPS to use while talking with the kubernetes apiserver. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may impact scalability by changing the amount of traffic the Kubelet sends to the API server. Default: 5
kubeAPIBurst
int32
kubeAPIBurst is the burst to allow while talking with the kubernetes apiserver. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may impact scalability by changing the amount of traffic the Kubelet sends to the API server. Default: 10
serializeImagePulls
bool
serializeImagePulls when enabled, tells the Kubelet to pull images one at a time. We recommend *not* changing the default value on nodes that run docker daemon with version < 1.9 or an Aufs storage backend. Issue #10959 has more details. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may impact the performance of image pulls. Default: true
evictionHard
map[string]string
Map of signal names to quantities that defines hard eviction thresholds. For example: {"memory.available": "300Mi"}. To explicitly disable, pass a 0% or 100% threshold on an arbitrary resource. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may trigger or delay Pod evictions. Default: memory.available: "100Mi" nodefs.available: "10%" nodefs.inodesFree: "5%" imagefs.available: "15%"
evictionSoft
map[string]string
Map of signal names to quantities that defines soft eviction thresholds. For example: {"memory.available": "300Mi"}. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may trigger or delay Pod evictions, and may change the allocatable reported by the node. Default: nil
evictionSoftGracePeriod
map[string]string
Map of signal names to quantities that defines grace periods for each soft eviction signal. For example: {"memory.available": "30s"}. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may trigger or delay Pod evictions. Default: nil
evictionPressureTransitionPeriod
meta/v1.Duration
Duration for which the kubelet has to wait before transitioning out of an eviction pressure condition. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that lowering it may decrease the stability of the node when the node is overcommitted. Default: "5m"
evictionMaxPodGracePeriod
int32
Maximum allowed grace period (in seconds) to use when terminating pods in response to a soft eviction threshold being met. This value effectively caps the Pod's TerminationGracePeriodSeconds value during soft evictions. Note: Due to issue #64530, the behavior has a bug where this value currently just overrides the grace period during soft eviction, which can increase the grace period from what is set on the Pod. This bug will be fixed in a future release. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that lowering it decreases the amount of time Pods will have to gracefully clean up before being killed during a soft eviction. Default: 0
evictionMinimumReclaim
map[string]string
Map of signal names to quantities that defines minimum reclaims, which describe the minimum amount of a given resource the kubelet will reclaim when performing a pod eviction while that resource is under pressure. For example: {"imagefs.available": "2Gi"} Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may change how well eviction can manage resource pressure. Default: nil
podsPerCore
int32
podsPerCore is the maximum number of pods per core. Cannot exceed MaxPods. If 0, this field is ignored. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that changes may cause Pods to fail admission on Kubelet restart, and may change the value reported in Node.Status.Capacity[v1.ResourcePods], thus affecting future scheduling decisions. Increasing this value may also decrease performance, as more Pods can be packed into a single node. Default: 0
enableControllerAttachDetach
bool
enableControllerAttachDetach enables the Attach/Detach controller to manage attachment/detachment of volumes scheduled to this node, and disables the kubelet from executing any attach/detach operations. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that changing which component is responsible for volume management on a live node may result in volumes refusing to detach if the node is not drained prior to the update, and if Pods are scheduled to the node before the volumes.kubernetes.io/controller-managed-attach-detach annotation is updated by the Kubelet. In general, it is safest to leave this value set the same as local config. Default: true
protectKernelDefaults
bool
protectKernelDefaults, if true, causes the Kubelet to error if kernel flags are not as it expects. Otherwise the Kubelet will attempt to modify kernel flags to match its expectation. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that enabling it may cause the Kubelet to crash-loop if the Kernel is not configured as Kubelet expects. Default: false
makeIPTablesUtilChains
bool
If true, Kubelet ensures a set of iptables rules are present on host. These rules will serve as utility rules for various components, e.g. KubeProxy. The rules will be created based on IPTablesMasqueradeBit and IPTablesDropBit. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that disabling it will prevent the Kubelet from healing locally misconfigured iptables rules. Default: true
iptablesMasqueradeBit
int32
iptablesMasqueradeBit is the bit of the iptables fwmark space to mark for SNAT. Values must be within the range [0, 31]. Must be different from other mark bits. Warning: Please match the value of the corresponding parameter in kube-proxy. TODO: clean up IPTablesMasqueradeBit in kube-proxy. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it needs to be coordinated with other components, like kube-proxy, and the update will only be effective if MakeIPTablesUtilChains is enabled. Default: 14
iptablesDropBit
int32
iptablesDropBit is the bit of the iptables fwmark space to mark for dropping packets. Values must be within the range [0, 31]. Must be different from other mark bits. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it needs to be coordinated with other components, like kube-proxy, and the update will only be effective if MakeIPTablesUtilChains is enabled. Default: 15
featureGates
map[string]bool
featureGates is a map of feature names to bools that enable or disable alpha/experimental features. This field modifies piecemeal the built-in default values from "k8s.io/kubernetes/pkg/features/kube_features.go". Dynamic Kubelet Config (beta): If dynamically updating this field, consider the documentation for the features you are enabling or disabling. While we encourage feature developers to make it possible to dynamically enable and disable features, some changes may require node reboots, and some features may require careful coordination to retroactively disable. Default: nil
failSwapOn
bool
failSwapOn tells the Kubelet to fail to start if swap is enabled on the node. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that setting it to true will cause the Kubelet to crash-loop if swap is enabled. Default: true
containerLogMaxSize
string
A quantity defines the maximum size of the container log file before it is rotated. For example: "5Mi" or "256Ki". Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may trigger log rotation. Default: "10Mi"
containerLogMaxFiles
int32
Maximum number of container log files that can be present for a container. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that lowering it may cause log files to be deleted. Default: 5
configMapAndSecretChangeDetectionStrategy
ResourceChangeDetectionStrategy
ConfigMapAndSecretChangeDetectionStrategy is a mode in which config map and secret managers are running. Default: "Watch"
systemReserved
map[string]string
systemReserved is a set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=150G) pairs that describe resources reserved for non-kubernetes components. Currently only cpu and memory are supported. See http://kubernetes.io/docs/user-guide/compute-resources for more detail. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may not be possible to increase the reserved resources, because this requires resizing cgroups. Always look for a NodeAllocatableEnforced event after updating this field to ensure that the update was successful. Default: nil
kubeReserved
map[string]string
A set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=150G) pairs that describe resources reserved for kubernetes system components. Currently cpu, memory and local storage for root file system are supported. See http://kubernetes.io/docs/user-guide/compute-resources for more detail. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may not be possible to increase the reserved resources, because this requires resizing cgroups. Always look for a NodeAllocatableEnforced event after updating this field to ensure that the update was successful. Default: nil
reservedSystemCPUs [Required]
string
This ReservedSystemCPUs option specifies the cpu list reserved for the host level system threads and kubernetes related threads. This provides a "static" CPU list rather than the "dynamic" list computed from system-reserved and kube-reserved. This option overwrites CPUs provided by system-reserved and kube-reserved.
showHiddenMetricsForVersion
string
The previous version for which you want to show hidden metrics. Only the previous minor version is meaningful, other values will not be allowed. The format is <major>.<minor>, e.g.: '1.16'. The purpose of this format is to make sure you have the opportunity to notice if the next release hides additional metrics, rather than being surprised when they are permanently removed in the release after that. Default: ""
systemReservedCgroup
string
This flag helps the kubelet identify the absolute name of the top level cgroup used to enforce the `SystemReserved` compute resource reservation for OS system daemons. Refer to the [Node Allocatable](https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md) doc for more information. Dynamic Kubelet Config (beta): This field should not be updated without a full node reboot. It is safest to keep this value the same as the local config. Default: ""
kubeReservedCgroup
string
This flag helps the kubelet identify the absolute name of the top level cgroup used to enforce the `KubeReserved` compute resource reservation for Kubernetes node system daemons. Refer to the [Node Allocatable](https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md) doc for more information. Dynamic Kubelet Config (beta): This field should not be updated without a full node reboot. It is safest to keep this value the same as the local config. Default: ""
enforceNodeAllocatable
[]string
This flag specifies the various Node Allocatable enforcements that Kubelet needs to perform. This flag accepts a list of options. Acceptable options are `none`, `pods`, `system-reserved` & `kube-reserved`. If `none` is specified, no other options may be specified. Refer to [Node Allocatable](https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md) doc for more information. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that removing enforcements may reduce the stability of the node. Alternatively, adding enforcements may reduce the stability of components which were using more than the reserved amount of resources; for example, enforcing kube-reserved may cause Kubelets to OOM if it uses more than the reserved resources, and enforcing system-reserved may cause system daemons to OOM if they use more than the reserved resources. Default: ["pods"]
allowedUnsafeSysctls
[]string
A comma separated whitelist of unsafe sysctls or sysctl patterns (ending in *). Unsafe sysctl groups are kernel.shm*, kernel.msg*, kernel.sem, fs.mqueue.*, and net.*. These sysctls are namespaced but not allowed by default. For example: "kernel.msg*,net.ipv4.route.min_pmtu" Default: []
volumePluginDir
string
volumePluginDir is the full path of the directory in which to search for additional third party volume plugins. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that changing the volumePluginDir may disrupt workloads relying on third party volume plugins. Default: "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/"
providerID
string
providerID, if set, sets the unique id of the instance that an external provider (i.e. cloudprovider) can use to identify a specific node. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may impact the ability of the Kubelet to interact with cloud providers. Default: ""
kernelMemcgNotification
bool
kernelMemcgNotification, if set, makes the kubelet integrate with the kernel memcg notification to determine whether memory eviction thresholds are crossed, rather than polling. Dynamic Kubelet Config (beta): If dynamically updating this field, consider that it may impact the way the Kubelet interacts with the kernel. Default: false
logging [Required]
LoggingConfiguration
Logging specifies the options of logging. Refer to [Logs Options](https://github.com/kubernetes/component-base/blob/master/logs/options.go) for more information. Defaults: Format: text
enableSystemLogHandler
bool
enableSystemLogHandler enables system logs via the web interface host:port/logs/. Default: true
shutdownGracePeriod
meta/v1.Duration
ShutdownGracePeriod specifies the total duration that the node should delay the shutdown and total grace period for pod termination during a node shutdown. Default: "30s"
shutdownGracePeriodCriticalPods
meta/v1.Duration
ShutdownGracePeriodCriticalPods specifies the duration used to terminate critical pods during a node shutdown. This should be less than ShutdownGracePeriod. For example, if ShutdownGracePeriod=30s, and ShutdownGracePeriodCriticalPods=10s, during a node shutdown the first 20 seconds would be reserved for gracefully terminating normal pods, and the last 10 seconds would be reserved for terminating critical pods. Default: "10s"

SerializedNodeConfigSource

SerializedNodeConfigSource allows us to serialize v1.NodeConfigSource. This type is used internally by the Kubelet for tracking checkpointed dynamic configs. It exists in the kubeletconfig API group because it is classified as a versioned input to the Kubelet.

FieldDescription
apiVersion
string
kubelet.config.k8s.io/v1beta1
kind
string
SerializedNodeConfigSource
source
core/v1.NodeConfigSource
Source is the source that we are serializing

HairpinMode

(Alias of string)

HairpinMode denotes how the kubelet should configure networking to handle hairpin packets.

KubeletAnonymousAuthentication

Appears in:

FieldDescription
enabled
bool
enabled allows anonymous requests to the kubelet server. Requests that are not rejected by another authentication method are treated as anonymous requests. Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated.

KubeletAuthentication

Appears in:

FieldDescription
x509
KubeletX509Authentication
x509 contains settings related to x509 client certificate authentication.
webhook
KubeletWebhookAuthentication
webhook contains settings related to webhook bearer token authentication.
anonymous
KubeletAnonymousAuthentication
anonymous contains settings related to anonymous authentication.

KubeletAuthorization

Appears in:

FieldDescription
mode
KubeletAuthorizationMode
mode is the authorization mode to apply to requests to the kubelet server. Valid values are AlwaysAllow and Webhook. Webhook mode uses the SubjectAccessReview API to determine authorization.
webhook
KubeletWebhookAuthorization
webhook contains settings related to Webhook authorization.

KubeletAuthorizationMode

(Alias of string)

Appears in:

KubeletWebhookAuthentication

Appears in:

FieldDescription
enabled
bool
enabled allows bearer token authentication backed by the tokenreviews.authentication.k8s.io API.
cacheTTL
meta/v1.Duration
cacheTTL enables caching of authentication results.

KubeletWebhookAuthorization

Appears in:

FieldDescription
cacheAuthorizedTTL
meta/v1.Duration
cacheAuthorizedTTL is the duration to cache 'authorized' responses from the webhook authorizer.
cacheUnauthorizedTTL
meta/v1.Duration
cacheUnauthorizedTTL is the duration to cache 'unauthorized' responses from the webhook authorizer.

KubeletX509Authentication

Appears in:

FieldDescription
clientCAFile
string
clientCAFile is the path to a PEM-encoded certificate bundle. If set, any request presenting a client certificate signed by one of the authorities in the bundle is authenticated with a username corresponding to the CommonName, and groups corresponding to the Organization in the client certificate.
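The KubeletAuthentication, KubeletAuthorization and KubeletX509Authentication settings above are the ones a node hardening review checks first. As an added example (not code from the Kubernetes project), the following audit walks a KubeletConfiguration document for anonymous access, a missing authenticator and a non-Webhook authorization mode, and shows the weak settings beside a hardened rewrite; both sample documents and the CA file path are constructed.

```python
"""Audit kubelet authentication/authorization settings (added example)."""
import copy
from typing import Dict, List, Tuple

# Constructed sample: the permissive settings described on this page.
WEAK_KUBELET_CONFIG: Dict = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {
        "anonymous": {"enabled": True},   # requests become system:anonymous
        "webhook": {"enabled": False},    # no TokenReview of bearer tokens
        "x509": {},                       # no clientCAFile, so no client certs
    },
    "authorization": {"mode": "AlwaysAllow"},
}

# Constructed sample: the same document with the hardened values.
HARDENED_KUBELET_CONFIG: Dict = {
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "kind": "KubeletConfiguration",
    "authentication": {
        "anonymous": {"enabled": False},
        "webhook": {"enabled": True, "cacheTTL": "2m"},
        "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"},  # placeholder path
    },
    "authorization": {
        "mode": "Webhook",
        "webhook": {"cacheAuthorizedTTL": "5m", "cacheUnauthorizedTTL": "30s"},
    },
}


def audit_kubelet_auth(cfg: Dict) -> List[Tuple[str, str]]:
    """Return (field, problem) findings; an empty list means nothing weak was found.

    An unset field counts as a finding: this audit requires the secure value
    to be stated explicitly instead of relying on compiled-in defaults.
    """
    findings: List[Tuple[str, str]] = []
    auth = cfg.get("authentication") or {}
    authz = cfg.get("authorization") or {}

    if (auth.get("anonymous") or {}).get("enabled") is not False:
        findings.append(("authentication.anonymous.enabled",
                         "anonymous requests are accepted as system:anonymous"))

    webhook_on = (auth.get("webhook") or {}).get("enabled") is True
    client_ca = (auth.get("x509") or {}).get("clientCAFile")
    if not webhook_on and not client_ca:
        findings.append(("authentication",
                         "no authenticator: enable webhook or set x509.clientCAFile"))

    mode = authz.get("mode")
    if mode != "Webhook":
        findings.append(("authorization.mode",
                         f"{mode!r} does not use SubjectAccessReview; use Webhook"))
    return findings


def harden_kubelet_auth(cfg: Dict, client_ca_file: str) -> Dict:
    """Return a copy of cfg with the settings this page's auth fields control fixed."""
    out = copy.deepcopy(cfg)
    auth = out.setdefault("authentication", {})
    auth.setdefault("anonymous", {})["enabled"] = False
    auth.setdefault("webhook", {})["enabled"] = True
    auth.setdefault("x509", {})["clientCAFile"] = client_ca_file
    out.setdefault("authorization", {})["mode"] = "Webhook"
    return out
```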

ResourceChangeDetectionStrategy

(Alias of string)

Appears in:

ResourceChangeDetectionStrategy denotes a mode in which internal managers (secret, configmap) are discovering object changes.

LoggingConfiguration

Appears in:

LoggingConfiguration contains logging options. Refer to Logs Options for more information.

FieldDescription
format [Required]
string
Format Flag specifies the structure of log messages. The default value of format is `text`.
sanitization [Required]
bool
[Experimental] When enabled, prevents logging of fields tagged as sensitive (passwords, keys, tokens). Runtime log sanitization may introduce significant computation overhead and therefore should not be enabled in production.

8 - WebhookAdmission Configuration (v1)

The version of this API is v1.

Resource Types

WebhookAdmission

WebhookAdmission provides configuration for the webhook admission controller.

FieldDescription
apiVersion
string
apiserver.config.k8s.io/v1
kind
string
WebhookAdmission
kubeConfigFile [Required]
string
kubeConfigFile is the path to the kubeconfig file.

9 - Client Authentication (v1)

Resource Types

ExecCredential

ExecCredential is used by exec-based plugins to communicate credentials to HTTP transports.

FieldDescription
apiVersion
string
client.authentication.k8s.io/v1
kind
string
ExecCredential
spec [Required]
ExecCredentialSpec
Spec holds information passed to the plugin by the transport.
status
ExecCredentialStatus
Status is filled in by the plugin and holds the credentials that the transport should use to contact the API.

Cluster

Appears in:

Cluster contains information to allow an exec plugin to communicate with the kubernetes cluster being authenticated to.

FieldDescription
server [Required]
string
Server is the address of the kubernetes cluster (https://hostname:port).
tls-server-name
string
TLSServerName is passed to the server for SNI and is used in the client to check server certificates against. If ServerName is empty, the hostname used to contact the server is used.
insecure-skip-tls-verify
bool
InsecureSkipTLSVerify skips the validity check for the server's certificate. This will make your HTTPS connections insecure.
certificate-authority-data
[]byte
CAData contains PEM-encoded certificate authority certificates. If empty, system roots should be used.
proxy-url
string
ProxyURL is the URL to the proxy to be used for all requests to this cluster.
config
k8s.io/apimachinery/pkg/runtime.RawExtension

In some environments, the user configuration may be exactly the same across many clusters (i.e. the same exec plugin is invoked), differing only in cluster-specific details such as the audience. This field allows the per-cluster configuration to be specified directly alongside the cluster information. Using this field to store secret data is not recommended, because one of the prime benefits of exec plugins is that no secret data needs to be stored in the kubeconfig.

ExecCredentialSpec

Appears in:

ExecCredentialSpec holds request and runtime specific information provided by the transport.

FieldDescription
cluster
Cluster
Cluster contains information to allow an exec plugin to communicate with the kubernetes cluster being authenticated to. Note that Cluster is non-nil only when provideClusterInfo is set to true in the exec provider config (i.e., ExecConfig.ProvideClusterInfo).
interactive [Required]
bool
Interactive declares whether stdin has been passed to this exec plugin.

ExecCredentialStatus

ExecCredentialStatus holds credentials for the transport to use.

Token and ClientKeyData are sensitive fields. This data should only be transmitted in-memory between the client and the exec plugin process. The exec plugin itself should at least be protected via file permissions.

FieldDescription
expirationTimestamp
meta/v1.Time
ExpirationTimestamp indicates a time when the provided credentials expire.
token [Required]
string
Token is a bearer token used by the client for request authentication.
clientCertificateData [Required]
string
PEM-encoded client TLS certificates (including intermediates, if any).
clientKeyData [Required]
string
PEM-encoded private key for the above certificate.
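The ExecCredential exchange above, as an added example that is not part of the Kubernetes docs or of client-go: a minimal exec plugin for client.authentication.k8s.io/v1 that validates the ExecCredential handed to it by the transport, reads the cluster-specific audience from the Cluster config field, and writes only the status (a bearer token and its expirationTimestamp) to stdout. It assumes the KUBERNETES_EXEC_INFO environment variable client-go uses to pass the input document; the sample input, the server name and the `issue_token` identity-provider call are constructed placeholders.

```python
"""Minimal client.authentication.k8s.io/v1 exec plugin (added example)."""
import json
import os
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

API_VERSION = "client.authentication.k8s.io/v1"
TOKEN_LIFETIME_SECONDS = 15 * 60

# Constructed sample of the ExecCredential the transport passes in when the
# kubeconfig sets provideClusterInfo: true; spec.cluster carries the audience.
SAMPLE_EXEC_INFO = json.dumps({
    "apiVersion": API_VERSION,
    "kind": "ExecCredential",
    "spec": {
        "interactive": False,
        "cluster": {
            "server": "https://example-cluster.invalid:6443",   # placeholder
            "certificate-authority-data": "LS0t...",           # truncated placeholder
            "config": {"audience": "example-cluster"},
        },
    },
})


def parse_exec_info(raw: str) -> Dict:
    """Validate apiVersion/kind of the input document and return its spec."""
    info = json.loads(raw)
    if info.get("apiVersion") != API_VERSION or info.get("kind") != "ExecCredential":
        raise ValueError("unexpected ExecCredential apiVersion or kind")
    return info["spec"]


def audience_for(spec: Dict) -> str:
    """Pick the token audience from spec.cluster.config; fall back to the server URL."""
    cluster = spec.get("cluster")
    if cluster is None:
        # Cluster is only non-nil when provideClusterInfo is true in the kubeconfig.
        raise ValueError("cluster info missing: set provideClusterInfo: true")
    return (cluster.get("config") or {}).get("audience") or cluster["server"]


def issue_token(audience: str, now_unix: int) -> Tuple[str, int]:
    """Hypothetical stand-in for an identity-provider call (constructed)."""
    return f"constructed-token-for-{audience}", now_unix + TOKEN_LIFETIME_SECONDS


def build_exec_credential(token: str, expires_at_unix: int) -> Dict:
    """Produce the status document; the token is kept in memory and only written to stdout."""
    expires = datetime.fromtimestamp(expires_at_unix, timezone.utc)
    return {
        "apiVersion": API_VERSION,
        "kind": "ExecCredential",
        "status": {
            "expirationTimestamp": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "token": token,
        },
    }


def run_plugin(raw_exec_info: str, now_unix: int) -> Dict:
    """Full plugin flow: parse input, derive audience, mint a token, build the output."""
    spec = parse_exec_info(raw_exec_info)
    token, expires_at = issue_token(audience_for(spec), now_unix)
    return build_exec_credential(token, expires_at)


if __name__ == "__main__":
    raw = os.environ.get("KUBERNETES_EXEC_INFO", SAMPLE_EXEC_INFO)
    now = int(datetime.now(timezone.utc).timestamp())
    # stdout is the only channel the transport reads; nothing else goes there.
    print(json.dumps(run_plugin(raw, now)))
```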