From c2d2fa6345fdcd2b2279c2ec4090d21fa97d7c4f Mon Sep 17 00:00:00 2001 From: zhenyus Date: Thu, 24 Jul 2025 16:51:35 +0800 Subject: [PATCH] fix: update Jenkins token in gitea webhook configuration Signed-off-by: zhenyus --- assets/gitea-webhook-ambassador.drawio | 171 +++++++++ assets/gitea-webhook-ambassador.png | Bin 0 -> 59499 bytes .../gitea-webhook-ambassador/configmap.yaml | 2 +- .../jenkins/jcasc.yaml | 122 +++++++ .../telepresence/telepresence-oss/.helmignore | 23 ++ .../telepresence/telepresence-oss/Chart.yaml | 9 + .../telepresence/telepresence-oss/README.md | 176 ++++++++++ .../telepresence-oss/templates/NOTES.txt | 18 + .../telepresence-oss/templates/_helpers.tpl | 220 ++++++++++++ .../templates/agentInjectorWebhook.yaml | 140 ++++++++ .../templates/certificate.yaml | 14 + .../templates/clientRbac/cluster-scope.yaml | 38 ++ .../templates/clientRbac/connect.yaml | 43 +++ .../templates/clientRbac/namespace-scope.yaml | 85 +++++ .../templates/deployment.yaml | 324 ++++++++++++++++++ .../telepresence-oss/templates/issuer.yaml | 8 + .../templates/pre-delete-hook.yaml | 76 ++++ .../telepresence-oss/templates/service.yaml | 56 +++ .../templates/tests/test-connection.yaml | 22 ++ .../templates/trafficManager-configmap.yaml | 20 ++ .../trafficManagerRbac/cluster-scope.yaml | 104 ++++++ .../trafficManagerRbac/namespace-scope.yaml | 216 ++++++++++++ .../trafficManagerRbac/service-account.yaml | 11 + .../trafficManagerRbac/webhook-secret.yaml | 34 ++ .../telepresence-oss/values.schema.json | 1 + .../telepresence/telepresence-oss/values.yaml | 186 ++++++++++ 26 files changed, 2118 insertions(+), 1 deletion(-) create mode 100644 assets/gitea-webhook-ambassador.drawio create mode 100644 assets/gitea-webhook-ambassador.png create mode 100644 cluster/manifests/freeleaps-devops-system/jenkins/jcasc.yaml create mode 100644 cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/.helmignore create mode 100644 cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/Chart.yaml create mode 100644 cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/README.md create mode 100644 cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/NOTES.txt create mode 100644 cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/_helpers.tpl create mode 100644 cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/agentInjectorWebhook.yaml create mode 100644 cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/certificate.yaml create mode 100644 cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/clientRbac/cluster-scope.yaml create mode 100644 cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/clientRbac/connect.yaml create mode 100644 cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/clientRbac/namespace-scope.yaml create mode 100644 cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/deployment.yaml create mode 100644 cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/issuer.yaml create mode 100644 cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/pre-delete-hook.yaml create mode 100644 cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/service.yaml create mode 100644 cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/tests/test-connection.yaml create mode 100644 cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/trafficManager-configmap.yaml create mode 100644 cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/trafficManagerRbac/cluster-scope.yaml create mode 100644 cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/trafficManagerRbac/namespace-scope.yaml create mode 100644 cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/trafficManagerRbac/service-account.yaml create mode 100644 cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/trafficManagerRbac/webhook-secret.yaml create mode 100644 cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/values.schema.json create mode 100644 cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/values.yaml diff --git a/assets/gitea-webhook-ambassador.drawio b/assets/gitea-webhook-ambassador.drawio new file mode 100644 index 00000000..9dc79bef --- /dev/null +++ b/assets/gitea-webhook-ambassador.drawio @@ -0,0 +1,171 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/assets/gitea-webhook-ambassador.png b/assets/gitea-webhook-ambassador.png new file mode 100644 index 0000000000000000000000000000000000000000..44320d7a8b687cf0370cd1cd5214131f8229cefd GIT binary patch literal 59499 zcmeEv2|Sc*`#(~)$}TEmM46CXNW@TN8*38T#*$^ShpZjhNtWz1W#6(Tdkc}WW#3EL zx9lPO?-{1%Ebn{zo%jF#ey8{Ip3nI>GtYBB_i|m|Yrmd3{whir4v-!u#lyopAa@a_ ziibz2frm#xL%a`M=_{c=1O9_=r+PsOFSqIF1RkDBsJ+Z(d#jr!=9UONHh$@yPi*`$ zY&_@L_;}F&@=F_=8<^S}Sb;C*#%%mBHaTsxngRI zT^=(l9}oJ1nz_sFdc0t_=pC3km>VPPb|2okWRFBz+MD0_^+hA3wKc-X{#OGHY;BQF zzaD0SwA?-P?y5JyxqkH!`huE~f#vV7YMC3`o9&D}Be=Ug^yrHSb5k?y%Dg3pBvE;NxBEft(T-&*U`xnhzX@n)3+E_a7uEWMB`#*p78#QbZ z*1JdfSEl0=*s%UCb~T8cLWi*7ml}I1iz}qM!P9@B3ruTi>4B*&2F3U@-Xd2WQ{CWQTOHHQF5| zv>Tws%u_Hh1j79*t{GUGn_2@R8UfHCY{5N8gsr_f z5T5h9H>}K!jnM#*vPIaLyBHW^z<}n@4WzlXJ?6lIQfz`SaAjvr^aKd3_Sm_!E7`jb zgKN9MykYPit2=o6=coTePV6ql!_6ZiAiT5QuBPGw)JHSmhk5lQtAF2v3Yq|5dMwwG zCMI?OSC}RLoafkiFr5Detbe`(e(8S!C;V86_}2vbn+*St1RA3tFe3czv44+1^JAd( z&&h}-{ohoe1$P zAdx#t|2J&;J6qcwB>e^6e7Ckj{JW0Ff358wcxAhiiUS-KTcoiA2ygg=EP?YWWo+&U zKANIGo>WI*f;sTr!0HCLu=5u{OC4ctU~S~gfqe)-8Rxm*q0ScRU~LS5x#K`PnVH)o z)NUAH++QaU+<}>K{Pmru|G-tJC*5j2A7$XfMqSCk7MR zy@qwI{#PAp^ls1_`i(gMfR_EHS|z*;@W0`6^Xi=BL06qSr&fNdKn!y;t zzkr*+j}s`c3tJo^Mmkx8WC`(L&D`??tx{5UYV0D@lwpgWaqP5=H%^tW*`?~iKH|Jy+MKd+*Ic0AA) z7gvk^`vYb4s{htJrhvfCv2f%AR05IKrf5II{^v_y?i76gHGRq>vg_CHD%4%C_P>5C zy3&A^1029$6{;%Y#_s|1w{uH>t5Nx}O&x#cm;T>s)Zd4iAZ>gd-4*i(X=7D{jf1%@ z!U_cWc0X;380+C--I_nLeArmwZ<8YC-%ao11ZIDwIp*&aKVZW+T+7Fg(TRUS&Hk_w z{kK~_!CkeEqsV^J4D1f({sJ>_GO#?mxWx+Fj#u!*-1?El(HsT120r>vmb&5Jt@Zw= z%kyJpX@Qw*C*jZA?GaU%<`ZNQi&mi~h3; zF$Qygff+d7wgBI+P4j<+8ds=+K>-Be!3oS@2uI}`cHa^n=({*}`){9O;=-mf{?;j` zotXYtbU$xv3Nm^;Y6yFKb4*J3Z%g^zxRs0dr)VVP|9zYykFd5dw?=2(e*$XnsLHu}^k=W|{t>7C6W-DMeb2gW5of-nErtsH8ilrUj6A?^||=58LC}; z@QUmv;c$&6n!jk53)g634Jnqj|Eup~3jO8u|6h4g>VGAW*-^W{ZZqAX`;SQAUp1OP zGB;Mb&)eD>I0F=5Ieug3*IocJetZ_}T;E$kzG(_9ps+y1cIW+hk#T2I+`qWJCjV#w zer&XJ?K?Cm_)x{u}4!@BIGhjuQCi1pSV;Zyfmc{wWVPp8)oURdzuKD1auyzu7oq z1?X@7;u=;X;ou2t_i$cZ`&OIbL8nq}%?%yEZ((4^{n|caui`v?(iUln_<2Ll-&)T< z>QqHT5DlvTZR3g2CI8?z=dfDo`_KE~iV@~6_6G%bZtOmQ{t3bzZGSoN7z7WG8BY#& zUj3%tbS3#)tuE)WwHBptDMMFBW^2tyH4m&La|?1$hM(Dcsa(_IVTkC*+QOBS?`Q2f z50Fqe$?5kN69qj;o$t<9BZ}v_l9h#j{32~yhvSuxnYkv<{XfnZpdPBrUQeIOcKS%; zm{8*-$2U`cwySz^(Ye`mZf>i3_3PT#M_Q*Vs$HAKo5!4+D#vck*)?e&zr~D)Pb`T? zFhLo8srl0EC8zW3$%70yBSJR}}A^?jdObB^R;fY7c%){oHPG!T>VjkLEN)ju3 z_Qd#-pCWrAtE07dDof_^aeIY3U=$ucERx31Q^}Q7PpM9JScLIfnm)&Ty!ZXKd`dVQ z<254=^cZ5!`hDyqgz{!khpv1}ayJm$34vpRqE(#%_sQsX=mBgv03q zk`pDr#QjPVO-hRB^PUqDl)gj>D}D)a$>ue7-b$g}#=|0*4WQ(`mFkRl#!*SC`=6m7 zFS;<@PpHV6NNw*@!%p3dAr6HGmAxptG@5L9D0xy|$u#l3r_+pB=i@{2)E-CNRC@kq zqT4V1UPxX(4QBszRLp8@!|BOwO!;=y0>L+xS|%vt6wYF%mR6T*nTXzxVYG4PBZ@ut zy=tFrMTMxEC%%a8z2rYeQxP8$><69ra`+O4#hwb0kI%`F${71pd_M<;h077;A}qh$!&>f4u;)Ss_WvoEPocm516`KUDst& z%>Kzp?q*QgsQ)QA_%u}g@I_}Z9P}Tvzm?#fQe%gK3M|t8R&WXiX#g6kXwqUhIDfP< zFr4r1O{Io`)+2%GRF#3e6d2N)Q0T8K*L?U>2&EEIXh06``!jfZrr(p=-(s$e=HSJ% zX&P*0}zSfV2zza9Xb-y7u|(KsjQd%psW6Wwvze zQ+*gKnPJ}eTrf8Ta=65GWjZF&eSK--ooJR@UkS2#*rg*=Lz{tpr9AhVT6zDX-&oIa z#kYxPoeMhMkeV5eS7{iX))o*w`9{9|4qdt_HeJW*`Zr2BjE1V*v^Ol*GpNQirjagg z!=)Uh>tm&>Jo= zWyMDc1E>UwMcr1N`G}5b z>|pQPKIz5IR^!{z2d4$QuCmTLIi_jnC3_DqjJz2cjYBr^T|Rj94D;%sD{`fzqWdww z%7Wpm_KDOu>)3;jmPK6>-IuuB^(wovwZl7Prn2U1D?w*%EB-|CQ)IvK~X{9;;SH3Qc zc1Z%ORkWux75FuxxOAch78iPN7c`fz#@=+^T<$7#&4@FPJdqiFMz}{qW~Qw&l`+k< zDL%&J-b8g{VeMn*^@+5xp1c{UW{;WTF5{WrV(pWgy?L9xXXo|$96R0$4Ld*WGz)~X z>kVwoHYJFqt;*!|ByCM3H5{t?yf^=&?eb(tPvu+V+qB|uiW9os7>zPEofdCBU7ySv z`QUpj(WHP=yTDj)R103-!8bEk)cj!e7VR$zLo#`*HPp(V&Rr`@RZf-ff^m>z)Qc2E zrL=9Z{p3btsN>VQ^0{-)pPv&I(p+B6DHFddxJRNg*QB&!q2W|d1XH6V?~r*~z2deI z;?`o^P<#NR9nq811A`x|~SJ=~9W4Nf;Syc#Nude z74Eg5)-mD9oX@d=w=*p0LGnUYrtT@Gm!eVqRku58l7R2CKBNcy&~ zqGCUl>jBaY#p+E>_?y>nF6QfougYquSq})8tq3wXe+qjis8JMdNY1HH=Q7oqvnYDT z@kA37^J-;cP$Mvhi?6N+LapmMX9cF1-!Xk2sm-qPZ!cMA*Lg{+p^z%q7H!k@j)&k9 z{7LXZ_m0#|lzilRk7FN7-j1B}Z1~NlG;PFzeNOV8ZgU+QYJ=j9w6OzOajr?HGHHs5 zg2`M(RpDYc^3;k_0~msu0_?c5relT!pexG*#dj=~Rtgo9l$+0OSmp@o`HgYU9V~p) zK&`PbYvGIvh$At}RToGx({wHBd(d~EXUJRv_EBN3ZQaI*TbU<+gLYPMp>uii_F0tt zF?9~=9ni6~l&2d89@!VbuvE&psqO9C$CAg7?55M7j<8lc7CxI}UVtF$=ta60u^R28 zbLzLLt9V}A_n|<`+MX|U;M#GCzjk7Xmo9Q$H z_IbEOosw#%`aHdVzmEEiv~IIfm(xx%wEW|CeYeGH-&L(UrJNU{WAVRL!GEuf{G?bEuKm86`jH#-*&De@OpH zTAq31^h9-PssoHxEHMB^%g@yqfy|v4yxq9!yb0w;@q=n`IM`i1gbL_Oig7?@m8Ax79X$M@ zjgFyX9iv+eLW2_|$^|*%m>o}BAwVcz?f>VB~ydKe2u`|8A ztwW-okK5X2nw&c(Bmns2BD?fkJo+p$yQP%0%E{D8ME5<=I9cfsG{DdpNc~aAm5bTw z@f88HHsKG}y(^rpsOxXLE#%BL7do5jvz!vpb2MZNYD_z}8|U~#^1!j@r`L5ui{@O{ zJ!nZ9XC<92wxc;8LQw&fjDm%auBQf6rUvx9(m4ci>hrQd42rvT#$IsTC`y|xwb-VA zuw`^?Bl^~)T2ceul*V)O&RFOyUf0#Bl|E#i;4%?BWw5ezrq#_4y23v=(8`l1-fLkK zGvM*|ifnI4W_E^Z=Y6+it4)NC&TjFaI#4P9 zwp-1r9U@j+o<2A_*DSGp>q&G$&jcHCH3>B#Cu7yI|7oK=N9uNa=*!m(#k0+`0`#j@ zT1A0=8?XB4fOhaVF{Pws-TD%`eKYYS-z8 ^YARv03XA8ZcTd0Y1d1;`^vG#f8Ua zGUQg4j`g`0o{Dm2GH2|q*aV9Bsjh-@e58%({XrjK6`B-MS}(WJ7o-vOblJ~UI&V_U zT#6p>Q0O;jC=-k0=&~-EwSQP~F06F>x(NGJN`u{_9AOHLUaC*GFdiszjAV||M#~*K ze?IB1hp(3#=-yeWnhe;D7j?0{npY&*->T_9mOA+1taS3!nViBW_owy_$2@(@+9I2N zB>W_*A$qA)2;&|FDLy*|uWjVXAEFOAkU70RtCLZ&cecpSKbvpQ;HvnWFFrIu_@(+y?+*Sf*|n+ zf-K|A-6P8WH+q; zr;(}Ok3=$;FM`2QSkmU`+V(ZrCj@1w4lMCd*fCF10(^>=FK*H> zcXgP$%DN5Z+BWRdHf30K?AI-EN@sRFopi%~LTkz}G1#X8$ig|wwLFl?Sj z&%Id9_3Ny@F>hf8~9mhD6(4HdmMS$bIB58Xm*jA4* z^L0_BRO*yX!bW|#SFInHap9xGB3nH&Vu6 zvftO$aM#>Ht>v7p!0_|eQI~o8_zBp_WRkX1$&+m+SMb%D+ZCR9h&uB=9Lh>YK@19x z!6J=yLqA|7>h2k@+mMCRxfPAuTgMs2$$e9^`j8p*CUR%Z&hl?pQ-^I^-7`c2$Cqml$G~AIGiTxHghbnKFMnz0W0On2C4i)4F^%g;Dt1uDqWbn7VJr| zxvZ+ZffR5h;!AGs9%eEiS}2JaiUpHUD_8b65WFzqnTe5_=#ajWNf z#;wrwdjVKnmyH|kBy@k7;gs9Q>Mt|cjKxB6HtKb%rGdqS#xDra6* zl8k^|OvYnsU1Gh}{JQAYI!9;r_483`Z-|RtOL3gisYdo8(`|#3L(Z#{H0Y|+VH|em z_u}{k+7(W4d)l+NWGk7b)DIccsxrctT$nxak4$swm-6(>v3#$bDmQ)cQ#q z1G?a+nrm+}w>Z(sQ&8N>I*tlJGCeqlVI7{=7m~Y;RMnww1$VP)lPV}pbrpg#9IPGX zIw96{f7b??rCcwQ^ufacA2sRoZrc9Mp*+`;SNuo_Qs z=GHz*xxol$GaNHKyaNtqTLR-k*zEhnMplay(`S@)%8v5CD9t=SUZCRQIcXQ>2R-NN zTXuf;Br5mudN>{YZO&?+s*$86Fiul{5HZSY{NT~VYDR}2)Sn1%bXV#jCnSX~eL6T> zf3`qVlz_p27i@RDosK=s=N*Awb{ZtJW>S0F8u~ zLS*pso$|4~l8*AC?kC7VQhfC~2TDHgCdW}Moh}jsZu+xY#Dal}`uN9`9Oa)iWvMt6 zs6Zu$@0x&&W~|Le&K=Z%&4M$D@=A8f_gArtv7Ot#=R=jGTv<#Euhr>N;l++3U`<9! zNf>Ve?bzGpq6e!IU2FB&X67kRpN%7|zv6$Is$R+eWtv8T$`aGtO5uYZuBLlY0Z!Zx zq;?>NPYi>3T1NTBi}3nnN1nMQ?dBW#}9bsQ#qD$?#*`vCi(WHJ%p`x2f*GUWA@ z2?`MUxJFa*94AY0qgQ$H3>MXr zkL4GKc%~1B@u!pS016=GBs0(HIE1ye(xKAsx@*UM8 z*Irark3K*(yd;<4JfRd{&y9NVDp$AM_~o4g1?Fw33ZHMzxemp-ttPHkT;SHLI0;h3 z_tE)gAF@NneNU`9}@Fm5(rhn9#=VncKIm;SnGy_4Ot61fEq%tU!t5 zMIE4T&X(Fwyi@PLoNrjGzF)hHG^*2)-gIM6siZM#OBy8e0q(5*yc-2m2)r{WF85LAn+0e=$UL8zWj}m@A2^m zWkbgZyI1R~0@6`hT^wT2AhRd_2^sfJWSVsbyuR7<)aIjlJg?NH#B@~5Y0=1wwRDRl zh@52Te#+GKKm&QDa1biQy4PLD&Pl-jtZ#fio@isMTZ@u#Y4SqI(U{zahN)j^5Si)e zhA=8|*}YNHz6TrQw;r~63%rr>$QnoW@cWV<(}O_nZxmL=-OJ*GMNi%lPLY%ZTR1rK|m+^ScH!JFjPmVU($fwugJuaup(sM|e*I&O;=bcI!S7*^}UjY?` zrqulz`cxmKiZ$pV3d@IHM#QrNC<|Fbj9%)JtwD!2 zqjO>$$VTtVM6xjS#v4+l8de|;)T#j=)<-T)V0R&zYzI!Z!dex)h4Q;)#@G1OnQ|@D zFM3E~{OGG^dtI8&jaO}6_LhvKAZ1n?vFe>29Ua|Tg|67!C}h7-KV*55m5bo~(9Jem z+RmL~Adq)2VUi%hFWGBC>uwO+k1&0Bn9Oz#K_FKF;r&J`;*IXuh7+()ZIA^yN@oF~ zkB55;ZQnha7Fzk*-ygp<^hO!)Ma2F7^oVV+)32+Pg1_vV13ZF7;{76z=RRB6udoj= z5MRG0kZu_z+2h;m?d}LkHQUrsS-X;crzpF`TufH7b;vG6GQ$w@IYysL#72}*mc=uj zkJOQSr(T9WeJnM-t^T!=D8V7wxRRMC-NOz-mtfOVWsc(?ofHaGRo^PTZj{RBt1Jp8 zygwpnk7pxJyk7mv(bivI2vI7S<}PGZ~Vg}VDO?T&^Bxw_Iu4;pz@UEJo9<5FwNzO0#z&0E34&1#Y$xH{fkbjd( z3}^CQDq`L^wuo%lD=@ckO$n9@X0cW09l0KK+IIJV& zN50HL=A%i5PrQU4r&U375R=WrkdQ(If2ctFR{eg4tb@i6V1wN}hE^3k+FT!lp0{6AORA6@u)uo4lf3&=ugEV>Vv|n@?_`&NrcphYAvHJ2tkIUaYObw9)SJ}fNt$+ z50xX|$%{`+L)j7(azy5nbZ6+wSfgXp=qkB9#go@O8LrmabPZZ3mQQE#!_kGpXP3a< z^vZnXu`VAPrpZ)ZLcs4U)XX$ayX&L++Uh7FK5>l{$ZOCk8xrB30yb$Y?6ys~V+i%-+ zp^0h{edxEWp6ODOSVtQDG&2{0Ob@3A3uKNqtm{Nz_jS#Np+jNSbYW96#@3K$^enPn zHw?HUiVTS?famOshazR!DS+-U#mkledh)Y>9G=m`r<;Ke6yrX4!XbK(RZo6Dg`_bd zP<<^Lkj07ic$vTg14^TZml=aVED;9AGJQ}Lz!@t5IE1npk&*_rZ%6Lb^T}u}AigK{ z=6C9QodgmO`|#=(>z|I1g+=-e_?c7C`{1D(PIi~#?n)o5L|}J0Ve(#vsxMs~(7^z1 zw8Qw{p^HZ_0>(5j>~$qX$v@70I7~qgGIkB)+{w6O@F^tKNuJ3mX8EPRi#R$4nBxbn z!4W4s!UkXwBlt;Ih+&cXx)*9$ctioNTXiM(;=quA86^2U!(%lm;VB#U}SI6Uye1LP!p|0q=hrfx1Df)=Q6N!nfN{BHuLB_rK-wqK-l zu}N$M_}^-6$fqCnfhK@ovab|p(jF|CcH3Ba4Z13h+;^TImgy-n505|VY^%qh*xqDt=z0~_Q5cfbprVqa%Q$iqgwcjrE?ADi$ zYF?6ieXaVQ6jNy~G<1V7paRsagMZmyYY3yIH381_{jjoIYX#HY`O>pxQ@ImE4U|vB z2;eD<5>24xY8^Nh@5r^}F%2p^WcCY`oI?c+tK!2Xp!)P5hChFJ*)yb+bS{B}-sNpW zd#wU0MCXKPv^qZTY2yPt1cOjH1L8~)S+_k_~kzGD9-7q(6`Et2q zPP*iyV~tEPZq3-FgsD$M zHk2{ZIJ2hXa{fL7X<*P8?g@3_SZ(6SXUwPoF440K^{i@MwM~-n=Pwi<@V@xPB#2Yz z31{44yU*{RD?EEFA)C$n;?0}W)n{oX6kY}C%xbJENuJ>v+9W<}$xqLC9V z52RzpjjGy2C!8Hq-^TEpraGK1K-LD(F4nNn8iOe0v`&dNVqG~s$Ja%g*$|+VQtVJ0 zjxdU{@}#Gu2=0&`maTtWsHk4UBjtC+^cNah8BmL4RiKBDpc^ReC!iQkbm=aeXpe@NXU*SA3sJ=j4M1PU{78e7lZKa}zsl(?# zwr8ltM59mv8o(I=5w@8(~FG`K-F96(C_m~2HJyg<{WgVR)|qoJQV1z6@JAu z%gjJZx%QPfWR*yqqgv5T%fVPEyISonQ`20tm=%#Mtvo%R%{r6B`!T9)YBGf;3yupM zRK6hK4zTCmgHPNJqG_DuDVlD_<&&M@wF9MfdPSX<;g+3TyxShD|~CLxu#w8Gd~i}soodGJSNSo z3pg{e&h%zCy@WnQCiVDL_10QlhgHT!8>eC$r|o>F3Em;DYgK3C);|Uub?h-YbWHr! zx#sBwBS%_jncl#JgbO3vGXFm&dPm$Ui-w!j zMZb-Xs&#M?Maid~;n+_gM+v-)h5>ru0Alra%Uwwtl)QA`LkZB5hiTn&0WQV6BUeaw znkX>?{rrGphc($No>%wpE{)#jl?e8`v_E!WgIj1O@ng<0j|dno0aF6EjanA#l5rE&iZD=niHf2E=vfxO$R^?X_Xc=j1b`;F==n^P{+Pj60;D{E*4HC1c z1|>@8IKQuwFeVlqA7(GK>!$!5uyI@m4399vGa<#$?{1EiC0b2Hp9dp8|7OH9uTyGn z=R{tsI)9XpY7jfo15K)0*wCZEghkJ!fMmn=ese(4&n9a_59KLr!g)u0A+|Yww=Til zEg`v_2rF7|LbUt+8~+WRpiX9hZm=_ORI@_tAgI&&9-9rQ;%Y8Pd7c9KyCB+~f`dLK zvzpJ1UvKUzfvmdMPI2cg+DW~MRdzd`&#pV~wGU{P!;&9qaCHkz2@tNHF$j2+lEUDA z*@ufeT|T=`lb=7(gy?EM2>OJCB$X7UKLxayGef{fN)c)`9ARQ^p#;x| zNU8$zQ3!*Nm>>{`yk;P(O(79%0?@e!_IEG-4KF=z^ppbjFHdQMIT9r(IN-Sc;NuOn zouft*1PUxy2A;n(?%H?h!GbkMLrMYh`N7^ApW4vjp4|}LI8o@7e}I5uJP6Ry^dtu{ z?%J(jPXAYt^aLQkAqTdpTo!TQyQRa!4<&iq*qCusb*j*;74nLr*w2OsoRS~k+K<=u zP#^A2KusSw%4l&+W(0e3{CegH?n2M0(xI7Gt8QsKPIt3_q^YKkaA1ADesJnA`e>rZ zfdOSv2*B|%JtZ#^g3dN{NA+&oGy){xgIJ_&`5b_|?85f!K>n|@F?jeMBWm5-hm{1ssY z@M$#!_+@G%QZC(ZdZWtg&}tc3Y|#bD+&^!|$F11An z4b*KtPL*Gs=Aa~?@I%YOQTG~B+@bC4?*pK*`L>{8oYPK50-8Ino{V@C6_%kI$9)1E zg#++d?)jT;Vw{6{9VN(3NBKS_>&Sd8l}h>nxQUX?Nq~c4xC+$^Mxs8T+Vg6M`TnoS zOn_XFk=&3z4#hp;U9I)1Kj_*NFs>K z>1W-9qp)A{Uv%reUk5{037^7U<{;2t?e{qlgZ&}#WWe)d0Rag~t3~_HTPC|3*#s9S z?w?Kp8w^8Zx+X08S0_0Lp0_6sM}frPP4Ka1N{91T2|qO;JUb!!T^ewjNBzP1xJO8b z0pXxxKM1z13S#SfE`<6LxN=4ZmS@2bMIES5ReUPn?-&A<&Em6bKWkf=}@Rtv`;gTO`?Y{7SeC&=hGywjTxwRbUkx zo;@o)iu?Soy-$aLH-XN9`RCmv58yKJ{SkoMp|etM;NodOotqPM(7m{5frE=d0ZD;? zx(@(#Nov*FcT4m;O8zDAK^Z~>wE%et&>H9QV!9~q23$Z0@{am)01(_^@R91i1PCl~ z=&K7Ro$!Vr0MS}O0>po?mi|}V?**v2&iauMkWvPalEZ~D?pGQ-4j`8j=rGA-0&qM~ zy2aQ>><;|VKK$Dc(ZDqpKzr&zM@(^3k<2Dw${ls))dbQT_IK`i<4^~}o($QO^pu20 zD4?(UGLe@a@r{q;dr$cQBw|khlhwDjKB&vam!#CFU3BsY9j{P8$Mf#JUQ8rlEG4%L zjyZuz17082;uav>t(m(3g1zI{55Tc$e%^q|G}dp0K_&)MSO3RjU?6k|2H^!9Y&^(2 zArNO*gtA~I9^Z}(?ii?pnGGi)vp%3L3lq-S{*SX*wW0LUiw_UCqb?8>6@Sly>Z220 zdnB2rsQjQtVdN`iK||gSx+4KvOw}6a9xtSbJSM?sdZ(Da*Y+U!gyc~f!CfpAlC)e4 zJR>!pCo|peuJF;lgSg!atYO(5{p(>Y`h;7?@7k@yZrQmUg=_;>WKKiwX#6aDjK1jOKZWXcF?yZW&shOPTdG$-4=aQ5>8cpYJY75U2 z>6N9#$#+y91CV=JX~iMX@PttOT($MXrEZ$ceLLcJF$Qn5*soIAgUfJi#pv+rZTF`x z@aqE`_^5zG)~sr^$Sh#bM@c3OPX&Gyq$XlCcJU#Vl^Vy{md$o+R z)jhCC>!&4LKC(Sg$#r90RuN2bQXRW+;Gj;frUNaOe@MIzJ`HqDIZnvxUib;+rmW>E zw+-Xf*@0qCbg3KtrqZ`OT0+)xca>ZD^gy|mX3mvJ*V%ldI^)IB#kElu>7qULmjFxQ1toCuGXkk3?4iBJI>50ON zd(Izwbcp-v-QBmyPObEj>fCDi7|fTk{iINSdYWE*`}K*Ww}YDL0nX^|0)Ofgqlhe; zj{Jt@pc}T0f?dWVab?+hl`gRl9y;87??se~G;CMe+%`S87{eJ@Yn*x2ZMkFN^GkAN zE4>0^Ig^K!NkMlP;;Pr;7D}7ltP{mgX=c}tJXp3{({x@`D}k?5-fREX0pkmf+gpit-B)ONUQa ze_ar;TN`hEsArnha_z_|+uN17U8}c6)o11t8HOg-oQ*DSmJgD5=3PtDH3Xds!6xV0 zGluBvI?>V*^dZHkE4%&VA|crZ65M>_y$w=^+MNMwNn74iUO%zwDz!VR1h+OeoYHTv?IliTd<`w0RGgnlGwDg=2qMLQZ zGOv`J)TRm@_G?FqWIJmC zHA;>Z-CA2P@05poT-cE5MHX#@f_88n{rn9R<+JmIZ62>kNpt&7;GB)y2ew^?kKU zaKZiRXWmtp$3Sz_he_oMC$+vGMT%KvVwBFCg{i})^;7CFJQ6hAsIt6Y=Hfys(k{|z zGd^M{?;TQo{wQ0*WOdslM;D}2S4SclDY7%}$uC}PQbM1n(jath>FO$z{wqC`{pOt` z*$YyY*1EUORLy=l0Iwy=ldJT(J_FuHm@J0`9QovEWFtfCG_ON@J-2+etl#H#11wT| z(R#7KYI@?5w!^W4gkHWCXeDRgh*JMZXL=ZdOTh)oOjs7+nyz}TNs~}Gp1Pot;0+A<6Asz?iqbU%!j z^6FCZyT%+;I-h2M`7xCIk@NfDY=bM_h(YRf*Gos*lSNShn%QOm0^Y9`Xy1LD7SvFv zZZuw$s{%Q&r>fmEi3& zMXjI`r;XMDr-gT_jk6Lf0qsw?zP;gbCuHI*y{pO0R@?1#+ep8!mnheYN?PS=nOnR) z2m7Zrh85!oEG*Npy#T_2aWP8e<z7gcIKH3R2r8|kpVxAV zZ}DlbTJOj+iLqHZNOOhAPNLnzLN-XrtH?>f&Z&xrtcXjm;->t|s;I=gW!o;=dTL`! zrYm#7M}(D}-anqwA38NteWKUdiqa>Z6nKy7lX(t~#j$%kXf*=XjjXrf8wxJU0y;Ud z#X3vpG9{1|^RkZ0+|cI!tUW`UrjNH`yUyQ9H>4(R)rf@A77Cpx-@Z6P7|}q~S&?UV zQ=H(oFaRcEN+ao^DdowF$J%@sLErSy(}MYTLjmS0X=aG-(NhqGZ4&Y~H58QrDK|-y4rr7at3Z05we!{A=qLEPG>| zqh>(sUhSCb#at*7?Ikl^@@ ziFYX?v_eZpe9G$kdE1Qd&}gW4JFoPZrb#KZqWWf6mI^_UMC+L_D!}AfzsL4wkI=G9 zu99|9Ej{aO_tE~DK}rpR{f?RO1o*&-bnUsn73*xxbnezoQ7(thRMOENBR#0ulSeW4 zGGjv4^Go`K+8!^h*@LRu^u|56r4e>^+aXaBHgkKjyQ zJ^LUFLT_GyM)70*ttOVrVE5NGQAwx8j zj7JyDmGDvuMa1TsIh_~hw*%@`=Yo^HDa&rgi@M zW#00^l|{`Pot=v=6$2bxSMEmnTtBjpG3|V^1PCnFjl^7DCoXl-A$tl&?!{H6A7P`n z`2=3`j>>aW^woz{e|=NUS-q@N9mxgBZZmAWwAbwcC_=ATO7C;q0-!Wyy4I*!3hKtG zQxOxd$VZJ5#YbzsD{qvGyy9H3P95gkG+p|fLcmBpeo1}p0%XAzvH)JKXbqWCuz{R? z#2VtwU}qmp|2h^*xgp`urdnCLTuOhYeEZR0=3@^SLB`-aS=hP$6!D2X+5o7$6hDW@ z?3lZf`_`C;-qv{N*2Tg35T|;Jyh{IweOlkZB2fdUwbguL_Ps1_ zG01E8O-C_6x98e2(vrm$GWfFQ>Rb^{z-7!QmeMiR-C!*io8aS-Y&uK57RZ;sq>+w=b^%LY!mF1&ZrR~;g z^Oe`&9s6)Z>bSsV*Vv46uE14myun*OY|dbkCc0Uo{nafh-H^_qYnnm4t14u+B~2}` zUOj`#fGjk>PBau$x4nZP;TluijzgcWyW~J@vgMo=n_GGH2aEW*ng=AA=LXG?x01)Y zS6Q8ADpDQV7uP8?wj^O&dl;Zr{i-h34}I;;Gxi*9QU8(-$uwJzBNo~dtvf}<7Od*D zXZ=28Vd9F9Ee|093&nI}qfwO~lu67tvsNj2g^MdMe2)8$_;CULVrim!P~c5eqKpwV zD8Azypq4*ROfe z#g-GfrbN`f-nn-B*w^G+!_-Oj`%d~EWNg?+Guw3fiJ-1O)cLl(tCw2g9pB2%h>bfv zORGiMb3kn@yyb7M2U3zIbQr%580d$`8Y_5u#B=YyvsW3p?dpqlMWw)g}E=^x9${wS;ViU&QUh@vw3M#=hDK-*6t&rl} zLRe_MG`V=h%sIp>C+FcDw`#sP#^_>qh4FI7VoJ@KQT0`Kl_zOW#Oi{NRFm5gh&+beyh@<~X%+;8iVkUEdpX;s6airHZwGUNI)!Ff=rCkbnB^!JG#% zTSjvS5kq#4v;E+;-f5Wt#qy5DfkpxaI{%n`sjI2lr)y>yh@WgaGo0XV&17)5O2dzx z0%2Q(Kh#6ChkH$V(wEeH-6(({6c%z$H+=Gkf*%-3)Vfw^?IRxC%VgHG=eVmC z*8o?N8HQvq&%q|@- zOwTMo=gn|;z^0CoOh}MeSABx@21nr`g5p^s#{&z5bp^n?YlzdP7~)o&V<@{ZUnj9O zZ%LXgmU{&R!)M_s-7FFT0#c4{p2L{#|@%J-^O;XigtGD_-mixfz57=O`$_W z)GbrY0bM&q=Zp2_lRKF+l~O^A(udR<5Slt3dqa04fDhJR9XA0R`Z_9Hn;onIUY38u zWHTgGe!6Y?kd-xhv|%dsi0&H&UX}dOUW>eht_v{r2ek)b$(@_ea@F9e0Zic~Dmig- zs>i#V8V(j-bGJy99~7@kG&GB{ifG9nfQsb?T`Eo#RrD{Y5>b9sW^XS3hX$Rx!p!k+9^$E@^9O+0j`>YX@ zxf#RUO_pRwSLoj)Dw&36O}pL!@9n!a+oX}3_j!Ez;LG2tA+aK=wBq*M`lU0(_f#i6 z-E4@)%2Rk~>s+Jbdy|LMu2u}LHkPciYv2b9W~nuVWYXt66(4-n47OE}Tsgpk%;Fa7 zcr)m2)d?c6_G6CQ3~l9CzZDt+C3Ci}v<-OlZ{3rt?cxwxZ_Pd^7Fpf2lvJTB+Fx)r zbZn-=J+sF^CImLSbj&rUvVsv3*y&}q&KGiD zzi2s@@cICGf58+86a%4GqAFcO-I`DK`kR7H%nJ3GT)+E7Y~U))N0qhVs$HXCPe{&+ z$ZW{@+>2AWBu1BMtZWTaPxo~3j6E&)>k$i@;8o=BxVqgA^bZL;=!n+QdihdEu;EVE z^rxa+f|7K;2YG2I#}2EAgfn-fu!->TSjic1wEx%MTSi6wMgPKpAf?ivAT3?e2olm# zf;317(k0RjBGM%cDP6;m(hVvhCEY1Kq@+kbXH@j}{O|MTd2`pgYh7PC%zV%HoPGA$ z`Pusv1{bqX7`q(}BYQ-d+GQ$t*q&H{xOt&${W4iy7xZ=)fg49(V4ZWy1`m-sp8C4- z(U0*-9E&ssxcu>&Zt0y6Y8-fmtONO<7;yET%2`qB?eZLxr4{#_lD6p7~y5S;y&2WDaP~4H%Wg|BJb$MK(P78kU{8p?Ri4` zc{*jWeyq+9Z;)6In3`mBTnfY-&I}Tpk;eR+uWY#2Le+%`F*BW5&Ae2A5^kg83DqMa z=xvdP=_)7R0`)Cbs#T7jVq#qZ9n;x>-(!R6?kRH48=10bHc~@*43Af`R7bpM5c6m> zpr28f_MqCgE_~2H9(w1u;GnVqMm3GIC9bu+)B)8tR zsMGA#)9hK%?9EWIr4L@2EZMRkjbcC`NEFprX{&eb~N}5WZnPhcOFEN=XS~^0}bqWht^U6!>?DfH6}9n zix3;9NfdUVC!QoEs*yy0hF5;sPI76BX3q=HjbwuP+k$TtX&Ih|=!QS2$zAO|pm@{mpPc=eUr3!U^Wtn!u2&G^R2Fn!kYi8_l+YfBgML zNMHM7jgaC*VETKKf&`=mM#PXMfxt@>SRVs}HnW|=3f!WqE3f25(X?(okJ6Q)gM{)K z{P<4Xk9185wL66TBxHdtHeeBX^x90!xt@0KVXaQ;07P*HFW^ned9~X$Oi85b%}6sA z@}*jGse^u@>*=V*?ugSc_8;QzBaryEI=SckqYLGA-wRE1 z&)jq{-c}QE0lAkihnmo0LJpm&bS(}aUXn?|eJiSp@U2s(9>n}xZ@8KSN4_U6@uGqly88V=QdUQ5dsxDb|0ggS6QM9g5!x`SEDzCGqPeJ z5t7|tnD~7jBE{ws{N=MI-<_I1pCKqU>N}e6x2!@UZ37BbJ)2?)k^91=)OLHQgVoSg z=90o1!aGif1ZRqeY@a<3W%N-|<|fj;Sm`oFu_KAz3H?(4MdMCy;IrE(eE&F( zE2tfTQg6a}T8Nw}7oy)`dL_6{Xwp%FI>k7fn?>+cKz2e7z_WkBu%;j>WIj|hkx@lY zqwfYjN~c7jOjX#O5a^T}=ppP?{SV%Q^ZgG8nz!Gf>;uVE*Oe$qm_PJgP!{J^s@qQqqen+=G>DPe zyW;$A4cEwOObjc8zxYM|+CqF%(H@+odB;XqU=TJo>^v73{Nfiiv!DTKHAVEE;_ft zn-K2Qg6}28qWKMDdK%K?Len#~nFQNb`&0w*lg?DvP zpTl*teuILqA+*%W@hu#RWlzDSWkgTal--JKsqgNf1N4CCS(FZ&t8Cti{pKGTpDmwW zB4u()FXvNa_bE1w#;=!vQz~!j4kw+|EtQEdC_Y5UpYv^? zupRUTeX%ezOJyg96loVt1`Zh%gohDOMadfm^R~%Ui)#R}R|<0GnQ{-CZgk>P3{ty= z)?MxQ{m_=fuSe}C*L7T$IK{iL{T8yCiJ^| z>){DXREK|zrU?INXK=Ad~l?ZbvIW7Iy6D)O*X;UBXRFo7+VCEuvkewZ!n zf;(~rC!wOn?aD0kstLW&0lmSvO;M^9TVvCzT4Q(GtnXJf0+dyN>}`J}95^S`LGg;^ zyD;9=L9G+@6r1vzN8gaHX3NfJ#aM_ir>_yF(K3n4PMAu9;(pQ8t%uni#(j{hq_S(M z7;9+P(Kpo-D=+1o9xaS#LY;CdkCs_tdSXR`+XObDG9Zmj!4a|j7QE0_;3?MCfjz`% z1uqoF8i~kl)(9t%$&s4BHmW3&1j*dUK?ttWQJ`+b6~Z3*1|HlVuKjb+sf1DTS(&E- z&EO@6k04wUbl>G;m_+In>#&%Zp$)_^&f$7pK+u`J>XyNwP z{jrfy`3u<-tIj|qB*_>1k_rPwgW(A%xBnDo{f{@M)1o*yIGnJS9BNmXt7tcuYq-%E zaWJ1^(`4F3HM7z%rzWI@I$U+)p+LXLdf)K9p{@|y()C!Q ztAie)A5}8qa8ONwpr;mV2TGLdx>NBVR#^)Y8~Jz)DyL0AmH4aU@6Q{{atA02RL}t9 zA{TUKsGpn1&q%bZ#K0VGf#CD^Z;ws8q^&~w#_Ai8OxhHIR<*s1uq4M>SJ`#2|2;P` zJ5-p+Vjrj#_xQ05@kht$Dl_TsI!OVPPwv>mE?)15TNrQAuz!G|M*nh3QsE~&I3aV$ zvq|%(^{qE8Z^R}(hlinv=WzPLa4cuNd8B)Sf1fV^68Zm$k8@0U-5rBf4&7u-P4*dp zc~vGYB%sHspkegfD>VTU#5YsbGol3>#Rdq>ij0n0ZcH^V<^3anu|M#xH&S9!5KtY{ z3DVRrK)cdco8z1hd@elci=Q>Ps(?^kstI(hqf6~4LrkTzmf9$RiwjkRn-S)SuNae` z6@z$}jMUOEUS<*wy+)<%2aY?M?A^gIF?E%IYEaYi>JQk_kQGJn_E--gk!l>fo*;*O z+wkLZ_0eKIt5D{?AdJwih~mI~c<4kHN!bPQw_=Ms?YL`kz2C4X~MO9JY}#}|(#oJMyzLcchy znAzHHi_c)avowg;y6mX;;%)tKk(lR;ZW`&xHg0iYI z?{oLsZ*R$#;&g4J3ySNQlS81|4*%(zz(R(-sDz-ulX4u2C@1G}*HcnKY8;=$1l|BFb7CtGz zA%q&BWs*Z^lZrC6 z>6t%)CIq9lTobI!scX9@AI9tjy>t%e`7ceY+{fksBsE@WyT&*v$B4Obf|=n->N9#8 z68Z3XB#c-9t)rH7r)}}C%k!GG9Awyry;;CGadg4OGeB%p5zIdPJLH=bJ3}>O59$FB+_;YwVf7_TZ~mJWP?xR(;bG$P_GTrwROyI-181 zuz?7`CHy03W-*u8m`{oDK8#6xQ?%Z(4cY@*L8Z<~D+@q+>*(sWW!e;eCep!fM@vSk z_$>o82Y24(S_M__tAV+skN?^#1k!yPF#_0N{4CA$>fpeNOOedCzg{uV;Fl?7;$%ia zo9#K*2U9I*0iH2-&vOxt>JUIDaRBjsQ8gRFZdrg52WxsX{P#C z?f&x&9m*`K3qfjF>y9xc+YW6t&*>5x;+V*~?-ehObC9k}Pv z7)qLqW^Gpo&sDJQJiULOhdmgZf$+QhIWfLRQTPjv{pvU1hl^1PwZ_nw%ZfM{8~pB2 zqH&7}wiY4AoNnG8>fJNiQ-{V4ddAo)HNBLCEJ+v=B0bEO`S?}pmsW4#MzM2nULIg$ z1M-lYf$kaki4~?$Gs{pQq5Ar0q5`C@RiFtJ7h!$iybe%s#>%TnzbJB_51AN3K6UL` z^DUqWLEK`K6@`*GIx^%7a3&w%{cH&GB!7V$1ge1LSW|Cw-=Y|N{xfv)m&F8-<3P0l zROHV`z86W9-WavS)xlpnB$x8oIG4ktZf0)degU{i@n`>U-F%?vi?Ht$eoBBq1K+)^ zn&L{J6FlwSL0;Ws-!HxXr$oybcb;1KufEhH0FtaY_-X1B0HOQ2bn|lK)t02}fQ5)b zVh~f`v4M>x2Iw>d+8lCczc~RW#F$z8onPzgzv-7o7;VSH7$RjtCbk%x4#0lclV1Mn z7uVtvUb%AhuJ)nV3zEF{MF&qmd@24~-SKW5-W3*Lo;u}EUwZKUMR<^P^C0{ZbPuzA z>;=etEl?#u1&l{V)ck|wvJGg{`Z)Nf@;am~tJ$$6EOF4;22@~+<$QUH@-SQe4^$t+ zQC93!$bc|fw|G-*x3@Dh*mk#^7~-WQsTBICtdm04Z^ z^iO<7gpvx*1>5%Ib;MdI!9p*NX>yXj zM=5nqjU&8H!@DS;g5*+8(z~_p476R_pecJKdEx%v(q0_{Rl@f|=YH{eLnguztM#JE zUQ1$f-&q21@+E}aVQr^sk#N7Uexawj=!=88j?3s_I>N*fXKW$!!S$7Zkhx5+_Rwrn zIrehT@KlFQOyMs>nP1$V;_yw27SPIfZ+Lg?DNK*i6)zmwsc(QH`n5ET0LY1bD6vUo zL7ACGNP@WxlY3)EZ$;MI`B}m6qfyd~X0&^=B2@~lgek=N+DtNMhlITT0C?Ud2)*Hb zzOQ|Qm!{b0yO9Uk+WRWA1O?1s7iY7diO#VKEarBMTTot!NnNWq7sOG9r!~%8Z8Br> zKf5Fq+}aIrRJbvYL9t4k!CdPzZV(G-)SclI%p1|B^Lg<)Wdj!K|V8wiwRCoY@av+j*2E5*d=18ML>P)#X{USSpl%bQJcfzz8Uv2d$ zha%ST<&Rw_RjgKrW_1t&Fx1Ho4yD#uCj#na2hEGiq-Kf?Q(O#$<0H@%lAjBZ%Wmbh zY>rCF6^7k|LEx_Z7e;&7@l&2RDDUN^TT^7?9f0py4 zmkJlrn4zfY%5SIJ=!hgz!8I(@q8-Yz11y=131tY<=dh$P$4{>(FmOD~&DeittW! z#pbsb+k+EcodRKD6WzScVPkpSuLkIx*5y9s!e1ed^U;{E7R{bn%);Nl+NL$7lOI0j zFDnD8D_@NNEJp#%f#H|u3j2lcj;*Y$De9|^_-YZNZ)fh1o-*@xbW||h zSq)or5`8E_=QQm%Z=sGNcq?{CkvL6wfkPWi;}|pc=D`=n+w|96WpO^c#TK9*MNz!N zvlqR$)lwoQ#Oz45#rS=kqU@w1Yqa9ea*(zb^+w&9eoH<1*rZ2PIDqmJ$mFxyi6>c3}IwI(zg$*5uAY(In{vft z5kBDL7J%8Tp5;jQf_Mb*9v5Wpe*ZHBNQ847RU(E!=BQM)Kn&65NqICFp`*I|dx)@U z5rpS|t7M_UjtuNC=Ki!L zg3YBZDR;_=)6UO3tG*Z<#pCk=mwXRF5ImBH+2`LSI4W<$sb@mj$Vud;U2gEKEFjjx z+3`cUY9K-GMAq;+_C^bBFMGx)3pv|E<5^&wqiy5J!nQYRux%Y)M}1~!+k}gjwl?4=|}cckTz2% zlC(608dxZ|Lyd@7m!NV(aLpSr9vllvNB}Z#zrJgzIt&$dkkzry-L>|?S zBq^Yx9ZUmu2iPaDzqEK%pFs(RAqWMxMJflaP}@jCfF1mW;K@U3uq2|>n~k@4#!3uC za}f7bSf}Uv%vIZ^H5^S^y#hJ+t7|fjJ`1r~4eU$QnQTc53n$f7Gp&>D0r0a7h0mG2 zcBSRW0n6#miOeZmUHfG;txT@HU3CnbZq*APpY{B_+(eFC#bt65`FeX=K+R&P(PYP; zlpAEsz(-H%y#V#eS-)AhsSH3<30!-T%4D0{Raj+&Xm5Z(A-}HTTTdzb916JibJ!kO zqTD^SgMN`&lcM-NNGDI48O_H4U~u>%I^IOS{Iy1+t=RRcHh@f0Ku-vnq_AH90WPZO zx*i5DK!^sutqHk_2i1C@$K*(6V4!0?)=vj#9(y}lCp7&16bmx`8ONAHz4|I;HBd^g zx%5?NCl)jjQ$!Ezj_2r`9h|c3vxznZtqvwy2Jfy$hSnEgZZYbqNG+CezclG8g|bGI>=bjzaFSr-G!~?g*2J z8STe6U>Rb!5CZNK4Uj6rFL^d(2y;}X{GSl1AJo+CubjV}+thJ9j=J@6TF@zse%mI? z=0krkDW}czIB2HL$6g&yo6i($wPQ^94(kG~t3YSNgP6BL>j7PPOsFgLQ?`h~G(1=8 z)AG<0QDLI*m5OzV9Bx*=oaY^@^&g>5p?kHw%qo%WvmYH+NEi~C>Y(WeV?!}gA)6V@ z>i_U`a9mAZeFhFI2I*aRw}iCkxl#gRHgEMCfr~r zMGMohKz`xTb|ZZr z*2mSC3TAet_X=f)O8uP1>O}S$t(A&rk-OBnie6d zDZK^m0m>!k8(m(4-W|#D;R~j)al6&?m-76ThW8WN4g0m=#rc_+W6tR)!HE~S9g`qW ztojXR3cJzhYR1n7;;R)|Jd@Fh>#9;}`7!zL#xzXX3L~I{g(>teHF(Y|Q9aeCT3@gB z?1X#)Rm(r#qr_jyK=sqi_aIj;32FmDk%#nt6km#38_X(a?F849Dt~{nm**{=eB29* z=@kJk^)rlCKPx=N>H6u-8J`Np&B;pn2ue{Ay$bCBVwV}h`rctZRjD!Rvaz@z`wu#j z00x|?@I?^J)n++bhN80t7G#W_X>k0BL`&6V9$lO&et*5zB$cj?$=BPq<{NO39i2V2 z8{I3d=bD5G_UoTje{F2C73en&tp8w4wfZ27TwQM%Zdc-HRgyTo;|1~`&7#2E?KU1u z*#NQdMMS*GyXSn#S$~XpmTMDY`|}_D_rO&wy}B})isYU` z{NFy#Ge|7~h^q^>C%)qJ>V(;oz5&;{I;Vm)NB$u=&s_43nifyJKGBw%(bvwYbB2|C z(XQ$~=iz&}B#O*DE$8(4&T0&*QWH~sMCU#b09&bg>ew_jdj0!8Rs32x`AwsiV-ky3 z^=mn!D-WI<>2qZIbnB)m<#jo+!PY9LZ(bKC`H^z88!5RI`m0VnF6b-<*dFz~ZL1rN z0`cOYjBoyzqUEv!+G#$hfEd%oh(piqbCyH&W$#i4k!H|ojd-J`)rqx?B8t73N`Uh) zRoOHfgp3exnaQgvi_wpb2iCcj>A>Tbj51D>#olCHMb^9+AtcFN(u2)5V=}P$df8UW z_D$m9#@Le$>rlRxNGa9T&F18dDcy9d_AquXFVH7(lkRhM^ZC}-ans>u#eAulSq zL>{vT(q(g{t+D)*&jJx8hsVF>s>%W8njTbwnCm42p4-cX0ZKf)-f~UQqL`)C%k$f8 zvJ{va%x~=luQhSBapRpcjgJ*sNm0hVT=~J&Kfa4hsgN9Er-#9+L-iHy$F{rb#|z=2 z&e91f_L<8GOjCl2P;>rz?M#yi;x+f1DKyz8q9E2X1ea?>DbPC3_F9`{x_m6DrZvzM z>fOXZVDkP zC;~8~1q_K*&e4}9dr!?ngUq^x6OeB+V9E3BgxEnM~hxvZJFNL9vO_=bsxYoMQMy zsTd~*d`pcRK|c|zKKB8GWJtb|b1^f4dKi*%P(o$hrbn80-jHLDyTQshK;?%B)|u4m znng-M=J28^oA*%GQexQN9abw{8%(nT2S%^+*~Ez8J4O()3knfSG<*%^3af7fMyau- zyXNBt0*^k4YRWSpN%40&w{9p+-9i-E(C zsnHM0EsR;u{oc&|wn~53qsI;44P1zAP!M8p>WF`btjr5JQnK9THbpGLH^y6^PdBN@C=W2OVdi`mno5*CSy_NQ4 z-b3#*S3coa@TW13Cvj-*Pb$)?os;{l@|?XWy$)2|z6FqY&Yb7T^Q(Zcc@&~^m+1TH zb?U8KMw{w0r}uw@LXY77a};L@fmONhlbY*U#_L}z=rb4Hxu3w#s;Esr9ekc0bf#-n zO-b^+pr#sI)rS<1)vmZ!c)s@Kx7UtLuyOdn6X8R(DlvoT+h&6409Teol5FE52IWe( zB5gi$Q!gwlFwoCiF^*sL{YYY|ZXGL5f_xl`qg=jlTB}Xp`7sltNjbCq&d7Ic3Vn6YglOC1VRMeioVY@;90_ysfhG7k(;< z7Xu8ip$1|5nHSe>D1UyDS;`2cNcurcXNTR=z|RM4x}k@h?L?tLn2(F`L6TK5UO82Mu+LZ$Xep#JMZ|KG>qka3mwH#~ z)0B#=ve5B4O$&#&8J)*W?x}0`N8FN&$9)%@ePtde@*IskPmr8kh*Z8k3t*o?(GVr2 zbq~YJTiL2j!8Dy*AJH^Ou~~-ADkmFO~xf!{>rij!M z^4Tf7W?_~o;zyhO=geKxe~Km9WrZr|sHTqkbQ*eV+(%(Q%dg*3ln4lPq^{Mlw>uqD z@ER%%dU!eM!=1H zKbPb4#<*-sH*0eRda#2V_!7pH4&IC8#*aGP>&vQZCB7@_>S3j4j0IKjJyN+tgbre{ zzsz;<%v}jVyYtr#QpCMvFZgG;>~zAK=*Dj47Y7>(<{tU>EBX0=`_`608?vE~rUP=j z+qX!ig9i9#KoxD%@j?%rV4Z!;)Z@E`NwHT7Twbq1Wr=#G1iEl*cILtC%DOYzmt=4i zj&$gPPIpy_W^8X}N3FkbatL{h`t^5$t`%sKGuvZ9%#$Kpk1SQo?Rf_GMPJ(vfN0H<2eWZvud^k1tOxOL$?Ky#p%6i zv|vU0aIa?r4!uN1TOM!OvTHKs=4`SeDBUPVG9VtC^IJtu;Y{gV$dfWAYIi}^KY(7` zxfV`2=(bN6l z3fVlITE6j2BpJ>JLUl5tRs)*D5CS>ASh)H=X0hh&Ov4m$z#Uh!4Bj6fmmN?bNPRC1xrRxx_a<#Oq2e(+c#OGQPu8 zMaSr0T|LU1>)VBDP6<)5rvlwm5K(d3dpg3|8=!R2ML_S-=WUFsYr^}ZigTZ)QnWyf zK)d4UnCDCM!pVFdq4$ihQm)yJ7L-ciHs->YR)X(JsWNVI^( zdfU2+9)>B^S{aEb-?p0!1*?t@?(x^B7ZBP|44#KDtGm!}R=#xE;Iz1Kl!Wzz< zU4FVQ1T*9=q+2zTEi#vSt_saXucrBU*I~ycqU6~Z{3>UphY@b28(r9Ty>z+c9P)&1 z7ppryn{X1JIq&Gs6F-!zboW+k?$MReuyLqLf1YcaG*hveZ+4`1#|CHaxSc;&sBXD3 z094wu>90qK9NnT-=T@KA+nR>w0BvgFkb86e#BgPHA*4|6g&5y%a_Z-OC{r!m?SEk& z5TP@<0kn?`M1_+uQ4qWBmU>>phU3WYGD7wlp_ZAYdGWb)O(k%~u2@ z?DYE>|L_fzCeZX__p`*G2Ahc`ifW#^Xz zhYS3-vwnGi1mnKFNmq)`66-7}B*(hs!5Qy7Ov-XziAan19(^mZ18E3PL?$FK&{g&n zfe`*Ek@V4!!w;gBQ9(PYVnjU`S_|UTTJVxzaq0>jA1{ess(B%V)%uWURfZQT6^Yt4 zsS_E0RAnxhH(S@<95OHg(1{$(p9}Cn;-Js!@P~L78*pCW3kh~(`NDX%U0o#cD(Rvsz+b#>ifn%oefX+FJUf6`W{7nc4_rL z&QmLon5y~QrPCe#ESlGH436?_R8MXnMk4ufp-sP!(~hU{ST@y!K3xjd*3N5)AZAb4 z82$8SnQ#73#n$E^Obm`PghG%Z2PYa9MLEQ(c~DgC?EhoBw^-Tadra}iYwqN1&(y|> z0x-L6S~jw#C)e)y4Whka&e4>;#He7IU#XaxWcPYu>m0x=FPcAE`luu;AauK~^8WMM zo3385x@5w%%5}cVIR{v9N}oX8%;@Nk9^Qoc2(ikAa=)x`9y)yO50udK4n zP~}K)VX^wu=d}IBzR5$*R`mzbwG%`z*7Izg&(|Bl0_y(f0>mMMEZIJ&lSD5aCT(rv zMY#Cu#UVLqYF6XvV*{V0TxN6oAMo#sjVE~M#;g(P?sx-y1+BnZ0WVAuhcvFGQEkV9_RhE z=()eX3^vJ(lhyN2ugJciF#g^KWCSq>MNzf@F>R`=mF~lcWv5bOY7{?_N!Ro1bq+LrA&jX|Z+hrBo|$|o$XxeO%K7Vt`9+y) zW3QcNcd9;RrJ9^5CgHvNTj(-%t_oAR>EG6{kWo-EaH+(6k&scavEEbS`4Hgw5aNmI zma^3oP>H2m_*wV`E9b!X$nO6ArJoH7j#TRmp8Z3bi#IrkKX0;9so6XK83r+46xtvw z}{Bt7Mv}^MRy)aB1V`3O!pP*-$GHrO89={6 zx?@qr37>wL$P#y(U18kYLJ@Vbuf1~<=QNe|4@~9ZG41lpp=-q!&@7K_V zBj8JQ&6ZtET&OrW1X78P@BTj7k`BInR7)O)YeBl1eR6rdI?NqcFu+*cEB>SEPit9OF~t&0Iu=}g?~r>=G1w|_^EJ42 z3N82ievERp&#l|kS5pu}1B=26$qxPhnm8|(HTX9RO5p4-&wq3*#~X+^VE{l>SfjOQ z<;OexuBThoGG3m0oeaj{{&s>NT&gD03dwj>$_+pe9^=EQuHJ&=7o;PONGb_~rhmjB zllES@Em+=HY#+RQMc&%?FR9otmXwz>L)k;XbwC}Ufcy@)p67P2&f{_kMDW~ozn6az zRI8Drk-`gvRO!5SK(sq+NAz^F+M(%~a8~>*P=>q{ejcP*yuL`e;(y;3B$WC9W`oOx`w&dTCEjK-G^>sfSo(lve~1BS4u^ zreoXC9`(0m2w?q*r?EPbJpkZ<%uK z-&U^Uj!#c3$nT?H%29WwxXj)Gy@8I`V&2B>(y3{`&E&(tWqbsLIzB8N=ifuQ7&q>~ zvY&i^@N&LIBXUpXK1YG9IKE1!S>K{M`IM!Kgrp3lrc3^6tJr7~=Z9lSBo3` zI*DldB_?jd6EH+ta^pX_SOFxrMQvTXv~SBGU~KuUVcdUHH3fg^jU5yNI#U&_D6hEc z-wTJCsMPYyZQT`pTUx+W{XUXM{AI-d3N3vxXxRzr+CQ1qpx}*=-$EQH}ztDCJ z`TJyx9FUtV%PucbP%ZIrVZ%?E&hP!(wfA6Y0#-6KV(CU;x7ylIC1^|W0Yk}+lgD0d8;EFS z$eEx`$-979QfQnFCa|%9c>eG41V=EJOuarpIcIVZF5m}297%l?^1sXt1@_$2N6{-= znaU>m4^Hu@fDL%--wq}K<22D$ZHrhOVkw`uh^hfTYrA1OUabJp3^PLxO)9B6R2<^A zyeR_?(l5j44>KDAIb~9(QmG4$DqBhffmSW}yiC{skJqsPR}v9g%(7#tuRzLyJOg_F zYJI@If&-GlrAKV3)$*$x1(gh!!DmRk82aCn#0=~MHRWu#dPcQG&9C057=Qr(5o)>r z=Mezt63Q@y#a%HUfKYqCm+ChPc;lv~)?Zc{LW#Ky4)Vg=?M^+-aJ%{$G7247v0U-j z*IooLRt$3&6f4&IY-&Hpf{tf`j;ne3xExVXzhcxRTVJXPtoG=coYL}&gNHY@TTEW| zy*S(i(j`yBT`rx+&myBsRJs++Lo{~O{+wFO&=uJw=5sQRmt;m)|3ZX}ub31HyFU?; zRf!%EC~NOILdAH2c<4jWv6$qve;C-s?xti<(7bU0Xp>-sQSn*Wc~c9~(a#4VhXE7`VLJhAIqi1y<%Nn6ybqB@JKC9RR<7@!{0V~Vk#;_(Q@a4v-&VVtDx_Kt z)O83z$+Ort{amR5Hiy}y*`%~M#6lcsWj|hGts|3{;Y{6Rb;>ynNo#n1I;gn;%*_ON z3^WUaI@hz)fW^&Fx>?_uA`YpZ^A@^Nu?vBsXU`E90fB$Kn@kc)7~y30Vmv;qM<~u@ zhe1ud3VMVAn)?_|#D5eX$hH~-prERwS^zz&E;feOCC;&qkB@7ulcDEtk=fQzBhq)} zCmsiD13CK1Ki&*{ZWo78DDyrxR7A`s_}dQ6LK^Kt$!KfqeN5c(M~246#@xL}HEWrn z3o_t}*)`K`V19%F<0Il|ZPsu(ksf|JL)Pr6nqZplxx$?myx%A4Go`5QqS5Knw4ZW( zkO!<5dTE#BP!OOmyh8>bkJmrB)cy|aI?|n{Q(MoA{j^BRvw3v;wf>A6@Rx<0c>T$B zyXulYkyGnw$00>C%q8u6lqdax3!s?Z9#mD>_A|6J6nRfHY2#FU(25kAgGU(V;^2{3D9}>U}cTX-Bok>iFd%#KgMLvHZD`i~__aD}; zix38x9Nlv1AzlH!m_dahlit{8hi+guoY3y3i8Z2>zhQ1B!n?%B^SO=ZW3Z!q_#Vkm z3hgQMoo(jetC#~bmrglLAr7h9g%B2+nU{Lb6D9+CneUp?>^{As`u-u(%X&db?*WzU zw~tEv)(;;3+%yvO*=ohMzdKEwq4YlfRs-TX(jB$)ud%Ca-S@p~XAs7*BW-F`=LLM{r(SPyFOlXm z&TgmY1FD@DKol^l%%5|2&t5JZZ^<(o$+P@BEH;F*jKHCbl7O6jRr_JeT3tP44IyM) zN-k~KG|gKUg-f$}v>giL83bcd48rQ$A-nUYjmTOl00~;M$b% z6{AH7q*=(|HvS0-a&=^Vru`Vo)%|WHCGIl&gQHn&_QuC2-g_|vn{gElRrQ2?1|A)0 z4t(7TknN`Y<_A4bI-d9`C8Z=zZhb9w+iCnEeR(vj`oyNUVHzGDNBxx}qYJky;!(Py zpSA>q=Y+?2`CHKO7EdUMslX35AqToW%`&YVQ%ju8D5!NPG2)QNI7z+oM%zuN+W-mG zR7ynCgAa2|%X>#Lo)iyN(5X+UK0oddrARw&Wmxc-JJo*=&fV@%+J)m(@02ZYwCvjB z&m21%b)j5vzv{&u=51cJ$BWxd8)G-!_Uhf48XothJQlIY?b4TkJUnIi!P{7n_$di^ zQJc$k^Ju_j_Zvl3l5Vwoe`h#9NLG}oF$FjJgYBf918ooy_vLKHs&~!O!sh|z~HxqTETX|uh+rd zb&FE6bw{ez1aCK*o3h^1U`kCIsERt|^`^xUFMe44(o#&?*^)L+Pxp>wZ`qldC#DjA z`W+mRy(-F!?}0Mhs)N18Np!zD#SZsv3mFLoFkA4+y9D=V^DYR5bF*E-+4nm;G#4JiUM{-DCtxD;I2P&1$xapGrDZMedxj0Q>%fp# zgM|fB&b(~$Xv*%-@eqwFwwSRxL%7YO+|T3ASrZylLAbFoWFi&GkM;f&s5l6{@)F%n z%YS#fPTqH~SIZ?%O6Su%ivA?qg*^wY!JD(TIIyka4@%rzO@~Ex;c*8FCu{TDYAZaD z8jr+8G~ZySN@M~n98?A z>NZBqyp*?;I#Shyx_w3u+HA%Vx;Q*&+-JonBq6_Sh+EzCrh1*cM7;@xPyd!Jw|YCJ z+En9_^IXN6NF*z{l_y;J$7QeDZYHf*IuWqwSRg#NP_AJVzTo_cw3y@^r2gb_>S(jc zMZK~~V$vjV1i1Xpz*Qzb(|SiSlv?#=-SbLm7cmrE^}v~3n!EW^RmjbG<=CNP(3xq| z;2@FN?X88ohFlU+;%uvIw_k@@lzXn6Ny)7lIx#~T5U7js2X|?rX*lygaKJg8P=*dh z7H9yMM>#<(DRIv)$Td6r$z`YXV&7A^_q!)9aD`h>2h*4&;oc`teh_%qbvr-RHMrP| zUp$?=yl9OyrvQ|n`iiXRjq9GOn3z`m?i3OS&-Ed@JfKdyP#tFxbHTt(kOv+aNpcEC zVO~q!TjmWl&_ri6f3jW9w z(fyIY51<^Q(IJ8ns$5T@QqBRNyUO4^SJvMjS1<74du0<@n+}@(IPilachZ|zKM)fI zcCq)fP;+(YQ^`Ay;5uCJnYlZ6=&wt44VZ=3uT$>56o*h(l81t(O3bqk)qKR5@L z^NBrMrh0}Po=HC@iaKy5V64eXf8FaFz-7I2+w;q3O!c?J&aD5dzjpv)eejOTAdLWK zsn|yh7-|Stwai*j@oJs-OM&%o_?;Su;r|li{}KYhdG||OR$4k7YQCYJ+43~h(&9t) pTW})Q<;{`)^5yUUv@oMy;HV!@QM&JJ)gpm^kEN6(i^UCJ|36&qk^}$% literal 0 HcmV?d00001 diff --git a/cluster/manifests/freeleaps-devops-system/gitea-webhook-ambassador/configmap.yaml b/cluster/manifests/freeleaps-devops-system/gitea-webhook-ambassador/configmap.yaml index 46ab3787..3c4a7777 100644 --- a/cluster/manifests/freeleaps-devops-system/gitea-webhook-ambassador/configmap.yaml +++ b/cluster/manifests/freeleaps-devops-system/gitea-webhook-ambassador/configmap.yaml @@ -16,7 +16,7 @@ data: jenkins: url: "http://jenkins.freeleaps-devops-system.svc.freeleaps.cluster:8080" username: "admin" - token: "115127e693f1bc6b7194f58ff6d6283bd0" + token: "11c25b2a96454a14a49b748db47dd587a9" timeout: 30 gitea: diff --git a/cluster/manifests/freeleaps-devops-system/jenkins/jcasc.yaml b/cluster/manifests/freeleaps-devops-system/jenkins/jcasc.yaml new file mode 100644 index 00000000..ea35d6d9 --- /dev/null +++ b/cluster/manifests/freeleaps-devops-system/jenkins/jcasc.yaml @@ -0,0 +1,122 @@ +apiVersion: v1 +data: + jcasc-default-config.yaml: |- + jenkins: + authorizationStrategy: + loggedInUsersCanDoAnything: + allowAnonymousRead: false + securityRealm: + local: + allowsSignup: false + enableCaptcha: false + users: + - id: "admin" + name: "Jenkins Admin" + password: "r6Y@QTb*7BQN@hDGsN" + disableRememberMe: false + mode: NORMAL + numExecutors: 5 + labelString: "" + projectNamingStrategy: "standard" + markupFormatter: + plainText + clouds: + - kubernetes: + containerCapStr: "10" + defaultsProviderTemplate: "" + connectTimeout: "5" + readTimeout: "15" + jenkinsUrl: "http://jenkins.freeleaps-devops-system.svc.freeleaps.cluster:8080" + name: "kubernetes" + namespace: "freeleaps-devops-system" + podLabels: + - key: "jenkins/jenkins-agent" + value: "true" + serverUrl: "https://kubernetes.default" + skipTlsVerify: false + templates: + - containers: + - args: "^{computer.jnlpmac} ^{computer.name}" + envVars: + - envVar: + key: "JENKINS_URL" + value: "http://jenkins.freeleaps-devops-system.svc.freeleaps.cluster:8080/" + image: "jenkins/inbound-agent:3273.v4cfe589b_fd83-1" + name: "jnlp" + resourceLimitCpu: 512m + resourceLimitMemory: 512Mi + resourceRequestCpu: 50m + resourceRequestMemory: 64Mi + workingDir: "/home/jenkins/agent" + id: 6a_919e0c82_7f68_0d_e4_e_51614_2a_fc + label: "jenkins-agent" + name: "default" + namespace: "freeleaps-devops-system" + nodeUsageMode: "NORMAL" + podRetention: never + serviceAccount: "default" + slaveConnectTimeout: 100 + slaveConnectTimeoutStr: "100" + yamlMergeStrategy: override + crumbIssuer: + standard: + excludeClientIPFromCrumb: true + globalNodeProperties: [] + credentials: + system: + domainCredentials: + - credentials: + - azure: + azureEnvironmentName: "Azure" + clientId: "7f115646-6a0a-445f-9976-b3832dd77a43" + clientSecret: "Cia8Q~T-r-r5MftqCAJDOCmFckeMOKuo6xPvRcZT" + description: "Freeleaps Jenkins System Principal" + id: "freeleaps-jenkins-system-azure-principal" + subscriptionId: "0a280068-dec4-4bf0-9f04-65b64f412b50" + tenant: "cf151ee8-5c2c-4fe7-a1c4-809ba43c9f24" + scope: "SYSTEM" + - azureStorageAccount: + blobEndpointURL: "https://freeleaps.blob.core.windows.net/" + id: "freeleaps-azure-storage-account" + scope: "GLOBAL" + storageAccountName: "freeleaps" + storageKey: "ma7vlPvKrJkEU/oDCEF3CbCIZD31INoDykmxcChbzhGnh1laTjlFLTrUatnhuwoy/Csx9/UpkEce+AStZoO+/A==" + security: + apiToken: + creationOfLegacyTokenEnabled: false + tokenGenerationOnCreationEnabled: false + usageStatisticsEnabled: true + scriptApproval: + forceSandbox: true + unclassified: + location: + adminAddress: "address not configured yet " + url: "https://jenkins.mathmast.com/" + azureKeyVault: + keyVaultUrl: "https://freeleaps-secrets.vault.azure.net" + credentialID: "freeleaps-jenkins-system-azure-principal" + globalItemStorage: + storage: + azure: + containerName: "freeleaps-devops-caches" + credentialsId: "freeleaps-azure-storage-account" + globalLibraries: + libraries: + - defaultVersion: "master" + name: "first-class-pipeline" + retriever: + legacySCM: + clone: true + libraryPath: "first-class-pipeline/" + scm: + scmGit: + branches: + - name: "master" + buildChooser: "default" + userRemoteConfigs: + - credentialsId: "freeleaps-ops-git-credentials" + url: "https://gitea.freeleaps.mathmast.com/freeleaps/freeleaps-ops.git" +kind: ConfigMap +metadata: + name: jenkins-jcasc-config + namespace: freeleaps-devops-system diff --git a/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/.helmignore b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/Chart.yaml b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/Chart.yaml new file mode 100644 index 00000000..50fcf8e2 --- /dev/null +++ b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/Chart.yaml @@ -0,0 +1,9 @@ +annotations: + artifacthub.io/license: Apache-2.0 +apiVersion: v2 +appVersion: 2.23.4-rc.0 +description: A chart for deploying the server-side components of Telepresence +icon: https://raw.githubusercontent.com/telepresenceio/telepresence.io/master/src/assets/images/telepresence-edgy.svg +name: telepresence-oss +type: application +version: 2.23.4-rc.0 diff --git a/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/README.md b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/README.md new file mode 100644 index 00000000..537992d5 --- /dev/null +++ b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/README.md @@ -0,0 +1,176 @@ +# Telepresence + +[Telepresence](https://telepresence.io/) is a tool +that allows for local development of microservices running in a remote +Kubernetes cluster. + +This chart manages the server-side components of Telepresence so that an +operations team can give limited access to the cluster for developers to work on +their services. + +## Install + +The telepresence binary embeds the helm chart, so the easiest way to install is: + +```sh +$ telepresence helm install [--set x=y | --values ] +``` + +## Configuration + +The following tables lists the configurable parameters of the Telepresence chart and their default values. + +| Parameter | Description | Default | +|------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------| +| affinity | Define the `Node` Affinity and Anti-Affinity for the Traffic Manager. | `{}` | +| agent.appProtocolStrategy | The strategy to use when determining the application protocol to use for intercepts | `http2Probe` | +| agent.image.name | The name of the injected agent image | `""` | +| agent.image.pullPolicy | Pull policy in the webhook for the traffic agent image | `IfNotPresent` | +| agent.image.tag | The tag for the injected agent image | `""` (Defined in `appVersion` Chart.yaml) | +| agent.image.registry | The registry for the injected agent image | `ghcr.io/telepresenceio` | +| agent.initResources | The resources for the injected init container | | +| agent.logLevel | The logging level for the traffic-agent | defaults to logLevel | +| agent.mountPolicies | The policies for the agents. Key is either volume name or path prefix starting with '/' | `/tmp`: Local | +| agent.resources | The resources for the injected agent container | | +| agent.securityContext | The security context to use for the injected agent container | defaults to the securityContext of the first container of the app | +| agent.initSecurityContext | The security context to use for the injected init container | `{} +` +| agent.initContainer.enabled | Whether to enable/disable injection of the initContainer | true +| agentInjector.certificate.accessMethod | Method used by the agent injector to access the certificate (watch or mount). | `watch` | +| agentInjector.certificate.certmanager.commonName | The common name of the generated Certmanager certificate. | `agent-injector` | +| agentInjector.certificate.certmanager.duration | The certificate validity duration. (optional value) | `2160h0m0s` | +| agentInjector.certificate.certmanager.issuerRef.kind | The Issuer kind to use to generate the self signed certificate. (Issuer of ClusterIssuer) | `Issuer` | +| agentInjector.certificate.certmanager.issuerRef.name | The Issuer name to use to generate the self signed certificate. | `telepresence` | +| agentInjector.certificate.method | Method used when generating the certificate used for mutating webhook (helm, supplied, or certmanager). | `helm` | +| agentInjector.certificate.regenerate | Whether the certificate used for the mutating webhook should be regenerated. | `false` | +| agentInjector.enabled | Enable/Disable the agent-injector and its webhook. | `true` | +| agentInjector.name | Name to use with objects associated with the agent-injector. | `agent-injector` | +| agentInjector.injectPolicy | Determines when an agent is injected, possible values are `OnDemand` and `WhenEnabled` | `OnDemand` | +| agentInjector.secret.name | The name of the secret the agent-injector webhook uses for authorization with the kubernetes api will expose. | `mutator-webhook-tls` | +| agentInjector.service.type | Type of service for the agent-injector. | `ClusterIP` | +| agentInjector.webhook.admissionReviewVersions: | List of supported admissionReviewVersions. | `["v1"]` | +| agentInjector.webhook.failurePolicy: | Action to take on unexpected failure or timeout of webhook. | `Ignore` | +| agentInjector.webhook.name | The name of the agent-injector webhook | `agent-injector-webhook` | +| ~~agentInjector.webhook.namespaceSelector~~: | The namespaceSelector used by the agent-injector webhook when the traffic-manager is not namespaced. Deprecated, use top level `namespaces` or `namespaceSelector` | {} | +| agentInjector.webhook.port: | Port for the service that provides the admission webhook | `443` | +| agentInjector.webhook.reinvocationPolicy: | Specify if the webhook may be called again after the initial webhook call. Possible values are `Never` and `IfNeeded`. | `IfNeeded` | +| agentInjector.webhook.servicePath: | Path to the service that provides the admission webhook | `/traffic-agent` | +| agentInjector.webhook.sideEffects: | Any side effects the admission webhook makes outside of AdmissionReview. | `None` | +| agentInjector.webhook.timeoutSeconds: | Timeout of the admission webhook | `5` | +| apiPort | The port used by the Traffic Manager gRPC API | 8081 | +| client.connectionTTL | Deprecated: using grpc.connectionTTL | `24h` | +| client.dns.excludeSuffixes | Suffixes for which the client DNS resolver will always fail (or fallback in case of the overriding resolver) | `[".com", ".io", ".net", ".org", ".ru"]` | +| client.dns.includeSuffixes | Suffixes for which the client DNS resolver will always attempt to do a lookup. Includes have higher priority than excludes. | `[]` | +| client.routing.allowConflictingSubnets | Allow the specified subnets to be routed even if they conflict with other routes on the local machine. | `[]` | +| client.routing.alsoProxySubnets | The virtual network interface of connected clients will also proxy these subnets | `[]` | +| client.routing.neverProxySubnets | The virtual network interface of connected clients never proxy these subnets | `[]` | +| clientRbac.create | Create RBAC resources for non-admin users with this release. | `false` | +| ~~clientRbac.namespaced~~ | Restrict the users to specific namespaces. Deprecated and no longer used. | `false` | +| clientRbac.namespaces | The namespaces to give users access to. | Traffic Manager's namespaces (unless dynamic) | +| clientRbac.subjects | The user accounts to tie the created roles to. | `{}` | +| grpc.connectionTTL | The time that the traffic-manager will retain a client connection without any sign of life from the workstation | `24h` | +| grpc.maxReceiveSize | Max size of a gRCP message | `4Mi` | +| hooks.busybox.image | The name of the image to use for busybox. | `busybox` | +| hooks.busybox.imagePullSecrets | The `Secret` storing any credentials needed to access the image in a private registry. | `[]` | +| hooks.busybox.registry | The registry to download the image from. | `docker.io` | +| hooks.busybox.tag | Override the version of busybox to be installed. | `latest` | +| hooks.curl.registry | The repository to download the image from. | `docker.io` | +| hooks.curl.image | The name of the image to use for curl. | `curlimages/curl` | +| hooks.curl.imagePullSecrets | The `Secret` storing any credentials needed to access the image in a private registry. | `[]` | +| hooks.curl.pullPolicy | Pull policy used when pulling the curl image. | `IfNotPresent` | +| hooks.curl.tag | Override the version of busybox to be installed. | `latest` | +| hooks.podSecurityContext | The Kubernetes SecurityContext for the chart hooks `Pod` | `{}` | +| image.registry | The repository to download the image from. Set `TELEPRESENCE_REGISTRY=image.registry` locally if changing this value. | `ghcr.io/telepresenceio` | +| hooks.resources | Define resource requests and limits for the chart hooks | `{}` | +| hooks.securityContext | The Kubernetes SecurityContext for the chart hooks `Container` | securityContext | +| image.imagePullSecrets | The `Secret` storing any credentials needed to access the image in a private registry. | `[]` | +| image.name | The name of the image to use for the traffic-manager | `tel2` | +| image.pullPolicy | How the `Pod` will attempt to pull the image. | `IfNotPresent` | +| image.tag | Override the version of the Traffic Manager to be installed. | `""` (Defined in `appVersion` Chart.yaml) | +| livenessProbe | Define livenessProbe for the Traffic Manger. | `{}` | +| logLevel | Define the logging level of the Traffic Manager | `debug` | +| managerRbac.create | Create RBAC resources for traffic-manager with this release. | `true` | +| ~~managerRbac.namespaced~~ | Whether the traffic manager should be restricted to specific namespaces. Deprecated and no longer used. | `false` | +| ~~managerRbac.namespaces~~ | Which namespaces the traffic manager should be restricted to. Deprecated, use top level `namespaces` or `namespaceSelector` | `[]` | +| maxNamespaceSpecificWatchers | Threshold controlling when the traffic-manager switches from using watchers for each managed namespace to using cluster-wide watchers. | `10` | +| namespaces | Declares a fixed set of managed namespaces. Mutually exclusive to `namespaceSelector` | `[]` | +| namespaceSelector | Declares the managed namespace using `matchLabels` and `matchExpressions`. Mutually exclusive to `namespaces` | `{}` | +| nodeSelector | Define which `Node`s you want to the Traffic Manager to be deployed to. | `{}` | +| podAnnotations | Annotations for the Traffic Manager `Pod` | `{}` | +| podLabels | Labels for the Traffic Manager `Pod` | `{}` | +| podCIDRs | Verbatim list of CIDRs that the cluster uses for pods. Only valid together with `podCIDRStrategy: environment` | `[]` | +| podCIDRStrategy | Define the strategy that the traffic-manager uses to discover what CIDRs the cluster uses for pods | `auto` | +| podSecurityContext | The Kubernetes SecurityContext for the `Pod` | `{}` | +| priorityClassName | Name of the existing priority class to be used | `""` | +| rbac.only | Only create the RBAC resources and omit the traffic-manger. | `false` | +| readinessProbe | Define readinessProbe for the Traffic Manger. | `{}` | +| resources | Define resource requests and limits for the Traffic Manger. | `{}` | +| schedulerName | Specify a scheduler for Traffic Manager `Pod` and hooks `Pod`. | | +| securityContext | The Kubernetes SecurityContext for the `Deployment` | `{"readOnlyRootFilesystem": true, "runAsNonRoot": true, "runAsUser": 1000}` | +| service.type | The type of `Service` for the Traffic Manager. | `ClusterIP` | +| telepresenceAPI.port | The port on agent's localhost where the Telepresence API server can be found | | +| timeouts.agentArrival | The time that the traffic-manager will wait for the traffic-agent to arrive | `30s` | +| tolerations | Define tolerations for the Traffic Manager to ignore `Node` taints. | `[]` | +| workloads.argoRollouts.enabled | Enable/Disable the argo-rollouts integration. | `false` | +| workloads.deployments.enabled | Enable/Disable the support for Deployments. | `true` | +| workloads.replicaSets.enabled | Enable/Disable the support for ReplicaSets. | `true` | +| workloads.statefulSets.enabled | Enable/Disable the support for StatefulSets. | `true` | + +### RBAC + +Telepresence requires a cluster for installation but restricted RBAC roles can +be used to give users access to create intercepts if they are not cluster +admins. + +The chart gives you the ability to create these RBAC roles for your users and +give access to the entire cluster or restrict to certain namespaces. + +You can also create a separate release for managing RBAC by setting +`Values.rbac.only: true`. + +### Namespace-scoped traffic manager + +Telepresence's Helm chart supports installing a Traffic Manager at the namespace scope. +You might want to do this if you have multiple namespaces, say representing multiple different environments, and would like their Traffic Managers to be isolated from one another. +To do this, set `managerRbac.namespaced=true` and `managerRbac.namespaces={a,b,c}` to manage namespaces `a`, `b` and `c`. + +**NOTE** Do not install namespace-scoped traffic managers and a cluster-scoped traffic manager in the same cluster! + +#### Namespace collision detection + +The Telepresence Helm chart will try to prevent namespace-scoped Traffic Managers from managing the same namespaces. +It will do this by creating a ConfigMap, called `traffic-manager-claim`, in each namespace that a given install manages. + +So, for example, suppose you install one Traffic Manager to manage namespaces `a` and `b`, as: + +```bash +$ telepresence helm install --namespace a --set 'managerRbac.namespaced=true' --set 'managerRbac.namespaces={a,b}' +``` + +You might then attempt to install another Traffic Manager to manage namespaces `b` and `c`: + +```bash +$ telepresence helm install --namespace c --set 'managerRbac.namespaced=true' --set 'managerRbac.namespaces={b,c}' +``` + +This would fail with an error: + +``` +Error: rendered manifests contain a resource that already exists. Unable to continue with install: ConfigMap "traffic-manager-claim" in namespace "b" exists and cannot be imported into the current release: invalid ownership metadata; annotation validation error: key "meta.helm.sh/release-namespace" must equal "c": current value is "a" +``` + +To fix this error, fix the overlap either by removing `b` from the first install, or from the second. + +#### Pod CIDRs + +The traffic manager is responsible for keeping track of what CIDRs the cluster uses for the pods. The Telepresence client uses this +information to configure the network so that it provides access to the pods. In some cases, the traffic-manager will not be able to retrieve +this information, or will do it in a way that is inefficient. To remedy this, the strategy that the traffic manager uses can be configured +using the `podCIDRStrategy`. + +| Value | Meaning | +| -------------- | ------------------------------------------------------------------------------------------------------------------------- | +| `auto` | First try `nodePodCIDRs` and if that fails, try `coverPodIPs` | +| `coverPodIPs` | Obtain all IPs from the `podIP` and `podIPs` of all `Pod` resource statuses and calculate the CIDRs needed to cover them. | +| `environment` | Pick the CIDRs from the traffic manager's `POD_CIDRS` environment variable. Use `podCIDRs` to set that variable. | +| `nodePodCIDRs` | Obtain the CIDRs from the`podCIDR` and `podCIDRs` of all `Node` resource specifications. | diff --git a/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/NOTES.txt b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/NOTES.txt new file mode 100644 index 00000000..e35ed267 --- /dev/null +++ b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/NOTES.txt @@ -0,0 +1,18 @@ +-------------------------------------------------------------------------------- +Congratulations! + + +You have successfully installed the Traffic Manager component of Telepresence! +Now your users will be able to `telepresence connect` to this Cluster and create +intercepts for their services! + +-------------------------------------------------------------------------------- +Next Steps +-------------------------------------------------------------------------------- + +- Take a look at our RBAC documentation for setting up the minimal required RBAC +roles for your users at https://www.telepresence.io/docs/reference/rbac + +- Ensure that you are keeping up to date with Telepresence releases +https://github.com/telepresenceio/telepresence/releases so that your Traffic +Manager is the same version as the telepresence client your users are running! diff --git a/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/_helpers.tpl b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/_helpers.tpl new file mode 100644 index 00000000..7af63227 --- /dev/null +++ b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/_helpers.tpl @@ -0,0 +1,220 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "telepresence.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Traffic Manager deployment/service name - as of v2.20.3, must be "traffic-manager" to align with code base. +*/}} +{{- define "traffic-manager.name" -}} +{{- $name := default "traffic-manager" }} +{{- print $name }} +{{- end -}} + +{{- /* +Traffic Manager Namespace +*/}} +{{- define "traffic-manager.namespace" -}} +{{- if .Values.isCI }} +{{- print "ambassador" }} +{{- else }} +{{- printf "%s" .Release.Namespace }} +{{- end }} +{{- end -}} + +{{- /* +traffic-manager.namespace-list extracts the list of namespace names from the namespaces variable. +For backward compatibility, it will also consider names from the deprecated managerRbac.namespaces. +It's an error if namespaces and managerRbac.namespaces both have values. +*/}} +{{- define "private.namespace-list" }} + {{- $names := .Values.namespaces }} + {{- if .Values.managerRbac.namespaces }} + {{- if $names }} + {{- fail "namespaces and managerRbac.namespaces are mutually exclusive" }} + {{- end }} + {{- $names = .Values.managerRbac.namespaces }} + {{- end }} + {{- range $names }} + {{- if not (regexMatch `^[a-z0-9]([a-z0-9-]*[a-z0-9])?$` .) }} + {{- fail (printf "namespace %q is not a valid RFC 1123 namespace name" .) }} + {{- end }} + {{- else }} + {{ $names = list }} + {{- end }} + {{- toJson (uniq ($names)) }} +{{- end }} + +{{- define "private.namespaceSelector" }} + {{- $labels := list }} + {{- $matches := list }} + {{- with .Values.namespaceSelector }} + {{- with .matchLabels }} + {{- $labels = . }} + {{- end }} + {{- with .matchExpressions }} + {{- $matches = . }} + {{- end }} + {{- end }} + {{- with fromJsonArray (include "private.namespace-list" $) }} + {{- if (or $labels $matches) }}{{ fail "namespaces and namespaceSelector are mutually exclusive" }}{{ end }} + {{- $matches = append $matches (dict "key" "kubernetes.io/metadata.name" "operator" "In" "values" .) }} + {{- end }} + {{- $selector := dict }} + {{- with $labels }} + {{- $selector = set $selector "matchLabels" . }} + {{- end }} + {{- with $matches }} + {{- $selector = set $selector "matchExpressions" . }} + {{- end }} + {{- toJson $selector }} +{{- end }} + +{{- /* +traffic-manager.namespaceSelector extracts the selector to use when selecting namespaces. + +This selector will either include the namespaceSelector variable or include namespaces returned by the +private.namespace-list definition. It will fail if both of them have values. + +The selector will default to the deprecated agentInjector.webhook.namespaceSelector when neither the namespaceSelector +nor the private.namespace-list definition has any value. + +A selector can be dynamic or static. This in turn controls if telepresence is "cluster-wide" or "namespaced". A dynamic +selector requires cluster-wide access for the traffic-manager, and only a static selector can serve as base when +installing Role/RoleBinding pairs. + +A selector is considered static if it meets the following conditions: +- The selector must have exactly one element in the `matchLabels` or the `matchExpression` + list (if the element is in the `matchLabels` list, it is normalized into "key in [value]"). +- The element must meet the following criteria: + The `key` of the match expression must be "kubernetes.io/metadata.name". + The `operator` of the match expression must be "In" (case sensitive). + The `values` list of the match expression must contain at least one value. +*/}} +{{- define "traffic-manager.namespaceSelector" }} + {{- $selector := mustFromJson (include "private.namespaceSelector" $) }} + {{- $legacy := false }} + {{- if not $selector }} + {{- with .Values.agentInjector.webhook.namespaceSelector }} + {{- $legacy = true }} + {{- $selector = . }} + {{- end }} + {{- end }} + {{- if not (or $legacy (fromJsonArray (include "traffic-manager.namespaces" $))) }} + {{- /*Ensure that his dynamic selector rejects "kube-system" and "kube-node-lease" */}} + {{- $mes := $selector.matchExpressions }} + {{- if not $mes }} + {{- $mes = list }} + {{- end }} + {{- $selector = set $selector "matchExpressions" (append $mes + (dict "key" "kubernetes.io/metadata.name" "operator" "NotIn" "values" (list "kube-system" "kube-node-lease"))) + }} + {{- end }} + {{- toJson $selector }} +{{- end }} + +{{- /* +traffic-manager.namespaced will yield the string "true" if the traffic-manager.namespaceSelector that is static. +*/}} +{{- define "traffic-manager.namespaced" }} + {{- if fromJsonArray (include "traffic-manager.namespaces" $) }} + {{- true }} + {{- end }} +{{- end }} + +{{- /* +traffic-manager.namespaces will return a list of namespaces, provided that the traffic-manager.namespaceSelector is static. +*/}} +{{- define "traffic-manager.namespaces" }} + {{- $namespaces := list }} + {{- with mustFromJson (include "private.namespaceSelector" $) }} + {{- if and .matchExpressions (eq (len .matchExpressions) 1) (not .matchLabels) }} + {{- with index .matchExpressions 0}} + {{- if (and (eq .operator "In") (eq .key "kubernetes.io/metadata.name")) }} + {{- $namespaces = .values }} + {{- end }} + {{- end }} + {{- end }} + {{- if and .matchLabels (eq (len .matchLabels) 1) (not .matchExpressions) }} + {{- with get .matchLabels "kubernetes.io/metadata.name" }} + {{- $namespaces = list . }} + {{- end }} + {{- end }} + {{- end }} + {{- toJson $namespaces }} +{{- end }} + +{{- /* +Create chart name and version as used by the chart label. +*/}} +{{- define "telepresence.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{- /* +Common labels +*/}} +{{- define "telepresence.labels" -}} +{{ include "telepresence.selectorLabels" $ }} +helm.sh/chart: {{ include "telepresence.chart" $ }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- /* This value is intentionally undocumented -- it's used by the telepresence binary to determine ownership of the release */}} +{{- if .Values.createdBy }} +app.kubernetes.io/created-by: {{ .Values.createdBy }} +{{- else }} +app.kubernetes.io/created-by: {{ .Release.Service }} +{{- end }} +{{- end }} + +{{- /* +Selector labels +*/}} +{{- define "telepresence.selectorLabels" -}} +app: traffic-manager +telepresence: manager +{{- end }} + +{{- /* +Client RBAC name suffix +*/}} +{{- define "telepresence.clientRbacName" -}} +{{ printf "%s-%s" (include "telepresence.name" $) (include "traffic-manager.namespace" $) }} +{{- end -}} + +{{- /* +RBAC rules required to create an intercept in a namespace; excludes any rules that are always cluster wide. +*/}} +{{- define "telepresence.clientRbacInterceptRules" -}} +{{- /* Mandatory. Controls namespace access command completion experience */}} +- apiGroups: [""] + resources: ["pods"] + verbs: ["get","list"] {{- /* "list" is only necessary if the client should be able to gather the pod logs */}} +- apiGroups: [""] + resources: ["pods/log"] + verbs: ["get"] +{{- /* All traffic will be routed via the traffic-manager unless a portforward can be created directly to a pod */}} +- apiGroups: [""] + resources: ["pods/portforward"] + verbs: ["create"] +{{- if and .Values.clientRbac .Values.clientRbac.ruleExtras }} +{{ template "clientRbac-ruleExtras" . }} +{{- end }} +{{- end }} + +{{/* +Kubernetes version +*/}} +{{- define "kube.version.major" }} +{{- $version := regexFind "^[0-9]+" .Capabilities.KubeVersion.Major -}} +{{- printf "%s" $version -}} +{{- end -}} + +{{- define "kube.version.minor" }} +{{- $version := regexFind "^[0-9]+" .Capabilities.KubeVersion.Minor -}} +{{- printf "%s" $version -}} +{{- end -}} diff --git a/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/agentInjectorWebhook.yaml b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/agentInjectorWebhook.yaml new file mode 100644 index 00000000..192fd415 --- /dev/null +++ b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/agentInjectorWebhook.yaml @@ -0,0 +1,140 @@ +{{- if and (not (and .Values.rbac .Values.rbac.only)) .Values.agentInjector.enabled }} +{{- $namespaceSelector := mustFromJson (include "traffic-manager.namespaceSelector" $) }} +{{- /* +Perform a check that the new namespaceSelector doesn't select namespaces that are +already managed by some other traffic-manager. +*/}} +{{- $namespaces := (lookup "v1" "Namespace" "" "").items }} +{{- $configs := dict }} +{{- $cmName := include "traffic-manager.name" $ }} +{{- $cmNs := include "traffic-manager.namespace" $}} +{{- /* Find all existing traffic-manager configmaps and their namespaceSelectors */}} +{{- range $namespaces }} + {{- $ns := .metadata.name }} + {{- $cm := lookup "v1" "ConfigMap" $ns $cmName }} + {{- with $cm }} + {{- with fromYaml (get .data "namespace-selector.yaml" ) }} + {{- $configs = set $configs $ns . }} + {{- end }} + {{- end }} +{{- end }} +{{- /* No use testing if the added selector is the only one */}} +{{- if $configs }} + {{- $configs = set $configs $cmNs $namespaceSelector }} + {{- /* Validate that no selector overlaps with another */}} + {{- $allManagedNamespaces := dict }} + {{- range $configNs, $config := $configs }} + {{- $rqs := $config.matchExpressions }} + {{- /* Normalise the selector, i.e. turn each matchLabel into a machRequirement */}} + {{- range $key, $value := $config.matchLabels }} + {{- $rqs = append $rqs (dict "key" $key "operator" "In" "values" (list $value))}} + {{- end }} + {{- /* Figure out what namespaces this selector selects, and for each one, assert that it's not selected already */}} + {{- range $namespaces }} + {{- $ns := .metadata.name }} + {{- $labels := .metadata.labels }} + {{- $isMatch := true }} + {{- range $rqs }} + {{- $rqMatch := false }} + {{- $val := get $labels .key }} + {{- if eq .operator "In" }} + {{- $rqMatch = has $val .values }} + {{- else if eq .operator "NotIn" }} + {{- $rqMatch = not (has $val .values) }} + {{- else if eq .operator "Exists" }} + {{- $rqMatch = not (eq $val "") }} + {{- else if eq .operator "DoesNotExist" }} + {{- $rqMatch = eq $val "" }} + {{- else }} + {{- fail printf "unsupported labelSelectorOperator %s" .operator}} + {{- end }} + {{- if not $rqMatch }} + {{- $isMatch = false }} + {{- break }} + {{- end }} + {{- end }} + {{- if $isMatch }} + {{- $conflictingConfig := get $allManagedNamespaces $ns }} + {{- if $conflictingConfig }} + {{- if eq $conflictingConfig $cmNs }} + {{- $conflictingConfig = $configNs }} + {{- end }} + {{- fail (printf "traffic-manager in namespace %s already manages namespace %s" $conflictingConfig $ns) }} + {{- end }} + {{- $allManagedNamespaces = set $allManagedNamespaces $ns $configNs }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} +{{- $altNames := list ( printf "agent-injector.%s" (include "traffic-manager.namespace" $)) ( printf "agent-injector.%s.svc" (include "traffic-manager.namespace" $)) -}} +{{- $genCA := genCA "agent-injector-ca" 365 -}} +{{- $genCert := genSignedCert "agent-injector" nil $altNames 365 $genCA -}} +{{- $secretData := (lookup "v1" "Secret" (include "traffic-manager.namespace" $) .Values.agentInjector.secret.name).data -}} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: +{{- if eq .Values.agentInjector.certificate.method "certmanager" }} + annotations: + cert-manager.io/inject-ca-from: {{ include "traffic-manager.namespace" $}}/{{ .Values.agentInjector.secret.name }} +{{- end }} + name: {{ .Values.agentInjector.webhook.name }}-{{ include "traffic-manager.namespace" $ }} + labels: + {{- include "telepresence.labels" $ | nindent 4 }} +webhooks: +{{- with .Values.agentInjector.webhook.admissionReviewVersions }} +- admissionReviewVersions: + {{- toYaml . | nindent 2 }} +{{- end }} + clientConfig: +{{- if not (eq .Values.agentInjector.certificate.method "certmanager") }} +{{- if and ($secretData) (or (not .Values.agentInjector.certificate.regenerate) (eq .Values.agentInjector.certificate.method "supplied") )}} + caBundle: {{ or (get $secretData "ca.crt") (get $secretData "ca.pem") }} +{{- else }} + caBundle: {{ $genCA.Cert | b64enc }} +{{- end }} +{{- end }} + service: + name: {{ .Values.agentInjector.name }} + namespace: {{ include "traffic-manager.namespace" $ }} + path: {{ .Values.agentInjector.webhook.servicePath }} + port: {{ .Values.agentInjector.webhook.port }} + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - DELETE + resources: + - pods + scope: '*' + failurePolicy: {{ .Values.agentInjector.webhook.failurePolicy }} + reinvocationPolicy: {{ .Values.agentInjector.webhook.reinvocationPolicy }} + name: agent-injector-{{ include "traffic-manager.namespace" $ }}.telepresence.io + sideEffects: {{ .Values.agentInjector.webhook.sideEffects }} + timeoutSeconds: {{ .Values.agentInjector.webhook.timeoutSeconds }} + namespaceSelector: +{{- toYaml $namespaceSelector | nindent 4 }} +{{- if not (or (eq .Values.agentInjector.certificate.method "certmanager") (eq .Values.agentInjector.certificate.method "supplied")) }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.agentInjector.secret.name }} + namespace: {{ include "traffic-manager.namespace" $ }} + labels: + {{- include "telepresence.labels" $ | nindent 4 }} +data: +{{- if and ($secretData) (not .Values.agentInjector.certificate.regenerate) }} + ca.crt: {{ or (get $secretData "ca.crt") (get $secretData "ca.pem") }} + tls.crt: {{ or (get $secretData "tls.crt") (get $secretData "crt.pem") }} + tls.key: {{ or (get $secretData "tls.key") (get $secretData "key.pem") }} +{{- else }} + ca.crt: {{ $genCA.Cert | b64enc }} + tls.crt: {{ $genCert.Cert | b64enc }} + tls.key: {{ $genCert.Key | b64enc }} +{{- end }} +{{- end }} +{{- end }} diff --git a/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/certificate.yaml b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/certificate.yaml new file mode 100644 index 00000000..42d7a302 --- /dev/null +++ b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/certificate.yaml @@ -0,0 +1,14 @@ +{{- if and (eq .Values.agentInjector.certificate.method "certmanager") .Values.agentInjector.enabled }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .Values.agentInjector.secret.name }} +spec: + secretName: {{ .Values.agentInjector.secret.name }} + dnsNames: + - {{ (printf "%s.%s" .Values.agentInjector.name .Release.Namespace ) }} + - {{ (printf "%s.%s.svc" .Values.agentInjector.name .Release.Namespace ) }} + {{- with .Values.agentInjector.certificate.certmanager }} + {{- toYaml . | nindent 2 }} + {{- end }} +{{- end }} diff --git a/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/clientRbac/cluster-scope.yaml b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/clientRbac/cluster-scope.yaml new file mode 100644 index 00000000..7297a275 --- /dev/null +++ b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/clientRbac/cluster-scope.yaml @@ -0,0 +1,38 @@ +{{- /* +These are the cluster-wide rbac roles + bindings that will be used by users +who want to use telepresence once its components have been set +up in the cluster. +*/}} +{{- with .Values.clientRbac }} +{{- if (and .create (not (or .namespaces (include "traffic-manager.namespaced" $)))) }} +{{- $roleName := include "telepresence.clientRbacName" $ }} + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ $roleName }} + labels: + {{- include "telepresence.labels" $ | nindent 4 }} +rules: +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +{{- include "telepresence.clientRbacInterceptRules" $ }} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ $roleName }} + labels: + {{- include "telepresence.labels" $ | nindent 4 }} +subjects: +{{ toYaml .subjects }} +roleRef: + kind: ClusterRole + name: {{ $roleName }} + apiGroup: rbac.authorization.k8s.io + +{{- end }} +{{- end }} diff --git a/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/clientRbac/connect.yaml b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/clientRbac/connect.yaml new file mode 100644 index 00000000..7a106795 --- /dev/null +++ b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/clientRbac/connect.yaml @@ -0,0 +1,43 @@ +{{- with .Values.clientRbac }} +{{- if .create }} +{{- /* +Client must have the following RBAC in the traffic-manager.namespace to establish +a port-forward to the traffic-manager pod. +*/}} +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: traffic-manager-connect + namespace: {{ include "traffic-manager.namespace" $ }} + labels: + {{- include "telepresence.labels" $ | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["services"] + resourceNames: + - {{ include "traffic-manager.name" $ }} + verbs: ["get"] + - apiGroups: [""] + resources: ["pods/portforward"] + verbs: ["create"] +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: traffic-manager-connect + namespace: {{ include "traffic-manager.namespace" $ }} + labels: + {{- include "telepresence.labels" $ | nindent 4 }} +subjects: +{{ toYaml .subjects }} +roleRef: + apiGroup: rbac.authorization.k8s.io + name: traffic-manager-connect + kind: Role + +{{- end }} +{{- end }} diff --git a/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/clientRbac/namespace-scope.yaml b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/clientRbac/namespace-scope.yaml new file mode 100644 index 00000000..dde2c38e --- /dev/null +++ b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/clientRbac/namespace-scope.yaml @@ -0,0 +1,85 @@ +{{- /* +These are the namespace-scoped rbac roles + bindings that will be used by users +who want to use telepresence once its components have been set +up in the cluster. +*/}} +{{- with .Values.clientRbac }} +{{- if .create }} +{{- $subjects := .subjects }} +{{- if (not $subjects) }} + {{- /* fail comes out really ugly if we just do fail "the message here" */}} + {{- $msg := "You must set clientRbac.subjects to a list of valid rbac subjects. See the kubernetes docs for more: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-subjects" }} + {{- fail $msg }} +{{- end }} +{{- $namespaces := .namespaces }} +{{- if not $namespaces }} + {{ $namespaces = fromJsonArray (include "traffic-manager.namespaces" $) }} +{{- end }} +{{- $name := include "telepresence.clientRbacName" $ }} +{{- $labels := include "telepresence.labels" $ | nindent 4 }} +{{- range $namespaces }} +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ $name }} + namespace: {{ . }} + labels: + {{- $labels }} +rules: +{{ include "telepresence.clientRbacInterceptRules" $ }} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ $name }} + namespace: {{ . }} + labels: + {{- $labels }} +subjects: +{{- toYaml $subjects | nindent 0}} +roleRef: + kind: Role + name: {{ $name }} + apiGroup: rbac.authorization.k8s.io + +{{- end }} + +{{- $managerNamespace := include "traffic-manager.namespace" $ }} +{{- if and $namespaces (not (has $managerNamespace $namespaces)) }} +{{- /* +This is required only if the client should be permitted to gather the traffic-manager logs, and it +is only required when the traffic-manager isn't managing its own namespace. +*/}} +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: traffic-manager-logs + namespace: {{ $managerNamespace }} + labels: + {{- $labels }} +rules: + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: traffic-manager-logs + namespace: {{ $managerNamespace }} + labels: + {{- $labels }} +subjects: +{{ toYaml $subjects }} +roleRef: + kind: Role + name: traffic-manager-logs + apiGroup: rbac.authorization.k8s.io + +{{- end }} +{{- end }} +{{- end }} diff --git a/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/deployment.yaml b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/deployment.yaml new file mode 100644 index 00000000..81c8cdf6 --- /dev/null +++ b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/deployment.yaml @@ -0,0 +1,324 @@ +{{- with .Values }} +{{- if not (and .rbac .rbac.only) }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "traffic-manager.name" $ }} + namespace: {{ include "traffic-manager.namespace" $ }} + labels: + {{- include "telepresence.labels" $ | nindent 4 }} +spec: + replicas: {{ .replicaCount }} + selector: + matchLabels: + {{- include "telepresence.selectorLabels" $ | nindent 6 }} + template: + metadata: + {{- with .podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "telepresence.selectorLabels" $ | nindent 8 }} + {{- with .podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .image.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .podSecurityContext | nindent 8 }} + {{- if .hostNetwork }} + hostNetwork: true + {{- end }} + containers: + - name: {{ include "traffic-manager.name" $ }} + securityContext: + {{- toYaml .securityContext | nindent 12 }} + {{- with .image }} + image: "{{ .registry }}/{{ .name }}:{{ .tag | default $.Chart.AppVersion }}" + imagePullPolicy: {{ .pullPolicy }} + {{- end }} + env: + - name: LOG_LEVEL + value: {{ .logLevel }} + {{- with .image }} + - name: REGISTRY + value: "{{ .registry }}" + {{- end }} + - name: SERVER_PORT + value: {{ .apiPort | quote }} + - name: POD_CIDR_STRATEGY + value: {{ .podCIDRStrategy }} + {{- with .podCIDRs }} + - name: POD_CIDRS + value: "{{ join " " . }}" + {{- end }} + {{- if .agentInjector.enabled }} + - name: MUTATOR_WEBHOOK_PORT + value: {{ .agentInjector.webhook.port | quote }} + - name: AGENT_INJECTOR_SECRET + {{- if eq .agentInjector.certificate.accessMethod "mount" }} + value: /var/run/secrets/tls + {{- else }} + value: {{ .agentInjector.secret.name }} + {{- end }} + {{- end }} + {{- with .telepresenceAPI }} + {{- if .port }} + - name: AGENT_REST_API_PORT + value: {{ .port | quote }} + {{- end }} + {{- end }} + {{- with .grpc }} + {{- if .maxReceiveSize }} + - name: GRPC_MAX_RECEIVE_SIZE + value: {{ .maxReceiveSize }} + {{- if and .connectionTTL (not $.Values.client.connectionTTL) }} + - name: CLIENT_CONNECTION_TTL + value: {{ .connectionTTL }} + {{- end }} + {{- end }} + {{- end }} + {{- if .workloads }} + {{- with .workloads }} + - name: ENABLED_WORKLOAD_KINDS + value: >- + {{- if or (not .deployments) .deployments.enabled }} + Deployment + {{- end }} + {{- if or (not .statefulSets) .statefulSets.enabled }} + StatefulSet + {{- end }} + {{- if or (not .replicaSets) .replicaSets.enabled }} + ReplicaSet + {{- end }} + {{- if and .argoRollouts .argoRollouts.enabled }} + Rollout + {{- end }} + {{- end }} + {{- else }} + - name: ENABLED_WORKLOAD_KINDS + value: Deployment StatefulSet ReplicaSet + {{- end }} + {{- if .agentInjector.enabled }} + {{- /* + Traffic agent injector configuration + */}} + - name: AGENT_ARRIVAL_TIMEOUT + value: {{ quote (default "30s" .timeouts.agentArrival) }} + {{- with .agentInjector }} + - name: AGENT_INJECT_POLICY + value: {{ .injectPolicy }} + - name: AGENT_INJECTOR_NAME + value: {{ .name | quote }} + {{- end }} + {{- /* + Traffic agent configuration + */}} + {{- with .agent }} + {{- if .logLevel }} + - name: AGENT_LOG_LEVEL + value: {{ .logLevel }} + {{- end }} + {{- if .port }} + - name: AGENT_PORT + value: {{ .port | quote }} + {{- end }} + {{- if .appProtocolStrategy }} + - name: AGENT_APP_PROTO_STRATEGY + value: {{ .appProtocolStrategy }} + {{- end }} + {{- if .resources }} + - name: AGENT_RESOURCES + value: '{{ toJson .resources }}' + {{- end }} + {{- if .initResources }} + - name: AGENT_INIT_RESOURCES + value: '{{ toJson .initResources }}' + {{- end }} + {{- if .mountPolicies }} + - name: AGENT_MOUNT_POLICIES + value: '{{ toJson .mountPolicies }}' + {{- end }} + {{- with .initContainer }} + - name: AGENT_INIT_CONTAINER_ENABLED + value: {{ .enabled | quote }} + {{- end }} + {{- with .image }} + {{- if .name }} + - name: AGENT_IMAGE_NAME + value: {{ .name }} + {{- end }} + {{- if .tag }} + - name: AGENT_IMAGE_TAG + value: {{ .tag }} + {{- end }} + {{- if .registry }} + - name: AGENT_REGISTRY + value: {{ .registry }} + {{- end }} + {{- with .pullSecrets }} + - name: AGENT_IMAGE_PULL_SECRETS + value: '{{ toJson . }}' + {{- end }} + - name: AGENT_IMAGE_PULL_POLICY + value: {{ .pullPolicy }} + {{- end }} + {{- /* must check against nil. An empty security context is a valid override */}} + {{- if not (eq .securityContext nil) }} + - name: AGENT_SECURITY_CONTEXT + value: '{{ toJson .securityContext }}' + {{- end }} + {{- /* must check against nil. An empty security context is a valid override */}} + {{- if not (eq .initSecurityContext nil) }} + - name: AGENT_INIT_SECURITY_CONTEXT + value: '{{ toJson .initSecurityContext }}' + {{- end }} + {{- end }} + {{- with fromJsonArray (include "traffic-manager.namespaces" $) }} + {{- /* + This environment variable is not used, it's here to force a redeploy of the traffic manager when the list + changes, because it updates roles and rolebindings and potentially also changes from roles to clusterroles or + vice versa. + */}} + - name: NOT_USED_NSS + value: {{ toJson . | quote }} + {{- end }} + {{- end }} + {{- if .prometheus.port }} # 0 is false + - name: PROMETHEUS_PORT + value: "{{ .prometheus.port }}" + {{- end }} + - name: MAX_NAMESPACE_SPECIFIC_WATCHERS + value: {{.maxNamespaceSpecificWatchers | quote }} + - name: MANAGER_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + {{- /* + Client configuration + */}} + {{- with .client }} + {{- if .connectionTTL }} + - name: CLIENT_CONNECTION_TTL + value: {{ .connectionTTL }} + {{- end }} + {{- with .routing }} + {{- if .alsoProxySubnets }} + - name: CLIENT_ROUTING_ALSO_PROXY_SUBNETS + value: "{{ join " " .alsoProxySubnets }}" + {{- end }} + {{- if .neverProxySubnets }} + - name: CLIENT_ROUTING_NEVER_PROXY_SUBNETS + value: "{{ join " " .neverProxySubnets }}" + {{- end }} + {{- if .allowConflictingSubnets }} + - name: CLIENT_ROUTING_ALLOW_CONFLICTING_SUBNETS + value: "{{ join " " .allowConflictingSubnets }}" + {{- end }} + {{- end }} + {{- with .dns }} + {{- with .excludeSuffixes }} + - name: CLIENT_DNS_EXCLUDE_SUFFIXES + value: "{{ join " " . }}" + {{- end }} + {{- with .includeSuffixes }} + - name: CLIENT_DNS_INCLUDE_SUFFIXES + value: "{{ join " " . }}" + {{- end }} + {{- end }} + {{- end }} + {{- with .compatibility }} + {{- if .version }} + - name: COMPATIBILITY_VERSION + value: {{ .version }} + {{- end }} + {{- end }} + {{- if and .trafficManager .trafficManager.envTemplate }} + {{- template "traffic-manager-env" . }} + {{- end }} + ports: + - name: api + containerPort: {{ .apiPort }} + - name: https + containerPort: {{ .agentInjector.webhook.port }} + {{- if .prometheus.port }} # 0 is false + - name: prometheus + containerPort: {{ .prometheus.port }} + {{- end }} + {{- with .livenessProbe }} + livenessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if eq .agentInjector.certificate.accessMethod "mount" }} + volumeMounts: + {{- if .agentInjector.enabled }} + - name: tls + mountPath: /var/run/secrets/tls + readOnly: true + {{- end }} + {{- if and .trafficManager .trafficManager.mountsTemplate }} + {{- template "traffic-manager-mounts" . }} + {{- end }} + {{- else }} + {{- if and .trafficManager .trafficManager.mountsTemplate }} + volumeMounts: + {{- template "traffic-manager-mounts" . }} + {{- end }} + {{- end }} + {{- with .schedulerName }} + schedulerName: {{ . }} + {{- end }} + {{- with .nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .priorityClassName }} + priorityClassName: {{ . | quote }} + {{- end }} + {{- if eq .agentInjector.certificate.accessMethod "mount" }} + volumes: + {{- if .agentInjector.enabled }} + - name: tls + secret: + defaultMode: 420 + secretName: {{ .agentInjector.secret.name }} + {{- end }} + {{- if and .trafficManager .trafficManager.volsTemplate }} + {{- template "traffic-manager-vols" . }} + {{- end }} + {{- else }} + {{- if and .trafficManager .trafficManager.volsTemplate }} + volumes: + {{- template "traffic-manager-vols" . }} + {{- end }} + {{- end }} + serviceAccount: traffic-manager + serviceAccountName: traffic-manager +{{- end }} +{{- end }} \ No newline at end of file diff --git a/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/issuer.yaml b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/issuer.yaml new file mode 100644 index 00000000..3c8c1f0f --- /dev/null +++ b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/issuer.yaml @@ -0,0 +1,8 @@ +{{- if and (eq .Values.agentInjector.certificate.method "certmanager") .Values.agentInjector.enabled }} +apiVersion: cert-manager.io/v1 +kind: {{ .Values.agentInjector.certificate.certmanager.issuerRef.kind }} +metadata: + name: {{ .Values.agentInjector.certificate.certmanager.issuerRef.name }} +spec: + selfSigned: {} +{{- end }} diff --git a/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/pre-delete-hook.yaml b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/pre-delete-hook.yaml new file mode 100644 index 00000000..bc83cf6d --- /dev/null +++ b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/pre-delete-hook.yaml @@ -0,0 +1,76 @@ +{{- if and (not (and .Values.rbac .Values.rbac.only)) .Values.agentInjector.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: uninstall-agents + namespace: {{ include "traffic-manager.namespace" $ }} + labels: + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + app.kubernetes.io/version: {{ .Chart.AppVersion }} + helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + annotations: + {{- /* This is what defines this resource as a hook. Without this line, the job is considered part of the release. */}} + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +spec: + backoffLimit: 1 + template: + metadata: + name: uninstall-agents + labels: + app.kubernetes.io/managed-by: {{ .Release.Service | quote }} + app.kubernetes.io/instance: {{ .Release.Name | quote }} + helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + spec: + securityContext: + {{- toYaml .Values.hooks.podSecurityContext | nindent 8 }} + restartPolicy: Never + {{- with .Values.hooks.curl.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: uninstall-agents + securityContext: + {{- if .Values.hooks.securityContext }} + {{- toYaml .Values.hooks.securityContext | nindent 12 }} + {{- else }} + {{- toYaml .Values.securityContext | nindent 12 }} + {{- end }} + image: "{{ .Values.hooks.curl.registry }}/{{ .Values.hooks.curl.image }}:{{ .Values.hooks.curl.tag }}" + imagePullPolicy: {{ .Values.hooks.curl.pullPolicy }} + volumeMounts: + - name: secret-volume + mountPath: /secret + env: + - name: CURL_CA_BUNDLE + value: /secret/ca.crt + resources: + {{- toYaml .Values.hooks.resources | nindent 12 }} + command: + - sh + - -c + args: + - 'curl --fail --connect-timeout 5 --max-time 60 --request DELETE https://{{ .Values.agentInjector.name }}.{{ include "traffic-manager.namespace" $ }}:{{ .Values.agentInjector.webhook.port }}/uninstall || exit 0' + volumes: + - name: secret-volume + secret: + secretName: {{ .Values.agentInjector.secret.name }} + {{- with .Values.schedulerName }} + schedulerName: {{ . }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/service.yaml b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/service.yaml new file mode 100644 index 00000000..f5811561 --- /dev/null +++ b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/service.yaml @@ -0,0 +1,56 @@ +{{- with .Values }} +{{- if not (and .rbac .rbac.only) }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "traffic-manager.name" $ }} + namespace: {{ include "traffic-manager.namespace" $ }} + labels: + {{- include "telepresence.labels" $ | nindent 4 }} +spec: + type: {{ .service.type }} + clusterIP: None + ports: + - name: api + port: {{ .apiPort }} + targetPort: api + selector: + {{- include "telepresence.selectorLabels" $ | nindent 4 }} +{{- if .agentInjector.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ .agentInjector.name }} + namespace: {{ include "traffic-manager.namespace" $ }} + labels: + {{- include "telepresence.labels" $ | nindent 4 }} +spec: + type: {{ .service.type }} + ports: + - name: https + port: {{ .agentInjector.webhook.port }} + targetPort: https + selector: + {{- include "telepresence.selectorLabels" $ | nindent 4 }} +{{- end }} +{{- if .prometheus.port }} # 0 is false +--- +apiVersion: v1 +kind: Service +metadata: + name: telepresence-prometheus + namespace: {{ include "traffic-manager.namespace" $ }} + labels: + name: telepresence-prometheus +spec: + type: {{ .service.type }} + ports: + - name: telepresence-prometheus + port: 80 + targetPort: prometheus + selector: + {{- include "telepresence.selectorLabels" $ | nindent 4 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/tests/test-connection.yaml b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/tests/test-connection.yaml new file mode 100644 index 00000000..0375e75d --- /dev/null +++ b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/tests/test-connection.yaml @@ -0,0 +1,22 @@ +{{- if not (and .Values.rbac .Values.rbac.only) }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "traffic-manager.name" $ }}-test-connection" + namespace: {{ include "traffic-manager.namespace" $ }} + labels: + {{- include "telepresence.labels" $ | nindent 4 }} + annotations: + "helm.sh/hook": test-success +spec: + {{- with .Values.hooks.busybox.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 2 }} + {{- end }} + containers: + - name: wget + image: "{{ .Values.hooks.busybox.registry }}/{{ .Values.hooks.busybox.image }}:{{ .Values.hooks.busybox.tag }}" + command: ['wget'] + args: ['{{ include "traffic-manager.name" $ }}:8081'] + restartPolicy: Never +{{- end }} diff --git a/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/trafficManager-configmap.yaml b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/trafficManager-configmap.yaml new file mode 100644 index 00000000..029b3e33 --- /dev/null +++ b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/trafficManager-configmap.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "traffic-manager.name" $ }} + namespace: {{ include "traffic-manager.namespace" $ }} + labels: + {{- include "telepresence.labels" $ | nindent 4 }} +data: +{{- if .Values.client }} + client.yaml: | + {{- toYaml .Values.client | nindent 4 }} +{{- end }} +{{- with .Values.intercept }} +{{- if .environment }} + agent-env.yaml: | + {{- toYaml .environment | nindent 4 }} +{{- end }} +{{- end }} + namespace-selector.yaml: | + {{- toYaml (mustFromJson (include "traffic-manager.namespaceSelector" $)) | nindent 4 }} diff --git a/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/trafficManagerRbac/cluster-scope.yaml b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/trafficManagerRbac/cluster-scope.yaml new file mode 100644 index 00000000..b3c8bcf0 --- /dev/null +++ b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/trafficManagerRbac/cluster-scope.yaml @@ -0,0 +1,104 @@ +{{- with .Values }} +{{- if and .managerRbac.create (not (include "traffic-manager.namespaced" $)) }} +{{- /* +This file contains all cluster-scoped permissions that the traffic manager needs. +This will be larger if namespaced: false, or smaller if it is true +This will also likely expand over time as we move more things from the clients +domain into the traffic-manager. But the good news there is that it will +require less permissions in clientRbac.yaml +*/}} +{{- $roleName := (printf "traffic-manager-%s" (include "traffic-manager.namespace" $)) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ $roleName }} + labels: + {{- include "telepresence.labels" $ | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - services + verbs: + - update {{/* Only needed for upgrade of older versions */}} +- apiGroups: + - "" + resources: + - nodes + - services + - namespaces + - pods + verbs: + - list + - get + - watch +{{- if .agentInjector.enabled }} +- apiGroups: + - "" + resources: + - pods/eviction + verbs: + - create +{{- end }} +- apiGroups: + - "" + resources: + - pods/log + verbs: + - get +- apiGroups: + - "apps" + resources: + - deployments + - replicasets + - statefulsets + verbs: + - get + - list + - watch +{{- if .agentInjector.enabled }} + - patch +{{- end }} +{{- if .workloads.argoRollouts.enabled }} +- apiGroups: + - "argoproj.io" + resources: + - rollouts + verbs: + - get + - list + - watch +{{- if .agentInjector.enabled }} + - patch +{{- end }} +{{- end }} +- apiGroups: + - "events.k8s.io" + resources: + - events + verbs: + - get + - watch +- apiGroups: + - "networking.k8s.io" + resources: + - servicecidrs + verbs: + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ $roleName }} + labels: + {{- include "telepresence.labels" $ | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ $roleName }} +subjects: +- kind: ServiceAccount + name: traffic-manager + namespace: {{ include "traffic-manager.namespace" $ }} +{{- end }} +{{- end }} diff --git a/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/trafficManagerRbac/namespace-scope.yaml b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/trafficManagerRbac/namespace-scope.yaml new file mode 100644 index 00000000..52a160db --- /dev/null +++ b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/trafficManagerRbac/namespace-scope.yaml @@ -0,0 +1,216 @@ +{{- if .Values.managerRbac.create }} +{{- /* +This file contains the various namespace-scoped roles + bindings that the traffic-manager needs. +This will likely expand over time as we move more things from the clients +domain into the traffic-manager. But the good news there is that it will +require less permissions in clientRbac.yaml +*/}} +{{- $managerNamespace := include "traffic-manager.namespace" $}} +{{- $namespaces := fromJsonArray (include "traffic-manager.namespaces" $)}} +{{- if $namespaces }} +{{- $interceptEnabled := .Values.agentInjector.enabled}} +{{- $argoRolloutsEnabled := .Values.workloads.argoRollouts.enabled}} +{{- $allNamespaces := uniq (append $namespaces $managerNamespace)}} + +{{- range $allNamespaces }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: traffic-manager + namespace: {{ . }} + labels: + {{- include "telepresence.labels" $ | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - services + verbs: + - update {{/* Only needed for upgrade of older versions */}} +- apiGroups: + - "" + resources: + - services + - pods + verbs: + - list + - get + - watch +{{- if $interceptEnabled }} +- apiGroups: + - "" + resources: + - pods/eviction + verbs: + - create +{{- end }} +- apiGroups: + - "" + resources: + - pods/log + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + verbs: + - list + - get + - watch + resourceNames: +{{- if eq . $managerNamespace }} + - {{ include "traffic-manager.name" $ }} +{{- end }} +- apiGroups: + - "apps" + resources: + - deployments + - replicasets + - statefulsets + verbs: + - get + - list + - watch +{{- if $interceptEnabled }} + - patch +{{- end }} +{{- if $argoRolloutsEnabled }} +- apiGroups: + - "argoproj.io" + resources: + - rollouts + verbs: + - get + - list + - watch +{{- if $interceptEnabled }} + - patch +{{- end }} +{{- end }} +- apiGroups: + - "events.k8s.io" + resources: + - events + verbs: + - get + - watch +{{- if eq . $managerNamespace }} +{{- /* Must be able to get the manager namespace in order to get the install-id */}} +- apiGroups: + - "" + resources: + - namespaces + resourceNames: + - {{ . }} + verbs: + - get +{{- if and (eq (int $.Capabilities.KubeVersion.Major) 1) (lt (int $.Capabilities.KubeVersion.Minor) 33) }} +{{- /* +Must be able to make an unsuccessful attempt to create a dummy service in order to receive +the error message containing correct service CIDR +*/}} +- apiGroups: + - "" + resources: + - services + verbs: + - create +{{- end }} +{{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: traffic-manager + namespace: {{ . }} + labels: + {{- include "telepresence.labels" $ | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: traffic-manager +subjects: +- kind: ServiceAccount + name: traffic-manager + namespace: {{ $managerNamespace }} +{{- end }} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: traffic-manager-cluster-wide-{{ $managerNamespace }} + labels: + {{- include "telepresence.labels" $ | nindent 4 }} +rules: + - apiGroups: + - "networking.k8s.io" + resources: + - servicecidrs + verbs: + - list + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: traffic-manager-cluster-wide-{{ $managerNamespace }} + labels: + {{- include "telepresence.labels" $ | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: traffic-manager-cluster-wide-{{ $managerNamespace }} +subjects: + - kind: ServiceAccount + name: traffic-manager + namespace: {{ $managerNamespace }} +{{- else }} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + namespace: {{ $managerNamespace }} + name: traffic-manager + labels: + {{- include "telepresence.labels" $ | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - services + verbs: + - create +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + resourceNames: + - {{ include "traffic-manager.name" $ }} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: traffic-manager + namespace: {{ $managerNamespace }} + labels: + {{- include "telepresence.labels" $ | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: traffic-manager +subjects: +- kind: ServiceAccount + name: traffic-manager + namespace: {{ $managerNamespace }} +{{- end }} + +{{- end }} diff --git a/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/trafficManagerRbac/service-account.yaml b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/trafficManagerRbac/service-account.yaml new file mode 100644 index 00000000..3ec71b20 --- /dev/null +++ b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/trafficManagerRbac/service-account.yaml @@ -0,0 +1,11 @@ +{{- if .Values.managerRbac.create }} +{{- /* This file contains the serviceAccount used for the traffic-manager deployment. */}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: traffic-manager + namespace: {{ include "traffic-manager.namespace" $ }} + labels: + {{- include "telepresence.labels" $ | nindent 4 }} + +{{- end }} diff --git a/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/trafficManagerRbac/webhook-secret.yaml b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/trafficManagerRbac/webhook-secret.yaml new file mode 100644 index 00000000..0ef53d6a --- /dev/null +++ b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/templates/trafficManagerRbac/webhook-secret.yaml @@ -0,0 +1,34 @@ +{{- if and (not (eq .Values.agentInjector.certificate.accessMethod "mount")) .Values.agentInjector.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + namespace: {{ include "traffic-manager.namespace" $ }} + name: agent-injector-webhook-secret + labels: {{- include "telepresence.labels" $ | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - secrets + resourceNames: [ {{ .Values.agentInjector.secret.name }} ] + verbs: + - get + - list + - watch + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: agent-injector-webhook-secret + namespace: {{ include "traffic-manager.namespace" $ }} + labels: {{- include "telepresence.labels" $ | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: agent-injector-webhook-secret +subjects: + - kind: ServiceAccount + name: traffic-manager + namespace: {{ include "traffic-manager.namespace" $ }} +{{- end }} \ No newline at end of file diff --git a/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/values.schema.json b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/values.schema.json new file mode 100644 index 00000000..bc74b6db --- /dev/null +++ b/cluster/manifests/freeleaps-infra-system/telepresence/telepresence-oss/values.schema.json @@ -0,0 +1 @@ +{"description":"Values Schema for the Telepresence OSS Helm Chart","title":"Telepresence Values","definitions":{"io.k8s.api.resource.v1beta1.DeviceClassSpec":{"description":"DeviceClassSpec is used in a [DeviceClass] to define what can be allocated and how to configure it.","properties":{"config":{"description":"Config defines configuration parameters that apply to each device that is claimed via this class. Some classses may potentially be satisfied by multiple drivers, so each instance of a vendor configuration applies to exactly one driver.\n\nThey are passed to the driver, but are not considered while allocating the claim.","items":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.DeviceClassConfiguration"},"type":"array","x-kubernetes-list-type":"atomic"},"selectors":{"description":"Each selector must be satisfied by a device which is claimed via this class.","items":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.DeviceSelector"},"type":"array","x-kubernetes-list-type":"atomic"}},"type":"object"},"io.k8s.api.storagemigration.v1alpha1.StorageVersionMigrationSpec":{"description":"Spec of the storage version migration.","properties":{"continueToken":{"description":"The token used in the list options to get the next chunk of objects to migrate. When the .status.conditions indicates the migration is \"Running\", users can use this token to check the progress of the migration.","type":"string"},"resource":{"$ref":"#/definitions/io.k8s.api.storagemigration.v1alpha1.GroupVersionResource","description":"The resource that is being migrated. The migrator sends requests to the endpoint serving the resource. Immutable."}},"required":["resource"],"type":"object"},"io.k8s.kube-aggregator.pkg.apis.apiregistration.v1.ServiceReference":{"description":"ServiceReference holds a reference to Service.legacy.k8s.io","properties":{"name":{"description":"Name is the name of the service","type":"string"},"namespace":{"description":"Namespace is the namespace of the service","type":"string"},"port":{"description":"If specified, the port on the service that hosting webhook. Default to 443 for backward compatibility. `port` should be a valid port number (1-65535, inclusive).","format":"int32","type":"integer"}},"type":"object"},"io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyStatus":{"description":"ValidatingAdmissionPolicyStatus represents the status of an admission validation policy.","properties":{"conditions":{"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","description":"The conditions represent the latest available observations of a policy's current state.","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition"},"type":"array"},"observedGeneration":{"format":"int64","type":"integer","description":"The generation observed by the controller."},"typeChecking":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.TypeChecking","description":"The results of type checking for each expression. Presence of this field indicates the completion of the type checking."}},"type":"object"},"io.k8s.api.admissionregistration.v1alpha1.MatchResources":{"description":"MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)","properties":{"excludeResourceRules":{"items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1alpha1.NamedRuleWithOperations"},"type":"array","x-kubernetes-list-type":"atomic","description":"ExcludeResourceRules describes what operations on what resources/subresources the policy should not care about. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests. Allowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, the admission policy does not consider requests to apps/v1beta1 or extensions/v1beta1 API groups.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, the admission policy **does** consider requests made to apps/v1beta1 or extensions/v1beta1 API groups. The API server translates the request to a matched resource API if necessary.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector","description":"NamespaceSelector decides whether to run the admission control policy on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not associated with \"runlevel\" of \"0\" or \"1\"; you will set the selector as follows: \"namespaceSelector\": {\n \"matchExpressions\": [\n {\n \"key\": \"runlevel\",\n \"operator\": \"NotIn\",\n \"values\": [\n \"0\",\n \"1\"\n ]\n }\n ]\n}\n\nIf instead you want to only run the policy on any objects whose namespace is associated with the \"environment\" of \"prod\" or \"staging\"; you will set the selector as follows: \"namespaceSelector\": {\n \"matchExpressions\": [\n {\n \"key\": \"environment\",\n \"operator\": \"In\",\n \"values\": [\n \"prod\",\n \"staging\"\n ]\n }\n ]\n}\n\nSee https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything."},"objectSelector":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector","description":"ObjectSelector decides whether to run the policy based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the policy's expression (CEL), and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything."},"resourceRules":{"x-kubernetes-list-type":"atomic","description":"ResourceRules describes what operations on what resources/subresources the admission policy matches. The policy cares about an operation if it matches _any_ Rule.","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1alpha1.NamedRuleWithOperations"},"type":"array"}},"type":"object","x-kubernetes-map-type":"atomic"},"io.k8s.api.core.v1.ConfigMapProjection":{"description":"Adapts a ConfigMap into a projected volume.\n\nThe contents of the target ConfigMap's Data field will be presented in a projected volume as files using the keys in the Data field as the file names, unless the items element is populated with specific mappings of keys to paths. Note that this is identical to a configmap volume source without the default mode.","properties":{"items":{"description":"items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.","items":{"$ref":"#/definitions/io.k8s.api.core.v1.KeyToPath"},"type":"array","x-kubernetes-list-type":"atomic"},"name":{"description":"Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"optional specify whether the ConfigMap or its keys must be defined","type":"boolean"}},"type":"object"},"io.k8s.api.core.v1.HostPathVolumeSource":{"type":"object","description":"Represents a host path mapped into a pod. Host path volumes do not support ownership management or SELinux relabeling.","properties":{"path":{"type":"string","description":"path of the directory on the host. If the path is a symlink, it will follow the link to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath"},"type":{"description":"type for HostPath Volume Defaults to \"\" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath","type":"string"}},"required":["path"]},"io.k8s.api.core.v1.LimitRangeSpec":{"properties":{"limits":{"description":"Limits is the list of LimitRangeItem objects that are enforced.","items":{"$ref":"#/definitions/io.k8s.api.core.v1.LimitRangeItem"},"type":"array","x-kubernetes-list-type":"atomic"}},"required":["limits"],"type":"object","description":"LimitRangeSpec defines a min/max usage limit for resources that match on kind."},"io.k8s.api.networking.v1beta1.ServiceCIDR":{"description":"ServiceCIDR defines a range of IP addresses using CIDR format (e.g. 192.168.0.0/24 or 2001:db2::/64). This range is used to allocate ClusterIPs to Service objects.","properties":{"spec":{"$ref":"#/definitions/io.k8s.api.networking.v1beta1.ServiceCIDRSpec","description":"spec is the desired state of the ServiceCIDR. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"},"status":{"$ref":"#/definitions/io.k8s.api.networking.v1beta1.ServiceCIDRStatus","description":"status represents the current state of the ServiceCIDR. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["ServiceCIDR"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"}},"type":"object","x-kubernetes-group-version-kind":[{"group":"networking.k8s.io","kind":"ServiceCIDR","version":"v1beta1"}]},"io.k8s.api.resource.v1beta1.CELDeviceSelector":{"description":"CELDeviceSelector contains a CEL expression for selecting a device.","properties":{"expression":{"description":"Expression is a CEL expression which evaluates a single device. It must evaluate to true when the device under consideration satisfies the desired criteria, and false when it does not. Any other result is an error and causes allocation of devices to abort.\n\nThe expression's input is an object named \"device\", which carries the following properties:\n - driver (string): the name of the driver which defines this device.\n - attributes (map[string]object): the device's attributes, grouped by prefix\n (e.g. device.attributes[\"dra.example.com\"] evaluates to an object with all\n of the attributes which were prefixed by \"dra.example.com\".\n - capacity (map[string]object): the device's capacities, grouped by prefix.\n\nExample: Consider a device with driver=\"dra.example.com\", which exposes two attributes named \"model\" and \"ext.example.com/family\" and which exposes one capacity named \"modules\". This input to this expression would have the following fields:\n\n device.driver\n device.attributes[\"dra.example.com\"].model\n device.attributes[\"ext.example.com\"].family\n device.capacity[\"dra.example.com\"].modules\n\nThe device.driver field can be used to check for a specific driver, either as a high-level precondition (i.e. you only want to consider devices from this driver) or as part of a multi-clause expression that is meant to consider devices from different drivers.\n\nThe value type of each attribute is defined by the device definition, and users who write these expressions must consult the documentation for their specific drivers. The value type of each capacity is Quantity.\n\nIf an unknown prefix is used as a lookup in either device.attributes or device.capacity, an empty map will be returned. Any reference to an unknown field will cause an evaluation error and allocation to abort.\n\nA robust expression should check for the existence of attributes before referencing them.\n\nFor ease of use, the cel.bind() function is enabled, and can be used to simplify expressions that access multiple attributes with the same domain. For example:\n\n cel.bind(dra, device.attributes[\"dra.example.com\"], dra.someBool && dra.anotherBool)\n\nThe length of the expression must be smaller or equal to 10 Ki. The cost of evaluating it is also limited based on the estimated number of logical steps.","type":"string"}},"required":["expression"],"type":"object"},"io.k8s.api.core.v1.ContainerStateWaiting":{"description":"ContainerStateWaiting is a waiting state of a container.","properties":{"reason":{"description":"(brief) reason the container is not yet running.","type":"string"},"message":{"description":"Message regarding why the container is not yet running.","type":"string"}},"type":"object"},"io.k8s.api.networking.v1beta1.IPAddressList":{"type":"object","x-kubernetes-group-version-kind":[{"group":"networking.k8s.io","kind":"IPAddressList","version":"v1beta1"}],"description":"IPAddressList contains a list of IPAddress.","properties":{"apiVersion":{"type":"string","description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"},"items":{"items":{"$ref":"#/definitions/io.k8s.api.networking.v1beta1.IPAddress"},"type":"array","description":"items is the list of IPAddresses."},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["IPAddressList"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta","description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"}},"required":["items"]},"io.k8s.api.resource.v1alpha3.ResourceSliceList":{"description":"ResourceSliceList is a collection of ResourceSlices.","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is the list of resource ResourceSlices.","items":{"$ref":"#/definitions/io.k8s.api.resource.v1alpha3.ResourceSlice"},"type":"array"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["ResourceSliceList"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta","description":"Standard list metadata"}},"required":["items"],"type":"object","x-kubernetes-group-version-kind":[{"group":"resource.k8s.io","kind":"ResourceSliceList","version":"v1alpha3"}]},"io.k8s.api.resource.v1beta2.DeviceSelector":{"description":"DeviceSelector must have exactly one field set.","properties":{"cel":{"$ref":"#/definitions/io.k8s.api.resource.v1beta2.CELDeviceSelector","description":"CEL contains a CEL expression for selecting a device."}},"type":"object"},"io.k8s.api.storage.v1alpha1.VolumeAttributesClassList":{"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of VolumeAttributesClass objects.","items":{"$ref":"#/definitions/io.k8s.api.storage.v1alpha1.VolumeAttributesClass"},"type":"array"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["VolumeAttributesClassList"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta","description":"Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"}},"required":["items"],"type":"object","x-kubernetes-group-version-kind":[{"group":"storage.k8s.io","kind":"VolumeAttributesClassList","version":"v1alpha1"}],"description":"VolumeAttributesClassList is a collection of VolumeAttributesClass objects."},"io.k8s.apimachinery.pkg.apis.meta.v1.APIResource":{"type":"object","description":"APIResource specifies the name of a resource and whether it is namespaced.","properties":{"namespaced":{"description":"namespaced indicates if a resource is namespaced or not.","type":"boolean"},"version":{"description":"version is the preferred version of the resource. Empty implies the version of the containing resource list For subresources, this may have a different value, for example: v1 (while inside a v1beta1 version of the core resource's group)\".","type":"string"},"kind":{"description":"kind is the kind for the resource (e.g. 'Foo' is the kind for a resource 'foo')","type":"string"},"name":{"description":"name is the plural name of the resource.","type":"string"},"shortNames":{"type":"array","x-kubernetes-list-type":"atomic","description":"shortNames is a list of suggested short names of the resource.","items":{"type":"string"}},"singularName":{"type":"string","description":"singularName is the singular name of the resource. This allows clients to handle plural and singular opaquely. The singularName is more correct for reporting status on a single item and both singular and plural are allowed from the kubectl CLI interface."},"storageVersionHash":{"description":"The hash value of the storage version, the version this resource is converted to when written to the data store. Value must be treated as opaque by clients. Only equality comparison on the value is valid. This is an alpha feature and may change or be removed in the future. The field is populated by the apiserver only if the StorageVersionHash feature gate is enabled. This field will remain optional even if it graduates.","type":"string"},"verbs":{"description":"verbs is a list of supported kube verbs (this includes get, list, watch, create, update, patch, delete, deletecollection, and proxy)","items":{"type":"string"},"type":"array"},"categories":{"description":"categories is a list of the grouped resources this resource belongs to (e.g. 'all')","items":{"type":"string"},"type":"array","x-kubernetes-list-type":"atomic"},"group":{"description":"group is the preferred group of the resource. Empty implies the group of the containing resource list. For subresources, this may have a different value, for example: Scale\".","type":"string"}},"required":["name","singularName","namespaced","kind","verbs"]},"io.k8s.api.core.v1.ContainerState":{"description":"ContainerState holds a possible state of container. Only one of its members may be specified. If none of them is specified, the default one is ContainerStateWaiting.","properties":{"running":{"$ref":"#/definitions/io.k8s.api.core.v1.ContainerStateRunning","description":"Details about a running container"},"terminated":{"description":"Details about a terminated container","$ref":"#/definitions/io.k8s.api.core.v1.ContainerStateTerminated"},"waiting":{"$ref":"#/definitions/io.k8s.api.core.v1.ContainerStateWaiting","description":"Details about a waiting container"}},"type":"object"},"io.k8s.api.admissionregistration.v1beta1.Variable":{"properties":{"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. The variable can be accessed in other expressions through `variables` For example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"},"expression":{"type":"string","description":"Expression is the expression that will be evaluated as the value of the variable. The CEL expression has access to the same identifiers as the CEL expressions in Validation."}},"required":["name","expression"],"type":"object","x-kubernetes-map-type":"atomic","description":"Variable is the definition of a variable that is used for composition. A variable is defined as a named expression."},"io.k8s.api.scheduling.v1.PriorityClassList":{"x-kubernetes-group-version-kind":[{"kind":"PriorityClassList","version":"v1","group":"scheduling.k8s.io"}],"description":"PriorityClassList is a collection of priority classes.","properties":{"kind":{"enum":["PriorityClassList"],"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta","description":"Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of PriorityClasses","items":{"$ref":"#/definitions/io.k8s.api.scheduling.v1.PriorityClass"},"type":"array"}},"required":["items"],"type":"object"},"io.k8s.api.authentication.v1.TokenReviewStatus":{"description":"TokenReviewStatus is the result of the token authentication request.","properties":{"audiences":{"description":"Audiences are audience identifiers chosen by the authenticator that are compatible with both the TokenReview and token. An identifier is any identifier in the intersection of the TokenReviewSpec audiences and the token's audiences. A client of the TokenReview API that sets the spec.audiences field should validate that a compatible audience identifier is returned in the status.audiences field to ensure that the TokenReview server is audience aware. If a TokenReview returns an empty status.audience field where status.authenticated is \"true\", the token is valid against the audience of the Kubernetes API server.","items":{"type":"string"},"type":"array","x-kubernetes-list-type":"atomic"},"authenticated":{"type":"boolean","description":"Authenticated indicates that the token was associated with a known user."},"error":{"description":"Error indicates that the token couldn't be checked","type":"string"},"user":{"$ref":"#/definitions/io.k8s.api.authentication.v1.UserInfo","description":"User is the UserInfo associated with the provided token."}},"type":"object"},"io.k8s.api.authorization.v1.NonResourceRule":{"type":"object","description":"NonResourceRule holds information that describes a rule for the non-resource","properties":{"nonResourceURLs":{"items":{"type":"string"},"type":"array","x-kubernetes-list-type":"atomic","description":"NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path. \"*\" means all."},"verbs":{"description":"Verb is a list of kubernetes non-resource API verbs, like: get, post, put, delete, patch, head, options. \"*\" means all.","items":{"type":"string"},"type":"array","x-kubernetes-list-type":"atomic"}},"required":["verbs"]},"io.k8s.api.resource.v1alpha3.DeviceSubRequest":{"type":"object","description":"DeviceSubRequest describes a request for device provided in the claim.spec.devices.requests[].firstAvailable array. Each is typically a request for a single resource like a device, but can also ask for several identical devices.\n\nDeviceSubRequest is similar to Request, but doesn't expose the AdminAccess or FirstAvailable fields, as those can only be set on the top-level request. AdminAccess is not supported for requests with a prioritized list, and recursive FirstAvailable fields are not supported.","properties":{"deviceClassName":{"description":"DeviceClassName references a specific DeviceClass, which can define additional configuration and selectors to be inherited by this subrequest.\n\nA class is required. Which classes are available depends on the cluster.\n\nAdministrators may use this to restrict which devices may get requested by only installing classes with selectors for permitted devices. If users are free to request anything without restrictions, then administrators can create an empty DeviceClass for users to reference.","type":"string"},"name":{"description":"Name can be used to reference this subrequest in the list of constraints or the list of configurations for the claim. References must use the format
/.\n\nMust be a DNS label.","type":"string"},"selectors":{"items":{"$ref":"#/definitions/io.k8s.api.resource.v1alpha3.DeviceSelector"},"type":"array","x-kubernetes-list-type":"atomic","description":"Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. All selectors must be satisfied for a device to be considered."},"tolerations":{"items":{"$ref":"#/definitions/io.k8s.api.resource.v1alpha3.DeviceToleration"},"type":"array","x-kubernetes-list-type":"atomic","description":"If specified, the request's tolerations.\n\nTolerations for NoSchedule are required to allocate a device which has a taint with that effect. The same applies to NoExecute.\n\nIn addition, should any of the allocated devices get tainted with NoExecute after allocation and that effect is not tolerated, then all pods consuming the ResourceClaim get deleted to evict them. The scheduler will not let new pods reserve the claim while it has these tainted devices. Once all pods are evicted, the claim will get deallocated.\n\nThe maximum number of tolerations is 16.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate."},"allocationMode":{"description":"AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n This is the default. The exact number is provided in the\n count field.\n\n- All: This request is for all of the matching devices in a pool.\n Allocation will fail if some devices are already allocated,\n unless adminAccess is requested.\n\nIf AllocationMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other requests must specify this field.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.","type":"string"},"count":{"description":"Count is used only when the count mode is \"ExactCount\". Must be greater than zero. If AllocationMode is ExactCount and this field is not specified, the default is one.","format":"int64","type":"integer"}},"required":["name","deviceClassName"]},"io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta":{"description":"ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.","properties":{"uid":{"description":"UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids","type":"string"},"name":{"type":"string","description":"Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names"},"deletionTimestamp":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time","description":"DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. This field is set by the server when a graceful deletion is requested by the user, and is not directly settable by a client. The resource is expected to be deleted (no longer visible from resource lists, and not reachable by name) after the time in this field, once the finalizers list is empty. As long as the finalizers list contains items, deletion is blocked. Once the deletionTimestamp is set, this value may not be unset or be set further into the future, although it may be shortened or the resource may be deleted prior to this time. For example, a user may request that a pod is deleted in 30 seconds. The Kubelet will react by sending a graceful termination signal to the containers in the pod. After that 30 seconds, the Kubelet will send a hard termination signal (SIGKILL) to the container and after cleanup, remove the pod from the API. In the presence of network partitions, this object may still exist after this timestamp, until an administrator or automated process can determine the resource is fully terminated. If not set, graceful deletion of the object has not been requested.\n\nPopulated by the system when a graceful deletion is requested. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"},"generation":{"description":"A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.","format":"int64","type":"integer"},"selfLink":{"description":"Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.","type":"string"},"deletionGracePeriodSeconds":{"format":"int64","type":"integer","description":"Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only."},"generateName":{"description":"GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will return a 409.\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency","type":"string"},"namespace":{"description":"Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces","type":"string"},"ownerReferences":{"type":"array","x-kubernetes-list-map-keys":["uid"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"uid","x-kubernetes-patch-strategy":"merge","description":"List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.OwnerReference"}},"resourceVersion":{"description":"An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency","type":"string"},"annotations":{"additionalProperties":{"type":"string"},"description":"Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations","type":"object"},"creationTimestamp":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time","description":"CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.\n\nPopulated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"},"finalizers":{"x-kubernetes-patch-strategy":"merge","description":"Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.","items":{"type":"string"},"type":"array","x-kubernetes-list-type":"set"},"labels":{"additionalProperties":{"type":"string"},"description":"Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels","type":"object"},"managedFields":{"items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry"},"type":"array","x-kubernetes-list-type":"atomic","description":"ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object."}},"type":"object"},"io.k8s.api.apps.v1.StatefulSetUpdateStrategy":{"type":"object","description":"StatefulSetUpdateStrategy indicates the strategy that the StatefulSet controller will use to perform updates. It includes any additional parameters necessary to perform the update for the indicated strategy.","properties":{"rollingUpdate":{"$ref":"#/definitions/io.k8s.api.apps.v1.RollingUpdateStatefulSetStrategy","description":"RollingUpdate is used to communicate parameters when Type is RollingUpdateStatefulSetStrategyType."},"type":{"type":"string","description":"Type indicates the type of the StatefulSetUpdateStrategy. Default is RollingUpdate."}}},"io.k8s.api.core.v1.CSIVolumeSource":{"required":["driver"],"type":"object","description":"Represents a source location of a volume to mount, managed by an external CSI driver","properties":{"volumeAttributes":{"additionalProperties":{"type":"string"},"description":"volumeAttributes stores driver-specific properties that are passed to the CSI driver. Consult your driver's documentation for supported values.","type":"object"},"driver":{"description":"driver is the name of the CSI driver that handles this volume. Consult with your admin for the correct name as registered in the cluster.","type":"string"},"fsType":{"description":"fsType to mount. Ex. \"ext4\", \"xfs\", \"ntfs\". If not provided, the empty value is passed to the associated CSI driver which will determine the default filesystem to apply.","type":"string"},"nodePublishSecretRef":{"$ref":"#/definitions/io.k8s.api.core.v1.LocalObjectReference","description":"nodePublishSecretRef is a reference to the secret object containing sensitive information to pass to the CSI driver to complete the CSI NodePublishVolume and NodeUnpublishVolume calls. This field is optional, and may be empty if no secret is required. If the secret object contains more than one secret, all secret references are passed."},"readOnly":{"type":"boolean","description":"readOnly specifies a read-only configuration for the volume. Defaults to false (read/write)."}}},"io.k8s.api.core.v1.VolumeNodeAffinity":{"description":"VolumeNodeAffinity defines constraints that limit what nodes this volume can be accessed from.","properties":{"required":{"$ref":"#/definitions/io.k8s.api.core.v1.NodeSelector","description":"required specifies hard node constraints that must be met."}},"type":"object"},"io.k8s.api.networking.v1.IngressClassList":{"properties":{"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta","description":"Standard list metadata."},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of IngressClasses.","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.IngressClass"},"type":"array"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["IngressClassList"]}},"required":["items"],"type":"object","x-kubernetes-group-version-kind":[{"version":"v1","group":"networking.k8s.io","kind":"IngressClassList"}],"description":"IngressClassList is a collection of IngressClasses."},"io.k8s.api.storage.v1.StorageClassList":{"type":"object","x-kubernetes-group-version-kind":[{"group":"storage.k8s.io","kind":"StorageClassList","version":"v1"}],"description":"StorageClassList is a collection of storage classes.","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of StorageClasses","items":{"$ref":"#/definitions/io.k8s.api.storage.v1.StorageClass"},"type":"array"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["StorageClassList"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta","description":"Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"}},"required":["items"]},"io.k8s.api.admissionregistration.v1beta1.ParamRef":{"description":"ParamRef describes how to locate the params to be used as input to expressions of rules applied by a policy binding.","properties":{"name":{"description":"name is the name of the resource being referenced.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset.\n\nA single parameter used for all admission requests can be configured by setting the `name` field, leaving `selector` blank, and setting namespace if `paramKind` is namespace-scoped.","type":"string"},"namespace":{"description":"namespace is the namespace of the referenced resource. Allows limiting the search for params to a specific namespace. Applies to both `name` and `selector` fields.\n\nA per-namespace parameter may be used by specifying a namespace-scoped `paramKind` in the policy and leaving this field empty.\n\n- If `paramKind` is cluster-scoped, this field MUST be unset. Setting this field results in a configuration error.\n\n- If `paramKind` is namespace-scoped, the namespace of the object being evaluated for admission will be used when this field is left unset. Take care that if this is left empty the binding must not match any cluster-scoped resources, which will result in an error.","type":"string"},"parameterNotFoundAction":{"type":"string","description":"`parameterNotFoundAction` controls the behavior of the binding when the resource exists, and name or selector is valid, but there are no parameters matched by the binding. If the value is set to `Allow`, then no matched parameters will be treated as successful validation by the binding. If set to `Deny`, then no matched parameters will be subject to the `failurePolicy` of the policy.\n\nAllowed values are `Allow` or `Deny`\n\nRequired"},"selector":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector","description":"selector can be used to match multiple param objects based on their labels. Supply selector: {} to match all resources of the ParamKind.\n\nIf multiple params are found, they are all evaluated with the policy expressions and the results are ANDed together.\n\nOne of `name` or `selector` must be set, but `name` and `selector` are mutually exclusive properties. If one is set, the other must be unset."}},"type":"object","x-kubernetes-map-type":"atomic"},"io.k8s.api.core.v1.EndpointSubset":{"description":"EndpointSubset is a group of addresses with a common set of ports. The expanded set of endpoints is the Cartesian product of Addresses x Ports. For example, given:\n\n\t{\n\t Addresses: [{\"ip\": \"10.10.1.1\"}, {\"ip\": \"10.10.2.2\"}],\n\t Ports: [{\"name\": \"a\", \"port\": 8675}, {\"name\": \"b\", \"port\": 309}]\n\t}\n\nThe resulting set of endpoints can be viewed as:\n\n\ta: [ 10.10.1.1:8675, 10.10.2.2:8675 ],\n\tb: [ 10.10.1.1:309, 10.10.2.2:309 ]\n\nDeprecated: This API is deprecated in v1.33+.","properties":{"ports":{"x-kubernetes-list-type":"atomic","description":"Port numbers available on the related IP addresses.","items":{"$ref":"#/definitions/io.k8s.api.core.v1.EndpointPort"},"type":"array"},"addresses":{"items":{"$ref":"#/definitions/io.k8s.api.core.v1.EndpointAddress"},"type":"array","x-kubernetes-list-type":"atomic","description":"IP addresses which offer the related ports that are marked as ready. These endpoints should be considered safe for load balancers and clients to utilize."},"notReadyAddresses":{"type":"array","x-kubernetes-list-type":"atomic","description":"IP addresses which offer the related ports but are not currently marked as ready because they have not yet finished starting, have recently failed a readiness check, or have recently failed a liveness check.","items":{"$ref":"#/definitions/io.k8s.api.core.v1.EndpointAddress"}}},"type":"object"},"io.k8s.api.policy.v1.PodDisruptionBudget":{"description":"PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["PodDisruptionBudget"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"},"spec":{"$ref":"#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetSpec","description":"Specification of the desired behavior of the PodDisruptionBudget."},"status":{"$ref":"#/definitions/io.k8s.api.policy.v1.PodDisruptionBudgetStatus","description":"Most recently observed status of the PodDisruptionBudget."}},"type":"object","x-kubernetes-group-version-kind":[{"kind":"PodDisruptionBudget","version":"v1","group":"policy"}]},"io.k8s.api.resource.v1beta1.DeviceAllocationConfiguration":{"description":"DeviceAllocationConfiguration gets embedded in an AllocationResult.","properties":{"opaque":{"description":"Opaque provides driver-specific configuration parameters.","$ref":"#/definitions/io.k8s.api.resource.v1beta1.OpaqueDeviceConfiguration"},"requests":{"description":"Requests lists the names of requests where the configuration applies. If empty, its applies to all requests.\n\nReferences to subrequests must include the name of the main request and may include the subrequest using the format
[/]. If just the main request is given, the configuration applies to all subrequests.","items":{"type":"string"},"type":"array","x-kubernetes-list-type":"atomic"},"source":{"description":"Source records whether the configuration comes from a class and thus is not something that a normal user would have been able to set or from a claim.","type":"string"}},"required":["source"],"type":"object"},"io.k8s.api.admissionregistration.v1.ExpressionWarning":{"type":"object","description":"ExpressionWarning is a warning information that targets a specific expression.","properties":{"fieldRef":{"description":"The path to the field that refers the expression. For example, the reference to the expression of the first item of validations is \"spec.validations[0].expression\"","type":"string"},"warning":{"description":"The content of type checking information in a human-readable form. Each line of the warning contains the type that the expression is checked against, followed by the type check error from the compiler.","type":"string"}},"required":["fieldRef","warning"]},"io.k8s.api.apps.v1.ReplicaSetStatus":{"description":"ReplicaSetStatus represents the current status of a ReplicaSet.","properties":{"availableReplicas":{"type":"integer","description":"The number of available non-terminating pods (ready for at least minReadySeconds) for this replica set.","format":"int32"},"conditions":{"type":"array","x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge","description":"Represents the latest available observations of a replica set's current state.","items":{"$ref":"#/definitions/io.k8s.api.apps.v1.ReplicaSetCondition"}},"fullyLabeledReplicas":{"format":"int32","type":"integer","description":"The number of non-terminating pods that have labels matching the labels of the pod template of the replicaset."},"observedGeneration":{"description":"ObservedGeneration reflects the generation of the most recently observed ReplicaSet.","format":"int64","type":"integer"},"readyReplicas":{"description":"The number of non-terminating pods targeted by this ReplicaSet with a Ready Condition.","format":"int32","type":"integer"},"replicas":{"format":"int32","type":"integer","description":"Replicas is the most recently observed number of non-terminating pods. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset"},"terminatingReplicas":{"description":"The number of terminating pods for this replica set. Terminating pods have a non-null .metadata.deletionTimestamp and have not yet reached the Failed or Succeeded .status.phase.\n\nThis is an alpha field. Enable DeploymentReplicaSetTerminatingReplicas to be able to use this field.","format":"int32","type":"integer"}},"required":["replicas"],"type":"object"},"io.k8s.api.autoscaling.v1.CrossVersionObjectReference":{"properties":{"name":{"type":"string","description":"name is the name of the referent; More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names"},"apiVersion":{"description":"apiVersion is the API version of the referent","type":"string"},"kind":{"description":"kind is the kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"}},"required":["kind","name"],"type":"object","x-kubernetes-map-type":"atomic","description":"CrossVersionObjectReference contains enough information to let you identify the referred resource."},"io.k8s.api.autoscaling.v2.HPAScalingRules":{"description":"HPAScalingRules configures the scaling behavior for one direction via scaling Policy Rules and a configurable metric tolerance.\n\nScaling Policy Rules are applied after calculating DesiredReplicas from metrics for the HPA. They can limit the scaling velocity by specifying scaling policies. They can prevent flapping by specifying the stabilization window, so that the number of replicas is not set instantly, instead, the safest value from the stabilization window is chosen.\n\nThe tolerance is applied to the metric values and prevents scaling too eagerly for small metric variations. (Note that setting a tolerance requires enabling the alpha HPAConfigurableTolerance feature gate.)","properties":{"tolerance":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity","description":"tolerance is the tolerance on the ratio between the current and desired metric value under which no updates are made to the desired number of replicas (e.g. 0.01 for 1%). Must be greater than or equal to zero. If not set, the default cluster-wide tolerance is applied (by default 10%).\n\nFor example, if autoscaling is configured with a memory consumption target of 100Mi, and scale-down and scale-up tolerances of 5% and 1% respectively, scaling will be triggered when the actual consumption falls below 95Mi or exceeds 101Mi.\n\nThis is an alpha field and requires enabling the HPAConfigurableTolerance feature gate."},"policies":{"type":"array","x-kubernetes-list-type":"atomic","description":"policies is a list of potential scaling polices which can be used during scaling. If not set, use the default values: - For scale up: allow doubling the number of pods, or an absolute change of 4 pods in a 15s window. - For scale down: allow all pods to be removed in a 15s window.","items":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.HPAScalingPolicy"}},"selectPolicy":{"description":"selectPolicy is used to specify which policy should be used. If not set, the default value Max is used.","type":"string"},"stabilizationWindowSeconds":{"description":"stabilizationWindowSeconds is the number of seconds for which past recommendations should be considered while scaling up or scaling down. StabilizationWindowSeconds must be greater than or equal to zero and less than or equal to 3600 (one hour). If not set, use the default values: - For scale up: 0 (i.e. no stabilization is done). - For scale down: 300 (i.e. the stabilization window is 300 seconds long).","format":"int32","type":"integer"}},"type":"object"},"io.k8s.api.core.v1.Namespace":{"description":"Namespace provides a scope for Names. Use of multiple namespaces is optional.","properties":{"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["Namespace"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"},"spec":{"$ref":"#/definitions/io.k8s.api.core.v1.NamespaceSpec","description":"Spec defines the behavior of the Namespace. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"},"status":{"$ref":"#/definitions/io.k8s.api.core.v1.NamespaceStatus","description":"Status describes the current status of a Namespace. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"}},"type":"object","x-kubernetes-group-version-kind":[{"group":"","kind":"Namespace","version":"v1"}]},"io.k8s.api.core.v1.ResourceQuotaList":{"required":["items"],"type":"object","x-kubernetes-group-version-kind":[{"group":"","kind":"ResourceQuotaList","version":"v1"}],"description":"ResourceQuotaList is a list of ResourceQuota items.","properties":{"apiVersion":{"type":"string","description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"},"items":{"type":"array","description":"Items is a list of ResourceQuota objects. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ResourceQuota"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["ResourceQuotaList"]},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}}},"io.k8s.api.flowcontrol.v1.FlowSchemaStatus":{"properties":{"conditions":{"x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge","description":"`conditions` is a list of the current states of FlowSchema.","items":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.FlowSchemaCondition"},"type":"array"}},"type":"object","description":"FlowSchemaStatus represents the current state of a FlowSchema."},"io.k8s.api.networking.v1.NetworkPolicySpec":{"description":"NetworkPolicySpec provides the specification of a NetworkPolicy","properties":{"egress":{"type":"array","x-kubernetes-list-type":"atomic","description":"egress is a list of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicyEgressRule"}},"ingress":{"description":"ingress is a list of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicyIngressRule"},"type":"array","x-kubernetes-list-type":"atomic"},"podSelector":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector","description":"podSelector selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace."},"policyTypes":{"x-kubernetes-list-type":"atomic","description":"policyTypes is a list of rule types that the NetworkPolicy relates to. Valid options are [\"Ingress\"], [\"Egress\"], or [\"Ingress\", \"Egress\"]. If this field is not specified, it will default based on the existence of ingress or egress rules; policies that contain an egress section are assumed to affect egress, and all policies (whether or not they contain an ingress section) are assumed to affect ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ \"Egress\" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include \"Egress\" (since such a policy would not include an egress section and would otherwise default to just [ \"Ingress\" ]). This field is beta-level in 1.8","items":{"type":"string"},"type":"array"}},"required":["podSelector"],"type":"object"},"io.k8s.api.apps.v1.DaemonSetList":{"description":"DaemonSetList is a collection of daemon sets.","properties":{"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta","description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"A list of daemon sets.","items":{"$ref":"#/definitions/io.k8s.api.apps.v1.DaemonSet"},"type":"array"},"kind":{"enum":["DaemonSetList"],"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"}},"required":["items"],"type":"object","x-kubernetes-group-version-kind":[{"version":"v1","group":"apps","kind":"DaemonSetList"}]},"io.k8s.api.core.v1.Pod":{"description":"Pod is a collection of containers that can run on a host. This resource is created by clients and scheduled onto hosts.","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["Pod"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"},"spec":{"$ref":"#/definitions/io.k8s.api.core.v1.PodSpec","description":"Specification of the desired behavior of the pod. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"},"status":{"$ref":"#/definitions/io.k8s.api.core.v1.PodStatus","description":"Most recently observed status of the pod. This data may not be up to date. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"}},"type":"object","x-kubernetes-group-version-kind":[{"group":"","kind":"Pod","version":"v1"}]},"io.k8s.api.core.v1.Volume":{"description":"Volume represents a named volume in a pod that may be accessed by any container in the pod.","properties":{"storageos":{"$ref":"#/definitions/io.k8s.api.core.v1.StorageOSVolumeSource","description":"storageOS represents a StorageOS volume attached and mounted on Kubernetes nodes. Deprecated: StorageOS is deprecated and the in-tree storageos type is no longer supported."},"azureDisk":{"$ref":"#/definitions/io.k8s.api.core.v1.AzureDiskVolumeSource","description":"azureDisk represents an Azure Data Disk mount on the host and bind mount to the pod. Deprecated: AzureDisk is deprecated. All operations for the in-tree azureDisk type are redirected to the disk.csi.azure.com CSI driver."},"gitRepo":{"$ref":"#/definitions/io.k8s.api.core.v1.GitRepoVolumeSource","description":"gitRepo represents a git repository at a particular revision. Deprecated: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container."},"glusterfs":{"$ref":"#/definitions/io.k8s.api.core.v1.GlusterfsVolumeSource","description":"glusterfs represents a Glusterfs mount on the host that shares a pod's lifetime. Deprecated: Glusterfs is deprecated and the in-tree glusterfs type is no longer supported. More info: https://examples.k8s.io/volumes/glusterfs/README.md"},"scaleIO":{"$ref":"#/definitions/io.k8s.api.core.v1.ScaleIOVolumeSource","description":"scaleIO represents a ScaleIO persistent volume attached and mounted on Kubernetes nodes. Deprecated: ScaleIO is deprecated and the in-tree scaleIO type is no longer supported."},"vsphereVolume":{"$ref":"#/definitions/io.k8s.api.core.v1.VsphereVirtualDiskVolumeSource","description":"vsphereVolume represents a vSphere volume attached and mounted on kubelets host machine. Deprecated: VsphereVolume is deprecated. All operations for the in-tree vsphereVolume type are redirected to the csi.vsphere.vmware.com CSI driver."},"iscsi":{"$ref":"#/definitions/io.k8s.api.core.v1.ISCSIVolumeSource","description":"iscsi represents an ISCSI Disk resource that is attached to a kubelet's host machine and then exposed to the pod. More info: https://examples.k8s.io/volumes/iscsi/README.md"},"persistentVolumeClaim":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaimVolumeSource","description":"persistentVolumeClaimVolumeSource represents a reference to a PersistentVolumeClaim in the same namespace. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims"},"quobyte":{"$ref":"#/definitions/io.k8s.api.core.v1.QuobyteVolumeSource","description":"quobyte represents a Quobyte mount on the host that shares a pod's lifetime. Deprecated: Quobyte is deprecated and the in-tree quobyte type is no longer supported."},"flocker":{"$ref":"#/definitions/io.k8s.api.core.v1.FlockerVolumeSource","description":"flocker represents a Flocker volume attached to a kubelet's host machine. This depends on the Flocker control service being running. Deprecated: Flocker is deprecated and the in-tree flocker type is no longer supported."},"gcePersistentDisk":{"$ref":"#/definitions/io.k8s.api.core.v1.GCEPersistentDiskVolumeSource","description":"gcePersistentDisk represents a GCE Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: GCEPersistentDisk is deprecated. All operations for the in-tree gcePersistentDisk type are redirected to the pd.csi.storage.gke.io CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk"},"configMap":{"$ref":"#/definitions/io.k8s.api.core.v1.ConfigMapVolumeSource","description":"configMap represents a configMap that should populate this volume"},"emptyDir":{"$ref":"#/definitions/io.k8s.api.core.v1.EmptyDirVolumeSource","description":"emptyDir represents a temporary directory that shares a pod's lifetime. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir"},"fc":{"$ref":"#/definitions/io.k8s.api.core.v1.FCVolumeSource","description":"fc represents a Fibre Channel resource that is attached to a kubelet's host machine and then exposed to the pod."},"name":{"description":"name of the volume. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"nfs":{"$ref":"#/definitions/io.k8s.api.core.v1.NFSVolumeSource","description":"nfs represents an NFS mount on the host that shares a pod's lifetime More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs"},"portworxVolume":{"$ref":"#/definitions/io.k8s.api.core.v1.PortworxVolumeSource","description":"portworxVolume represents a portworx volume attached and mounted on kubelets host machine. Deprecated: PortworxVolume is deprecated. All operations for the in-tree portworxVolume type are redirected to the pxd.portworx.com CSI driver when the CSIMigrationPortworx feature-gate is on."},"projected":{"$ref":"#/definitions/io.k8s.api.core.v1.ProjectedVolumeSource","description":"projected items for all in one resources secrets, configmaps, and downward API"},"flexVolume":{"$ref":"#/definitions/io.k8s.api.core.v1.FlexVolumeSource","description":"flexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin. Deprecated: FlexVolume is deprecated. Consider using a CSIDriver instead."},"rbd":{"$ref":"#/definitions/io.k8s.api.core.v1.RBDVolumeSource","description":"rbd represents a Rados Block Device mount on the host that shares a pod's lifetime. Deprecated: RBD is deprecated and the in-tree rbd type is no longer supported. More info: https://examples.k8s.io/volumes/rbd/README.md"},"cinder":{"$ref":"#/definitions/io.k8s.api.core.v1.CinderVolumeSource","description":"cinder represents a cinder volume attached and mounted on kubelets host machine. Deprecated: Cinder is deprecated. All operations for the in-tree cinder type are redirected to the cinder.csi.openstack.org CSI driver. More info: https://examples.k8s.io/mysql-cinder-pd/README.md"},"csi":{"$ref":"#/definitions/io.k8s.api.core.v1.CSIVolumeSource","description":"csi (Container Storage Interface) represents ephemeral storage that is handled by certain external CSI drivers."},"ephemeral":{"description":"ephemeral represents a volume that is handled by a cluster storage driver. The volume's lifecycle is tied to the pod that defines it - it will be created before the pod starts, and deleted when the pod is removed.\n\nUse this if: a) the volume is only needed while the pod runs, b) features of normal volumes like restoring from snapshot or capacity\n tracking are needed,\nc) the storage driver is specified through a storage class, and d) the storage driver supports dynamic volume provisioning through\n a PersistentVolumeClaim (see EphemeralVolumeSource for more\n information on the connection between this volume type\n and PersistentVolumeClaim).\n\nUse PersistentVolumeClaim or one of the vendor-specific APIs for volumes that persist for longer than the lifecycle of an individual pod.\n\nUse CSI for light-weight local ephemeral volumes if the CSI driver is meant to be used that way - see the documentation of the driver for more information.\n\nA pod can use both types of ephemeral volumes and persistent volumes at the same time.","$ref":"#/definitions/io.k8s.api.core.v1.EphemeralVolumeSource"},"awsElasticBlockStore":{"description":"awsElasticBlockStore represents an AWS Disk resource that is attached to a kubelet's host machine and then exposed to the pod. Deprecated: AWSElasticBlockStore is deprecated. All operations for the in-tree awsElasticBlockStore type are redirected to the ebs.csi.aws.com CSI driver. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore","$ref":"#/definitions/io.k8s.api.core.v1.AWSElasticBlockStoreVolumeSource"},"cephfs":{"$ref":"#/definitions/io.k8s.api.core.v1.CephFSVolumeSource","description":"cephFS represents a Ceph FS mount on the host that shares a pod's lifetime. Deprecated: CephFS is deprecated and the in-tree cephfs type is no longer supported."},"downwardAPI":{"description":"downwardAPI represents downward API about the pod that should populate this volume","$ref":"#/definitions/io.k8s.api.core.v1.DownwardAPIVolumeSource"},"secret":{"$ref":"#/definitions/io.k8s.api.core.v1.SecretVolumeSource","description":"secret represents a secret that should populate this volume. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret"},"azureFile":{"$ref":"#/definitions/io.k8s.api.core.v1.AzureFileVolumeSource","description":"azureFile represents an Azure File Service mount on the host and bind mount to the pod. Deprecated: AzureFile is deprecated. All operations for the in-tree azureFile type are redirected to the file.csi.azure.com CSI driver."},"hostPath":{"$ref":"#/definitions/io.k8s.api.core.v1.HostPathVolumeSource","description":"hostPath represents a pre-existing file or directory on the host machine that is directly exposed to the container. This is generally used for system agents or other privileged things that are allowed to see the host machine. Most containers will NOT need this. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath"},"image":{"$ref":"#/definitions/io.k8s.api.core.v1.ImageVolumeSource","description":"image represents an OCI object (a container image or artifact) pulled and mounted on the kubelet's host machine. The volume is resolved at pod startup depending on which PullPolicy value is provided:\n\n- Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. - Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. - IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.\n\nThe volume gets re-resolved if the pod gets deleted and recreated, which means that new remote content will become available on pod recreation. A failure to resolve or pull the image during pod startup will block containers from starting and may add significant latency. Failures will be retried using normal volume backoff and will be reported on the pod reason and message. The types of objects that may be mounted by this volume are defined by the container runtime implementation on a host machine and at minimum must include all valid types supported by the container image field. The OCI object gets mounted in a single directory (spec.containers[*].volumeMounts.mountPath) by merging the manifest layers in the same way as for container images. The volume will be mounted read-only (ro) and non-executable files (noexec). Sub path mounts for containers are not supported (spec.containers[*].volumeMounts.subpath) before 1.33. The field spec.securityContext.fsGroupChangePolicy has no effect on this volume type."},"photonPersistentDisk":{"$ref":"#/definitions/io.k8s.api.core.v1.PhotonPersistentDiskVolumeSource","description":"photonPersistentDisk represents a PhotonController persistent disk attached and mounted on kubelets host machine. Deprecated: PhotonPersistentDisk is deprecated and the in-tree photonPersistentDisk type is no longer supported."}},"required":["name"],"type":"object"},"io.k8s.api.networking.v1.ServiceCIDRSpec":{"type":"object","description":"ServiceCIDRSpec define the CIDRs the user wants to use for allocating ClusterIPs for Services.","properties":{"cidrs":{"description":"CIDRs defines the IP blocks in CIDR notation (e.g. \"192.168.0.0/24\" or \"2001:db8::/64\") from which to assign service cluster IPs. Max of two CIDRs is allowed, one of each IP family. This field is immutable.","items":{"type":"string"},"type":"array","x-kubernetes-list-type":"atomic"}}},"io.k8s.api.node.v1.Scheduling":{"description":"Scheduling specifies the scheduling constraints for nodes supporting a RuntimeClass.","properties":{"tolerations":{"x-kubernetes-list-type":"atomic","description":"tolerations are appended (excluding duplicates) to pods running with this RuntimeClass during admission, effectively unioning the set of nodes tolerated by the pod and the RuntimeClass.","items":{"$ref":"#/definitions/io.k8s.api.core.v1.Toleration"},"type":"array"},"nodeSelector":{"description":"nodeSelector lists labels that must be present on nodes that support this RuntimeClass. Pods using this RuntimeClass can only be scheduled to a node matched by this selector. The RuntimeClass nodeSelector is merged with a pod's existing nodeSelector. Any conflicts will cause the pod to be rejected in admission.","type":"object","x-kubernetes-map-type":"atomic","additionalProperties":{"type":"string"}}},"type":"object"},"io.k8s.api.resource.v1alpha3.Counter":{"type":"object","description":"Counter describes a quantity associated with a device.","properties":{"value":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity","description":"Value defines how much of a certain device counter is available."}},"required":["value"]},"io.k8s.api.resource.v1beta2.ResourceSliceList":{"description":"ResourceSliceList is a collection of ResourceSlices.","properties":{"apiVersion":{"type":"string","description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"},"items":{"description":"Items is the list of resource ResourceSlices.","items":{"$ref":"#/definitions/io.k8s.api.resource.v1beta2.ResourceSlice"},"type":"array"},"kind":{"enum":["ResourceSliceList"],"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta","description":"Standard list metadata"}},"required":["items"],"type":"object","x-kubernetes-group-version-kind":[{"group":"resource.k8s.io","kind":"ResourceSliceList","version":"v1beta2"}]},"io.k8s.api.storage.v1.VolumeNodeResources":{"description":"VolumeNodeResources is a set of resource limits for scheduling of volumes.","properties":{"count":{"description":"count indicates the maximum number of unique volumes managed by the CSI driver that can be used on a node. A volume that is both attached and mounted on a node is considered to be used once, not twice. The same rule applies for a unique volume that is shared among multiple pods on the same node. If this field is not specified, then the supported number of volumes on this node is unbounded.","format":"int32","type":"integer"}},"type":"object"},"io.k8s.api.autoscaling.v1.Scale":{"properties":{"spec":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.ScaleSpec","description":"spec defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status."},"status":{"$ref":"#/definitions/io.k8s.api.autoscaling.v1.ScaleStatus","description":"status is the current status of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. Read-only."},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["Scale"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata."}},"type":"object","x-kubernetes-group-version-kind":[{"group":"autoscaling","kind":"Scale","version":"v1"}],"description":"Scale represents a scaling request for a resource."},"io.k8s.api.coordination.v1beta1.LeaseCandidateSpec":{"type":"object","description":"LeaseCandidateSpec is a specification of a Lease.","properties":{"renewTime":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime","description":"RenewTime is the time that the LeaseCandidate was last updated. Any time a Lease needs to do leader election, the PingTime field is updated to signal to the LeaseCandidate that they should update the RenewTime. Old LeaseCandidate objects are also garbage collected if it has been hours since the last renew. The PingTime field is updated regularly to prevent garbage collection for still active LeaseCandidates."},"strategy":{"description":"Strategy is the strategy that coordinated leader election will use for picking the leader. If multiple candidates for the same Lease return different strategies, the strategy provided by the candidate with the latest BinaryVersion will be used. If there is still conflict, this is a user error and coordinated leader election will not operate the Lease until resolved.","type":"string"},"binaryVersion":{"description":"BinaryVersion is the binary version. It must be in a semver format without leading `v`. This field is required.","type":"string"},"emulationVersion":{"description":"EmulationVersion is the emulation version. It must be in a semver format without leading `v`. EmulationVersion must be less than or equal to BinaryVersion. This field is required when strategy is \"OldestEmulationVersion\"","type":"string"},"leaseName":{"description":"LeaseName is the name of the lease for which this candidate is contending. The limits on this field are the same as on Lease.name. Multiple lease candidates may reference the same Lease.name. This field is immutable.","type":"string"},"pingTime":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime","description":"PingTime is the last time that the server has requested the LeaseCandidate to renew. It is only done during leader election to check if any LeaseCandidates have become ineligible. When PingTime is updated, the LeaseCandidate will respond by updating RenewTime."}},"required":["leaseName","binaryVersion","strategy"]},"io.k8s.api.core.v1.Binding":{"description":"Binding ties one object to another; for example, a pod is bound to a node by a scheduler.","properties":{"apiVersion":{"type":"string","description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["Binding"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"},"target":{"$ref":"#/definitions/io.k8s.api.core.v1.ObjectReference","description":"The target object that you want to bind to the standard object."}},"required":["target"],"type":"object","x-kubernetes-group-version-kind":[{"kind":"Binding","version":"v1","group":""}]},"io.k8s.api.core.v1.EnvVar":{"description":"EnvVar represents an environment variable present in a Container.","properties":{"name":{"description":"Name of the environment variable. Must be a C_IDENTIFIER.","type":"string"},"value":{"description":"Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. \"$$(VAR_NAME)\" will produce the string literal \"$(VAR_NAME)\". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to \"\".","type":"string"},"valueFrom":{"$ref":"#/definitions/io.k8s.api.core.v1.EnvVarSource","description":"Source for the environment variable's value. Cannot be used if value is not empty."}},"required":["name"],"type":"object"},"io.k8s.api.core.v1.SecretVolumeSource":{"description":"Adapts a Secret into a volume.\n\nThe contents of the target Secret's Data field will be presented in a volume as files using the keys in the Data field as the file names. Secret volumes support ownership management and SELinux relabeling.","properties":{"defaultMode":{"description":"defaultMode is Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.","format":"int32","type":"integer"},"items":{"x-kubernetes-list-type":"atomic","description":"items If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.","items":{"$ref":"#/definitions/io.k8s.api.core.v1.KeyToPath"},"type":"array"},"optional":{"description":"optional field specify whether the Secret or its keys must be defined","type":"boolean"},"secretName":{"description":"secretName is the name of the secret in the pod's namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret","type":"string"}},"type":"object"},"io.k8s.api.core.v1.StorageOSPersistentVolumeSource":{"description":"Represents a StorageOS persistent volume resource.","properties":{"readOnly":{"description":"readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.","type":"boolean"},"secretRef":{"$ref":"#/definitions/io.k8s.api.core.v1.ObjectReference","description":"secretRef specifies the secret to use for obtaining the StorageOS API credentials. If not specified, default values will be attempted."},"volumeName":{"description":"volumeName is the human-readable name of the StorageOS volume. Volume names are only unique within a namespace.","type":"string"},"volumeNamespace":{"description":"volumeNamespace specifies the scope of the volume within StorageOS. If no namespace is specified then the Pod's namespace will be used. This allows the Kubernetes name scoping to be mirrored within StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to \"default\" if you are not using namespaces within StorageOS. Namespaces that do not pre-exist within StorageOS will be created.","type":"string"},"fsType":{"description":"fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.","type":"string"}},"type":"object"},"io.k8s.api.resource.v1alpha3.DeviceTaintSelector":{"description":"DeviceTaintSelector defines which device(s) a DeviceTaintRule applies to. The empty selector matches all devices. Without a selector, no devices are matched.","properties":{"device":{"type":"string","description":"If device is set, only devices with that name are selected. This field corresponds to slice.spec.devices[].name.\n\nSetting also driver and pool may be required to avoid ambiguity, but is not required."},"deviceClassName":{"description":"If DeviceClassName is set, the selectors defined there must be satisfied by a device to be selected. This field corresponds to class.metadata.name.","type":"string"},"driver":{"description":"If driver is set, only devices from that driver are selected. This fields corresponds to slice.spec.driver.","type":"string"},"pool":{"description":"If pool is set, only devices in that pool are selected.\n\nAlso setting the driver name may be useful to avoid ambiguity when different drivers use the same pool name, but this is not required because selecting pools from different drivers may also be useful, for example when drivers with node-local devices use the node name as their pool name.","type":"string"},"selectors":{"description":"Selectors contains the same selection criteria as a ResourceClaim. Currently, CEL expressions are supported. All of these selectors must be satisfied.","items":{"$ref":"#/definitions/io.k8s.api.resource.v1alpha3.DeviceSelector"},"type":"array","x-kubernetes-list-type":"atomic"}},"type":"object"},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionStatus":{"description":"CustomResourceDefinitionStatus indicates the state of the CustomResourceDefinition","properties":{"conditions":{"items":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionCondition"},"type":"array","x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","description":"conditions indicate state for particular aspects of a CustomResourceDefinition"},"storedVersions":{"description":"storedVersions lists all versions of CustomResources that were ever persisted. Tracking these versions allows a migration path for stored versions in etcd. The field is mutable so a migration controller can finish a migration to another version (ensuring no old objects are left in storage), and then remove the rest of the versions from this list. Versions may not be removed from `spec.versions` while they exist in this list.","items":{"type":"string"},"type":"array","x-kubernetes-list-type":"atomic"},"acceptedNames":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionNames","description":"acceptedNames are the names that are actually being used to serve discovery. They may be different than the names in spec."}},"type":"object"},"io.k8s.api.batch.v1.JobTemplateSpec":{"description":"JobTemplateSpec describes the data a Job should have when created from a template","properties":{"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"Standard object's metadata of the jobs created from this template. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"},"spec":{"$ref":"#/definitions/io.k8s.api.batch.v1.JobSpec","description":"Specification of the desired behavior of the job. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"}},"type":"object"},"io.k8s.api.core.v1.LimitRangeItem":{"description":"LimitRangeItem defines a min/max usage limit for any resource that matches on kind.","properties":{"maxLimitRequestRatio":{"additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"},"description":"MaxLimitRequestRatio if specified, the named resource must have a request and limit that are both non-zero where limit divided by request is less than or equal to the enumerated value; this represents the max burst for the named resource.","type":"object"},"min":{"additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"},"description":"Min usage constraints on this kind by resource name.","type":"object"},"type":{"type":"string","description":"Type of resource that this limit applies to."},"default":{"additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"},"description":"Default resource requirement limit value by resource name if resource limit is omitted.","type":"object"},"defaultRequest":{"type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"},"description":"DefaultRequest is the default resource requirement request value by resource name if resource request is omitted."},"max":{"additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"},"description":"Max usage constraints on this kind by resource name.","type":"object"}},"required":["type"],"type":"object"},"io.k8s.api.core.v1.NamespaceStatus":{"description":"NamespaceStatus is information about the current status of a Namespace.","properties":{"conditions":{"description":"Represents the latest available observations of a namespace's current state.","items":{"$ref":"#/definitions/io.k8s.api.core.v1.NamespaceCondition"},"type":"array","x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"phase":{"description":"Phase is the current lifecycle phase of the namespace. More info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/","type":"string"}},"type":"object"},"io.k8s.api.core.v1.ServiceStatus":{"type":"object","description":"ServiceStatus represents the current status of a service.","properties":{"conditions":{"type":"array","x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge","description":"Current service state","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition"}},"loadBalancer":{"$ref":"#/definitions/io.k8s.api.core.v1.LoadBalancerStatus","description":"LoadBalancer contains the current status of the load-balancer, if one is present."}}},"io.k8s.api.resource.v1alpha3.DeviceClaim":{"description":"DeviceClaim defines how to request devices with a ResourceClaim.","properties":{"config":{"x-kubernetes-list-type":"atomic","description":"This field holds configuration for multiple potential drivers which could satisfy requests in this claim. It is ignored while allocating the claim.","items":{"$ref":"#/definitions/io.k8s.api.resource.v1alpha3.DeviceClaimConfiguration"},"type":"array"},"constraints":{"description":"These constraints must be satisfied by the set of devices that get allocated for the claim.","items":{"$ref":"#/definitions/io.k8s.api.resource.v1alpha3.DeviceConstraint"},"type":"array","x-kubernetes-list-type":"atomic"},"requests":{"description":"Requests represent individual requests for distinct devices which must all be satisfied. If empty, nothing needs to be allocated.","items":{"$ref":"#/definitions/io.k8s.api.resource.v1alpha3.DeviceRequest"},"type":"array","x-kubernetes-list-type":"atomic"}},"type":"object"},"io.k8s.api.resource.v1alpha3.DeviceClaimConfiguration":{"description":"DeviceClaimConfiguration is used for configuration parameters in DeviceClaim.","properties":{"requests":{"type":"array","x-kubernetes-list-type":"atomic","description":"Requests lists the names of requests where the configuration applies. If empty, it applies to all requests.\n\nReferences to subrequests must include the name of the main request and may include the subrequest using the format
[/]. If just the main request is given, the configuration applies to all subrequests.","items":{"type":"string"}},"opaque":{"$ref":"#/definitions/io.k8s.api.resource.v1alpha3.OpaqueDeviceConfiguration","description":"Opaque provides driver-specific configuration parameters."}},"type":"object"},"io.k8s.api.resource.v1beta2.DeviceAttribute":{"properties":{"bool":{"description":"BoolValue is a true/false value.","type":"boolean"},"int":{"description":"IntValue is a number.","format":"int64","type":"integer"},"string":{"description":"StringValue is a string. Must not be longer than 64 characters.","type":"string"},"version":{"description":"VersionValue is a semantic version according to semver.org spec 2.0.0. Must not be longer than 64 characters.","type":"string"}},"type":"object","description":"DeviceAttribute must have exactly one field set."},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionList":{"description":"CustomResourceDefinitionList is a list of CustomResourceDefinition objects.","properties":{"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta","description":"Standard object's metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items list individual CustomResourceDefinition objects","items":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition"},"type":"array"},"kind":{"enum":["CustomResourceDefinitionList"],"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"}},"required":["items"],"type":"object","x-kubernetes-group-version-kind":[{"version":"v1","group":"apiextensions.k8s.io","kind":"CustomResourceDefinitionList"}]},"io.k8s.api.certificates.v1beta1.ClusterTrustBundleList":{"description":"ClusterTrustBundleList is a collection of ClusterTrustBundle objects","properties":{"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta","description":"metadata contains the list metadata."},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is a collection of ClusterTrustBundle objects","items":{"$ref":"#/definitions/io.k8s.api.certificates.v1beta1.ClusterTrustBundle"},"type":"array"},"kind":{"type":"string","enum":["ClusterTrustBundleList"],"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"}},"required":["items"],"type":"object","x-kubernetes-group-version-kind":[{"group":"certificates.k8s.io","kind":"ClusterTrustBundleList","version":"v1beta1"}]},"io.k8s.api.core.v1.ServiceList":{"x-kubernetes-group-version-kind":[{"group":"","kind":"ServiceList","version":"v1"}],"description":"ServiceList holds a list of services.","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of services","items":{"$ref":"#/definitions/io.k8s.api.core.v1.Service"},"type":"array"},"kind":{"enum":["ServiceList"],"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta","description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"}},"required":["items"],"type":"object"},"io.k8s.api.flowcontrol.v1.Subject":{"description":"Subject matches the originator of a request, as identified by the request authentication system. There are three ways of matching an originator; by user, group, or service account.","properties":{"group":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.GroupSubject","description":"`group` matches based on user group name."},"kind":{"description":"`kind` indicates which one of the other fields is non-empty. Required","type":"string"},"serviceAccount":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.ServiceAccountSubject","description":"`serviceAccount` matches ServiceAccounts."},"user":{"description":"`user` matches based on username.","$ref":"#/definitions/io.k8s.api.flowcontrol.v1.UserSubject"}},"required":["kind"],"type":"object","x-kubernetes-unions":[{"discriminator":"kind","fields-to-discriminateBy":{"group":"Group","serviceAccount":"ServiceAccount","user":"User"}}]},"io.k8s.api.networking.v1.NetworkPolicyIngressRule":{"description":"NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.","properties":{"from":{"description":"from is a list of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicyPeer"},"type":"array","x-kubernetes-list-type":"atomic"},"ports":{"description":"ports is a list of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicyPort"},"type":"array","x-kubernetes-list-type":"atomic"}},"type":"object"},"io.k8s.api.resource.v1beta2.AllocationResult":{"description":"AllocationResult contains attributes of an allocated resource.","properties":{"devices":{"$ref":"#/definitions/io.k8s.api.resource.v1beta2.DeviceAllocationResult","description":"Devices is the result of allocating devices."},"nodeSelector":{"$ref":"#/definitions/io.k8s.api.core.v1.NodeSelector","description":"NodeSelector defines where the allocated resources are available. If unset, they are available everywhere."}},"type":"object"},"io.k8s.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry":{"type":"object","description":"ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.","properties":{"time":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time","description":"Time is the timestamp of when the ManagedFields entry was added. The timestamp will also be updated if a field is added, the manager changes any of the owned fields value or removes a field. The timestamp does not update when a field is removed from the entry because another manager took it over."},"apiVersion":{"description":"APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.","type":"string"},"fieldsType":{"description":"FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"","type":"string"},"fieldsV1":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.FieldsV1","description":"FieldsV1 holds the first JSON version format as described in the \"FieldsV1\" type."},"manager":{"type":"string","description":"Manager is an identifier of the workflow managing these fields."},"operation":{"type":"string","description":"Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'."},"subresource":{"description":"Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.","type":"string"}}},"io.k8s.api.batch.v1.JobList":{"required":["items"],"type":"object","x-kubernetes-group-version-kind":[{"group":"batch","kind":"JobList","version":"v1"}],"description":"JobList is a collection of jobs.","properties":{"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["JobList"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta","description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"},"apiVersion":{"type":"string","description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"},"items":{"description":"items is the list of Jobs.","items":{"$ref":"#/definitions/io.k8s.api.batch.v1.Job"},"type":"array"}}},"io.k8s.api.core.v1.ContainerResizePolicy":{"required":["resourceName","restartPolicy"],"type":"object","description":"ContainerResizePolicy represents resource resize policy for the container.","properties":{"resourceName":{"description":"Name of the resource to which this resource resize policy applies. Supported values: cpu, memory.","type":"string"},"restartPolicy":{"description":"Restart policy to apply when specified resource is resized. If not specified, it defaults to NotRequired.","type":"string"}}},"io.k8s.api.admissionregistration.v1.AuditAnnotation":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: \"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.\n\nRequired.","type":"string"},"valueExpression":{"type":"string","description":"valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list.\n\nRequired."}},"required":["key","valueExpression"],"type":"object"},"io.k8s.api.certificates.v1alpha1.ClusterTrustBundleList":{"required":["items"],"type":"object","x-kubernetes-group-version-kind":[{"group":"certificates.k8s.io","kind":"ClusterTrustBundleList","version":"v1alpha1"}],"description":"ClusterTrustBundleList is a collection of ClusterTrustBundle objects","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is a collection of ClusterTrustBundle objects","items":{"$ref":"#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundle"},"type":"array"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["ClusterTrustBundleList"]},"metadata":{"description":"metadata contains the list metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}}},"io.k8s.api.core.v1.SessionAffinityConfig":{"description":"SessionAffinityConfig represents the configurations of session affinity.","properties":{"clientIP":{"$ref":"#/definitions/io.k8s.api.core.v1.ClientIPConfig","description":"clientIP contains the configurations of Client IP based session affinity."}},"type":"object"},"io.k8s.api.core.v1.VolumeMount":{"required":["name","mountPath"],"type":"object","description":"VolumeMount describes a mounting of a Volume within a container.","properties":{"mountPath":{"description":"Path within the container at which the volume should be mounted. Must not contain ':'.","type":"string"},"mountPropagation":{"description":"mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10. When RecursiveReadOnly is set to IfPossible or to Enabled, MountPropagation must be None or unspecified (which defaults to None).","type":"string"},"name":{"description":"This must match the Name of a Volume.","type":"string"},"readOnly":{"type":"boolean","description":"Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false."},"recursiveReadOnly":{"description":"RecursiveReadOnly specifies whether read-only mounts should be handled recursively.\n\nIf ReadOnly is false, this field has no meaning and must be unspecified.\n\nIf ReadOnly is true, and this field is set to Disabled, the mount is not made recursively read-only. If this field is set to IfPossible, the mount is made recursively read-only, if it is supported by the container runtime. If this field is set to Enabled, the mount is made recursively read-only if it is supported by the container runtime, otherwise the pod will not be started and an error will be generated to indicate the reason.\n\nIf this field is set to IfPossible or Enabled, MountPropagation must be set to None (or be unspecified, which defaults to None).\n\nIf this field is not specified, it is treated as an equivalent of Disabled.","type":"string"},"subPath":{"description":"Path within the volume from which the container's volume should be mounted. Defaults to \"\" (volume's root).","type":"string"},"subPathExpr":{"description":"Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to \"\" (volume's root). SubPathExpr and SubPath are mutually exclusive.","type":"string"}}},"io.k8s.api.resource.v1beta1.ResourceClaimTemplateSpec":{"required":["spec"],"type":"object","description":"ResourceClaimTemplateSpec contains the metadata and fields for a ResourceClaim.","properties":{"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"ObjectMeta may contain labels and annotations that will be copied into the ResourceClaim when creating it. No other fields are allowed and will be rejected during validation."},"spec":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.ResourceClaimSpec","description":"Spec for the ResourceClaim. The entire content is copied unchanged into the ResourceClaim that gets created from this template. The same fields as in a ResourceClaim are also valid here."}}},"io.k8s.api.core.v1.ReplicationControllerList":{"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"type":"array","description":"List of replication controllers. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ReplicationController"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["ReplicationControllerList"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta","description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"}},"required":["items"],"type":"object","x-kubernetes-group-version-kind":[{"group":"","kind":"ReplicationControllerList","version":"v1"}],"description":"ReplicationControllerList is a collection of replication controllers."},"io.k8s.api.core.v1.ResourceQuota":{"description":"ResourceQuota sets aggregate quota restrictions enforced per namespace","properties":{"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"$ref":"#/definitions/io.k8s.api.core.v1.ResourceQuotaSpec","description":"Spec defines the desired quota. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"},"status":{"$ref":"#/definitions/io.k8s.api.core.v1.ResourceQuotaStatus","description":"Status defines the actual enforced quota and its current usage. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["ResourceQuota"]}},"type":"object","x-kubernetes-group-version-kind":[{"group":"","kind":"ResourceQuota","version":"v1"}]},"io.k8s.api.networking.v1.NetworkPolicyPort":{"description":"NetworkPolicyPort describes a port to allow traffic on","properties":{"endPort":{"format":"int32","type":"integer","description":"endPort indicates that the range of ports from port to endPort if set, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port."},"port":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString","description":"port represents the port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched."},"protocol":{"description":"protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.","type":"string"}},"type":"object"},"io.k8s.api.networking.v1.ServiceCIDR":{"description":"ServiceCIDR defines a range of IP addresses using CIDR format (e.g. 192.168.0.0/24 or 2001:db2::/64). This range is used to allocate ClusterIPs to Service objects.","properties":{"status":{"$ref":"#/definitions/io.k8s.api.networking.v1.ServiceCIDRStatus","description":"status represents the current state of the ServiceCIDR. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["ServiceCIDR"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"},"spec":{"$ref":"#/definitions/io.k8s.api.networking.v1.ServiceCIDRSpec","description":"spec is the desired state of the ServiceCIDR. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"}},"type":"object","x-kubernetes-group-version-kind":[{"group":"networking.k8s.io","kind":"ServiceCIDR","version":"v1"}]},"io.k8s.api.resource.v1alpha3.DeviceClass":{"x-kubernetes-group-version-kind":[{"version":"v1alpha3","group":"resource.k8s.io","kind":"DeviceClass"}],"description":"DeviceClass is a vendor- or admin-provided resource that contains device configuration and selectors. It can be referenced in the device requests of a claim to apply these presets. Cluster scoped.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["DeviceClass"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"Standard object metadata"},"spec":{"$ref":"#/definitions/io.k8s.api.resource.v1alpha3.DeviceClassSpec","description":"Spec defines what can be allocated and how to configure it.\n\nThis is mutable. Consumers have to be prepared for classes changing at any time, either because they get updated or replaced. Claim allocations are done once based on whatever was set in classes at the time of allocation.\n\nChanging the spec automatically increments the metadata.generation number."}},"required":["spec"],"type":"object"},"io.k8s.api.coordination.v1.Lease":{"description":"Lease defines a lease concept.","properties":{"spec":{"$ref":"#/definitions/io.k8s.api.coordination.v1.LeaseSpec","description":"spec contains the specification of the Lease. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["Lease"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"}},"type":"object","x-kubernetes-group-version-kind":[{"group":"coordination.k8s.io","kind":"Lease","version":"v1"}]},"io.k8s.api.core.v1.LocalObjectReference":{"type":"object","x-kubernetes-map-type":"atomic","description":"LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.","properties":{"name":{"type":"string","description":"Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names"}}},"io.k8s.api.core.v1.NodeDaemonEndpoints":{"description":"NodeDaemonEndpoints lists ports opened by daemons running on the Node.","properties":{"kubeletEndpoint":{"$ref":"#/definitions/io.k8s.api.core.v1.DaemonEndpoint","description":"Endpoint on which Kubelet is listening."}},"type":"object"},"io.k8s.api.resource.v1beta2.ResourceClaim":{"required":["spec"],"type":"object","x-kubernetes-group-version-kind":[{"group":"resource.k8s.io","kind":"ResourceClaim","version":"v1beta2"}],"description":"ResourceClaim describes a request for access to resources in the cluster, for use by workloads. For example, if a workload needs an accelerator device with specific properties, this is how that request is expressed. The status stanza tracks whether this claim has been satisfied and what specific resources have been allocated.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.","properties":{"spec":{"$ref":"#/definitions/io.k8s.api.resource.v1beta2.ResourceClaimSpec","description":"Spec describes what is being requested and how to configure it. The spec is immutable."},"status":{"$ref":"#/definitions/io.k8s.api.resource.v1beta2.ResourceClaimStatus","description":"Status describes whether the claim is ready to use and what has been allocated."},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["ResourceClaim"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"Standard object metadata"}}},"io.k8s.api.authorization.v1.LabelSelectorAttributes":{"description":"LabelSelectorAttributes indicates a label limited access. Webhook authors are encouraged to * ensure rawSelector and requirements are not both set * consider the requirements field if set * not try to parse or consider the rawSelector field if set. This is to avoid another CVE-2022-2880 (i.e. getting different systems to agree on how exactly to parse a query is not something we want), see https://www.oxeye.io/resources/golang-parameter-smuggling-attack for more details. For the *SubjectAccessReview endpoints of the kube-apiserver: * If rawSelector is empty and requirements are empty, the request is not limited. * If rawSelector is present and requirements are empty, the rawSelector will be parsed and limited if the parsing succeeds. * If rawSelector is empty and requirements are present, the requirements should be honored * If rawSelector is present and requirements are present, the request is invalid.","properties":{"rawSelector":{"description":"rawSelector is the serialization of a field selector that would be included in a query parameter. Webhook implementations are encouraged to ignore rawSelector. The kube-apiserver's *SubjectAccessReview will parse the rawSelector as long as the requirements are not present.","type":"string"},"requirements":{"type":"array","x-kubernetes-list-type":"atomic","description":"requirements is the parsed interpretation of a label selector. All requirements must be met for a resource instance to match the selector. Webhook implementations should handle requirements, but how to handle them is up to the webhook. Since requirements can only limit the request, it is safe to authorize as unlimited request if the requirements are not understood.","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement"}}},"type":"object"},"io.k8s.api.core.v1.Sysctl":{"required":["name","value"],"type":"object","description":"Sysctl defines a kernel parameter to be set","properties":{"name":{"description":"Name of a property to set","type":"string"},"value":{"description":"Value of a property to set","type":"string"}}},"io.k8s.api.resource.v1beta1.AllocatedDeviceStatus":{"type":"object","description":"AllocatedDeviceStatus contains the status of an allocated device, if the driver chooses to report it. This may include driver-specific information.","properties":{"pool":{"description":"This name together with the driver name and the device name field identify which device was allocated (`//`).\n\nMust not be longer than 253 characters and may contain one or more DNS sub-domains separated by slashes.","type":"string"},"conditions":{"description":"Conditions contains the latest observation of the device's state. If the device has been configured according to the class and claim config references, the `Ready` condition should be True.\n\nMust not contain more than 8 entries.","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Condition"},"type":"array","x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map"},"data":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension","description":"Data contains arbitrary driver-specific data.\n\nThe length of the raw data must be smaller or equal to 10 Ki."},"device":{"description":"Device references one device instance via its name in the driver's resource pool. It must be a DNS label.","type":"string"},"driver":{"description":"Driver specifies the name of the DRA driver whose kubelet plugin should be invoked to process the allocation once the claim is needed on a node.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.","type":"string"},"networkData":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.NetworkDeviceData","description":"NetworkData contains network-related information specific to the device."}},"required":["driver","pool","device"]},"io.k8s.api.resource.v1beta1.ResourceSliceList":{"required":["items"],"type":"object","x-kubernetes-group-version-kind":[{"group":"resource.k8s.io","kind":"ResourceSliceList","version":"v1beta1"}],"description":"ResourceSliceList is a collection of ResourceSlices.","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is the list of resource ResourceSlices.","items":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.ResourceSlice"},"type":"array"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["ResourceSliceList"]},"metadata":{"description":"Standard list metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"}}},"io.k8s.api.storage.v1.VolumeAttachmentSource":{"description":"VolumeAttachmentSource represents a volume that should be attached. Right now only PersistentVolumes can be attached via external attacher, in the future we may allow also inline volumes in pods. Exactly one member can be set.","properties":{"inlineVolumeSpec":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeSpec","description":"inlineVolumeSpec contains all the information necessary to attach a persistent volume defined by a pod's inline VolumeSource. This field is populated only for the CSIMigration feature. It contains translated fields from a pod's inline VolumeSource to a PersistentVolumeSpec. This field is beta-level and is only honored by servers that enabled the CSIMigration feature."},"persistentVolumeName":{"description":"persistentVolumeName represents the name of the persistent volume to attach.","type":"string"}},"type":"object"},"io.k8s.api.certificates.v1alpha1.ClusterTrustBundle":{"description":"ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors (root certificates).\n\nClusterTrustBundle objects are considered to be readable by any authenticated user in the cluster, because they can be mounted by pods using the `clusterTrustBundle` projection. All service accounts have read access to ClusterTrustBundles by default. Users who only have namespace-level access to a cluster can read ClusterTrustBundles by impersonating a serviceaccount that they have access to.\n\nIt can be optionally associated with a particular assigner, in which case it contains one valid set of trust anchors for that signer. Signers may have multiple associated ClusterTrustBundles; each is an independent set of trust anchors for that signer. Admission control is used to enforce that only users with permissions on the signer can create or modify the corresponding bundle.","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["ClusterTrustBundle"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"metadata contains the object metadata."},"spec":{"$ref":"#/definitions/io.k8s.api.certificates.v1alpha1.ClusterTrustBundleSpec","description":"spec contains the signer (if any) and trust anchors."}},"required":["spec"],"type":"object","x-kubernetes-group-version-kind":[{"group":"certificates.k8s.io","kind":"ClusterTrustBundle","version":"v1alpha1"}]},"io.k8s.api.core.v1.EndpointAddress":{"properties":{"hostname":{"description":"The Hostname of this endpoint","type":"string"},"ip":{"description":"The IP of this endpoint. May not be loopback (127.0.0.0/8 or ::1), link-local (169.254.0.0/16 or fe80::/10), or link-local multicast (224.0.0.0/24 or ff02::/16).","type":"string"},"nodeName":{"description":"Optional: Node hosting this endpoint. This can be used to determine endpoints local to a node.","type":"string"},"targetRef":{"$ref":"#/definitions/io.k8s.api.core.v1.ObjectReference","description":"Reference to object providing the endpoint."}},"required":["ip"],"type":"object","x-kubernetes-map-type":"atomic","description":"EndpointAddress is a tuple that describes single IP address. Deprecated: This API is deprecated in v1.33+."},"io.k8s.api.core.v1.NodeConfigSource":{"description":"NodeConfigSource specifies a source of node configuration. Exactly one subfield (excluding metadata) must be non-nil. This API is deprecated since 1.22","properties":{"configMap":{"$ref":"#/definitions/io.k8s.api.core.v1.ConfigMapNodeConfigSource","description":"ConfigMap is a reference to a Node's ConfigMap"}},"type":"object"},"io.k8s.api.rbac.v1.ClusterRole":{"description":"ClusterRole is a cluster level, logical grouping of PolicyRules that can be referenced as a unit by a RoleBinding or ClusterRoleBinding.","properties":{"kind":{"type":"string","enum":["ClusterRole"],"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"Standard object's metadata."},"rules":{"description":"Rules holds all the PolicyRules for this ClusterRole","items":{"$ref":"#/definitions/io.k8s.api.rbac.v1.PolicyRule"},"type":"array","x-kubernetes-list-type":"atomic"},"aggregationRule":{"$ref":"#/definitions/io.k8s.api.rbac.v1.AggregationRule","description":"AggregationRule is an optional field that describes how to build the Rules for this ClusterRole. If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be stomped by the controller."},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"}},"type":"object","x-kubernetes-group-version-kind":[{"group":"rbac.authorization.k8s.io","kind":"ClusterRole","version":"v1"}]},"io.k8s.api.resource.v1beta1.AllocationResult":{"description":"AllocationResult contains attributes of an allocated resource.","properties":{"devices":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.DeviceAllocationResult","description":"Devices is the result of allocating devices."},"nodeSelector":{"$ref":"#/definitions/io.k8s.api.core.v1.NodeSelector","description":"NodeSelector defines where the allocated resources are available. If unset, they are available everywhere."}},"type":"object"},"io.k8s.api.batch.v1.SuccessPolicy":{"description":"SuccessPolicy describes when a Job can be declared as succeeded based on the success of some indexes.","properties":{"rules":{"description":"rules represents the list of alternative rules for the declaring the Jobs as successful before `.status.succeeded >= .spec.completions`. Once any of the rules are met, the \"SucceededCriteriaMet\" condition is added, and the lingering pods are removed. The terminal state for such a Job has the \"Complete\" condition. Additionally, these rules are evaluated in order; Once the Job meets one of the rules, other rules are ignored. At most 20 elements are allowed.","items":{"$ref":"#/definitions/io.k8s.api.batch.v1.SuccessPolicyRule"},"type":"array","x-kubernetes-list-type":"atomic"}},"required":["rules"],"type":"object"},"io.k8s.api.core.v1.EnvVarSource":{"description":"EnvVarSource represents a source for the value of an EnvVar.","properties":{"fieldRef":{"$ref":"#/definitions/io.k8s.api.core.v1.ObjectFieldSelector","description":"Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs."},"resourceFieldRef":{"$ref":"#/definitions/io.k8s.api.core.v1.ResourceFieldSelector","description":"Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported."},"secretKeyRef":{"$ref":"#/definitions/io.k8s.api.core.v1.SecretKeySelector","description":"Selects a key of a secret in the pod's namespace"},"configMapKeyRef":{"$ref":"#/definitions/io.k8s.api.core.v1.ConfigMapKeySelector","description":"Selects a key of a ConfigMap."}},"type":"object"},"io.k8s.api.core.v1.PodStatus":{"description":"PodStatus represents information about the status of a pod. Status may trail the actual state of a system, especially if the node that hosts the pod cannot contact the control plane.","properties":{"ephemeralContainerStatuses":{"x-kubernetes-list-type":"atomic","description":"Statuses for any ephemeral containers that have run in this pod. Each ephemeral container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ContainerStatus"},"type":"array"},"initContainerStatuses":{"description":"Statuses of init containers in this pod. The most recent successful non-restartable init container will have ready = true, the most recently started container will have startTime set. Each init container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-and-container-status","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ContainerStatus"},"type":"array","x-kubernetes-list-type":"atomic"},"podIPs":{"x-kubernetes-patch-strategy":"merge","description":"podIPs holds the IP addresses allocated to the pod. If this field is specified, the 0th entry must match the podIP field. Pods may be allocated at most 1 value for each of IPv4 and IPv6. This list is empty if no IPs have been allocated yet.","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PodIP"},"type":"array","x-kubernetes-list-map-keys":["ip"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"ip"},"resize":{"description":"Status of resources resize desired for pod's containers. It is empty if no resources resize is pending. Any changes to container resources will automatically set this to \"Proposed\" Deprecated: Resize status is moved to two pod conditions PodResizePending and PodResizeInProgress. PodResizePending will track states where the spec has been resized, but the Kubelet has not yet allocated the resources. PodResizeInProgress will track in-progress resizes, and should be present whenever allocated resources != acknowledged resources.","type":"string"},"hostIPs":{"x-kubernetes-list-type":"atomic","x-kubernetes-patch-merge-key":"ip","x-kubernetes-patch-strategy":"merge","description":"hostIPs holds the IP addresses allocated to the host. If this field is specified, the first entry must match the hostIP field. This list is empty if the pod has not started yet. A pod can be assigned to a node that has a problem in kubelet which in turns means that HostIPs will not be updated even if there is a node is assigned to this pod.","items":{"$ref":"#/definitions/io.k8s.api.core.v1.HostIP"},"type":"array"},"message":{"description":"A human readable message indicating details about why the pod is in this condition.","type":"string"},"podIP":{"description":"podIP address allocated to the pod. Routable at least within the cluster. Empty if not yet allocated.","type":"string"},"reason":{"description":"A brief CamelCase message indicating details about why the pod is in this state. e.g. 'Evicted'","type":"string"},"hostIP":{"description":"hostIP holds the IP address of the host to which the pod is assigned. Empty if the pod has not started yet. A pod can be assigned to a node that has a problem in kubelet which in turns mean that HostIP will not be updated even if there is a node is assigned to pod","type":"string"},"nominatedNodeName":{"type":"string","description":"nominatedNodeName is set only when this pod preempts other pods on the node, but it cannot be scheduled right away as preemption victims receive their graceful termination periods. This field does not guarantee that the pod will be scheduled on this node. Scheduler may decide to place the pod elsewhere if other nodes become available sooner. Scheduler may also decide to give the resources on this node to a higher priority pod that is created after preemption. As a result, this field may be different than PodSpec.nodeName when the pod is scheduled."},"phase":{"description":"The phase of a Pod is a simple, high-level summary of where the Pod is in its lifecycle. The conditions array, the reason and message fields, and the individual container status arrays contain more detail about the pod's status. There are five possible phase values:\n\nPending: The pod has been accepted by the Kubernetes system, but one or more of the container images has not been created. This includes time before being scheduled as well as time spent downloading images over the network, which could take a while. Running: The pod has been bound to a node, and all of the containers have been created. At least one container is still running, or is in the process of starting or restarting. Succeeded: All containers in the pod have terminated in success, and will not be restarted. Failed: All containers in the pod have terminated, and at least one container has terminated in failure. The container either exited with non-zero status or was terminated by the system. Unknown: For some reason the state of the pod could not be obtained, typically due to an error in communicating with the host of the pod.\n\nMore info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-phase","type":"string"},"startTime":{"description":"RFC 3339 date and time at which the object was acknowledged by the Kubelet. This is before the Kubelet pulled the container image(s) for the pod.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time"},"conditions":{"description":"Current service state of pod. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-conditions","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PodCondition"},"type":"array","x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"containerStatuses":{"description":"Statuses of containers in this pod. Each container in the pod should have at most one status in this list, and all statuses should be for containers in the pod. However this is not enforced. If a status for a non-existent container is present in the list, or the list has duplicate names, the behavior of various Kubernetes components is not defined and those statuses might be ignored. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#pod-and-container-status","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ContainerStatus"},"type":"array","x-kubernetes-list-type":"atomic"},"observedGeneration":{"description":"If set, this represents the .metadata.generation that the pod status was set based upon. This is an alpha field. Enable PodObservedGenerationTracking to be able to use this field.","format":"int64","type":"integer"},"qosClass":{"description":"The Quality of Service (QOS) classification assigned to the pod based on resource requirements See PodQOSClass type for available QOS classes More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-qos/#quality-of-service-classes","type":"string"},"resourceClaimStatuses":{"x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge,retainKeys","description":"Status of resource claims.","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PodResourceClaimStatus"},"type":"array","x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map"}},"type":"object"},"io.k8s.api.core.v1.RBDVolumeSource":{"description":"Represents a Rados Block Device mount that lasts the lifetime of a pod. RBD volumes support ownership management and SELinux relabeling.","properties":{"monitors":{"description":"monitors is a collection of Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","items":{"type":"string"},"type":"array","x-kubernetes-list-type":"atomic"},"pool":{"description":"pool is the rados pool name. Default is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"},"readOnly":{"description":"readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"boolean"},"secretRef":{"$ref":"#/definitions/io.k8s.api.core.v1.LocalObjectReference","description":"secretRef is name of the authentication secret for RBDUser. If provided overrides keyring. Default is nil. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it"},"user":{"description":"user is the rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"},"fsType":{"description":"fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd","type":"string"},"image":{"description":"image is the rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"},"keyring":{"description":"keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it","type":"string"}},"required":["monitors","image"],"type":"object"},"io.k8s.api.core.v1.ReplicationControllerSpec":{"description":"ReplicationControllerSpec is the specification of a replication controller.","properties":{"minReadySeconds":{"description":"Minimum number of seconds for which a newly created pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready)","format":"int32","type":"integer"},"replicas":{"description":"Replicas is the number of desired replicas. This is a pointer to distinguish between explicit zero and unspecified. Defaults to 1. More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#what-is-a-replicationcontroller","format":"int32","type":"integer"},"selector":{"additionalProperties":{"type":"string"},"description":"Selector is a label query over pods that should match the Replicas count. If Selector is empty, it is defaulted to the labels present on the Pod template. Label keys and values that must match in order to be controlled by this replication controller, if empty defaulted to labels on Pod template. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors","type":"object","x-kubernetes-map-type":"atomic"},"template":{"$ref":"#/definitions/io.k8s.api.core.v1.PodTemplateSpec","description":"Template is the object that describes the pod that will be created if insufficient replicas are detected. This takes precedence over a TemplateRef. The only allowed template.spec.restartPolicy value is \"Always\". More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template"}},"type":"object"},"io.k8s.api.resource.v1beta2.ResourcePool":{"properties":{"generation":{"format":"int64","type":"integer","description":"Generation tracks the change in a pool over time. Whenever a driver changes something about one or more of the resources in a pool, it must change the generation in all ResourceSlices which are part of that pool. Consumers of ResourceSlices should only consider resources from the pool with the highest generation number. The generation may be reset by drivers, which should be fine for consumers, assuming that all ResourceSlices in a pool are updated to match or deleted.\n\nCombined with ResourceSliceCount, this mechanism enables consumers to detect pools which are comprised of multiple ResourceSlices and are in an incomplete state."},"name":{"description":"Name is used to identify the pool. For node-local devices, this is often the node name, but this is not required.\n\nIt must not be longer than 253 characters and must consist of one or more DNS sub-domains separated by slashes. This field is immutable.","type":"string"},"resourceSliceCount":{"description":"ResourceSliceCount is the total number of ResourceSlices in the pool at this generation number. Must be greater than zero.\n\nConsumers can use this to check whether they have seen all ResourceSlices belonging to the same pool.","format":"int64","type":"integer"}},"required":["name","generation","resourceSliceCount"],"type":"object","description":"ResourcePool describes the pool that ResourceSlices belong to."},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaPropsOrBool":{"description":"JSONSchemaPropsOrBool represents JSONSchemaProps or a boolean value. Defaults to true for the boolean property."},"io.k8s.api.authentication.v1.TokenRequest":{"type":"object","x-kubernetes-group-version-kind":[{"group":"authentication.k8s.io","kind":"TokenRequest","version":"v1"}],"description":"TokenRequest requests a token for a given service account.","properties":{"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["TokenRequest"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"},"spec":{"$ref":"#/definitions/io.k8s.api.authentication.v1.TokenRequestSpec","description":"Spec holds information about the request being evaluated"},"status":{"$ref":"#/definitions/io.k8s.api.authentication.v1.TokenRequestStatus","description":"Status is filled in by the server and indicates whether the token can be authenticated."},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"}},"required":["spec"]},"io.k8s.api.batch.v1.UncountedTerminatedPods":{"description":"UncountedTerminatedPods holds UIDs of Pods that have terminated but haven't been accounted in Job status counters.","properties":{"failed":{"description":"failed holds UIDs of failed Pods.","items":{"type":"string"},"type":"array","x-kubernetes-list-type":"set"},"succeeded":{"description":"succeeded holds UIDs of succeeded Pods.","items":{"type":"string"},"type":"array","x-kubernetes-list-type":"set"}},"type":"object"},"io.k8s.api.coordination.v1alpha2.LeaseCandidateList":{"type":"object","x-kubernetes-group-version-kind":[{"group":"coordination.k8s.io","kind":"LeaseCandidateList","version":"v1alpha2"}],"description":"LeaseCandidateList is a list of Lease objects.","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is a list of schema objects.","items":{"$ref":"#/definitions/io.k8s.api.coordination.v1alpha2.LeaseCandidate"},"type":"array"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["LeaseCandidateList"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta","description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"}},"required":["items"]},"io.k8s.api.core.v1.DownwardAPIVolumeFile":{"description":"DownwardAPIVolumeFile represents information to create the file containing the pod field","properties":{"mode":{"description":"Optional: mode bits used to set permissions on this file, must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.","format":"int32","type":"integer"},"path":{"description":"Required: Path is the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'","type":"string"},"resourceFieldRef":{"$ref":"#/definitions/io.k8s.api.core.v1.ResourceFieldSelector","description":"Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, requests.cpu and requests.memory) are currently supported."},"fieldRef":{"$ref":"#/definitions/io.k8s.api.core.v1.ObjectFieldSelector","description":"Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported."}},"required":["path"],"type":"object"},"io.k8s.api.core.v1.PodTemplateList":{"description":"PodTemplateList is a list of PodTemplates.","properties":{"items":{"type":"array","description":"List of pod templates","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PodTemplate"}},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["PodTemplateList"]},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta"},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"}},"required":["items"],"type":"object","x-kubernetes-group-version-kind":[{"group":"","kind":"PodTemplateList","version":"v1"}]},"io.k8s.api.resource.v1beta1.NetworkDeviceData":{"description":"NetworkDeviceData provides network-related details for the allocated device. This information may be filled by drivers or other components to configure or identify the device within a network context.","properties":{"hardwareAddress":{"description":"HardwareAddress represents the hardware address (e.g. MAC Address) of the device's network interface.\n\nMust not be longer than 128 characters.","type":"string"},"interfaceName":{"description":"InterfaceName specifies the name of the network interface associated with the allocated device. This might be the name of a physical or virtual network interface being configured in the pod.\n\nMust not be longer than 256 characters.","type":"string"},"ips":{"description":"IPs lists the network addresses assigned to the device's network interface. This can include both IPv4 and IPv6 addresses. The IPs are in the CIDR notation, which includes both the address and the associated subnet mask. e.g.: \"192.0.2.5/24\" for IPv4 and \"2001:db8::5/64\" for IPv6.\n\nMust not contain more than 16 entries.","items":{"type":"string"},"type":"array","x-kubernetes-list-type":"atomic"}},"type":"object"},"io.k8s.api.authorization.v1.NonResourceAttributes":{"description":"NonResourceAttributes includes the authorization attributes available for non-resource requests to the Authorizer interface","properties":{"verb":{"description":"Verb is the standard HTTP verb","type":"string"},"path":{"description":"Path is the URL path of the request","type":"string"}},"type":"object"},"io.k8s.api.core.v1.ConfigMapVolumeSource":{"description":"Adapts a ConfigMap into a volume.\n\nThe contents of the target ConfigMap's Data field will be presented in a volume as files using the keys in the Data field as the file names, unless the items element is populated with specific mappings of keys to paths. ConfigMap volumes support ownership management and SELinux relabeling.","properties":{"optional":{"description":"optional specify whether the ConfigMap or its keys must be defined","type":"boolean"},"defaultMode":{"description":"defaultMode is optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.","format":"int32","type":"integer"},"items":{"description":"items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.","items":{"$ref":"#/definitions/io.k8s.api.core.v1.KeyToPath"},"type":"array","x-kubernetes-list-type":"atomic"},"name":{"description":"Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"}},"type":"object"},"io.k8s.api.flowcontrol.v1.LimitedPriorityLevelConfiguration":{"description":"LimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits. It addresses two issues:\n - How are requests for this priority level limited?\n - What should be done with requests that exceed the limit?","properties":{"borrowingLimitPercent":{"description":"`borrowingLimitPercent`, if present, configures a limit on how many seats this priority level can borrow from other priority levels. The limit is known as this level's BorrowingConcurrencyLimit (BorrowingCL) and is a limit on the total number of seats that this level may borrow at any one time. This field holds the ratio of that limit to the level's nominal concurrency limit. When this field is non-nil, it must hold a non-negative integer and the limit is calculated as follows.\n\nBorrowingCL(i) = round( NominalCL(i) * borrowingLimitPercent(i)/100.0 )\n\nThe value of this field can be more than 100, implying that this priority level can borrow a number of seats that is greater than its own nominal concurrency limit (NominalCL). When this field is left `nil`, the limit is effectively infinite.","format":"int32","type":"integer"},"lendablePercent":{"description":"`lendablePercent` prescribes the fraction of the level's NominalCL that can be borrowed by other priority levels. The value of this field must be between 0 and 100, inclusive, and it defaults to 0. The number of seats that other levels can borrow from this level, known as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.\n\nLendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )","format":"int32","type":"integer"},"limitResponse":{"$ref":"#/definitions/io.k8s.api.flowcontrol.v1.LimitResponse","description":"`limitResponse` indicates what to do with requests that can not be executed right now"},"nominalConcurrencyShares":{"description":"`nominalConcurrencyShares` (NCS) contributes to the computation of the NominalConcurrencyLimit (NominalCL) of this level. This is the number of execution seats available at this priority level. This is used both for requests dispatched from this priority level as well as requests dispatched from other priority levels borrowing seats from this level. The server's concurrency limit (ServerCL) is divided among the Limited priority levels in proportion to their NCS values:\n\nNominalCL(i) = ceil( ServerCL * NCS(i) / sum_ncs ) sum_ncs = sum[priority level k] NCS(k)\n\nBigger numbers mean a larger nominal concurrency limit, at the expense of every other priority level.\n\nIf not specified, this field defaults to a value of 30.\n\nSetting this field to zero supports the construction of a \"jail\" for this priority level that is used to hold some request(s)","format":"int32","type":"integer"}},"type":"object"},"io.k8s.api.flowcontrol.v1.ResourcePolicyRule":{"required":["verbs","apiGroups","resources"],"type":"object","description":"ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target resource. A ResourcePolicyRule matches a resource request if and only if: (a) at least one member of verbs matches the request, (b) at least one member of apiGroups matches the request, (c) at least one member of resources matches the request, and (d) either (d1) the request does not specify a namespace (i.e., `Namespace==\"\"`) and clusterScope is true or (d2) the request specifies a namespace and least one member of namespaces matches the request's namespace.","properties":{"namespaces":{"description":"`namespaces` is a list of target namespaces that restricts matches. A request that specifies a target namespace matches only if either (a) this list contains that target namespace or (b) this list contains \"*\". Note that \"*\" matches any specified namespace but does not match a request that _does not specify_ a namespace (see the `clusterScope` field for that). This list may be empty, but only if `clusterScope` is true.","items":{"type":"string"},"type":"array","x-kubernetes-list-type":"set"},"resources":{"description":"`resources` is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource. For example, [ \"services\", \"nodes/status\" ]. This list may not be empty. \"*\" matches all resources and, if present, must be the only entry. Required.","items":{"type":"string"},"type":"array","x-kubernetes-list-type":"set"},"verbs":{"description":"`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs and, if present, must be the only entry. Required.","items":{"type":"string"},"type":"array","x-kubernetes-list-type":"set"},"apiGroups":{"description":"`apiGroups` is a list of matching API groups and may not be empty. \"*\" matches all API groups and, if present, must be the only entry. Required.","items":{"type":"string"},"type":"array","x-kubernetes-list-type":"set"},"clusterScope":{"type":"boolean","description":"`clusterScope` indicates whether to match requests that do not specify a namespace (which happens either because the resource is not namespaced or the request targets all namespaces). If this field is omitted or false then the `namespaces` field must contain a non-empty list."}}},"io.k8s.api.flowcontrol.v1.UserSubject":{"type":"object","description":"UserSubject holds detailed information for user-kind subject.","properties":{"name":{"type":"string","description":"`name` is the username that matches, or \"*\" to match all usernames. Required."}},"required":["name"]},"io.k8s.api.policy.v1.Eviction":{"description":"Eviction evicts a pod from its node subject to certain policies and safety constraints. This is a subresource of Pod. A request to cause such an eviction is created by POSTing to .../pods//evictions.","properties":{"apiVersion":{"type":"string","description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"},"deleteOptions":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.DeleteOptions","description":"DeleteOptions may be provided"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["Eviction"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"ObjectMeta describes the pod that is being evicted."}},"type":"object","x-kubernetes-group-version-kind":[{"group":"policy","kind":"Eviction","version":"v1"}]},"io.k8s.api.resource.v1alpha3.ResourceClaimTemplateSpec":{"description":"ResourceClaimTemplateSpec contains the metadata and fields for a ResourceClaim.","properties":{"spec":{"$ref":"#/definitions/io.k8s.api.resource.v1alpha3.ResourceClaimSpec","description":"Spec for the ResourceClaim. The entire content is copied unchanged into the ResourceClaim that gets created from this template. The same fields as in a ResourceClaim are also valid here."},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"ObjectMeta may contain labels and annotations that will be copied into the ResourceClaim when creating it. No other fields are allowed and will be rejected during validation."}},"required":["spec"],"type":"object"},"io.k8s.api.apps.v1.StatefulSetSpec":{"description":"A StatefulSetSpec is the specification of a StatefulSet.","properties":{"selector":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector","description":"selector is a label query over pods that should match the replica count. It must match the pod template's labels. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors"},"volumeClaimTemplates":{"x-kubernetes-list-type":"atomic","description":"volumeClaimTemplates is a list of claims that pods are allowed to reference. The StatefulSet controller is responsible for mapping network identities to claims in a way that maintains the identity of a pod. Every claim in this list must have at least one matching (by name) volumeMount in one container in the template. A claim in this list takes precedence over any volumes in the template, with the same name.","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim"},"type":"array"},"ordinals":{"$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSetOrdinals","description":"ordinals controls the numbering of replica indices in a StatefulSet. The default ordinals behavior assigns a \"0\" index to the first replica and increments the index by one for each additional replica requested."},"podManagementPolicy":{"description":"podManagementPolicy controls how pods are created during initial scale up, when replacing pods on nodes, or when scaling down. The default policy is `OrderedReady`, where pods are created in increasing order (pod-0, then pod-1, etc) and the controller will wait until each pod is ready before continuing. When scaling down, the pods are removed in the opposite order. The alternative policy is `Parallel` which will create pods in parallel to match the desired scale without waiting, and on scale down will delete all pods at once.","type":"string"},"revisionHistoryLimit":{"description":"revisionHistoryLimit is the maximum number of revisions that will be maintained in the StatefulSet's revision history. The revision history consists of all revisions not represented by a currently applied StatefulSetSpec version. The default value is 10.","format":"int32","type":"integer"},"serviceName":{"description":"serviceName is the name of the service that governs this StatefulSet. This service must exist before the StatefulSet, and is responsible for the network identity of the set. Pods get DNS/hostnames that follow the pattern: pod-specific-string.serviceName.default.svc.cluster.local where \"pod-specific-string\" is managed by the StatefulSet controller.","type":"string"},"template":{"$ref":"#/definitions/io.k8s.api.core.v1.PodTemplateSpec","description":"template is the object that describes the pod that will be created if insufficient replicas are detected. Each pod stamped out by the StatefulSet will fulfill this Template, but have a unique identity from the rest of the StatefulSet. Each pod will be named with the format -. For example, a pod in a StatefulSet named \"web\" with index number \"3\" would be named \"web-3\". The only allowed template.spec.restartPolicy value is \"Always\"."},"updateStrategy":{"$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSetUpdateStrategy","description":"updateStrategy indicates the StatefulSetUpdateStrategy that will be employed to update Pods in the StatefulSet when a revision is made to Template."},"minReadySeconds":{"description":"Minimum number of seconds for which a newly created pod should be ready without any of its container crashing for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready)","format":"int32","type":"integer"},"persistentVolumeClaimRetentionPolicy":{"$ref":"#/definitions/io.k8s.api.apps.v1.StatefulSetPersistentVolumeClaimRetentionPolicy","description":"persistentVolumeClaimRetentionPolicy describes the lifecycle of persistent volume claims created from volumeClaimTemplates. By default, all persistent volume claims are created as needed and retained until manually deleted. This policy allows the lifecycle to be altered, for example by deleting persistent volume claims when their stateful set is deleted, or when their pod is scaled down."},"replicas":{"description":"replicas is the desired number of replicas of the given Template. These are replicas in the sense that they are instantiations of the same Template, but individual replicas also have a consistent identity. If unspecified, defaults to 1.","format":"int32","type":"integer"}},"required":["selector","template"],"type":"object"},"io.k8s.api.core.v1.SecretKeySelector":{"description":"SecretKeySelector selects a key of a Secret.","properties":{"key":{"description":"The key of the secret to select from. Must be a valid secret key.","type":"string"},"name":{"description":"Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the Secret or its key must be defined","type":"boolean"}},"required":["key"],"type":"object","x-kubernetes-map-type":"atomic"},"io.k8s.api.resource.v1alpha3.DeviceAttribute":{"description":"DeviceAttribute must have exactly one field set.","properties":{"bool":{"description":"BoolValue is a true/false value.","type":"boolean"},"int":{"description":"IntValue is a number.","format":"int64","type":"integer"},"string":{"description":"StringValue is a string. Must not be longer than 64 characters.","type":"string"},"version":{"description":"VersionValue is a semantic version according to semver.org spec 2.0.0. Must not be longer than 64 characters.","type":"string"}},"type":"object"},"io.k8s.api.resource.v1beta1.ResourcePool":{"properties":{"generation":{"type":"integer","description":"Generation tracks the change in a pool over time. Whenever a driver changes something about one or more of the resources in a pool, it must change the generation in all ResourceSlices which are part of that pool. Consumers of ResourceSlices should only consider resources from the pool with the highest generation number. The generation may be reset by drivers, which should be fine for consumers, assuming that all ResourceSlices in a pool are updated to match or deleted.\n\nCombined with ResourceSliceCount, this mechanism enables consumers to detect pools which are comprised of multiple ResourceSlices and are in an incomplete state.","format":"int64"},"name":{"description":"Name is used to identify the pool. For node-local devices, this is often the node name, but this is not required.\n\nIt must not be longer than 253 characters and must consist of one or more DNS sub-domains separated by slashes. This field is immutable.","type":"string"},"resourceSliceCount":{"description":"ResourceSliceCount is the total number of ResourceSlices in the pool at this generation number. Must be greater than zero.\n\nConsumers can use this to check whether they have seen all ResourceSlices belonging to the same pool.","format":"int64","type":"integer"}},"required":["name","generation","resourceSliceCount"],"type":"object","description":"ResourcePool describes the pool that ResourceSlices belong to."},"io.k8s.api.resource.v1beta1.ResourceSlice":{"description":"ResourceSlice represents one or more resources in a pool of similar resources, managed by a common driver. A pool may span more than one ResourceSlice, and exactly how many ResourceSlices comprise a pool is determined by the driver.\n\nAt the moment, the only supported resources are devices with attributes and capacities. Each device in a given pool, regardless of how many ResourceSlices, must have a unique name. The ResourceSlice in which a device gets published may change over time. The unique identifier for a device is the tuple , , .\n\nWhenever a driver needs to update a pool, it increments the pool.Spec.Pool.Generation number and updates all ResourceSlices with that new number and new resource definitions. A consumer must only use ResourceSlices with the highest generation number and ignore all others.\n\nWhen allocating all resources in a pool matching certain criteria or when looking for the best solution among several different alternatives, a consumer should check the number of ResourceSlices in a pool (included in each ResourceSlice) to determine whether its view of a pool is complete and if not, should wait until the driver has completed updating the pool.\n\nFor resources that are not local to a node, the node name is not set. Instead, the driver may use a node selector to specify where the devices are available.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate.","properties":{"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["ResourceSlice"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"Standard object metadata"},"spec":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.ResourceSliceSpec","description":"Contains the information published by the driver.\n\nChanging the spec automatically increments the metadata.generation number."},"apiVersion":{"type":"string","description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"}},"required":["spec"],"type":"object","x-kubernetes-group-version-kind":[{"group":"resource.k8s.io","kind":"ResourceSlice","version":"v1beta1"}]},"io.k8s.api.resource.v1beta2.NetworkDeviceData":{"description":"NetworkDeviceData provides network-related details for the allocated device. This information may be filled by drivers or other components to configure or identify the device within a network context.","properties":{"hardwareAddress":{"description":"HardwareAddress represents the hardware address (e.g. MAC Address) of the device's network interface.\n\nMust not be longer than 128 characters.","type":"string"},"interfaceName":{"description":"InterfaceName specifies the name of the network interface associated with the allocated device. This might be the name of a physical or virtual network interface being configured in the pod.\n\nMust not be longer than 256 characters.","type":"string"},"ips":{"description":"IPs lists the network addresses assigned to the device's network interface. This can include both IPv4 and IPv6 addresses. The IPs are in the CIDR notation, which includes both the address and the associated subnet mask. e.g.: \"192.0.2.5/24\" for IPv4 and \"2001:db8::5/64\" for IPv6.","items":{"type":"string"},"type":"array","x-kubernetes-list-type":"atomic"}},"type":"object"},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.ServiceReference":{"description":"ServiceReference holds a reference to Service.legacy.k8s.io","properties":{"namespace":{"description":"namespace is the namespace of the service. Required","type":"string"},"path":{"description":"path is an optional URL path at which the webhook will be contacted.","type":"string"},"port":{"type":"integer","description":"port is an optional service port at which the webhook will be contacted. `port` should be a valid port number (1-65535, inclusive). Defaults to 443 for backward compatibility.","format":"int32"},"name":{"description":"name is the name of the service. Required","type":"string"}},"required":["namespace","name"],"type":"object"},"io.k8s.apimachinery.pkg.apis.meta.v1.APIGroup":{"description":"APIGroup contains the name, the supported versions, and the preferred version of a group.","properties":{"preferredVersion":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.GroupVersionForDiscovery","description":"preferredVersion is the version preferred by the API server, which probably is the storage version."},"serverAddressByClientCIDRs":{"description":"a map of client CIDR to server address that is serving this group. This is to help clients reach servers in the most network-efficient way possible. Clients can use the appropriate server address as per the CIDR that they match. In case of multiple matches, clients should use the longest matching CIDR. The server returns only those CIDRs that it thinks that the client can match. For example: the master will return an internal IP CIDR only, if the client reaches the server using an internal IP. Server looks at X-Forwarded-For header or X-Real-Ip header or request.RemoteAddr (in that order) to get the client IP.","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ServerAddressByClientCIDR"},"type":"array","x-kubernetes-list-type":"atomic"},"versions":{"description":"versions are the versions supported in this group.","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.GroupVersionForDiscovery"},"type":"array","x-kubernetes-list-type":"atomic"},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["APIGroup"]},"name":{"description":"name is the name of the group.","type":"string"}},"required":["name","versions"],"type":"object","x-kubernetes-group-version-kind":[{"group":"","kind":"APIGroup","version":"v1"}]},"io.k8s.api.certificates.v1.CertificateSigningRequestSpec":{"description":"CertificateSigningRequestSpec contains the certificate request.","properties":{"uid":{"description":"uid contains the uid of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable.","type":"string"},"usages":{"x-kubernetes-list-type":"atomic","description":"usages specifies a set of key usages requested in the issued certificate.\n\nRequests for TLS client certificates typically request: \"digital signature\", \"key encipherment\", \"client auth\".\n\nRequests for TLS serving certificates typically request: \"key encipherment\", \"digital signature\", \"server auth\".\n\nValid values are:\n \"signing\", \"digital signature\", \"content commitment\",\n \"key encipherment\", \"key agreement\", \"data encipherment\",\n \"cert sign\", \"crl sign\", \"encipher only\", \"decipher only\", \"any\",\n \"server auth\", \"client auth\",\n \"code signing\", \"email protection\", \"s/mime\",\n \"ipsec end system\", \"ipsec tunnel\", \"ipsec user\",\n \"timestamping\", \"ocsp signing\", \"microsoft sgc\", \"netscape sgc\"","items":{"type":"string"},"type":"array"},"username":{"description":"username contains the name of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable.","type":"string"},"expirationSeconds":{"description":"expirationSeconds is the requested duration of validity of the issued certificate. The certificate signer may issue a certificate with a different validity duration so a client must check the delta between the notBefore and and notAfter fields in the issued certificate to determine the actual duration.\n\nThe v1.22+ in-tree implementations of the well-known Kubernetes signers will honor this field as long as the requested duration is not greater than the maximum duration they will honor per the --cluster-signing-duration CLI flag to the Kubernetes controller manager.\n\nCertificate signers may not honor this field for various reasons:\n\n 1. Old signer that is unaware of the field (such as the in-tree\n implementations prior to v1.22)\n 2. Signer whose configured maximum is shorter than the requested duration\n 3. Signer whose configured minimum is longer than the requested duration\n\nThe minimum valid value for expirationSeconds is 600, i.e. 10 minutes.","format":"int32","type":"integer"},"extra":{"additionalProperties":{"items":{"type":"string"},"type":"array"},"description":"extra contains extra attributes of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable.","type":"object"},"groups":{"type":"array","x-kubernetes-list-type":"atomic","description":"groups contains group membership of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable.","items":{"type":"string"}},"request":{"description":"request contains an x509 certificate signing request encoded in a \"CERTIFICATE REQUEST\" PEM block. When serialized as JSON or YAML, the data is additionally base64-encoded.","format":"byte","type":"string","x-kubernetes-list-type":"atomic"},"signerName":{"description":"signerName indicates the requested signer, and is a qualified name.\n\nList/watch requests for CertificateSigningRequests can filter on this field using a \"spec.signerName=NAME\" fieldSelector.\n\nWell-known Kubernetes signers are:\n 1. \"kubernetes.io/kube-apiserver-client\": issues client certificates that can be used to authenticate to kube-apiserver.\n Requests for this signer are never auto-approved by kube-controller-manager, can be issued by the \"csrsigning\" controller in kube-controller-manager.\n 2. \"kubernetes.io/kube-apiserver-client-kubelet\": issues client certificates that kubelets use to authenticate to kube-apiserver.\n Requests for this signer can be auto-approved by the \"csrapproving\" controller in kube-controller-manager, and can be issued by the \"csrsigning\" controller in kube-controller-manager.\n 3. \"kubernetes.io/kubelet-serving\" issues serving certificates that kubelets use to serve TLS endpoints, which kube-apiserver can connect to securely.\n Requests for this signer are never auto-approved by kube-controller-manager, and can be issued by the \"csrsigning\" controller in kube-controller-manager.\n\nMore details are available at https://k8s.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers\n\nCustom signerNames can also be specified. The signer defines:\n 1. Trust distribution: how trust (CA bundles) are distributed.\n 2. Permitted subjects: and behavior when a disallowed subject is requested.\n 3. Required, permitted, or forbidden x509 extensions in the request (including whether subjectAltNames are allowed, which types, restrictions on allowed values) and behavior when a disallowed extension is requested.\n 4. Required, permitted, or forbidden key usages / extended key usages.\n 5. Expiration/certificate lifetime: whether it is fixed by the signer, configurable by the admin.\n 6. Whether or not requests for CA certificates are allowed.","type":"string"}},"required":["request","signerName"],"type":"object"},"io.k8s.api.core.v1.DaemonEndpoint":{"description":"DaemonEndpoint contains information about a single Daemon endpoint.","properties":{"Port":{"format":"int32","type":"integer","description":"Port number of the given endpoint."}},"required":["Port"],"type":"object"},"io.k8s.api.core.v1.NodeSelector":{"required":["nodeSelectorTerms"],"type":"object","x-kubernetes-map-type":"atomic","description":"A node selector represents the union of the results of one or more label queries over a set of nodes; that is, it represents the OR of the selectors represented by the node selector terms.","properties":{"nodeSelectorTerms":{"description":"Required. A list of node selector terms. The terms are ORed.","items":{"$ref":"#/definitions/io.k8s.api.core.v1.NodeSelectorTerm"},"type":"array","x-kubernetes-list-type":"atomic"}}},"io.k8s.api.core.v1.PodAntiAffinity":{"description":"Pod anti affinity is a group of inter pod anti affinity scheduling rules.","properties":{"preferredDuringSchedulingIgnoredDuringExecution":{"type":"array","x-kubernetes-list-type":"atomic","description":"The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.","items":{"$ref":"#/definitions/io.k8s.api.core.v1.WeightedPodAffinityTerm"}},"requiredDuringSchedulingIgnoredDuringExecution":{"type":"array","x-kubernetes-list-type":"atomic","description":"If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PodAffinityTerm"}}},"type":"object"},"io.k8s.api.resource.v1beta2.OpaqueDeviceConfiguration":{"description":"OpaqueDeviceConfiguration contains configuration parameters for a driver in a format defined by the driver vendor.","properties":{"driver":{"description":"Driver is used to determine which kubelet plugin needs to be passed these configuration parameters.\n\nAn admission policy provided by the driver developer could use this to decide whether it needs to validate them.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver.","type":"string"},"parameters":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension","description":"Parameters can contain arbitrary data. It is the responsibility of the driver developer to handle validation and versioning. Typically this includes self-identification and a version (\"kind\" + \"apiVersion\" for Kubernetes types), with conversion between different versions.\n\nThe length of the raw data must be smaller or equal to 10 Ki."}},"required":["driver","parameters"],"type":"object"},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinition":{"required":["spec"],"type":"object","x-kubernetes-group-version-kind":[{"group":"apiextensions.k8s.io","kind":"CustomResourceDefinition","version":"v1"}],"description":"CustomResourceDefinition represents a resource that should be exposed on the API server. Its name MUST be in the format <.spec.name>.<.spec.group>.","properties":{"spec":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionSpec","description":"spec describes how the user wants the resources to appear"},"status":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionStatus","description":"status indicates the actual state of the CustomResourceDefinition"},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["CustomResourceDefinition"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"Standard object's metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"}}},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.WebhookClientConfig":{"description":"WebhookClientConfig contains the information to make a TLS connection with the webhook.","properties":{"caBundle":{"type":"string","description":"caBundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.","format":"byte"},"service":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.ServiceReference","description":"service is a reference to the service for this webhook. Either service or url must be specified.\n\nIf the webhook is running within the cluster, then you should use `service`."},"url":{"description":"url gives the location of the webhook, in standard URL form (`scheme://host:port/path`). Exactly one of `url` or `service` must be specified.\n\nThe `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.\n\nPlease note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.\n\nThe scheme must be \"https\"; the URL must begin with \"https://\".\n\nA path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.\n\nAttempting to use a user or basic auth e.g. \"user:password@\" is not allowed. Fragments (\"#...\") and query parameters (\"?...\") are not allowed, either.","type":"string"}},"type":"object"},"io.k8s.api.apps.v1.RollingUpdateDeployment":{"description":"Spec to control the desired behavior of rolling update.","properties":{"maxUnavailable":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString","description":"The maximum number of pods that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). Absolute number is calculated from percentage by rounding down. This can not be 0 if MaxSurge is 0. Defaults to 25%. Example: when this is set to 30%, the old ReplicaSet can be scaled down to 70% of desired pods immediately when the rolling update starts. Once new pods are ready, old ReplicaSet can be scaled down further, followed by scaling up the new ReplicaSet, ensuring that the total number of pods available at all times during the update is at least 70% of desired pods."},"maxSurge":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString","description":"The maximum number of pods that can be scheduled above the desired number of pods. Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%). This can not be 0 if MaxUnavailable is 0. Absolute number is calculated from percentage by rounding up. Defaults to 25%. Example: when this is set to 30%, the new ReplicaSet can be scaled up immediately when the rolling update starts, such that the total number of old and new pods do not exceed 130% of desired pods. Once old pods have been killed, new ReplicaSet can be scaled up further, ensuring that total number of pods running at any time during the update is at most 130% of desired pods."}},"type":"object"},"io.k8s.api.core.v1.PodAffinityTerm":{"description":"Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key matches that of any node on which a pod of the set of pods is running","properties":{"labelSelector":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector","description":"A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods."},"matchLabelKeys":{"description":"MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `labelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both matchLabelKeys and labelSelector. Also, matchLabelKeys cannot be set when labelSelector isn't set.","items":{"type":"string"},"type":"array","x-kubernetes-list-type":"atomic"},"mismatchLabelKeys":{"type":"array","x-kubernetes-list-type":"atomic","description":"MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `labelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both mismatchLabelKeys and labelSelector. Also, mismatchLabelKeys cannot be set when labelSelector isn't set.","items":{"type":"string"}},"namespaceSelector":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector","description":"A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means \"this pod's namespace\". An empty selector ({}) matches all namespaces."},"namespaces":{"description":"namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means \"this pod's namespace\".","items":{"type":"string"},"type":"array","x-kubernetes-list-type":"atomic"},"topologyKey":{"type":"string","description":"This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed."}},"required":["topologyKey"],"type":"object"},"io.k8s.api.core.v1.WeightedPodAffinityTerm":{"properties":{"podAffinityTerm":{"$ref":"#/definitions/io.k8s.api.core.v1.PodAffinityTerm","description":"Required. A pod affinity term, associated with the corresponding weight."},"weight":{"type":"integer","description":"weight associated with matching the corresponding podAffinityTerm, in the range 1-100.","format":"int32"}},"required":["weight","podAffinityTerm"],"type":"object","description":"The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)"},"io.k8s.api.storagemigration.v1alpha1.MigrationCondition":{"description":"Describes the state of a migration at a certain point.","properties":{"lastUpdateTime":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time","description":"The last time this condition was updated."},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type of the condition.","type":"string"}},"required":["type","status"],"type":"object"},"io.k8s.apimachinery.pkg.apis.meta.v1.Time":{"format":"date-time","type":"string","description":"Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers."},"io.k8s.api.apps.v1.ReplicaSet":{"description":"ReplicaSet ensures that a specified number of pod replicas are running at any given time.","properties":{"status":{"$ref":"#/definitions/io.k8s.api.apps.v1.ReplicaSetStatus","description":"Status is the most recently observed status of the ReplicaSet. This data may be out of date by some window of time. Populated by the system. Read-only. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["ReplicaSet"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"If the Labels of a ReplicaSet are empty, they are defaulted to be the same as the Pod(s) that the ReplicaSet manages. Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"},"spec":{"$ref":"#/definitions/io.k8s.api.apps.v1.ReplicaSetSpec","description":"Spec defines the specification of the desired behavior of the ReplicaSet. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"}},"type":"object","x-kubernetes-group-version-kind":[{"group":"apps","kind":"ReplicaSet","version":"v1"}]},"io.k8s.api.core.v1.ComponentStatus":{"type":"object","x-kubernetes-group-version-kind":[{"group":"","kind":"ComponentStatus","version":"v1"}],"description":"ComponentStatus (and ComponentStatusList) holds the cluster validation info. Deprecated: This API is deprecated in v1.19+","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"conditions":{"description":"List of component conditions observed","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ComponentCondition"},"type":"array","x-kubernetes-list-map-keys":["type"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"type","x-kubernetes-patch-strategy":"merge"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["ComponentStatus"]},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"}}},"io.k8s.api.core.v1.ImageVolumeSource":{"description":"ImageVolumeSource represents a image volume resource.","properties":{"pullPolicy":{"description":"Policy for pulling OCI objects. Possible values are: Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails. Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present. IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.","type":"string"},"reference":{"description":"Required: Image or artifact reference to be used. Behaves in the same way as pod.spec.containers[*].image. Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets. More info: https://kubernetes.io/docs/concepts/containers/images This field is optional to allow higher level config management to default or override container images in workload controllers like Deployments and StatefulSets.","type":"string"}},"type":"object"},"io.k8s.api.admissionregistration.v1.Validation":{"required":["expression"],"type":"object","description":"Validation specifies the CEL expression which is used to apply the validation.","properties":{"expression":{"description":"Expression represents the expression which will be evaluated by CEL. ref: https://github.com/google/cel-spec CEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests. - 'oldObject' - The existing object. The value is null for CREATE requests. - 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind. - 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources. - 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the object. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible. Accessible property names are escaped according to the following rules when accessed in the expression: - '__' escapes to '__underscores__' - '.' escapes to '__dot__' - '-' escapes to '__dash__' - '/' escapes to '__slash__' - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1]. Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their partial order.\n - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n non-intersecting keys are appended, retaining their partial order.\nRequired.","type":"string"},"message":{"description":"Message represents the message displayed when validation fails. The message is required if the Expression contains line breaks. The message must not contain line breaks. If unset, the message is \"failed rule: {Rule}\". e.g. \"must be a URL with the host matching spec.host\" If the Expression contains line breaks. Message is required. The message must not contain line breaks. If unset, the message is \"failed Expression: {Expression}\".","type":"string"},"messageExpression":{"description":"messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. Since messageExpression is used as a failure message, it must evaluate to a string. If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. Example: \"object.x must be less than max (\"+string(params.max)+\")\"","type":"string"},"reason":{"description":"Reason represents a machine-readable description of why this validation failed. If this is the first validation in the list to fail, this reason, as well as the corresponding HTTP response code, are used in the HTTP response to the client. The currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\". If not set, StatusReasonInvalid is used in the response to the client.","type":"string"}}},"io.k8s.api.core.v1.EventSeries":{"properties":{"count":{"description":"Number of occurrences in this series up to the last heartbeat time","format":"int32","type":"integer"},"lastObservedTime":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime","description":"Time of the last occurrence observed"}},"type":"object","description":"EventSeries contain information on series of events, i.e. thing that was/is happening continuously for some time."},"io.k8s.api.core.v1.Secret":{"description":"Secret holds secret data of a certain type. The total bytes of the values in the Data field must be less than MaxSecretSize bytes.","properties":{"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["Secret"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"},"stringData":{"type":"object","additionalProperties":{"type":"string"},"description":"stringData allows specifying non-binary secret data in string form. It is provided as a write-only input field for convenience. All keys and values are merged into the data field on write, overwriting any existing values. The stringData field is never output when reading from the API."},"type":{"description":"Used to facilitate programmatic handling of secret data. More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types","type":"string"},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"data":{"description":"Data contains the secret data. Each key must consist of alphanumeric characters, '-', '_' or '.'. The serialized form of the secret data is a base64 encoded string, representing the arbitrary (possibly non-string) data value here. Described in https://tools.ietf.org/html/rfc4648#section-4","type":"object","additionalProperties":{"type":"string","format":"byte"}},"immutable":{"description":"Immutable, if set to true, ensures that data stored in the Secret cannot be updated (only object metadata can be modified). If not set to true, the field can be modified at any time. Defaulted to nil.","type":"boolean"}},"type":"object","x-kubernetes-group-version-kind":[{"group":"","kind":"Secret","version":"v1"}]},"io.k8s.api.core.v1.ServicePort":{"properties":{"port":{"description":"The port that will be exposed by this service.","format":"int32","type":"integer"},"protocol":{"description":"The IP protocol for this port. Supports \"TCP\", \"UDP\", and \"SCTP\". Default is TCP.","type":"string"},"targetPort":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.util.intstr.IntOrString","description":"Number or name of the port to access on the pods targeted by the service. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. If this is a string, it will be looked up as a named port in the target Pod's container ports. If this is not specified, the value of the 'port' field is used (an identity map). This field is ignored for services with clusterIP=None, and should be omitted or set equal to the 'port' field. More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service"},"appProtocol":{"description":"The application protocol for this port. This is used as a hint for implementations to offer richer behavior for protocols that they understand. This field follows standard Kubernetes label syntax. Valid values are either:\n\n* Un-prefixed protocol names - reserved for IANA standard service names (as per RFC-6335 and https://www.iana.org/assignments/service-names).\n\n* Kubernetes-defined prefixed names:\n * 'kubernetes.io/h2c' - HTTP/2 prior knowledge over cleartext as described in https://www.rfc-editor.org/rfc/rfc9113.html#name-starting-http-2-with-prior-\n * 'kubernetes.io/ws' - WebSocket over cleartext as described in https://www.rfc-editor.org/rfc/rfc6455\n * 'kubernetes.io/wss' - WebSocket over TLS as described in https://www.rfc-editor.org/rfc/rfc6455\n\n* Other protocols should use implementation-defined prefixed names such as mycompany.com/my-custom-protocol.","type":"string"},"name":{"type":"string","description":"The name of this port within the service. This must be a DNS_LABEL. All ports within a ServiceSpec must have unique names. When considering the endpoints for a Service, this must match the 'name' field in the EndpointPort. Optional if only one ServicePort is defined on this service."},"nodePort":{"description":"The port on each node on which this service is exposed when type is NodePort or LoadBalancer. Usually assigned by the system. If a value is specified, in-range, and not in use it will be used, otherwise the operation will fail. If not specified, a port will be allocated if this Service requires one. If this field is specified when creating a Service which does not need it, creation will fail. This field will be wiped when updating a Service to no longer need it (e.g. changing type from NodePort to ClusterIP). More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport","format":"int32","type":"integer"}},"required":["port"],"type":"object","description":"ServicePort contains information on service's port."},"io.k8s.api.networking.v1.ServiceCIDRList":{"required":["items"],"type":"object","x-kubernetes-group-version-kind":[{"group":"networking.k8s.io","kind":"ServiceCIDRList","version":"v1"}],"description":"ServiceCIDRList contains a list of ServiceCIDR objects.","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is the list of ServiceCIDRs.","items":{"$ref":"#/definitions/io.k8s.api.networking.v1.ServiceCIDR"},"type":"array"},"kind":{"type":"string","enum":["ServiceCIDRList"],"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta","description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"}}},"io.k8s.api.rbac.v1.RoleList":{"description":"RoleList is a collection of Roles","properties":{"items":{"items":{"$ref":"#/definitions/io.k8s.api.rbac.v1.Role"},"type":"array","description":"Items is a list of Roles"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["RoleList"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta","description":"Standard object's metadata."},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"}},"required":["items"],"type":"object","x-kubernetes-group-version-kind":[{"group":"rbac.authorization.k8s.io","kind":"RoleList","version":"v1"}]},"io.k8s.api.resource.v1alpha3.ResourceClaimSpec":{"description":"ResourceClaimSpec defines what is being requested in a ResourceClaim and how to configure it.","properties":{"devices":{"description":"Devices defines how to request devices.","$ref":"#/definitions/io.k8s.api.resource.v1alpha3.DeviceClaim"}},"type":"object"},"io.k8s.api.admissionregistration.v1alpha1.Variable":{"properties":{"expression":{"type":"string","description":"Expression is the expression that will be evaluated as the value of the variable. The CEL expression has access to the same identifiers as the CEL expressions in Validation."},"name":{"description":"Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. The variable can be accessed in other expressions through `variables` For example, if name is \"foo\", the variable will be available as `variables.foo`","type":"string"}},"required":["name","expression"],"type":"object","description":"Variable is the definition of a variable that is used for composition."},"io.k8s.api.admissionregistration.v1beta1.ParamKind":{"description":"ParamKind is a tuple of Group Kind and Version.","properties":{"apiVersion":{"description":"APIVersion is the API group version the resources belong to. In format of \"group/version\". Required.","type":"string"},"kind":{"description":"Kind is the API kind the resources belong to. Required.","type":"string"}},"type":"object","x-kubernetes-map-type":"atomic"},"io.k8s.api.discovery.v1.Endpoint":{"description":"Endpoint represents a single logical \"backend\" implementing a service.","properties":{"hostname":{"description":"hostname of this endpoint. This field may be used by consumers of endpoints to distinguish endpoints from each other (e.g. in DNS names). Multiple endpoints which use the same hostname should be considered fungible (e.g. multiple A values in DNS). Must be lowercase and pass DNS Label (RFC 1123) validation.","type":"string"},"nodeName":{"type":"string","description":"nodeName represents the name of the Node hosting this endpoint. This can be used to determine endpoints local to a Node."},"targetRef":{"description":"targetRef is a reference to a Kubernetes object that represents this endpoint.","$ref":"#/definitions/io.k8s.api.core.v1.ObjectReference"},"zone":{"description":"zone is the name of the Zone this endpoint exists in.","type":"string"},"addresses":{"description":"addresses of this endpoint. For EndpointSlices of addressType \"IPv4\" or \"IPv6\", the values are IP addresses in canonical form. The syntax and semantics of other addressType values are not defined. This must contain at least one address but no more than 100. EndpointSlices generated by the EndpointSlice controller will always have exactly 1 address. No semantics are defined for additional addresses beyond the first, and kube-proxy does not look at them.","items":{"type":"string"},"type":"array","x-kubernetes-list-type":"set"},"conditions":{"$ref":"#/definitions/io.k8s.api.discovery.v1.EndpointConditions","description":"conditions contains information about the current status of the endpoint."},"deprecatedTopology":{"additionalProperties":{"type":"string"},"description":"deprecatedTopology contains topology information part of the v1beta1 API. This field is deprecated, and will be removed when the v1beta1 API is removed (no sooner than kubernetes v1.24). While this field can hold values, it is not writable through the v1 API, and any attempts to write to it will be silently ignored. Topology information can be found in the zone and nodeName fields instead.","type":"object"},"hints":{"description":"hints contains information associated with how an endpoint should be consumed.","$ref":"#/definitions/io.k8s.api.discovery.v1.EndpointHints"}},"required":["addresses"],"type":"object"},"io.k8s.api.resource.v1beta1.Device":{"description":"Device represents one individual hardware instance that can be selected based on its attributes. Besides the name, exactly one field must be set.","properties":{"basic":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.BasicDevice","description":"Basic defines one device instance."},"name":{"type":"string","description":"Name is unique identifier among all devices managed by the driver in the pool. It must be a DNS label."}},"required":["name"],"type":"object"},"io.k8s.api.networking.v1.IngressClass":{"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["IngressClass"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"},"spec":{"$ref":"#/definitions/io.k8s.api.networking.v1.IngressClassSpec","description":"spec is the desired state of the IngressClass. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"}},"type":"object","x-kubernetes-group-version-kind":[{"version":"v1","group":"networking.k8s.io","kind":"IngressClass"}],"description":"IngressClass represents the class of the Ingress, referenced by the Ingress Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be used to indicate that an IngressClass should be considered default. When a single IngressClass resource has this annotation set to true, new Ingress resources without a class specified will be assigned this default class."},"io.k8s.api.admissionregistration.v1beta1.AuditAnnotation":{"description":"AuditAnnotation describes how to produce an audit annotation for an API request.","properties":{"key":{"description":"key specifies the audit annotation key. The audit annotation keys of a ValidatingAdmissionPolicy must be unique. The key must be a qualified name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the ValidatingAdmissionPolicy to construct an audit annotation key: \"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy and the same audit annotation key, the annotation key will be identical. In this case, the first annotation written with the key will be included in the audit event and all subsequent annotations with the same key will be discarded.\n\nRequired.","type":"string"},"valueExpression":{"description":"valueExpression represents the expression which is evaluated by CEL to produce an audit annotation value. The expression must evaluate to either a string or null value. If the expression evaluates to a string, the audit annotation is included with the string value. If the expression evaluates to null or empty string the audit annotation will be omitted. The valueExpression may be no longer than 5kb in length. If the result of the valueExpression is more than 10kb in length, it will be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an API request, then the valueExpression will be evaluated for each binding. All unique values produced by the valueExpressions will be joined together in a comma-separated list.\n\nRequired.","type":"string"}},"required":["key","valueExpression"],"type":"object"},"io.k8s.api.core.v1.NodeSelectorRequirement":{"type":"object","description":"A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.","properties":{"values":{"x-kubernetes-list-type":"atomic","description":"An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.","items":{"type":"string"},"type":"array"},"key":{"type":"string","description":"The label key that the selector applies to."},"operator":{"description":"Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.","type":"string"}},"required":["key","operator"]},"io.k8s.api.core.v1.PodList":{"required":["items"],"type":"object","x-kubernetes-group-version-kind":[{"group":"","kind":"PodList","version":"v1"}],"description":"PodList is a list of Pods.","properties":{"apiVersion":{"type":"string","description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"},"items":{"description":"List of pods. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md","items":{"$ref":"#/definitions/io.k8s.api.core.v1.Pod"},"type":"array"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["PodList"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta","description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"}}},"io.k8s.api.core.v1.PortworxVolumeSource":{"description":"PortworxVolumeSource represents a Portworx volume resource.","properties":{"fsType":{"description":"fSType represents the filesystem type to mount Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\". Implicitly inferred to be \"ext4\" if unspecified.","type":"string"},"readOnly":{"description":"readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.","type":"boolean"},"volumeID":{"description":"volumeID uniquely identifies a Portworx volume","type":"string"}},"required":["volumeID"],"type":"object"},"io.k8s.api.core.v1.ResourceHealth":{"description":"ResourceHealth represents the health of a resource. It has the latest device health information. This is a part of KEP https://kep.k8s.io/4680.","properties":{"health":{"description":"Health of the resource. can be one of:\n - Healthy: operates as normal\n - Unhealthy: reported unhealthy. We consider this a temporary health issue\n since we do not have a mechanism today to distinguish\n temporary and permanent issues.\n - Unknown: The status cannot be determined.\n For example, Device Plugin got unregistered and hasn't been re-registered since.\n\nIn future we may want to introduce the PermanentlyUnhealthy Status.","type":"string"},"resourceID":{"description":"ResourceID is the unique identifier of the resource. See the ResourceID type for more information.","type":"string"}},"required":["resourceID"],"type":"object"},"io.k8s.api.flowcontrol.v1.NonResourcePolicyRule":{"description":"NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.","properties":{"nonResourceURLs":{"type":"array","x-kubernetes-list-type":"set","description":"`nonResourceURLs` is a set of url prefixes that a user should have access to and may not be empty. For example:\n - \"/healthz\" is legal\n - \"/hea*\" is illegal\n - \"/hea\" is legal but matches nothing\n - \"/hea/*\" also matches nothing\n - \"/healthz/*\" matches all per-component health checks.\n\"*\" matches all non-resource urls. if it is present, it must be the only entry. Required.","items":{"type":"string"}},"verbs":{"description":"`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs. If it is present, it must be the only entry. Required.","items":{"type":"string"},"type":"array","x-kubernetes-list-type":"set"}},"required":["verbs","nonResourceURLs"],"type":"object"},"io.k8s.apimachinery.pkg.apis.meta.v1.MicroTime":{"description":"MicroTime is version of Time with microsecond level precision.","format":"date-time","type":"string"},"io.k8s.api.batch.v1.JobCondition":{"properties":{"lastProbeTime":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time","description":"Last time the condition was checked."},"lastTransitionTime":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time","description":"Last time the condition transit from one status to another."},"message":{"type":"string","description":"Human readable message indicating details about last transition."},"reason":{"type":"string","description":"(brief) reason for the condition's last transition."},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type of job condition, Complete or Failed.","type":"string"}},"required":["type","status"],"type":"object","description":"JobCondition describes current state of a job."},"io.k8s.api.core.v1.NodeConfigStatus":{"description":"NodeConfigStatus describes the status of the config assigned by Node.Spec.ConfigSource.","properties":{"lastKnownGood":{"$ref":"#/definitions/io.k8s.api.core.v1.NodeConfigSource","description":"LastKnownGood reports the checkpointed config the node will fall back to when it encounters an error attempting to use the Assigned config. The Assigned config becomes the LastKnownGood config when the node determines that the Assigned config is stable and correct. This is currently implemented as a 10-minute soak period starting when the local record of Assigned config is updated. If the Assigned config is Active at the end of this period, it becomes the LastKnownGood. Note that if Spec.ConfigSource is reset to nil (use local defaults), the LastKnownGood is also immediately reset to nil, because the local default config is always assumed good. You should not make assumptions about the node's method of determining config stability and correctness, as this may change or become configurable in the future."},"active":{"$ref":"#/definitions/io.k8s.api.core.v1.NodeConfigSource","description":"Active reports the checkpointed config the node is actively using. Active will represent either the current version of the Assigned config, or the current LastKnownGood config, depending on whether attempting to use the Assigned config results in an error."},"assigned":{"$ref":"#/definitions/io.k8s.api.core.v1.NodeConfigSource","description":"Assigned reports the checkpointed config the node will try to use. When Node.Spec.ConfigSource is updated, the node checkpoints the associated config payload to local disk, along with a record indicating intended config. The node refers to this record to choose its config checkpoint, and reports this record in Assigned. Assigned only updates in the status after the record has been checkpointed to disk. When the Kubelet is restarted, it tries to make the Assigned config the Active config by loading and validating the checkpointed payload identified by Assigned."},"error":{"description":"Error describes any problems reconciling the Spec.ConfigSource to the Active config. Errors may occur, for example, attempting to checkpoint Spec.ConfigSource to the local Assigned record, attempting to checkpoint the payload associated with Spec.ConfigSource, attempting to load or validate the Assigned config, etc. Errors may occur at different points while syncing config. Earlier errors (e.g. download or checkpointing errors) will not result in a rollback to LastKnownGood, and may resolve across Kubelet retries. Later errors (e.g. loading or validating a checkpointed config) will result in a rollback to LastKnownGood. In the latter case, it is usually possible to resolve the error by fixing the config assigned in Spec.ConfigSource. You can find additional information for debugging by searching the error message in the Kubelet log. Error is a human-readable description of the error state; machines can check whether or not Error is empty, but should not rely on the stability of the Error text across Kubelet versions.","type":"string"}},"type":"object"},"io.k8s.api.core.v1.NodeList":{"description":"NodeList is the whole list of all Nodes which have been registered with master.","properties":{"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta","description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of nodes","items":{"$ref":"#/definitions/io.k8s.api.core.v1.Node"},"type":"array"},"kind":{"type":"string","enum":["NodeList"],"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"}},"required":["items"],"type":"object","x-kubernetes-group-version-kind":[{"group":"","kind":"NodeList","version":"v1"}]},"io.k8s.api.core.v1.ResourceQuotaStatus":{"properties":{"hard":{"type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"},"description":"Hard is the set of enforced hard limits for each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/"},"used":{"additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"},"description":"Used is the current observed total usage of the resource in the namespace.","type":"object"}},"type":"object","description":"ResourceQuotaStatus defines the enforced hard limits and observed use."},"io.k8s.api.networking.v1.NetworkPolicy":{"description":"NetworkPolicy describes what network traffic is allowed for a set of Pods","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["NetworkPolicy"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"},"spec":{"description":"spec represents the specification of the desired behavior for this NetworkPolicy.","$ref":"#/definitions/io.k8s.api.networking.v1.NetworkPolicySpec"}},"type":"object","x-kubernetes-group-version-kind":[{"group":"networking.k8s.io","kind":"NetworkPolicy","version":"v1"}]},"io.k8s.api.storage.v1.CSIStorageCapacity":{"x-kubernetes-group-version-kind":[{"group":"storage.k8s.io","kind":"CSIStorageCapacity","version":"v1"}],"description":"CSIStorageCapacity stores the result of one CSI GetCapacity call. For a given StorageClass, this describes the available capacity in a particular topology segment. This can be used when considering where to instantiate new PersistentVolumes.\n\nFor example this can express things like: - StorageClass \"standard\" has \"1234 GiB\" available in \"topology.kubernetes.io/zone=us-east1\" - StorageClass \"localssd\" has \"10 GiB\" available in \"kubernetes.io/hostname=knode-abc123\"\n\nThe following three cases all imply that no capacity is available for a certain combination: - no object exists with suitable topology and storage class name - such an object exists, but the capacity is unset - such an object exists, but the capacity is zero\n\nThe producer of these objects can decide which approach is more suitable.\n\nThey are consumed by the kube-scheduler when a CSI driver opts into capacity-aware scheduling with CSIDriverSpec.StorageCapacity. The scheduler compares the MaximumVolumeSize against the requested size of pending volumes to filter out unsuitable nodes. If MaximumVolumeSize is unset, it falls back to a comparison against the less precise Capacity. If that is also unset, the scheduler assumes that capacity is insufficient and tries some other node.","properties":{"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"Standard object's metadata. The name has no particular meaning. It must be a DNS subdomain (dots allowed, 253 characters). To ensure that there are no conflicts with other CSI drivers on the cluster, the recommendation is to use csisc-, a generated name, or a reverse-domain name which ends with the unique CSI driver name.\n\nObjects are namespaced.\n\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"},"nodeTopology":{"description":"nodeTopology defines which nodes have access to the storage for which capacity was reported. If not set, the storage is not accessible from any node in the cluster. If empty, the storage is accessible from all nodes. This field is immutable.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"storageClassName":{"description":"storageClassName represents the name of the StorageClass that the reported capacity applies to. It must meet the same requirements as the name of a StorageClass object (non-empty, DNS subdomain). If that object no longer exists, the CSIStorageCapacity object is obsolete and should be removed by its creator. This field is immutable.","type":"string"},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"capacity":{"description":"capacity is the value reported by the CSI driver in its GetCapacityResponse for a GetCapacityRequest with topology and parameters that match the previous fields.\n\nThe semantic is currently (CSI spec 1.2) defined as: The available capacity, in bytes, of the storage that can be used to provision volumes. If not set, that information is currently unavailable.","$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["CSIStorageCapacity"]},"maximumVolumeSize":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity","description":"maximumVolumeSize is the value reported by the CSI driver in its GetCapacityResponse for a GetCapacityRequest with topology and parameters that match the previous fields.\n\nThis is defined since CSI spec 1.4.0 as the largest size that may be used in a CreateVolumeRequest.capacity_range.required_bytes field to create a volume with the same parameters as those in GetCapacityRequest. The corresponding value in the Kubernetes API is ResourceRequirements.Requests in a volume claim."}},"required":["storageClassName"],"type":"object"},"io.k8s.api.batch.v1.PodFailurePolicyRule":{"type":"object","description":"PodFailurePolicyRule describes how a pod failure is handled when the requirements are met. One of onExitCodes and onPodConditions, but not both, can be used in each rule.","properties":{"action":{"description":"Specifies the action taken on a pod failure when the requirements are satisfied. Possible values are:\n\n- FailJob: indicates that the pod's job is marked as Failed and all\n running pods are terminated.\n- FailIndex: indicates that the pod's index is marked as Failed and will\n not be restarted.\n- Ignore: indicates that the counter towards the .backoffLimit is not\n incremented and a replacement pod is created.\n- Count: indicates that the pod is handled in the default way - the\n counter towards the .backoffLimit is incremented.\nAdditional values are considered to be added in the future. Clients should react to an unknown action by skipping the rule.","type":"string"},"onExitCodes":{"description":"Represents the requirement on the container exit codes.","$ref":"#/definitions/io.k8s.api.batch.v1.PodFailurePolicyOnExitCodesRequirement"},"onPodConditions":{"x-kubernetes-list-type":"atomic","description":"Represents the requirement on the pod conditions. The requirement is represented as a list of pod condition patterns. The requirement is satisfied if at least one pattern matches an actual pod condition. At most 20 elements are allowed.","items":{"$ref":"#/definitions/io.k8s.api.batch.v1.PodFailurePolicyOnPodConditionsPattern"},"type":"array"}},"required":["action"]},"io.k8s.api.networking.v1.IngressStatus":{"type":"object","description":"IngressStatus describe the current state of the Ingress.","properties":{"loadBalancer":{"description":"loadBalancer contains the current status of the load-balancer.","$ref":"#/definitions/io.k8s.api.networking.v1.IngressLoadBalancerStatus"}}},"io.k8s.api.networking.v1.NetworkPolicyPeer":{"properties":{"podSelector":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector","description":"podSelector is a label selector which selects pods. This field follows standard label selector semantics; if present but empty, it selects all pods.\n\nIf namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the pods matching podSelector in the policy's own namespace."},"ipBlock":{"$ref":"#/definitions/io.k8s.api.networking.v1.IPBlock","description":"ipBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be."},"namespaceSelector":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector","description":"namespaceSelector selects namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.\n\nIf podSelector is also set, then the NetworkPolicyPeer as a whole selects the pods matching podSelector in the namespaces selected by namespaceSelector. Otherwise it selects all pods in the namespaces selected by namespaceSelector."}},"type":"object","description":"NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed"},"io.k8s.api.resource.v1alpha3.ResourceSlice":{"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"type":"string","enum":["ResourceSlice"],"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"},"metadata":{"description":"Standard object metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"$ref":"#/definitions/io.k8s.api.resource.v1alpha3.ResourceSliceSpec","description":"Contains the information published by the driver.\n\nChanging the spec automatically increments the metadata.generation number."}},"required":["spec"],"type":"object","x-kubernetes-group-version-kind":[{"version":"v1alpha3","group":"resource.k8s.io","kind":"ResourceSlice"}],"description":"ResourceSlice represents one or more resources in a pool of similar resources, managed by a common driver. A pool may span more than one ResourceSlice, and exactly how many ResourceSlices comprise a pool is determined by the driver.\n\nAt the moment, the only supported resources are devices with attributes and capacities. Each device in a given pool, regardless of how many ResourceSlices, must have a unique name. The ResourceSlice in which a device gets published may change over time. The unique identifier for a device is the tuple , , .\n\nWhenever a driver needs to update a pool, it increments the pool.Spec.Pool.Generation number and updates all ResourceSlices with that new number and new resource definitions. A consumer must only use ResourceSlices with the highest generation number and ignore all others.\n\nWhen allocating all resources in a pool matching certain criteria or when looking for the best solution among several different alternatives, a consumer should check the number of ResourceSlices in a pool (included in each ResourceSlice) to determine whether its view of a pool is complete and if not, should wait until the driver has completed updating the pool.\n\nFor resources that are not local to a node, the node name is not set. Instead, the driver may use a node selector to specify where the devices are available.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate."},"io.k8s.api.storage.v1.CSINodeList":{"description":"CSINodeList is a collection of CSINode objects.","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"items":{"$ref":"#/definitions/io.k8s.api.storage.v1.CSINode"},"type":"array","description":"items is the list of CSINode"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["CSINodeList"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta","description":"Standard list metadata More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"}},"required":["items"],"type":"object","x-kubernetes-group-version-kind":[{"kind":"CSINodeList","version":"v1","group":"storage.k8s.io"}]},"io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyBindingList":{"required":["items"],"type":"object","x-kubernetes-group-version-kind":[{"kind":"ValidatingAdmissionPolicyBindingList","version":"v1beta1","group":"admissionregistration.k8s.io"}],"description":"ValidatingAdmissionPolicyBindingList is a list of ValidatingAdmissionPolicyBinding.","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of PolicyBinding.","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyBinding"},"type":"array"},"kind":{"type":"string","enum":["ValidatingAdmissionPolicyBindingList"],"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta","description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"}}},"io.k8s.api.autoscaling.v2.HorizontalPodAutoscalerCondition":{"type":"object","description":"HorizontalPodAutoscalerCondition describes the state of a HorizontalPodAutoscaler at a certain point.","properties":{"reason":{"description":"reason is the reason for the condition's last transition.","type":"string"},"status":{"description":"status is the status of the condition (True, False, Unknown)","type":"string"},"type":{"type":"string","description":"type describes the current condition"},"lastTransitionTime":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time","description":"lastTransitionTime is the last time the condition transitioned from one status to another"},"message":{"type":"string","description":"message is a human-readable explanation containing details about the transition"}},"required":["type","status"]},"io.k8s.api.core.v1.KeyToPath":{"properties":{"key":{"description":"key is the key to project.","type":"string"},"mode":{"description":"mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.","format":"int32","type":"integer"},"path":{"description":"path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'.","type":"string"}},"required":["key","path"],"type":"object","description":"Maps a string key to a path within a volume."},"io.k8s.api.core.v1.PersistentVolumeClaimList":{"description":"PersistentVolumeClaimList is a list of PersistentVolumeClaim items.","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is a list of persistent volume claims. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolumeClaim"},"type":"array"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["PersistentVolumeClaimList"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta","description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"}},"required":["items"],"type":"object","x-kubernetes-group-version-kind":[{"group":"","kind":"PersistentVolumeClaimList","version":"v1"}]},"io.k8s.api.core.v1.ResourceStatus":{"description":"ResourceStatus represents the status of a single resource allocated to a Pod.","properties":{"name":{"type":"string","description":"Name of the resource. Must be unique within the pod and in case of non-DRA resource, match one of the resources from the pod spec. For DRA resources, the value must be \"claim:/\". When this status is reported about a container, the \"claim_name\" and \"request\" must match one of the claims of this container."},"resources":{"type":"array","x-kubernetes-list-map-keys":["resourceID"],"x-kubernetes-list-type":"map","description":"List of unique resources health. Each element in the list contains an unique resource ID and its health. At a minimum, for the lifetime of a Pod, resource ID must uniquely identify the resource allocated to the Pod on the Node. If other Pod on the same Node reports the status with the same resource ID, it must be the same resource they share. See ResourceID type definition for a specific format it has in various use cases.","items":{"$ref":"#/definitions/io.k8s.api.core.v1.ResourceHealth"}}},"required":["name"],"type":"object"},"io.k8s.api.resource.v1beta1.Counter":{"description":"Counter describes a quantity associated with a device.","properties":{"value":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity","description":"Value defines how much of a certain device counter is available."}},"required":["value"],"type":"object"},"io.k8s.api.storagemigration.v1alpha1.GroupVersionResource":{"properties":{"resource":{"description":"The name of the resource.","type":"string"},"version":{"description":"The name of the version.","type":"string"},"group":{"description":"The name of the group.","type":"string"}},"type":"object","description":"The names of the group, the version, and the resource."},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceDefinitionVersion":{"description":"CustomResourceDefinitionVersion describes a version for CRD.","properties":{"deprecationWarning":{"description":"deprecationWarning overrides the default warning returned to API clients. May only be set when `deprecated` is true. The default warning indicates this version is deprecated and recommends use of the newest served version of equal or greater stability, if one exists.","type":"string"},"name":{"description":"name is the version name, e.g. “v1”, “v2beta1”, etc. The custom resources are served under this version at `/apis///...` if `served` is true.","type":"string"},"served":{"description":"served is a flag enabling/disabling this version from being served via REST APIs","type":"boolean"},"subresources":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresources","description":"subresources specify what subresources this version of the defined custom resource have."},"additionalPrinterColumns":{"items":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceColumnDefinition"},"type":"array","x-kubernetes-list-type":"atomic","description":"additionalPrinterColumns specifies additional columns returned in Table output. See https://kubernetes.io/docs/reference/using-api/api-concepts/#receiving-resources-as-tables for details. If no columns are specified, a single column displaying the age of the custom resource is used."},"schema":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceValidation","description":"schema describes the schema used for validation, pruning, and defaulting of this version of the custom resource."},"selectableFields":{"description":"selectableFields specifies paths to fields that may be used as field selectors. A maximum of 8 selectable fields are allowed. See https://kubernetes.io/docs/concepts/overview/working-with-objects/field-selectors","items":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.SelectableField"},"type":"array","x-kubernetes-list-type":"atomic"},"storage":{"description":"storage indicates this version should be used when persisting custom resources to storage. There must be exactly one version with storage=true.","type":"boolean"},"deprecated":{"description":"deprecated indicates this version of the custom resource API is deprecated. When set to true, API requests to this version receive a warning header in the server response. Defaults to false.","type":"boolean"}},"required":["name","served","storage"],"type":"object"},"io.k8s.api.batch.v1.PodFailurePolicy":{"description":"PodFailurePolicy describes how failed pods influence the backoffLimit.","properties":{"rules":{"type":"array","x-kubernetes-list-type":"atomic","description":"A list of pod failure policy rules. The rules are evaluated in order. Once a rule matches a Pod failure, the remaining of the rules are ignored. When no rule matches the Pod failure, the default handling applies - the counter of pod failures is incremented and it is checked against the backoffLimit. At most 20 elements are allowed.","items":{"$ref":"#/definitions/io.k8s.api.batch.v1.PodFailurePolicyRule"}}},"required":["rules"],"type":"object"},"io.k8s.api.core.v1.PodTemplateSpec":{"description":"PodTemplateSpec describes the data a pod should have when created from a template","properties":{"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"},"spec":{"$ref":"#/definitions/io.k8s.api.core.v1.PodSpec","description":"Specification of the desired behavior of the pod. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"}},"type":"object"},"io.k8s.api.core.v1.SecretProjection":{"description":"Adapts a secret into a projected volume.\n\nThe contents of the target Secret's Data field will be presented in a projected volume as files using the keys in the Data field as the file names. Note that this is identical to a secret volume source without the default mode.","properties":{"items":{"description":"items if unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.","items":{"$ref":"#/definitions/io.k8s.api.core.v1.KeyToPath"},"type":"array","x-kubernetes-list-type":"atomic"},"name":{"description":"Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"optional field specify whether the Secret or its key must be defined","type":"boolean"}},"type":"object"},"io.k8s.api.networking.v1beta1.ParentReference":{"description":"ParentReference describes a reference to a parent object.","properties":{"namespace":{"description":"Namespace is the namespace of the object being referenced.","type":"string"},"resource":{"description":"Resource is the resource of the object being referenced.","type":"string"},"group":{"description":"Group is the group of the object being referenced.","type":"string"},"name":{"description":"Name is the name of the object being referenced.","type":"string"}},"required":["resource","name"],"type":"object"},"io.k8s.api.rbac.v1.ClusterRoleList":{"description":"ClusterRoleList is a collection of ClusterRoles","properties":{"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["ClusterRoleList"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta","description":"Standard object's metadata."},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is a list of ClusterRoles","items":{"$ref":"#/definitions/io.k8s.api.rbac.v1.ClusterRole"},"type":"array"}},"required":["items"],"type":"object","x-kubernetes-group-version-kind":[{"group":"rbac.authorization.k8s.io","kind":"ClusterRoleList","version":"v1"}]},"io.k8s.api.resource.v1beta2.DeviceConstraint":{"description":"DeviceConstraint must have exactly one field set besides Requests.","properties":{"matchAttribute":{"description":"MatchAttribute requires that all devices in question have this attribute and that its type and value are the same across those devices.\n\nFor example, if you specified \"dra.example.com/numa\" (a hypothetical example!), then only devices in the same NUMA node will be chosen. A device which does not have that attribute will not be chosen. All devices should use a value of the same type for this attribute because that is part of its specification, but if one device doesn't, then it also will not be chosen.\n\nMust include the domain qualifier.","type":"string"},"requests":{"description":"Requests is a list of the one or more requests in this claim which must co-satisfy this constraint. If a request is fulfilled by multiple devices, then all of the devices must satisfy the constraint. If this is not specified, this constraint applies to all requests in this claim.\n\nReferences to subrequests must include the name of the main request and may include the subrequest using the format
[/]. If just the main request is given, the constraint applies to all subrequests.","items":{"type":"string"},"type":"array","x-kubernetes-list-type":"atomic"}},"type":"object"},"io.k8s.api.autoscaling.v2.MetricValueStatus":{"properties":{"averageUtilization":{"format":"int32","type":"integer","description":"currentAverageUtilization is the current value of the average of the resource metric across all relevant pods, represented as a percentage of the requested value of the resource for the pods."},"averageValue":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity","description":"averageValue is the current value of the average of the metric across all relevant pods (as a quantity)"},"value":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity","description":"value is the current value of the metric (as a quantity)."}},"type":"object","description":"MetricValueStatus holds the current value for a metric"},"io.k8s.api.core.v1.EventSource":{"description":"EventSource contains information for an event.","properties":{"component":{"type":"string","description":"Component from which the event is generated."},"host":{"description":"Node name on which the event is generated.","type":"string"}},"type":"object"},"io.k8s.api.node.v1.Overhead":{"description":"Overhead structure represents the resource overhead associated with running a pod.","properties":{"podFixed":{"description":"podFixed represents the fixed resource overhead associated with running a pod.","type":"object","additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"}}},"type":"object"},"io.k8s.api.resource.v1beta1.DeviceClass":{"properties":{"spec":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.DeviceClassSpec","description":"Spec defines what can be allocated and how to configure it.\n\nThis is mutable. Consumers have to be prepared for classes changing at any time, either because they get updated or replaced. Claim allocations are done once based on whatever was set in classes at the time of allocation.\n\nChanging the spec automatically increments the metadata.generation number."},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["DeviceClass"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"Standard object metadata"}},"required":["spec"],"type":"object","x-kubernetes-group-version-kind":[{"group":"resource.k8s.io","kind":"DeviceClass","version":"v1beta1"}],"description":"DeviceClass is a vendor- or admin-provided resource that contains device configuration and selectors. It can be referenced in the device requests of a claim to apply these presets. Cluster scoped.\n\nThis is an alpha type and requires enabling the DynamicResourceAllocation feature gate."},"io.k8s.api.resource.v1beta1.DeviceClassList":{"description":"DeviceClassList is a collection of classes.","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is the list of resource classes.","items":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.DeviceClass"},"type":"array"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["DeviceClassList"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta","description":"Standard list metadata"}},"required":["items"],"type":"object","x-kubernetes-group-version-kind":[{"group":"resource.k8s.io","kind":"DeviceClassList","version":"v1beta1"}]},"io.k8s.api.admissionregistration.v1.MutatingWebhook":{"properties":{"admissionReviewVersions":{"x-kubernetes-list-type":"atomic","description":"AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` versions the Webhook expects. API server will try to use first version in the list which it supports. If none of the versions specified in this list supported by API server, validation will fail for this object. If a persisted webhook configuration specifies allowed versions and does not include any versions known to the API Server, calls to the webhook will fail and be subject to the failure policy.","items":{"type":"string"},"type":"array"},"failurePolicy":{"description":"FailurePolicy defines how unrecognized errors from the admission endpoint are handled - allowed values are Ignore or Fail. Defaults to Fail.","type":"string"},"matchPolicy":{"type":"string","description":"matchPolicy defines how the \"rules\" list is used to match incoming requests. Allowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.\n\nDefaults to \"Equivalent\""},"objectSelector":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector","description":"ObjectSelector decides whether to run the webhook based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the webhook, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything."},"reinvocationPolicy":{"description":"reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation. Allowed values are \"Never\" and \"IfNeeded\".\n\nNever: the webhook will not be called more than once in a single admission evaluation.\n\nIfNeeded: the webhook will be called at least one additional time as part of the admission evaluation if the object being admitted is modified by other admission plugins after the initial webhook call. Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted. Note: * the number of additional invocations is not guaranteed to be exactly one. * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again. * webhooks that use this option may be reordered to minimize the number of additional invocations. * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.\n\nDefaults to \"Never\".","type":"string"},"sideEffects":{"description":"SideEffects states whether this webhook has side effects. Acceptable values are: None, NoneOnDryRun (webhooks created via v1beta1 may also specify Some or Unknown). Webhooks with side effects MUST implement a reconciliation system, since a request may be rejected by a future step in the admission chain and the side effects therefore need to be undone. Requests with the dryRun attribute will be auto-rejected if they match a webhook with sideEffects == Unknown or Some.","type":"string"},"timeoutSeconds":{"type":"integer","description":"TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, the webhook call will be ignored or the API call will fail based on the failure policy. The timeout value must be between 1 and 30 seconds. Default to 10 seconds.","format":"int32"},"clientConfig":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.WebhookClientConfig","description":"ClientConfig defines how to communicate with the hook. Required"},"matchConditions":{"x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name","x-kubernetes-patch-strategy":"merge","description":"MatchConditions is a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests. There are a maximum of 64 match conditions allowed.\n\nThe exact matching logic is (in order):\n 1. If ANY matchCondition evaluates to FALSE, the webhook is skipped.\n 2. If ALL matchConditions evaluate to TRUE, the webhook is called.\n 3. If any matchCondition evaluates to an error (but none are FALSE):\n - If failurePolicy=Fail, reject the request\n - If failurePolicy=Ignore, the error is ignored and the webhook is skipped","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.MatchCondition"},"type":"array"},"name":{"description":"The name of the admission webhook. Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where \"imagepolicy\" is the name of the webhook, and kubernetes.io is the name of the organization. Required.","type":"string"},"namespaceSelector":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector","description":"NamespaceSelector decides whether to run the webhook on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the webhook.\n\nFor example, to run the webhook on any objects whose namespace is not associated with \"runlevel\" of \"0\" or \"1\"; you will set the selector as follows: \"namespaceSelector\": {\n \"matchExpressions\": [\n {\n \"key\": \"runlevel\",\n \"operator\": \"NotIn\",\n \"values\": [\n \"0\",\n \"1\"\n ]\n }\n ]\n}\n\nIf instead you want to only run the webhook on any objects whose namespace is associated with the \"environment\" of \"prod\" or \"staging\"; you will set the selector as follows: \"namespaceSelector\": {\n \"matchExpressions\": [\n {\n \"key\": \"environment\",\n \"operator\": \"In\",\n \"values\": [\n \"prod\",\n \"staging\"\n ]\n }\n ]\n}\n\nSee https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything."},"rules":{"x-kubernetes-list-type":"atomic","description":"Rules describes what operations on what resources/subresources the webhook cares about. The webhook cares about an operation if it matches _any_ Rule. However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks from putting the cluster in a state which cannot be recovered from without completely disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.RuleWithOperations"},"type":"array"}},"required":["name","clientConfig","sideEffects","admissionReviewVersions"],"type":"object","description":"MutatingWebhook describes an admission webhook and the resources and operations it applies to."},"io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyBinding":{"x-kubernetes-group-version-kind":[{"kind":"ValidatingAdmissionPolicyBinding","version":"v1beta1","group":"admissionregistration.k8s.io"}],"description":"ValidatingAdmissionPolicyBinding binds the ValidatingAdmissionPolicy with paramerized resources. ValidatingAdmissionPolicyBinding and parameter CRDs together define how cluster administrators configure policies for clusters.\n\nFor a given admission request, each binding will cause its policy to be evaluated N times, where N is 1 for policies/bindings that don't use params, otherwise N is the number of parameters selected by the binding.\n\nThe CEL expressions of a policy must have a computed CEL cost below the maximum CEL budget. Each evaluation of the policy is given an independent CEL cost budget. Adding/removing policies, bindings, or params can not affect whether a given (policy, binding, param) combination is within its own CEL budget.","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"type":"string","enum":["ValidatingAdmissionPolicyBinding"],"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata."},"spec":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyBindingSpec","description":"Specification of the desired behavior of the ValidatingAdmissionPolicyBinding."}},"type":"object"},"io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicyList":{"required":["items"],"type":"object","x-kubernetes-group-version-kind":[{"version":"v1beta1","group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicyList"}],"description":"ValidatingAdmissionPolicyList is a list of ValidatingAdmissionPolicy.","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"List of ValidatingAdmissionPolicy.","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.ValidatingAdmissionPolicy"},"type":"array"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["ValidatingAdmissionPolicyList"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta","description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"}}},"io.k8s.api.core.v1.VolumeMountStatus":{"required":["name","mountPath"],"type":"object","description":"VolumeMountStatus shows status of volume mounts.","properties":{"mountPath":{"type":"string","description":"MountPath corresponds to the original VolumeMount."},"name":{"description":"Name corresponds to the name of the original VolumeMount.","type":"string"},"readOnly":{"description":"ReadOnly corresponds to the original VolumeMount.","type":"boolean"},"recursiveReadOnly":{"description":"RecursiveReadOnly must be set to Disabled, Enabled, or unspecified (for non-readonly mounts). An IfPossible value in the original VolumeMount must be translated to Disabled or Enabled, depending on the mount result.","type":"string"}}},"io.k8s.api.networking.v1.ServiceBackendPort":{"description":"ServiceBackendPort is the service port being referenced.","properties":{"name":{"description":"name is the name of the port on the Service. This is a mutually exclusive setting with \"Number\".","type":"string"},"number":{"description":"number is the numerical port number (e.g. 80) on the Service. This is a mutually exclusive setting with \"Name\".","format":"int32","type":"integer"}},"type":"object","x-kubernetes-map-type":"atomic"},"io.k8s.api.resource.v1alpha3.DeviceTaintRule":{"description":"DeviceTaintRule adds one taint to all devices which match the selector. This has the same effect as if the taint was specified directly in the ResourceSlice by the DRA driver.","properties":{"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"Standard object metadata"},"spec":{"$ref":"#/definitions/io.k8s.api.resource.v1alpha3.DeviceTaintRuleSpec","description":"Spec specifies the selector and one taint.\n\nChanging the spec automatically increments the metadata.generation number."},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"type":"string","enum":["DeviceTaintRule"],"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"}},"required":["spec"],"type":"object","x-kubernetes-group-version-kind":[{"group":"resource.k8s.io","kind":"DeviceTaintRule","version":"v1alpha3"}]},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.ExternalDocumentation":{"description":"ExternalDocumentation allows referencing an external resource for extended documentation.","properties":{"description":{"type":"string"},"url":{"type":"string"}},"type":"object"},"io.k8s.api.apps.v1.ControllerRevision":{"properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"data":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.runtime.RawExtension","description":"Data is the serialized representation of the state."},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["ControllerRevision"]},"metadata":{"description":"Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"revision":{"description":"Revision indicates the revision of the state represented by Data.","format":"int64","type":"integer"}},"required":["revision"],"type":"object","x-kubernetes-group-version-kind":[{"version":"v1","group":"apps","kind":"ControllerRevision"}],"description":"ControllerRevision implements an immutable snapshot of state data. Clients are responsible for serializing and deserializing the objects that contain their internal state. Once a ControllerRevision has been successfully created, it can not be updated. The API Server will fail validation of all requests that attempt to mutate the Data field. ControllerRevisions may, however, be deleted. Note that, due to its use by both the DaemonSet and StatefulSet controllers for update and rollback, this object is beta. However, it may be subject to name and representation changes in future releases, and clients should not depend on its stability. It is primarily for internal use by controllers."},"io.k8s.api.apps.v1.ReplicaSetCondition":{"properties":{"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"reason":{"description":"The reason for the condition's last transition.","type":"string"},"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type of replica set condition.","type":"string"},"lastTransitionTime":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time","description":"The last time the condition transitioned from one status to another."}},"required":["type","status"],"type":"object","description":"ReplicaSetCondition describes the state of a replica set at a certain point."},"io.k8s.api.core.v1.ObjectFieldSelector":{"description":"ObjectFieldSelector selects an APIVersioned field of an object.","properties":{"apiVersion":{"description":"Version of the schema the FieldPath is written in terms of, defaults to \"v1\".","type":"string"},"fieldPath":{"description":"Path of the field to select in the specified API version.","type":"string"}},"required":["fieldPath"],"type":"object","x-kubernetes-map-type":"atomic"},"io.k8s.api.core.v1.ResourceQuotaSpec":{"description":"ResourceQuotaSpec defines the desired hard limits to enforce for Quota.","properties":{"hard":{"additionalProperties":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.api.resource.Quantity"},"description":"hard is the set of desired hard limits for each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/","type":"object"},"scopeSelector":{"$ref":"#/definitions/io.k8s.api.core.v1.ScopeSelector","description":"scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota but expressed using ScopeSelectorOperator in combination with possible values. For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched."},"scopes":{"type":"array","x-kubernetes-list-type":"atomic","description":"A collection of filters that must match each object tracked by a quota. If not specified, the quota matches all objects.","items":{"type":"string"}}},"type":"object"},"io.k8s.api.resource.v1beta1.DeviceCounterConsumption":{"description":"DeviceCounterConsumption defines a set of counters that a device will consume from a CounterSet.","properties":{"counters":{"additionalProperties":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.Counter"},"description":"Counters defines the counters that will be consumed by the device.\n\nThe maximum number counters in a device is 32. In addition, the maximum number of all counters in all devices is 1024 (for example, 64 devices with 16 counters each).","type":"object"},"counterSet":{"description":"CounterSet is the name of the set from which the counters defined will be consumed.","type":"string"}},"required":["counterSet","counters"],"type":"object"},"io.k8s.api.coordination.v1alpha2.LeaseCandidate":{"description":"LeaseCandidate defines a candidate for a Lease object. Candidates are created such that coordinated leader election will pick the best leader from the list of candidates.","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"enum":["LeaseCandidate"],"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"},"spec":{"$ref":"#/definitions/io.k8s.api.coordination.v1alpha2.LeaseCandidateSpec","description":"spec contains the specification of the Lease. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status"}},"type":"object","x-kubernetes-group-version-kind":[{"group":"coordination.k8s.io","kind":"LeaseCandidate","version":"v1alpha2"}]},"io.k8s.api.core.v1.ConfigMapKeySelector":{"type":"object","x-kubernetes-map-type":"atomic","description":"Selects a key from a ConfigMap.","properties":{"name":{"description":"Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names","type":"string"},"optional":{"description":"Specify whether the ConfigMap or its key must be defined","type":"boolean"},"key":{"description":"The key to select.","type":"string"}},"required":["key"]},"io.k8s.api.authorization.v1.SubjectAccessReviewSpec":{"description":"SubjectAccessReviewSpec is a description of the access request. Exactly one of ResourceAuthorizationAttributes and NonResourceAuthorizationAttributes must be set","properties":{"extra":{"additionalProperties":{"items":{"type":"string"},"type":"array"},"description":"Extra corresponds to the user.Info.GetExtra() method from the authenticator. Since that is input to the authorizer it needs a reflection here.","type":"object"},"groups":{"description":"Groups is the groups you're testing for.","items":{"type":"string"},"type":"array","x-kubernetes-list-type":"atomic"},"nonResourceAttributes":{"$ref":"#/definitions/io.k8s.api.authorization.v1.NonResourceAttributes","description":"NonResourceAttributes describes information for a non-resource access request"},"resourceAttributes":{"$ref":"#/definitions/io.k8s.api.authorization.v1.ResourceAttributes","description":"ResourceAuthorizationAttributes describes information for a resource access request"},"uid":{"description":"UID information about the requesting user.","type":"string"},"user":{"description":"User is the user you're testing for. If you specify \"User\" but not \"Groups\", then is it interpreted as \"What if User were not a member of any groups","type":"string"}},"type":"object"},"io.k8s.api.autoscaling.v2.MetricSpec":{"required":["type"],"type":"object","description":"MetricSpec specifies how to scale based on a single metric (only `type` and one other matching field should be set at once).","properties":{"containerResource":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.ContainerResourceMetricSource","description":"containerResource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing a single container in each pod of the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source."},"external":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.ExternalMetricSource","description":"external refers to a global metric that is not associated with any Kubernetes object. It allows autoscaling based on information coming from components running outside of cluster (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster)."},"object":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.ObjectMetricSource","description":"object refers to a metric describing a single kubernetes object (for example, hits-per-second on an Ingress object)."},"pods":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.PodsMetricSource","description":"pods refers to a metric describing each pod in the current scale target (for example, transactions-processed-per-second). The values will be averaged together before being compared to the target value."},"resource":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.ResourceMetricSource","description":"resource refers to a resource metric (such as those specified in requests and limits) known to Kubernetes describing each pod in the current scale target (e.g. CPU or memory). Such metrics are built in to Kubernetes, and have special scaling options on top of those available to normal per-pod metrics using the \"pods\" source."},"type":{"description":"type is the type of metric source. It should be one of \"ContainerResource\", \"External\", \"Object\", \"Pods\" or \"Resource\", each mapping to a matching field in the object.","type":"string"}}},"io.k8s.api.core.v1.NodeRuntimeHandler":{"description":"NodeRuntimeHandler is a set of runtime handler information.","properties":{"name":{"description":"Runtime handler name. Empty for the default runtime handler.","type":"string"},"features":{"$ref":"#/definitions/io.k8s.api.core.v1.NodeRuntimeHandlerFeatures","description":"Supported features."}},"type":"object"},"io.k8s.api.rbac.v1.PolicyRule":{"description":"PolicyRule holds information that describes a policy rule, but does not contain information about who the rule applies to or which namespace the rule applies to.","properties":{"apiGroups":{"description":"APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed. \"\" represents the core API group and \"*\" represents all API groups.","items":{"type":"string"},"type":"array","x-kubernetes-list-type":"atomic"},"nonResourceURLs":{"description":"NonResourceURLs is a set of partial urls that a user should have access to. *s are allowed, but only as the full, final step in the path Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as \"pods\" or \"secrets\") or non-resource URL paths (such as \"/api\"), but not both.","items":{"type":"string"},"type":"array","x-kubernetes-list-type":"atomic"},"resourceNames":{"x-kubernetes-list-type":"atomic","description":"ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.","items":{"type":"string"},"type":"array"},"resources":{"description":"Resources is a list of resources this rule applies to. '*' represents all resources.","items":{"type":"string"},"type":"array","x-kubernetes-list-type":"atomic"},"verbs":{"description":"Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule. '*' represents all verbs.","items":{"type":"string"},"type":"array","x-kubernetes-list-type":"atomic"}},"required":["verbs"],"type":"object"},"io.k8s.api.resource.v1alpha3.ResourceSliceSpec":{"required":["driver","pool"],"type":"object","description":"ResourceSliceSpec contains the information published by the driver in one ResourceSlice.","properties":{"sharedCounters":{"description":"SharedCounters defines a list of counter sets, each of which has a name and a list of counters available.\n\nThe names of the SharedCounters must be unique in the ResourceSlice.\n\nThe maximum number of SharedCounters is 32.","items":{"$ref":"#/definitions/io.k8s.api.resource.v1alpha3.CounterSet"},"type":"array","x-kubernetes-list-type":"atomic"},"allNodes":{"description":"AllNodes indicates that all nodes have access to the resources in the pool.\n\nExactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set.","type":"boolean"},"devices":{"description":"Devices lists some or all of the devices in this pool.\n\nMust not have more than 128 entries.","items":{"$ref":"#/definitions/io.k8s.api.resource.v1alpha3.Device"},"type":"array","x-kubernetes-list-type":"atomic"},"driver":{"type":"string","description":"Driver identifies the DRA driver providing the capacity information. A field selector can be used to list only ResourceSlice objects with a certain driver name.\n\nMust be a DNS subdomain and should end with a DNS domain owned by the vendor of the driver. This field is immutable."},"nodeName":{"description":"NodeName identifies the node which provides the resources in this pool. A field selector can be used to list only ResourceSlice objects belonging to a certain node.\n\nThis field can be used to limit access from nodes to ResourceSlices with the same node name. It also indicates to autoscalers that adding new nodes of the same type as some old node might also make new resources available.\n\nExactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set. This field is immutable.","type":"string"},"nodeSelector":{"$ref":"#/definitions/io.k8s.api.core.v1.NodeSelector","description":"NodeSelector defines which nodes have access to the resources in the pool, when that pool is not limited to a single node.\n\nMust use exactly one term.\n\nExactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set."},"perDeviceNodeSelection":{"description":"PerDeviceNodeSelection defines whether the access from nodes to resources in the pool is set on the ResourceSlice level or on each device. If it is set to true, every device defined the ResourceSlice must specify this individually.\n\nExactly one of NodeName, NodeSelector, AllNodes, and PerDeviceNodeSelection must be set.","type":"boolean"},"pool":{"$ref":"#/definitions/io.k8s.api.resource.v1alpha3.ResourcePool","description":"Pool describes the pool that this ResourceSlice belongs to."}}},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresources":{"type":"object","description":"CustomResourceSubresources defines the status and scale subresources for CustomResources.","properties":{"scale":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresourceScale","description":"scale indicates the custom resource should serve a `/scale` subresource that returns an `autoscaling/v1` Scale object."},"status":{"description":"status indicates the custom resource should serve a `/status` subresource. When enabled: 1. requests to the custom resource primary endpoint ignore changes to the `status` stanza of the object. 2. requests to the custom resource `/status` subresource ignore changes to anything other than the `status` stanza of the object.","$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceSubresourceStatus"}}},"io.k8s.api.core.v1.ConfigMapEnvSource":{"description":"ConfigMapEnvSource selects a ConfigMap to populate the environment variables with.\n\nThe contents of the target ConfigMap's Data field will represent the key-value pairs as environment variables.","properties":{"name":{"type":"string","description":"Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names"},"optional":{"description":"Specify whether the ConfigMap must be defined","type":"boolean"}},"type":"object"},"io.k8s.api.admissionregistration.v1.NamedRuleWithOperations":{"description":"NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.","properties":{"scope":{"type":"string","description":"scope specifies the scope of this rule. Valid values are \"Cluster\", \"Namespaced\", and \"*\" \"Cluster\" means that only cluster-scoped resources will match this rule. Namespace API objects are cluster-scoped. \"Namespaced\" means that only namespaced resources will match this rule. \"*\" means that there are no scope restrictions. Subresources match the scope of their parent resource. Default is \"*\"."},"apiGroups":{"description":"APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.","items":{"type":"string"},"type":"array","x-kubernetes-list-type":"atomic"},"apiVersions":{"type":"array","x-kubernetes-list-type":"atomic","description":"APIVersions is the API versions the resources belong to. '*' is all versions. If '*' is present, the length of the slice must be one. Required.","items":{"type":"string"}},"operations":{"description":"Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or * for all of those operations and any future admission operations that are added. If '*' is present, the length of the slice must be one. Required.","items":{"type":"string"},"type":"array","x-kubernetes-list-type":"atomic"},"resourceNames":{"type":"array","x-kubernetes-list-type":"atomic","description":"ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.","items":{"type":"string"}},"resources":{"description":"Resources is a list of resources this rule applies to.\n\nFor example: 'pods' means pods. 'pods/log' means the log subresource of pods. '*' means all resources, but not subresources. 'pods/*' means all subresources of pods. '*/scale' means all scale subresources. '*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not overlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed. Required.","items":{"type":"string"},"type":"array","x-kubernetes-list-type":"atomic"}},"type":"object","x-kubernetes-map-type":"atomic"},"io.k8s.api.admissionregistration.v1beta1.MatchResources":{"description":"MatchResources decides whether to run the admission control policy on an object based on whether it meets the match criteria. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)","properties":{"excludeResourceRules":{"items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.NamedRuleWithOperations"},"type":"array","x-kubernetes-list-type":"atomic","description":"ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about. The exclude rules take precedence over include rules (if a resource matches both, it is excluded)"},"matchPolicy":{"description":"matchPolicy defines how the \"MatchResources\" list is used to match incoming requests. Allowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, but \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if modifies a resource listed in rules, even via another API group or version. For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1, and \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`, a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\"","type":"string"},"namespaceSelector":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector","description":"NamespaceSelector decides whether to run the admission control policy on an object based on whether the namespace for that object matches the selector. If the object itself is a namespace, the matching is performed on object.metadata.labels. If the object is another cluster scoped resource, it never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not associated with \"runlevel\" of \"0\" or \"1\"; you will set the selector as follows: \"namespaceSelector\": {\n \"matchExpressions\": [\n {\n \"key\": \"runlevel\",\n \"operator\": \"NotIn\",\n \"values\": [\n \"0\",\n \"1\"\n ]\n }\n ]\n}\n\nIf instead you want to only run the policy on any objects whose namespace is associated with the \"environment\" of \"prod\" or \"staging\"; you will set the selector as follows: \"namespaceSelector\": {\n \"matchExpressions\": [\n {\n \"key\": \"environment\",\n \"operator\": \"In\",\n \"values\": [\n \"prod\",\n \"staging\"\n ]\n }\n ]\n}\n\nSee https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ for more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything."},"objectSelector":{"description":"ObjectSelector decides whether to run the validation based on if the object has matching labels. objectSelector is evaluated against both the oldObject and newObject that would be sent to the cel validation, and is considered to match if either object matches the selector. A null object (oldObject in the case of create, or newObject in the case of delete) or an object that cannot have labels (like a DeploymentRollback or a PodProxyOptions object) is not considered to match. Use the object selector only if the webhook is opt-in, because end users may skip the admission webhook by setting the labels. Default to the empty LabelSelector, which matches everything.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"resourceRules":{"x-kubernetes-list-type":"atomic","description":"ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches. The policy cares about an operation if it matches _any_ Rule.","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1beta1.NamedRuleWithOperations"},"type":"array"}},"type":"object","x-kubernetes-map-type":"atomic"},"io.k8s.api.authorization.v1.LocalSubjectAccessReview":{"description":"LocalSubjectAccessReview checks whether or not a user or group can perform an action in a given namespace. Having a namespace scoped resource makes it much easier to grant namespace scoped policy that includes permissions checking.","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["LocalSubjectAccessReview"]},"metadata":{"description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"spec":{"$ref":"#/definitions/io.k8s.api.authorization.v1.SubjectAccessReviewSpec","description":"Spec holds information about the request being evaluated. spec.namespace must be equal to the namespace you made the request against. If empty, it is defaulted."},"status":{"$ref":"#/definitions/io.k8s.api.authorization.v1.SubjectAccessReviewStatus","description":"Status is filled in by the server and indicates whether the request is allowed or not"}},"required":["spec"],"type":"object","x-kubernetes-group-version-kind":[{"version":"v1","group":"authorization.k8s.io","kind":"LocalSubjectAccessReview"}]},"io.k8s.api.autoscaling.v2.ExternalMetricStatus":{"description":"ExternalMetricStatus indicates the current value of a global metric not associated with any Kubernetes object.","properties":{"current":{"description":"current contains the current value for the given metric","$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricValueStatus"},"metric":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricIdentifier","description":"metric identifies the target metric by name and selector"}},"required":["metric","current"],"type":"object"},"io.k8s.api.core.v1.ISCSIPersistentVolumeSource":{"description":"ISCSIPersistentVolumeSource represents an ISCSI disk. ISCSI volumes can only be mounted as read/write once. ISCSI volumes support ownership management and SELinux relabeling.","properties":{"chapAuthDiscovery":{"description":"chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication","type":"boolean"},"fsType":{"description":"fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi","type":"string"},"iscsiInterface":{"description":"iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp).","type":"string"},"lun":{"format":"int32","type":"integer","description":"lun is iSCSI Target Lun number."},"portals":{"items":{"type":"string"},"type":"array","x-kubernetes-list-type":"atomic","description":"portals is the iSCSI Target Portal List. The Portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260)."},"readOnly":{"description":"readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false.","type":"boolean"},"chapAuthSession":{"type":"boolean","description":"chapAuthSession defines whether support iSCSI Session CHAP authentication"},"initiatorName":{"description":"initiatorName is the custom iSCSI Initiator Name. If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface : will be created for the connection.","type":"string"},"iqn":{"description":"iqn is Target iSCSI Qualified Name.","type":"string"},"secretRef":{"$ref":"#/definitions/io.k8s.api.core.v1.SecretReference","description":"secretRef is the CHAP Secret for iSCSI target and initiator authentication"},"targetPortal":{"description":"targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).","type":"string"}},"required":["targetPortal","iqn","lun"],"type":"object"},"io.k8s.api.resource.v1alpha3.DeviceRequest":{"description":"DeviceRequest is a request for devices required for a claim. This is typically a request for a single resource like a device, but can also ask for several identical devices.","properties":{"tolerations":{"description":"If specified, the request's tolerations.\n\nTolerations for NoSchedule are required to allocate a device which has a taint with that effect. The same applies to NoExecute.\n\nIn addition, should any of the allocated devices get tainted with NoExecute after allocation and that effect is not tolerated, then all pods consuming the ResourceClaim get deleted to evict them. The scheduler will not let new pods reserve the claim while it has these tainted devices. Once all pods are evicted, the claim will get deallocated.\n\nThe maximum number of tolerations is 16.\n\nThis field can only be set when deviceClassName is set and no subrequests are specified in the firstAvailable list.\n\nThis is an alpha field and requires enabling the DRADeviceTaints feature gate.","items":{"$ref":"#/definitions/io.k8s.api.resource.v1alpha3.DeviceToleration"},"type":"array","x-kubernetes-list-type":"atomic"},"adminAccess":{"description":"AdminAccess indicates that this is a claim for administrative access to the device(s). Claims with AdminAccess are expected to be used for monitoring or other management services for a device. They ignore all ordinary claims to the device with respect to access modes and any resource allocations.\n\nThis field can only be set when deviceClassName is set and no subrequests are specified in the firstAvailable list.\n\nThis is an alpha field and requires enabling the DRAAdminAccess feature gate. Admin access is disabled if this field is unset or set to false, otherwise it is enabled.","type":"boolean"},"allocationMode":{"description":"AllocationMode and its related fields define how devices are allocated to satisfy this request. Supported values are:\n\n- ExactCount: This request is for a specific number of devices.\n This is the default. The exact number is provided in the\n count field.\n\n- All: This request is for all of the matching devices in a pool.\n At least one device must exist on the node for the allocation to succeed.\n Allocation will fail if some devices are already allocated,\n unless adminAccess is requested.\n\nIf AllocationMode is not specified, the default mode is ExactCount. If the mode is ExactCount and count is not specified, the default count is one. Any other requests must specify this field.\n\nThis field can only be set when deviceClassName is set and no subrequests are specified in the firstAvailable list.\n\nMore modes may get added in the future. Clients must refuse to handle requests with unknown modes.","type":"string"},"count":{"description":"Count is used only when the count mode is \"ExactCount\". Must be greater than zero. If AllocationMode is ExactCount and this field is not specified, the default is one.\n\nThis field can only be set when deviceClassName is set and no subrequests are specified in the firstAvailable list.","format":"int64","type":"integer"},"deviceClassName":{"description":"DeviceClassName references a specific DeviceClass, which can define additional configuration and selectors to be inherited by this request.\n\nA class is required if no subrequests are specified in the firstAvailable list and no class can be set if subrequests are specified in the firstAvailable list. Which classes are available depends on the cluster.\n\nAdministrators may use this to restrict which devices may get requested by only installing classes with selectors for permitted devices. If users are free to request anything without restrictions, then administrators can create an empty DeviceClass for users to reference.","type":"string"},"firstAvailable":{"description":"FirstAvailable contains subrequests, of which exactly one will be satisfied by the scheduler to satisfy this request. It tries to satisfy them in the order in which they are listed here. So if there are two entries in the list, the scheduler will only check the second one if it determines that the first one cannot be used.\n\nThis field may only be set in the entries of DeviceClaim.Requests.\n\nDRA does not yet implement scoring, so the scheduler will select the first set of devices that satisfies all the requests in the claim. And if the requirements can be satisfied on more than one node, other scheduling features will determine which node is chosen. This means that the set of devices allocated to a claim might not be the optimal set available to the cluster. Scoring will be implemented later.","items":{"$ref":"#/definitions/io.k8s.api.resource.v1alpha3.DeviceSubRequest"},"type":"array","x-kubernetes-list-type":"atomic"},"name":{"type":"string","description":"Name can be used to reference this request in a pod.spec.containers[].resources.claims entry and in a constraint of the claim.\n\nMust be a DNS label."},"selectors":{"type":"array","x-kubernetes-list-type":"atomic","description":"Selectors define criteria which must be satisfied by a specific device in order for that device to be considered for this request. All selectors must be satisfied for a device to be considered.\n\nThis field can only be set when deviceClassName is set and no subrequests are specified in the firstAvailable list.","items":{"$ref":"#/definitions/io.k8s.api.resource.v1alpha3.DeviceSelector"}}},"required":["name"],"type":"object"},"io.k8s.api.resource.v1beta1.CounterSet":{"type":"object","description":"CounterSet defines a named set of counters that are available to be used by devices defined in the ResourceSlice.\n\nThe counters are not allocatable by themselves, but can be referenced by devices. When a device is allocated, the portion of counters it uses will no longer be available for use by other devices.","properties":{"counters":{"additionalProperties":{"$ref":"#/definitions/io.k8s.api.resource.v1beta1.Counter"},"description":"Counters defines the set of counters for this CounterSet The name of each counter must be unique in that set and must be a DNS label.\n\nThe maximum number of counters is 32.","type":"object"},"name":{"description":"Name defines the name of the counter set. It must be a DNS label.","type":"string"}},"required":["name","counters"]},"io.k8s.api.admissionregistration.v1alpha1.ParamKind":{"x-kubernetes-map-type":"atomic","description":"ParamKind is a tuple of Group Kind and Version.","properties":{"apiVersion":{"type":"string","description":"APIVersion is the API group version the resources belong to. In format of \"group/version\". Required."},"kind":{"description":"Kind is the API kind the resources belong to. Required.","type":"string"}},"type":"object"},"io.k8s.api.apiserverinternal.v1alpha1.StorageVersionCondition":{"description":"Describes the state of the storageVersion at a certain point.","properties":{"status":{"description":"Status of the condition, one of True, False, Unknown.","type":"string"},"type":{"description":"Type of the condition.","type":"string"},"lastTransitionTime":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time","description":"Last time the condition transitioned from one status to another."},"message":{"description":"A human readable message indicating details about the transition.","type":"string"},"observedGeneration":{"description":"If set, this represents the .metadata.generation that the condition was set based upon.","format":"int64","type":"integer"},"reason":{"description":"The reason for the condition's last transition.","type":"string"}},"required":["type","status","reason","message"],"type":"object"},"io.k8s.api.authorization.v1.SelfSubjectRulesReview":{"required":["spec"],"type":"object","x-kubernetes-group-version-kind":[{"kind":"SelfSubjectRulesReview","version":"v1","group":"authorization.k8s.io"}],"description":"SelfSubjectRulesReview enumerates the set of actions the current user can perform within a namespace. The returned list of actions may be incomplete depending on the server's authorization mode, and any errors experienced during the evaluation. SelfSubjectRulesReview should be used by UIs to show/hide actions, or to quickly let an end user reason about their permissions. It should NOT Be used by external systems to drive authorization decisions as this raises confused deputy, cache lifetime/revocation, and correctness concerns. SubjectAccessReview, and LocalAccessReview are the correct way to defer authorization decisions to the API server.","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"type":"string","enum":["SelfSubjectRulesReview"],"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"},"spec":{"$ref":"#/definitions/io.k8s.api.authorization.v1.SelfSubjectRulesReviewSpec","description":"Spec holds information about the request being evaluated."},"status":{"description":"Status is filled in by the server and indicates the set of actions a user can perform.","$ref":"#/definitions/io.k8s.api.authorization.v1.SubjectRulesReviewStatus"}}},"io.k8s.api.autoscaling.v2.ExternalMetricSource":{"type":"object","description":"ExternalMetricSource indicates how to scale on a metric not associated with any Kubernetes object (for example length of queue in cloud messaging service, or QPS from loadbalancer running outside of cluster).","properties":{"metric":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricIdentifier","description":"metric identifies the target metric by name and selector"},"target":{"$ref":"#/definitions/io.k8s.api.autoscaling.v2.MetricTarget","description":"target specifies the target value for the given metric"}},"required":["metric","target"]},"io.k8s.api.rbac.v1.AggregationRule":{"description":"AggregationRule describes how to locate ClusterRoles to aggregate into the ClusterRole","properties":{"clusterRoleSelectors":{"description":"ClusterRoleSelectors holds a list of selectors which will be used to find ClusterRoles and create the rules. If any of the selectors match, then the ClusterRole's permissions will be added","items":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"},"type":"array","x-kubernetes-list-type":"atomic"}},"type":"object"},"io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.CustomResourceValidation":{"description":"CustomResourceValidation is a list of validation methods for CustomResources.","properties":{"openAPIV3Schema":{"$ref":"#/definitions/io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1.JSONSchemaProps","description":"openAPIV3Schema is the OpenAPI v3 schema to use for validation and pruning."}},"type":"object"},"io.k8s.api.flowcontrol.v1.ServiceAccountSubject":{"description":"ServiceAccountSubject holds detailed information for service-account-kind subject.","properties":{"namespace":{"description":"`namespace` is the namespace of matching ServiceAccount objects. Required.","type":"string"},"name":{"description":"`name` is the name of matching ServiceAccount objects, or \"*\" to match regardless of name. Required.","type":"string"}},"required":["namespace","name"],"type":"object"},"io.k8s.api.coordination.v1.LeaseList":{"description":"LeaseList is a list of Lease objects.","properties":{"apiVersion":{"type":"string","description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources"},"items":{"description":"items is a list of schema objects.","items":{"$ref":"#/definitions/io.k8s.api.coordination.v1.Lease"},"type":"array"},"kind":{"type":"string","enum":["LeaseList"],"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta","description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata"}},"required":["items"],"type":"object","x-kubernetes-group-version-kind":[{"kind":"LeaseList","version":"v1","group":"coordination.k8s.io"}]},"io.k8s.api.admissionregistration.v1.ValidatingWebhookConfiguration":{"description":"ValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and object without changing it.","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["ValidatingWebhookConfiguration"]},"metadata":{"description":"Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.","$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta"},"webhooks":{"x-kubernetes-patch-strategy":"merge","description":"Webhooks is a list of webhooks and the affected resources and operations.","items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingWebhook"},"type":"array","x-kubernetes-list-map-keys":["name"],"x-kubernetes-list-type":"map","x-kubernetes-patch-merge-key":"name"}},"type":"object","x-kubernetes-group-version-kind":[{"version":"v1","group":"admissionregistration.k8s.io","kind":"ValidatingWebhookConfiguration"}]},"io.k8s.api.admissionregistration.v1.WebhookClientConfig":{"description":"WebhookClientConfig contains the information to make a TLS connection with the webhook","properties":{"caBundle":{"description":"`caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. If unspecified, system trust roots on the apiserver are used.","format":"byte","type":"string"},"service":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ServiceReference","description":"`service` is a reference to the service for this webhook. Either `service` or `url` must be specified.\n\nIf the webhook is running within the cluster, then you should use `service`."},"url":{"type":"string","description":"`url` gives the location of the webhook, in standard URL form (`scheme://host:port/path`). Exactly one of `url` or `service` must be specified.\n\nThe `host` should not refer to a service running in the cluster; use the `service` field instead. The host might be resolved via external DNS in some apiservers (e.g., `kube-apiserver` cannot resolve in-cluster DNS as that would be a layering violation). `host` may also be an IP address.\n\nPlease note that using `localhost` or `127.0.0.1` as a `host` is risky unless you take great care to run this webhook on all hosts which run an apiserver which might need to make calls to this webhook. Such installs are likely to be non-portable, i.e., not easy to turn up in a new cluster.\n\nThe scheme must be \"https\"; the URL must begin with \"https://\".\n\nA path is optional, and if present may be any string permissible in a URL. You may use the path to pass an arbitrary string to the webhook, for example, a cluster identifier.\n\nAttempting to use a user or basic auth e.g. \"user:password@\" is not allowed. Fragments (\"#...\") and query parameters (\"?...\") are not allowed, either."}},"type":"object"},"io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicy":{"type":"object","x-kubernetes-group-version-kind":[{"group":"admissionregistration.k8s.io","kind":"MutatingAdmissionPolicy","version":"v1alpha1"}],"description":"MutatingAdmissionPolicy describes the definition of an admission mutation policy that mutates the object coming into admission chain.","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"type":"string","enum":["MutatingAdmissionPolicy"],"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta","description":"Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata."},"spec":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1alpha1.MutatingAdmissionPolicySpec","description":"Specification of the desired behavior of the MutatingAdmissionPolicy."}}},"io.k8s.api.apps.v1.DeploymentList":{"description":"DeploymentList is a list of Deployments.","properties":{"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta","description":"Standard list metadata."},"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is the list of Deployments.","items":{"$ref":"#/definitions/io.k8s.api.apps.v1.Deployment"},"type":"array"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["DeploymentList"]}},"required":["items"],"type":"object","x-kubernetes-group-version-kind":[{"group":"apps","kind":"DeploymentList","version":"v1"}]},"io.k8s.api.core.v1.GRPCAction":{"properties":{"port":{"description":"Port number of the gRPC service. Number must be in the range 1 to 65535.","format":"int32","type":"integer"},"service":{"description":"Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).\n\nIf this is not specified, the default behavior is defined by gRPC.","type":"string"}},"required":["port"],"type":"object","description":"GRPCAction specifies an action involving a GRPC service."},"io.k8s.api.resource.v1alpha3.DeviceClassList":{"description":"DeviceClassList is a collection of classes.","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"Items is the list of resource classes.","items":{"$ref":"#/definitions/io.k8s.api.resource.v1alpha3.DeviceClass"},"type":"array"},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["DeviceClassList"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta","description":"Standard list metadata"}},"required":["items"],"type":"object","x-kubernetes-group-version-kind":[{"group":"resource.k8s.io","kind":"DeviceClassList","version":"v1alpha3"}]},"io.k8s.api.core.v1.PersistentVolumeList":{"description":"PersistentVolumeList is a list of PersistentVolume items.","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"description":"items is a list of persistent volumes. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes","items":{"$ref":"#/definitions/io.k8s.api.core.v1.PersistentVolume"},"type":"array"},"kind":{"enum":["PersistentVolumeList"],"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta","description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"}},"required":["items"],"type":"object","x-kubernetes-group-version-kind":[{"group":"","kind":"PersistentVolumeList","version":"v1"}]},"io.k8s.api.core.v1.Taint":{"description":"The node this Taint is attached to has the \"effect\" on any pod that does not tolerate the Taint.","properties":{"effect":{"description":"Required. The effect of the taint on pods that do not tolerate the taint. Valid effects are NoSchedule, PreferNoSchedule and NoExecute.","type":"string"},"key":{"description":"Required. The taint key to be applied to a node.","type":"string"},"timeAdded":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time","description":"TimeAdded represents the time at which the taint was added. It is only written for NoExecute taints."},"value":{"type":"string","description":"The taint value corresponding to the taint key."}},"required":["key","effect"],"type":"object"},"io.k8s.api.certificates.v1.CertificateSigningRequestCondition":{"description":"CertificateSigningRequestCondition describes a condition of a CertificateSigningRequest object","properties":{"lastTransitionTime":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time","description":"lastTransitionTime is the time the condition last transitioned from one status to another. If unset, when a new condition type is added or an existing condition's status is changed, the server defaults this to the current time."},"lastUpdateTime":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.Time","description":"lastUpdateTime is the time of the last update to this condition"},"message":{"description":"message contains a human readable message with details about the request state","type":"string"},"reason":{"description":"reason indicates a brief reason for the request state","type":"string"},"status":{"description":"status of the condition, one of True, False, Unknown. Approved, Denied, and Failed conditions may not be \"False\" or \"Unknown\".","type":"string"},"type":{"type":"string","description":"type of the condition. Known conditions are \"Approved\", \"Denied\", and \"Failed\".\n\nAn \"Approved\" condition is added via the /approval subresource, indicating the request was approved and should be issued by the signer.\n\nA \"Denied\" condition is added via the /approval subresource, indicating the request was denied and should not be issued by the signer.\n\nA \"Failed\" condition is added via the /status subresource, indicating the signer failed to issue the certificate.\n\nApproved and Denied conditions are mutually exclusive. Approved, Denied, and Failed conditions cannot be removed once added.\n\nOnly one condition of a given type is allowed."}},"required":["type","status"],"type":"object"},"io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBindingList":{"x-kubernetes-group-version-kind":[{"group":"admissionregistration.k8s.io","kind":"ValidatingAdmissionPolicyBindingList","version":"v1"}],"description":"ValidatingAdmissionPolicyBindingList is a list of ValidatingAdmissionPolicyBinding.","properties":{"apiVersion":{"description":"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"items":{"items":{"$ref":"#/definitions/io.k8s.api.admissionregistration.v1.ValidatingAdmissionPolicyBinding"},"type":"array","description":"List of PolicyBinding."},"kind":{"description":"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string","enum":["ValidatingAdmissionPolicyBindingList"]},"metadata":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.ListMeta","description":"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"}},"required":["items"],"type":"object"},"io.k8s.api.apps.v1.DeploymentSpec":{"properties":{"revisionHistoryLimit":{"description":"The number of old ReplicaSets to retain to allow rollback. This is a pointer to distinguish between explicit zero and not specified. Defaults to 10.","format":"int32","type":"integer"},"selector":{"$ref":"#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector","description":"Label selector for pods. Existing ReplicaSets whose pods are selected by this will be the ones affected by this deployment. It must match the pod template's labels."},"strategy":{"$ref":"#/definitions/io.k8s.api.apps.v1.DeploymentStrategy","description":"The deployment strategy to use to replace existing pods with new ones.","x-kubernetes-patch-strategy":"retainKeys"},"template":{"$ref":"#/definitions/io.k8s.api.core.v1.PodTemplateSpec","description":"Template describes the pods that will be created. The only allowed template.spec.restartPolicy value is \"Always\"."},"minReadySeconds":{"description":"Minimum number of seconds for which a newly created pod should be ready without any of its container crashing, for it to be considered available. Defaults to 0 (pod will be considered available as soon as it is ready)","format":"int32","type":"integer"},"paused":{"description":"Indicates that the deployment is paused.","type":"boolean"},"progressDeadlineSeconds":{"description":"The maximum time in seconds for a deployment to make progress before it is considered to be failed. The deployment controller will continue to process failed deployments and a condition with a ProgressDeadlineExceeded reason will be surfaced in the deployment status. Note that progress will not be estimated during the time a deployment is paused. Defaults to 600s.","format":"int32","type":"integer"},"replicas":{"description":"Number of desired pods. This is a pointer to distinguish between explicit zero and not specified. Defaults to 1.","format":"int32","type":"integer"}},"required":["selector","template"],"type":"object","description":"DeploymentSpec is the specification of the desired behavior of the Deployment."},"io.k8s.api.resource.v1alpha3.DeviceToleration":{"description":"The ResourceClaim this DeviceToleration is attached to tolerates any taint that matches the triple using the matching operator .","properties":{"effect":{"description":"Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule and NoExecute.","type":"string"},"key":{"description":"Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. Must be a label name.","type":"string"},"operator":{"description":"Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a ResourceClaim can tolerate all taints of a particular category.","type":"string"},"tolerationSeconds":{"description":"TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. If larger than zero, the time when the pod needs to be evicted is calculated as