HyperShift API Reference
Packages:
hypershift.openshift.io/v1beta1
Package v1beta1 contains the HyperShift API.
The HyperShift API enables creating and managing lightweight, flexible, heterogeneous OpenShift clusters at scale.
HyperShift clusters are deployed in a topology which isolates the “control plane” (e.g. etcd, the API server, controller manager, etc.) from the “data plane” (e.g. worker nodes and their kubelets, and the infrastructure on which they run). This enables “hosted control plane as a service” use cases.
CertificateSigningRequestApproval
CertificateSigningRequestApproval defines the desired state of CertificateSigningRequestApproval
Field | Description |
---|---|
apiVersion (string) | hypershift.openshift.io/v1beta1 |
kind (string) | CertificateSigningRequestApproval |
metadata (Kubernetes meta/v1.ObjectMeta) | Refer to the Kubernetes API documentation for the fields of the metadata field. |
spec (CertificateSigningRequestApprovalSpec) | |
status (CertificateSigningRequestApprovalStatus) | |
HostedCluster
HostedCluster is the primary representation of a HyperShift cluster and encapsulates the control plane and common data plane configuration. Creating a HostedCluster results in a fully functional OpenShift control plane with no attached nodes. To support workloads (e.g. pods), a HostedCluster may have one or more associated NodePool resources.
Field | Description |
---|---|
apiVersion (string) | hypershift.openshift.io/v1beta1 |
kind (string) | HostedCluster |
metadata (Kubernetes meta/v1.ObjectMeta) | Refer to the Kubernetes API documentation for the fields of the metadata field. |
spec (HostedClusterSpec) | Spec is the desired behavior of the HostedCluster. |
status (HostedClusterStatus) | Status is the latest observed status of the HostedCluster. |
NodePool
NodePool is a scalable set of worker nodes attached to a HostedCluster. NodePool machine architectures are uniform within a given pool, and are independent of the control plane’s underlying machine architecture.
Field | Description |
---|---|
apiVersion (string) | hypershift.openshift.io/v1beta1 |
kind (string) | NodePool |
metadata (Kubernetes meta/v1.ObjectMeta) | Refer to the Kubernetes API documentation for the fields of the metadata field. |
spec (NodePoolSpec) | Spec is the desired behavior of the NodePool. |
status (NodePoolStatus) | Status is the latest observed status of the NodePool. |
AESCBCSpec
(Appears on: SecretEncryptionSpec)
AESCBCSpec defines metadata about the AESCBC secret encryption strategy
Field | Description |
---|---|
activeKey (Kubernetes core/v1.LocalObjectReference) | ActiveKey defines the active key used to encrypt new secrets. |
backupKey (Kubernetes core/v1.LocalObjectReference) | (Optional) BackupKey defines the old key during the rotation process so previously created secrets can continue to be decrypted until they are all re-encrypted with the active key. |
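As an added example (not from the HyperShift project or this reference), the manifest below shows a HostedCluster in the middle of an AESCBC key rotation. The enclosing field names `secretEncryption` and `type` belong to HostedClusterSpec/SecretEncryptionSpec rather than this section, and the Secret layout (a single `key` entry holding a base64-encoded 32-byte key) is assumed from the HyperShift documentation; all names and key material are constructed.

```yaml
# Added example: HostedCluster mid-rotation under the AESCBC strategy.
# Assumed (not in this section): spec.secretEncryption.type and the Secret
# layout with a single "key" entry. Names and key material are constructed.
apiVersion: v1
kind: Secret
metadata:
  name: etcd-encryption-key-2          # the new key, referenced as activeKey
  namespace: clusters                  # same namespace as the HostedCluster
type: Opaque
data:
  key: <base64 of 32 random bytes>     # placeholder; generate with a CSPRNG
---
apiVersion: hypershift.openshift.io/v1beta1
kind: HostedCluster
metadata:
  name: example
  namespace: clusters
spec:
  secretEncryption:
    type: aescbc
    aescbc:
      # activeKey encrypts every secret written from now on.
      activeKey:
        name: etcd-encryption-key-2
      # backupKey is the key that was active before the rotation. It is only
      # used to decrypt secrets not yet rewritten; remove it once all existing
      # secrets have been re-encrypted with the active key.
      backupKey:
        name: etcd-encryption-key-1
```

Before dropping backupKey, force a rewrite of existing secrets with the usual Kubernetes re-encryption step against the hosted cluster's API (`oc get secrets -A -o json | oc replace -f -`), so nothing remains encrypted only under the old key.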
APIServerNetworking
(Appears on: ClusterNetworking)
APIServerNetworking specifies how the APIServer is exposed inside a cluster node.
Field | Description |
---|---|
advertiseAddress (string) | (Optional) advertiseAddress is the address that pods within the nodes will use to talk to the API server. This is an address associated with the loopback adapter of each node. If not specified, the controller will take default values. The default values will be set as 172.20.0.1 or fd00::1. This value is immutable. |
port (int32) | (Optional) port is the port at which the APIServer is exposed inside a node. Other pods using host networking cannot listen on this port. If omitted, 6443 is used. This is useful to choose a port other than the default one, which might interfere with customer environments, e.g. https://github.com/openshift/hypershift/pull/356. Setting this to 443 is possible only for backward compatibility reasons and is discouraged: doing so would result in the controller overriding the KAS endpoint in the guest cluster, creating a discrepancy with the KAS Pod and potentially causing temporary network failures. This value is immutable. |
allowedCIDRBlocks ([]CIDRBlock) | allowedCIDRBlocks is an allow list of CIDR blocks that can access the APIServer. If not specified, traffic is allowed from all addresses. This depends on underlying support by the cloud provider for Service LoadBalancerSourceRanges. |
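Added example (not from the project): the apiServer block of a HostedCluster's networking spec with the three fields above, with the default-port choice and a source allow list spelled out. The path `spec.networking.apiServer` through ClusterNetworking is assumed (ClusterNetworking is not part of this section), and the CIDRs are constructed.

```yaml
# Added example: APIServerNetworking inside a HostedCluster spec.
# Assumed: spec.networking.apiServer as the enclosing path. CIDRs constructed.
spec:
  networking:
    apiServer:
      # Loopback address that pods on each node use to reach the hosted API
      # server; the controller would default this to 172.20.0.1 (or fd00::1).
      # Immutable after creation.
      advertiseAddress: 172.20.0.1
      # Port exposed on every node; no host-networking pod may listen on it.
      # 6443 is the default; 443 is accepted only for backward compatibility
      # and is discouraged. Immutable after creation.
      port: 6443
      # Source allow list applied to the API server's load balancer through
      # LoadBalancerSourceRanges (requires cloud-provider support). Omitting
      # it allows traffic from all addresses.
      allowedCIDRBlocks:
        - 203.0.113.0/24     # constructed: corporate egress range
        - 198.51.100.10/32   # constructed: CI runner
```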
AWSCloudProviderConfig
(Appears on: AWSPlatformSpec)
AWSCloudProviderConfig specifies AWS networking configuration.
Field | Description |
---|---|
subnet (AWSResourceReference) | (Optional) Subnet is the subnet to use for control plane cloud resources. |
zone (string) | (Optional) Zone is the availability zone where control plane cloud resources are created. |
vpc (string) | VPC is the VPC to use for control plane cloud resources. |
AWSEndpointAccessType
(Appears on: AWSPlatformSpec)
AWSEndpointAccessType specifies the publishing scope of cluster endpoints.
Value | Description |
---|---|
"Private" | Private endpoint access allows only private API server access and private node communication with the control plane. |
"Public" | Public endpoint access allows public API server access and public node communication with the control plane. |
"PublicAndPrivate" | PublicAndPrivate endpoint access allows public API server access and private node communication with the control plane. |
AWSKMSAuthSpec
(Appears on: AWSKMSSpec)
AWSKMSAuthSpec defines metadata about the management of credentials used to interact with and encrypt data via an AWS KMS key.
Field | Description |
---|---|
awsKms (string) | AWSKMSARN is an ARN value referencing a role appropriate for managing the auth via the AWS KMS key. The referenced role must have a trust relationship that allows it to be assumed via web identity (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html). Example: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "{{ .ProviderARN }}" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "{{ .ProviderName }}:sub": {{ .ServiceAccounts }} } } } ] } The following is an example of a valid policy document: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt", "kms:GenerateDataKey", "kms:DescribeKey" ], "Resource": %q } ] } |
AWSKMSKeyEntry
(Appears on: AWSKMSSpec)
AWSKMSKeyEntry defines metadata to locate the encryption key in AWS
Field | Description |
---|---|
arn (string) | ARN is the Amazon Resource Name for the encryption key. |
AWSKMSSpec
(Appears on: KMSSpec)
AWSKMSSpec defines metadata about the configuration of the AWS KMS Secret Encryption provider
Field | Description |
---|---|
region (string) | Region contains the AWS region. |
activeKey (AWSKMSKeyEntry) | ActiveKey defines the active key used to encrypt new secrets. |
backupKey (AWSKMSKeyEntry) | (Optional) BackupKey defines the old key during the rotation process so previously created secrets can continue to be decrypted until they are all re-encrypted with the active key. |
auth (AWSKMSAuthSpec) | Auth defines metadata about the management of credentials used to interact with AWS KMS. |
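Added example (not the project's own): the AWS KMS provider configured with an active and a backup key, plus the `auth.awsKms` role that the control plane assumes via web identity as described under AWSKMSAuthSpec. The enclosing `spec.secretEncryption.type`, `kms.provider` and `kms.aws` fields are assumed from SecretEncryptionSpec/KMSSpec, which are not in this section; account ids, key ids and role names are constructed placeholders.

```yaml
# Added example: HostedCluster secret encryption backed by AWS KMS.
# Assumed (not in this section): spec.secretEncryption.type, kms.provider,
# kms.aws. All ARNs are constructed placeholders.
apiVersion: hypershift.openshift.io/v1beta1
kind: HostedCluster
metadata:
  name: example
  namespace: clusters
spec:
  secretEncryption:
    type: kms
    kms:
      provider: AWS
      aws:
        region: us-east-1
        # New secrets are wrapped with activeKey; backupKey stays only until
        # every secret written under it has been re-encrypted.
        activeKey:
          arn: arn:aws:kms:us-east-1:111122223333:key/<new-key-id>
        backupKey:
          arn: arn:aws:kms:us-east-1:111122223333:key/<previous-key-id>
        auth:
          # Role assumed through sts:AssumeRoleWithWebIdentity by the KMS
          # encryption provider in the control plane. Its trust policy must
          # federate the cluster's OIDC provider (see AWSKMSAuthSpec), and its
          # permissions policy should grant kms:Encrypt, kms:Decrypt,
          # kms:ReEncrypt*, kms:GenerateDataKey and kms:DescribeKey scoped to
          # the two key ARNs above rather than to "*".
          awsKms: arn:aws:iam::111122223333:role/<infra-id>-kms-provider
```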
AWSNodePoolPlatform
(Appears on: NodePoolPlatform)
AWSNodePoolPlatform specifies the configuration of a NodePool when operating on AWS.
Field | Description |
---|---|
instanceType (string) | InstanceType is an ec2 instance type for node instances (e.g. m5.large). |
instanceProfile (string) | InstanceProfile is the AWS EC2 instance profile, which is a container for an IAM role that the EC2 instance uses. |
subnet (AWSResourceReference) | Subnet is the subnet to use for node instances. |
ami (string) | (Optional) AMI is the image id to use for node instances. If unspecified, the default is chosen based on the NodePool release payload image. |
securityGroups ([]AWSResourceReference) | (Optional) SecurityGroups is an optional set of security groups to associate with node instances. |
rootVolume (Volume) | (Optional) RootVolume specifies configuration for the root volume of node instances. |
resourceTags ([]AWSResourceTag) | (Optional) ResourceTags is an optional list of additional tags to apply to AWS node instances. These will be merged with HostedCluster scoped tags, and HostedCluster tags take precedence in case of conflicts. See https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for information on tagging AWS resources. AWS supports a maximum of 50 tags per resource. OpenShift reserves 25 tags for its use, leaving 25 tags available for the user. |
placement (PlacementOptions) | (Optional) placement specifies the placement options for the EC2 instances. |
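Added example (not from the project): a NodePool using the AWS platform fields above, resolving its subnet by filter and its security groups by id, since an AWSResourceReference accepts exactly one of the two. `spec.platform.type`/`spec.platform.aws`, `clusterName`, `replicas`, `release`, the `Filter` `name`/`values` shape and the `Volume` fields (`size`, `type`, `encrypted`) come from types outside this section and are assumed; all ids and tag values are constructed.

```yaml
# Added example: NodePool on AWS. Assumed: spec.platform.type/aws,
# clusterName, replicas, release, Filter and Volume field names.
# Ids and tag values are constructed.
apiVersion: hypershift.openshift.io/v1beta1
kind: NodePool
metadata:
  name: example-workers
  namespace: clusters
spec:
  clusterName: example
  replicas: 3
  release:
    image: <release-payload-image>     # placeholder
  platform:
    type: AWS
    aws:
      instanceType: m5.large
      instanceProfile: example-worker-profile
      # Resolve the subnet with an EC2 filter instead of a hard-coded id;
      # specifying both id and filters is rejected by validation.
      subnet:
        filters:
          - name: tag:kubernetes.io/cluster/example
            values:
              - owned
      # Extra security groups by id. DefaultWorkerSecurityGroupID created by
      # the control plane operator is attached on top of these.
      securityGroups:
        - id: sg-0123456789abcdef0
      # ami omitted: the default is derived from the release payload image.
      rootVolume:
        size: 120
        type: gp3
        encrypted: true
      # Merged with HostedCluster tags; HostedCluster wins on conflicts, and
      # only 25 of the 50 AWS tag slots are available to the user.
      resourceTags:
        - key: cost-center
          value: platform
```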
AWSPlatformSpec
(Appears on: PlatformSpec)
AWSPlatformSpec specifies configuration for clusters running on Amazon Web Services.
Field | Description |
---|---|
region (string) | Region is the AWS region in which the cluster resides. This configures the OCP control plane cloud integrations, and is used by NodePool to resolve the correct boot AMI for a given release. |
cloudProviderConfig (AWSCloudProviderConfig) | (Optional) CloudProviderConfig specifies AWS networking configuration for the control plane. This is mainly used for cloud provider controller config: https://github.com/kubernetes/kubernetes/blob/f5be5052e3d0808abb904aebd3218fe4a5c2dd82/staging/src/k8s.io/legacy-cloud-providers/aws/aws.go#L1347-L1364 TODO(dan): should this be named AWSNetworkConfig? |
serviceEndpoints ([]AWSServiceEndpoint) | (Optional) ServiceEndpoints specifies optional custom endpoints which will override the default service endpoint of specific AWS Services. There must be only one ServiceEndpoint for a given service name. |
rolesRef (AWSRolesRef) | RolesRef contains references to various AWS IAM roles required to enable integrations such as OIDC. |
resourceTags ([]AWSResourceTag) | (Optional) ResourceTags is a list of additional tags to apply to AWS resources created for the cluster. See https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for information on tagging AWS resources. AWS supports a maximum of 50 tags per resource. OpenShift reserves 25 tags for its use, leaving 25 tags available for the user. |
endpointAccess (AWSEndpointAccessType) | (Optional) EndpointAccess specifies the publishing scope of cluster endpoints. The default is Public. |
additionalAllowedPrincipals ([]string) | (Optional) AdditionalAllowedPrincipals specifies a list of additional allowed principal ARNs to be added to the hosted control plane’s VPC Endpoint Service to enable additional VPC Endpoint connection requests to be automatically accepted. See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html for more details around VPC Endpoint Service allowed principals. |
multiArch (bool) | (Optional) MultiArch specifies whether the Hosted Cluster will be expected to support NodePools with different CPU architectures, i.e., supporting arm64 NodePools and supporting amd64 NodePools on the same Hosted Cluster. Deprecated: This field is no longer used. The HyperShift Operator now performs multi-arch validations automatically regardless of the platform type. The HyperShift Operator will set HostedCluster.Status.PayloadArch based on the HostedCluster release image; that status field is used by the NodePool controller to validate that NodePool.Spec.Arch is supported. |
sharedVPC (AWSSharedVPC) | (Optional) SharedVPC contains fields that must be specified if the HostedCluster must use a VPC that is created in a different AWS account and is shared with the AWS account where the HostedCluster will be created. |
AWSPlatformStatus
(Appears on: PlatformStatus)
AWSPlatformStatus contains status specific to the AWS platform
Field | Description |
---|---|
defaultWorkerSecurityGroupID (string) | (Optional) DefaultWorkerSecurityGroupID is the ID of a security group created by the control plane operator. It is always added to worker machines in addition to any security groups specified in the NodePool. |
AWSResourceReference
(Appears on: AWSCloudProviderConfig, AWSNodePoolPlatform)
AWSResourceReference is a reference to a specific AWS resource by ID or filters. Only one of ID or Filters may be specified. Specifying more than one will result in a validation error.
Field | Description |
---|---|
id (string) | (Optional) ID of resource. |
filters ([]Filter) | (Optional) Filters is a set of key/value pairs used to identify a resource. They are applied according to the rules defined by the AWS API: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html |
AWSResourceTag
(Appears on: AWSNodePoolPlatform, AWSPlatformSpec)
AWSResourceTag is a tag to apply to AWS resources created for the cluster.
Field | Description |
---|---|
key (string) | Key is the key of the tag. |
value (string) | Value is the value of the tag. Some AWS services do not support empty values. Since tags are added to resources in many services, the length of the tag value must meet the requirements of all services. |
AWSRoleCredentials
Field | Description |
---|---|
arn (string) | |
namespace (string) | |
name (string) | |
AWSRolesRef
(Appears on: AWSPlatformSpec)
AWSRolesRef contains references to various AWS IAM roles required for operators to make calls against the AWS API.
Field | Description |
---|---|
ingressARN (string) | IngressARN is an ARN value referencing a role appropriate for the Ingress Operator. The referenced role must have a trust relationship that allows it to be assumed via web identity (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html). Example: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": "{{ .ProviderARN }}" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "{{ .ProviderName }}:sub": {{ .ServiceAccounts }} } } } ] } The following is an example of a valid policy document: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticloadbalancing:DescribeLoadBalancers", "tag:GetResources", "route53:ListHostedZones" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "route53:ChangeResourceRecordSets" ], "Resource": [ "arn:aws:route53:::PUBLIC_ZONE_ID", "arn:aws:route53:::PRIVATE_ZONE_ID" ] } ] } |
imageRegistryARN (string) | ImageRegistryARN is an ARN value referencing a role appropriate for the Image Registry Operator. The following is an example of a valid policy document: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:DeleteBucket", "s3:PutBucketTagging", "s3:GetBucketTagging", "s3:PutBucketPublicAccessBlock", "s3:GetBucketPublicAccessBlock", "s3:PutEncryptionConfiguration", "s3:GetEncryptionConfiguration", "s3:PutLifecycleConfiguration", "s3:GetLifecycleConfiguration", "s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucketMultipartUploads", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts" ], "Resource": "*" } ] } |
storageARN (string) | StorageARN is an ARN value referencing a role appropriate for the Storage Operator. The following is an example of a valid policy document: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:AttachVolume", "ec2:CreateSnapshot", "ec2:CreateTags", "ec2:CreateVolume", "ec2:DeleteSnapshot", "ec2:DeleteTags", "ec2:DeleteVolume", "ec2:DescribeInstances", "ec2:DescribeSnapshots", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DetachVolume", "ec2:ModifyVolume" ], "Resource": "*" } ] } |
networkARN (string) | NetworkARN is an ARN value referencing a role appropriate for the Network Operator. The following is an example of a valid policy document: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeInstanceTypes", "ec2:UnassignPrivateIpAddresses", "ec2:AssignPrivateIpAddresses", "ec2:UnassignIpv6Addresses", "ec2:AssignIpv6Addresses", "ec2:DescribeSubnets", "ec2:DescribeNetworkInterfaces" ], "Resource": "*" } ] } |
kubeCloudControllerARN (string) | KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC. Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies The following is an example of a valid policy document: { "Version": "2012-10-17", "Statement": [ { "Action": [ "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", "ec2:DescribeAvailabilityZones", "ec2:DescribeInstances", "ec2:DescribeImages", "ec2:DescribeRegions", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVolumes", "ec2:CreateSecurityGroup", "ec2:CreateTags", "ec2:CreateVolume", "ec2:ModifyInstanceAttribute", "ec2:ModifyVolume", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateRoute", "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:RevokeSecurityGroupIngress", "ec2:DescribeVpcs", "elasticloadbalancing:AddTags", "elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateLoadBalancerPolicy", "elasticloadbalancing:CreateLoadBalancerListeners", "elasticloadbalancing:ConfigureHealthCheck", "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DeleteLoadBalancerListeners", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DetachLoadBalancerFromSubnets", "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:DeleteListener", "elasticloadbalancing:DeleteTargetGroup", "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", "elasticloadbalancing:ModifyListener", "elasticloadbalancing:ModifyTargetGroup", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", "iam:CreateServiceLinkedRole", "kms:DescribeKey" ], "Resource": [ "*" ], "Effect": "Allow" } ] } |
nodePoolManagementARN (string) | NodePoolManagementARN is an ARN value referencing a role appropriate for the CAPI Controller. The following is an example of a valid policy document: { "Version": "2012-10-17", "Statement": [ { "Action": [ "ec2:AssociateRouteTable", "ec2:AttachInternetGateway", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateInternetGateway", "ec2:CreateNatGateway", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:CreateSecurityGroup", "ec2:CreateSubnet", "ec2:CreateTags", "ec2:DeleteInternetGateway", "ec2:DeleteNatGateway", "ec2:DeleteRouteTable", "ec2:DeleteSecurityGroup", "ec2:DeleteSubnet", "ec2:DeleteTags", "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses", "ec2:DescribeAvailabilityZones", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInternetGateways", "ec2:DescribeNatGateways", "ec2:DescribeNetworkInterfaces", "ec2:DescribeNetworkInterfaceAttribute", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DescribeVpcAttribute", "ec2:DescribeVolumes", "ec2:DetachInternetGateway", "ec2:DisassociateRouteTable", "ec2:DisassociateAddress", "ec2:ModifyInstanceAttribute", "ec2:ModifyNetworkInterfaceAttribute", "ec2:ModifySubnetAttribute", "ec2:RevokeSecurityGroupIngress", "ec2:RunInstances", "ec2:TerminateInstances", "tag:GetResources", "ec2:CreateLaunchTemplate", "ec2:CreateLaunchTemplateVersion", "ec2:DescribeLaunchTemplates", "ec2:DescribeLaunchTemplateVersions", "ec2:DeleteLaunchTemplate", "ec2:DeleteLaunchTemplateVersions" ], "Resource": [ "" ], "Effect": "Allow" }, { "Condition": { "StringLike": { "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com" } }, "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": [ "arn::iam:::role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing" ], "Effect": "Allow" }, { "Action": [ "iam:PassRole" ], "Resource": [ "arn::iam:::role/-worker-role" ], "Effect": "Allow" }, { "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:ReEncrypt", "kms:GenerateDataKeyWithoutPlainText", "kms:DescribeKey" ], "Resource": "" }, { "Effect": "Allow", "Action": [ "kms:CreateGrant" ], "Resource": "", "Condition": { "Bool": { "kms:GrantIsForAWSResource": true } } } ] } |
controlPlaneOperatorARN (string) | ControlPlaneOperatorARN is an ARN value referencing a role appropriate for the Control Plane Operator. The following is an example of a valid policy document: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:CreateVpcEndpoint", "ec2:DescribeVpcEndpoints", "ec2:ModifyVpcEndpoint", "ec2:DeleteVpcEndpoints", "ec2:CreateTags", "route53:ListHostedZones", "ec2:CreateSecurityGroup", "ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:DeleteSecurityGroup", "ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress", "ec2:DescribeSecurityGroups", "ec2:DescribeVpcs" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets" ], "Resource": "arn:aws:route53:::%s" } ] } |
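Added example (not from the project) tying AWSPlatformSpec to AWSRolesRef: the AWS platform section of a HostedCluster with private-only endpoints and one IAM role per operator, so each component runs under only the policy shown for it above. `spec.platform.type`/`spec.platform.aws` are assumed from PlatformSpec, which is not in this section; account ids, VPC/subnet ids and role names are constructed placeholders.

```yaml
# Added example: AWS platform section of a HostedCluster spec.
# Assumed: spec.platform.type/aws (from PlatformSpec). Ids and ARNs are
# constructed placeholders.
spec:
  platform:
    type: AWS
    aws:
      region: us-east-1
      # Private: no public API server endpoint, and nodes reach the control
      # plane privately. The default is Public.
      endpointAccess: Private
      cloudProviderConfig:
        vpc: vpc-0123456789abcdef0
        zone: us-east-1a
        subnet:
          id: subnet-0123456789abcdef0
      # One role per operator, each carrying only the permissions listed for
      # it in AWSRolesRef, and each trusting the cluster's OIDC provider for
      # sts:AssumeRoleWithWebIdentity.
      rolesRef:
        ingressARN: arn:aws:iam::111122223333:role/<infra-id>-openshift-ingress
        imageRegistryARN: arn:aws:iam::111122223333:role/<infra-id>-openshift-image-registry
        storageARN: arn:aws:iam::111122223333:role/<infra-id>-aws-ebs-csi-driver-controller
        networkARN: arn:aws:iam::111122223333:role/<infra-id>-cloud-network-config-controller
        kubeCloudControllerARN: arn:aws:iam::111122223333:role/<infra-id>-cloud-controller
        nodePoolManagementARN: arn:aws:iam::111122223333:role/<infra-id>-node-pool
        controlPlaneOperatorARN: arn:aws:iam::111122223333:role/<infra-id>-control-plane-operator
      # Principals whose VPC endpoint connection requests to the control
      # plane's endpoint service are accepted automatically.
      additionalAllowedPrincipals:
        - arn:aws:iam::444455556666:root
      resourceTags:
        - key: owner
          value: platform-team
```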
AWSServiceEndpoint
(Appears on: AWSPlatformSpec)
AWSServiceEndpoint stores the configuration for services to override existing defaults of AWS Services.
Field | Description |
---|---|
name (string) | Name is the name of the AWS service. This must be provided and cannot be empty. |
url (string) | URL is a fully qualified URI with scheme https that overrides the default generated endpoint for a client. This must be provided and cannot be empty. |
AWSSharedVPC
(Appears on: AWSPlatformSpec)
AWSSharedVPC contains fields needed to create a HostedCluster using a VPC that has been created and shared from a different AWS account than the AWS account where the cluster is getting created.
Field | Description |
---|---|
rolesRef (AWSSharedVPCRolesRef) | RolesRef contains references to roles in the VPC owner account that enable a HostedCluster on a shared VPC. |
localZoneID (string) | LocalZoneID is the ID of the route53 hosted zone for [cluster-name].hypershift.local that is associated with the HostedCluster’s VPC and exists in the VPC owner account. |
AWSSharedVPCRolesRef
(Appears on: AWSSharedVPC)
AWSSharedVPCRolesRef contains references to AWS IAM roles required for a shared VPC hosted cluster. These roles must exist in the VPC owner’s account.
Field | Description |
---|---|
ingressARN (string) | IngressARN is an ARN value referencing the role in the VPC owner account that allows the ingress operator in the cluster account to create and manage records in the private DNS hosted zone. The referenced role must have a trust relationship that allows it to be assumed by the ingress operator role in the VPC creator account. Example: { "Version": "2012-10-17", "Statement": [ { "Sid": "Statement1", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-openshift-ingress" }, "Action": "sts:AssumeRole" } ] } The following is an example of the policy document for this role (based on https://docs.openshift.com/rosa/rosa_install_access_delete_clusters/rosa-shared-vpc-config.html#rosa-sharing-vpc-dns-and-roles_rosa-shared-vpc-config): { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "route53:ListHostedZones", "route53:ListHostedZonesByName", "route53:ChangeTagsForResource", "route53:GetAccountLimit", "route53:GetChange", "route53:GetHostedZone", "route53:ListTagsForResource", "route53:UpdateHostedZoneComment", "tag:GetResources", "tag:UntagResources", "route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets" ], "Resource": "*" } ] } |
controlPlaneARN (string) | ControlPlaneARN is an ARN value referencing the role in the VPC owner account that allows the control plane operator in the cluster account to create and manage a VPC endpoint, its corresponding Security Group, and DNS records in the hypershift local hosted zone. The referenced role must have a trust relationship that allows it to be assumed by the control plane operator role in the VPC creator account. Example: { "Version": "2012-10-17", "Statement": [ { "Sid": "Statement1", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-control-plane-operator" }, "Action": "sts:AssumeRole" } ] } The following is an example of the policy document for this role: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:CreateVpcEndpoint", "ec2:DescribeVpcEndpoints", "ec2:ModifyVpcEndpoint", "ec2:DeleteVpcEndpoints", "ec2:CreateTags", "route53:ListHostedZones", "ec2:CreateSecurityGroup", "ec2:AuthorizeSecurityGroupIngress", "ec2:AuthorizeSecurityGroupEgress", "ec2:DeleteSecurityGroup", "ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupEgress", "ec2:DescribeSecurityGroups", "ec2:DescribeVpcs", "route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets" ], "Resource": "*" } ] } |
AddressPair
(Appears on: PortSpec)
Field | Description |
---|---|
ipAddress (string) | IPAddress is the IP address of the allowed address pair. Depending on the configuration of Neutron, it may be supported to specify a CIDR instead of a specific IP address. |
AgentNodePoolPlatform
(Appears on: NodePoolPlatform)
AgentNodePoolPlatform specifies the configuration of a NodePool when operating on the Agent platform.
Field | Description |
---|---|
agentLabelSelector (Kubernetes meta/v1.LabelSelector) | (Optional) AgentLabelSelector contains labels that must be set on an Agent in order to be selected for a Machine. |
AgentPlatformSpec
(Appears on: PlatformSpec)
AgentPlatformSpec specifies configuration for agent-based installations.
Field | Description |
---|---|
agentNamespace (string) | AgentNamespace is the namespace where to search for Agents for this cluster. |
AllocationPool
(Appears on: SubnetSpec)
Field | Description |
---|---|
start (string) | Start represents the start of the AllocationPool, that is the lowest IP of the pool. |
end (string) | End represents the end of the AllocationPool, that is the highest IP of the pool. |
AutoNode
(Appears on: HostedClusterSpec, HostedControlPlaneSpec)
We expose here internal configuration knobs that won’t be exposed to the service.
Field | Description |
---|---|
provisionerConfig (ProvisionerConfig) | provisioner is the implementation used for Node auto provisioning. |
AvailabilityPolicy
(Appears on: HostedClusterSpec, HostedControlPlaneSpec)
availabilityPolicy specifies a high level availability policy for components.
Value | Description |
---|---|
"HighlyAvailable" | HighlyAvailable means components should be resilient to problems across fault boundaries as defined by the component to which the policy is attached. This usually means running critical workloads with 3 replicas and with little or no toleration of disruption of the component. |
"SingleReplica" | SingleReplica means components are not expected to be resilient to problems across most fault boundaries associated with high availability. This usually means running critical workloads with just 1 replica and with toleration of full disruption of the component. |
AzureDiagnosticsStorageAccountType
(Appears on: Diagnostics)
AzureDiagnosticsStorageAccountType specifies the type of storage account for storing Azure VM diagnostics data.
Value | Description |
---|---|
"Disabled" | |
"Managed" | |
"UserManaged" | |
AzureDiskPersistence
(Appears on: AzureNodePoolOSDisk)
Value | Description |
---|---|
"Ephemeral" | EphemeralDiskPersistence is the ephemeral disk type. |
"Persistent" | PersistentDiskPersistence is the persistent disk type. |
AzureDiskStorageAccountType
(Appears on: AzureNodePoolOSDisk)
Value | Description |
---|---|
"Premium_LRS" | DiskStorageAccountTypesPremiumLRS - Premium SSD locally redundant storage. Best for production and performance sensitive workloads. |
"PremiumV2_LRS" | DiskStorageAccountTypesPremiumV2LRS - Premium SSD v2 locally redundant storage. Best for production and performance-sensitive workloads that consistently require low latency and high IOPS and throughput. |
"Standard_LRS" | DiskStorageAccountTypesStandardLRS - Standard HDD locally redundant storage. Best for backup, non-critical, and infrequent access. |
"StandardSSD_LRS" | DiskStorageAccountTypesStandardSSDLRS - Standard SSD locally redundant storage. Best for web servers, lightly used enterprise applications and dev/test. |
"UltraSSD_LRS" | DiskStorageAccountTypesUltraSSDLRS - Ultra SSD locally redundant storage. Best for IO-intensive workloads such as SAP HANA, top tier databases (for example, SQL, Oracle), and other transaction-heavy workloads. |
AzureKMSKey
(Appears on: AzureKMSSpec)
Field | Description |
---|---|
keyVaultName (string) | KeyVaultName is the name of the keyvault. Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name. Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g. using the Azure CLI: |
keyName (string) | KeyName is the name of the keyvault key used for encrypt/decrypt. |
keyVersion (string) | KeyVersion contains the version of the key to use. |
AzureKMSSpec
(Appears on: KMSSpec)
AzureKMSSpec defines metadata about the configuration of the Azure KMS Secret Encryption provider using Azure key vault
Field | Description |
---|---|
activeKey (AzureKMSKey) | ActiveKey defines the active key used to encrypt new secrets. |
backupKey (AzureKMSKey) | (Optional) BackupKey defines the old key during the rotation process so previously created secrets can continue to be decrypted until they are all re-encrypted with the active key. |
kms (ManagedIdentity) | kms is a pre-existing managed identity used to authenticate with Azure KMS. |
AzureMarketplaceImage
(Appears on: AzureVMImage)
AzureMarketplaceImage specifies the information needed to create an Azure VM from an Azure Marketplace image.
Field | Description |
---|---|
publisher (string) | publisher is the name of the organization that created the image. It must be between 3 and 50 characters in length, and consist of only lowercase letters, numbers, and hyphens (-) and underscores (_). It must start with a lowercase letter or a number. TODO: Can we explain where a user might find this value, or provide an example of one they might want to use |
offer (string) | offer specifies the name of a group of related images created by the publisher. TODO: What is the valid character set for this field? What about minimum and maximum lengths? |
sku (string) | sku specifies an instance of an offer, such as a major release of a distribution. For example, 2204-lts-gen2, 8-lvm-gen2. The value must consist only of lowercase letters, numbers, and hyphens (-) and underscores (_). TODO: What about length limits? |
version (string) | version specifies the version of an image sku. The allowed formats are Major.Minor.Build or ‘latest’. Major, Minor, and Build are decimal numbers, e.g. ‘1.2.0’. Specify ‘latest’ to use the latest version of an image available at deployment time. Even if you use ‘latest’, the VM image will not automatically update after deploy time even if a new version becomes available. |
AzureNodePoolOSDisk
(Appears on: AzureNodePoolPlatform)
Field | Description |
---|---|
sizeGiB
int32
|
(Optional)
SizeGiB is the size in GiB (1024^3 bytes) to assign to the OS disk. This should be between 16 and 65,536 when using the UltraSSD_LRS storage account type and between 16 and 32,767 when using any other storage account type. When not set, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is 30. |
diskStorageAccountType
AzureDiskStorageAccountType
|
(Optional)
diskStorageAccountType is the disk storage account type to use. Valid values are Premium_LRS, PremiumV2_LRS, Standard_LRS, StandardSSD_LRS, UltraSSD_LRS. Note that Standard means a HDD. The disk performance is tied to the disk type, please refer to the Azure documentation for further details https://docs.microsoft.com/en-us/azure/virtual-machines/disks-types#disk-type-comparison. When omitted this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default is Premium SSD LRS. |
encryptionSetID
string
|
(Optional)
encryptionSetID is the ID of the DiskEncryptionSet resource to use to encrypt the OS disks for the VMs.
Configuring a DiskEncryptionSet allows greater control over the encryption of the VM OS disk at rest.
Can be used with either platform (Azure) managed, or customer managed encryption keys.
This needs to exist in the same subscription id listed in the Hosted Cluster, HostedCluster.Spec.Platform.Azure.SubscriptionID.
DiskEncryptionSetID should also exist in a resource group under the same subscription id and the same location
listed in the Hosted Cluster, HostedCluster.Spec.Platform.Azure.Location.
The encryptionSetID should be in the format |
persistence
AzureDiskPersistence
|
(Optional)
persistence determines whether the OS disk should be persisted beyond the life of the VM. Valid values are Persistent and Ephemeral. When set to Ephemeral, the OS disk will not be persisted to Azure storage and implies restrictions to the VM size and caching type. Full details can be found in the Azure documentation https://learn.microsoft.com/en-us/azure/virtual-machines/ephemeral-os-disks. Ephemeral disks are primarily used for stateless applications, provide lower latency than Persistent disks and also incur no storage costs. When not set, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. |
AzureNodePoolPlatform
(Appears on: NodePoolPlatform)
AzureNodePoolPlatform is the platform specific configuration for an Azure node pool.
Field | Description |
---|---|
vmSize
string
|
vmSize is the Azure VM instance type to use for the nodes being created in the nodepool.
The size naming convention is documented here https://learn.microsoft.com/en-us/azure/virtual-machines/vm-naming-conventions.
Size names should start with a Family name, which is represented by one or more capital letters, and then be followed by the CPU count.
This is followed by 0 or more additional features, represented by a, b, d, i, l, m, p, t, s, C, and NP; refer to the Azure documentation for an explanation of these features.
Optionally an accelerator such as a GPU can be added, prefixed by an underscore, for example A100, H100 or MI300X.
The size may also be versioned, in which case it should be suffixed with _v |
image
AzureVMImage
|
image is used to configure the VM boot image. If unset, the default image at the location below will be used and
is expected to exist: subscription/ |
osDisk
AzureNodePoolOSDisk
|
osDisk provides configuration for the OS disk for the nodepool. This can be used to configure the size, storage account type, encryption options and whether the disk is persistent or ephemeral. When not provided, the platform will choose reasonable defaults which are subject to change over time. Review the fields within the osDisk for more details. |
availabilityZone
string
|
(Optional)
availabilityZone is the failure domain identifier to which the VM should be attached. This must not be specified for clusters in a location that does not support AvailabilityZone because it would cause a failure from the Azure API. |
encryptionAtHost
string
|
(Optional)
encryptionAtHost enables encryption at host on virtual machines. According to Microsoft documentation, this means data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. See https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-powershell for more information. |
subnetID
string
|
subnetID is the subnet ID of an existing subnet where the nodes in the nodepool will be created. This can be a
different subnet than the one listed in the HostedCluster, HostedCluster.Spec.Platform.Azure.SubnetID, but must
exist in the same network, HostedCluster.Spec.Platform.Azure.VnetID, and must exist under the same subscription ID,
HostedCluster.Spec.Platform.Azure.SubscriptionID.
subnetID is immutable once set.
The subnetID should be in the format |
diagnostics
Diagnostics
|
(Optional)
diagnostics specifies the diagnostics settings for a virtual machine. If not specified, then Boot diagnostics will be disabled. |
machineIdentityID
string
|
(Optional)
machineIdentityID is a user-assigned identity assigned to the VMs used to authenticate with Azure services. The identity is expected to exist under the same resource group as HostedCluster.Spec.Platform.Azure.ResourceGroupName. This user assigned identity is expected to have the Contributor role assigned to it and scoped to the resource group under HostedCluster.Spec.Platform.Azure.ResourceGroupName. If this field is not supplied, the Service Principal credentials will be written to a file on the disk of each VM in order to be accessible by the cloud provider; the aforementioned credentials provided are the same ones as HostedCluster.Spec.Platform.Azure.Credentials. However, this is less secure than using a managed identity. TODO: What is the valid character set for this field? What about minimum and maximum lengths? |
AzurePlatformSpec
(Appears on: PlatformSpec)
AzurePlatformSpec specifies configuration for clusters running on Azure. Generally, the HyperShift API assumes bring your own (BYO) cloud infrastructure resources. For example, resources like a resource group, a subnet, or a vnet would be pre-created and then their names would be used respectively in the ResourceGroupName, SubnetName, VnetName fields of the Hosted Cluster CR. An existing cloud resource is expected to exist under the same SubscriptionID.
Field | Description |
---|---|
credentials
Kubernetes core/v1.LocalObjectReference
|
Credentials is the object containing existing Azure credentials needed for creating and managing cloud infrastructure resources. |
cloud
string
|
Cloud is the cloud environment identifier, valid values could be found here: https://github.com/Azure/go-autorest/blob/4c0e21ca2bbb3251fe7853e6f9df6397f53dd419/autorest/azure/environments.go#L33 |
location
string
|
Location is the Azure region in where all the cloud infrastructure resources will be created. Example: eastus |
resourceGroup
string
|
ResourceGroupName is the name of an existing resource group where all cloud resources created by the Hosted Cluster are to be placed. The resource group is expected to exist under the same subscription as SubscriptionID. In ARO HCP, this will be the managed resource group where customer cloud resources will be created. Resource group naming requirements can be found here: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ResourceGroup.Name/. Example: if your resource group ID is /subscriptions/ |
vnetID
string
|
VnetID is the ID of an existing VNET to use in creating VMs. The VNET can exist in a different resource group other than the one specified in ResourceGroupName, but it must exist under the same subscription as SubscriptionID. In ARO HCP, this will be the ID of the customer provided VNET. Example: /subscriptions/ |
subnetID
string
|
subnetID is the subnet ID of an existing subnet where the nodes in the nodepool will be created. This can be a
different subnet than the one listed in the HostedCluster, HostedCluster.Spec.Platform.Azure.SubnetID, but must
exist in the same network, HostedCluster.Spec.Platform.Azure.VnetID, and must exist under the same subscription ID,
HostedCluster.Spec.Platform.Azure.SubscriptionID.
subnetID is immutable once set.
The subnetID should be in the format |
subscriptionID
string
|
SubscriptionID is a unique identifier for an Azure subscription used to manage resources. |
securityGroupID
string
|
SecurityGroupID is the ID of an existing security group on the SubnetID. This field is provided as part of the configuration for the Azure cloud provider, aka Azure cloud controller manager (CCM). This security group is expected to exist under the same subscription as SubscriptionID. |
managedIdentities
AzureResourceManagedIdentities
|
managedIdentities contains the managed identities needed for HCP control plane and data plane components that authenticate with Azure’s API. |
AzureResourceManagedIdentities
(Appears on: AzurePlatformSpec)
AzureResourceManagedIdentities contains the managed identities needed for HCP control plane and data plane components that authenticate with Azure’s API.
Field | Description |
---|---|
controlPlane
ControlPlaneManagedIdentities
|
controlPlane contains the client IDs of all the managed identities on the HCP control plane needing to authenticate with Azure’s API. |
dataPlane
DataPlaneManagedIdentities
|
dataPlane contains the client IDs of all the managed identities on the data plane needing to authenticate with Azure’s API. |
AzureVMImage
(Appears on: AzureNodePoolPlatform)
AzureVMImage represents the different types of boot image sources that can be provided for an Azure VM.
Field | Description |
---|---|
type
AzureVMImageType
|
type is the type of image data that will be provided to the Azure VM. Valid values are “ImageID” and “AzureMarketplace”. ImageID is used for legacy managed VM images. This is where the user uploads a VM image directly to their resource group. AzureMarketplace means the VM will boot from an Azure Marketplace image. Marketplace images are preconfigured and published by the OS vendors and may include preconfigured software for the VM. |
imageID
string
|
(Optional)
imageID is the Azure resource ID of a VHD image to use to boot the Azure VMs from. TODO: What is the valid character set for this field? What about minimum and maximum lengths? |
azureMarketplace
AzureMarketplaceImage
|
(Optional)
azureMarketplace contains the Azure Marketplace image info to use to boot the Azure VMs from. |
AzureVMImageType
(Appears on: AzureVMImage)
AzureVMImageType is used to specify the source of the Azure VM boot image. Valid values are ImageID and AzureMarketplace.
Value | Description |
---|---|
"AzureMarketplace" |
AzureMarketplace is used to specify the Azure Marketplace image info to use to boot the Azure VMs from. |
"ImageID" |
ImageID is used to specify that an Azure resource ID of a VHD image is used to boot the Azure VMs from. |
CIDRBlock
(Appears on: APIServerNetworking)
CertificateSigningRequestApprovalSpec
(Appears on: CertificateSigningRequestApproval)
CertificateSigningRequestApprovalSpec defines the desired state of CertificateSigningRequestApproval
CertificateSigningRequestApprovalStatus
(Appears on: CertificateSigningRequestApproval)
CertificateSigningRequestApprovalStatus defines the observed state of CertificateSigningRequestApproval
ClusterAutoscaling
(Appears on: HostedClusterSpec, HostedControlPlaneSpec)
ClusterAutoscaling specifies auto-scaling behavior that applies to all NodePools associated with a control plane.
Field | Description |
---|---|
maxNodesTotal
int32
|
(Optional)
maxNodesTotal is the maximum allowable number of nodes for the Autoscaler scale out to be operational. The autoscaler will not grow the cluster beyond this number. If omitted, the autoscaler will not have a maximum limit. |
maxPodGracePeriod
int32
|
(Optional)
maxPodGracePeriod is the maximum seconds to wait for graceful pod termination before scaling down a NodePool. The default is 600 seconds. |
maxNodeProvisionTime
string
|
(Optional)
maxNodeProvisionTime is the maximum time to wait for node provisioning before considering the provisioning to be unsuccessful, expressed as a Go duration string. The default is 15 minutes. |
podPriorityThreshold
int32
|
(Optional)
podPriorityThreshold enables users to schedule “best-effort” pods, which shouldn’t trigger autoscaler actions, but only run when there are spare resources available. The default is -10. See the following for more details: https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-cluster-autoscaler-work-with-pod-priority-and-preemption |
ClusterConfiguration
(Appears on: HostedClusterSpec, HostedControlPlaneSpec)
ClusterConfiguration specifies configuration for individual OCP components in the cluster, represented as embedded resources that correspond to the openshift configuration API.
The API for individual configuration items is at: https://docs.openshift.com/container-platform/4.7/rest_api/config_apis/config-apis-index.html
Field | Description |
---|---|
apiServer
github.com/openshift/api/config/v1.APIServerSpec
|
(Optional)
APIServer holds configuration (like serving certificates, client CA and CORS domains) shared by all API servers in the system, among them especially kube-apiserver and openshift-apiserver. |
authentication
github.com/openshift/api/config/v1.AuthenticationSpec
|
(Optional)
Authentication specifies cluster-wide settings for authentication (like OAuth and webhook token authenticators). |
featureGate
github.com/openshift/api/config/v1.FeatureGateSpec
|
(Optional)
FeatureGate holds cluster-wide information about feature gates. |
image
github.com/openshift/api/config/v1.ImageSpec
|
(Optional)
Image governs policies related to imagestream imports and runtime configuration for external registries. It allows cluster admins to configure which registries OpenShift is allowed to import images from, extra CA trust bundles for external registries, and policies to block or allow registry hostnames. When exposing OpenShift’s image registry to the public, this also lets cluster admins specify the external hostname. Changing this value will trigger a rollout for all existing NodePools in the cluster. TODO(alberto): elaborate why. |
ingress
github.com/openshift/api/config/v1.IngressSpec
|
(Optional)
Ingress holds cluster-wide information about ingress, including the default ingress domain used for routes. |
network
github.com/openshift/api/config/v1.NetworkSpec
|
(Optional)
Network holds cluster-wide information about the network. It is used to configure the desired network configuration, such as: IP address pools for services/pod IPs, network plugin, etc. Please view network.spec for an explanation on what applies when configuring this resource. TODO (csrwng): Add validation here to exclude changes that conflict with networking settings in the HostedCluster.Spec.Networking field. |
oauth
github.com/openshift/api/config/v1.OAuthSpec
|
(Optional)
OAuth holds cluster-wide information about OAuth. It is used to configure the integrated OAuth server. This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth. |
operatorhub
github.com/openshift/api/config/v1.OperatorHubSpec
|
(Optional)
OperatorHub specifies the configuration for the Operator Lifecycle Manager in the HostedCluster. This is only configured at deployment time, but the controllers are not reconciling over it. The OperatorHub configuration will be constantly reconciled if catalog placement is management, but only on cluster creation otherwise. |
scheduler
github.com/openshift/api/config/v1.SchedulerSpec
|
(Optional)
Scheduler holds cluster-wide config information to run the Kubernetes Scheduler
and influence its placement decisions. The canonical name for this config is |
proxy
github.com/openshift/api/config/v1.ProxySpec
|
(Optional) |
ClusterNetworkEntry
(Appears on: ClusterNetworking)
ClusterNetworkEntry is a single IP address block for pod IP blocks. IP blocks are allocated with size 2^HostSubnetLength.
Field | Description |
---|---|
cidr
github.com/openshift/hypershift/api/util/ipnet.IPNet
|
cidr is the IP block address pool. |
hostPrefix
int32
|
(Optional)
hostPrefix is the prefix size to allocate to each node from the CIDR. For example, 24 would allocate 2^(32-24)=2^8=256 addresses to each node. If this field is not used by the plugin, it can be left unset. |
ClusterNetworking
(Appears on: HostedClusterSpec, HostedControlPlaneSpec)
clusterNetworking specifies network configuration for a cluster. All CIDRs must be unique. Additional validation to check for CIDRs overlap and consistent network stack is performed by the controllers. Failing that validation will result in the HostedCluster being degraded and the validConfiguration condition being false.
Field | Description |
---|---|
machineNetwork
[]MachineNetworkEntry
|
(Optional)
machineNetwork is the list of IP address pools for machines. This might be used among other things to generate appropriate networking security groups in some cloud providers. Currently only one entry, or two for dual stack, is supported. This field is immutable. |
clusterNetwork
[]ClusterNetworkEntry
|
(Optional)
clusterNetwork is the list of IP address pools for pods. Defaults to cidr: “10.132.0.0/14”. Currently only one entry is supported. This field is immutable. |
serviceNetwork
[]ServiceNetworkEntry
|
(Optional)
serviceNetwork is the list of IP address pools for services. Defaults to cidr: “172.31.0.0/16”. Currently only one entry is supported. This field is immutable. |
networkType
NetworkType
|
(Optional)
networkType specifies the SDN provider used for cluster networking. Defaults to OVNKubernetes. This field is required and immutable. kubebuilder:validation:XValidation:rule=“self == oldSelf”, message=“networkType is immutable” |
apiServer
APIServerNetworking
|
apiServer contains advanced network settings for the API server that affect how the APIServer is exposed inside a hosted cluster node. |
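As an added example (not HyperShift's own controller code), the following Python models the three pools and runs the checks the ClusterNetworking description lists (unique CIDRs, no overlap, a consistent network stack), together with the hostPrefix arithmetic from ClusterNetworkEntry. The defaults come from the field descriptions above; the exact dual-stack rule is my reading of "consistent network stack" and is marked as an assumption in the code.

```python
"""Constructed validator for HyperShift ClusterNetworking (added example, not project code)."""
import ipaddress
from dataclasses import dataclass, field
from itertools import combinations
from typing import List, Optional

# Defaults stated in the clusterNetwork / serviceNetwork field descriptions.
DEFAULT_CLUSTER_NETWORK_CIDR = "10.132.0.0/14"
DEFAULT_SERVICE_NETWORK_CIDR = "172.31.0.0/16"


@dataclass
class ClusterNetworkEntry:
    cidr: str
    host_prefix: Optional[int] = None  # hostPrefix; None means "not used by the plugin"


@dataclass
class ClusterNetworking:
    machine_network: List[str] = field(default_factory=list)                 # machineNetwork CIDRs
    cluster_network: List[ClusterNetworkEntry] = field(default_factory=list)  # clusterNetwork entries
    service_network: List[str] = field(default_factory=list)                 # serviceNetwork CIDRs


def _checked_network(entry: ClusterNetworkEntry) -> ipaddress._BaseNetwork:
    net = ipaddress.ip_network(entry.cidr, strict=True)
    if entry.host_prefix is not None and not net.prefixlen <= entry.host_prefix <= net.max_prefixlen:
        raise ValueError(
            f"hostPrefix {entry.host_prefix} must lie between /{net.prefixlen} and /{net.max_prefixlen}")
    return net


def addresses_per_node(entry: ClusterNetworkEntry) -> Optional[int]:
    """Pod IPs each node receives: 2^(address bits - hostPrefix), e.g. /24 on IPv4 -> 256."""
    net = _checked_network(entry)
    return None if entry.host_prefix is None else 2 ** (net.max_prefixlen - entry.host_prefix)


def max_nodes(entry: ClusterNetworkEntry) -> Optional[int]:
    """How many per-node blocks the pool can hand out: 2^(hostPrefix - pool prefix)."""
    net = _checked_network(entry)
    return None if entry.host_prefix is None else 2 ** (entry.host_prefix - net.prefixlen)


def validate(networking: ClusterNetworking) -> List[str]:
    """Return validation errors; an empty list means the configuration is acceptable."""
    errors: List[str] = []
    cluster = networking.cluster_network or [ClusterNetworkEntry(DEFAULT_CLUSTER_NETWORK_CIDR)]
    service = networking.service_network or [DEFAULT_SERVICE_NETWORK_CIDR]
    machine = networking.machine_network

    # Entry-count limits as stated in the field descriptions.
    if len(machine) > 2:
        errors.append("machineNetwork: only one entry, or two for dual stack, is supported")
    if len(cluster) != 1:
        errors.append("clusterNetwork: only one entry is supported")
    if len(service) != 1:
        errors.append("serviceNetwork: only one entry is supported")

    # Parse every CIDR once, remembering which pool it came from.
    labelled = []
    pools = (("machineNetwork", machine), ("clusterNetwork", [e.cidr for e in cluster]),
             ("serviceNetwork", service))
    for pool_name, cidrs in pools:
        for cidr in cidrs:
            try:
                labelled.append((pool_name, ipaddress.ip_network(cidr, strict=True)))
            except ValueError as exc:
                errors.append(f"{pool_name}: {cidr!r} is not a valid CIDR ({exc})")

    # All CIDRs must be unique and must not overlap, within and across the three pools.
    for (name_a, a), (name_b, b) in combinations(labelled, 2):
        if a.version != b.version:
            continue
        if a == b:
            errors.append(f"{name_a} {a} duplicates {name_b} {b}")
        elif a.overlaps(b):
            errors.append(f"{name_a} {a} overlaps {name_b} {b}")

    # Consistent network stack (assumption: pods and services use the same IP families,
    # two machineNetwork entries are only meaningful as one IPv4 plus one IPv6, and the
    # pod families must be present on the machine network when one is given).
    families = lambda pool: {net.version for name, net in labelled if name == pool}
    if families("clusterNetwork") != families("serviceNetwork"):
        errors.append("clusterNetwork and serviceNetwork must use the same IP families")
    if len(machine) == 2 and len(families("machineNetwork")) != 2:
        errors.append("machineNetwork: two entries are only supported for dual stack (one IPv4, one IPv6)")
    if machine and not families("clusterNetwork") <= families("machineNetwork"):
        errors.append("clusterNetwork uses an IP family that is absent from machineNetwork")

    # hostPrefix must fit inside its own pool.
    for entry in cluster:
        try:
            _checked_network(entry)
        except ValueError as exc:
            errors.append(f"clusterNetwork: {exc}")
    return errors
```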
ClusterVersionStatus
(Appears on: HostedClusterStatus, HostedControlPlaneStatus)
ClusterVersionStatus reports the status of the cluster versioning, including any upgrades that are in progress. The current field will be set to whichever version the cluster is reconciling to, and the conditions array will report whether the update succeeded, is in progress, or is failing.
Field | Description |
---|---|
desired
github.com/openshift/api/config/v1.Release
|
desired is the version that the cluster is reconciling towards. If the cluster is not yet fully initialized desired will be set with the information available, which may be an image or a tag. |
history
[]github.com/openshift/api/config/v1.UpdateHistory
|
(Optional)
history contains a list of the most recent versions applied to the cluster. This value may be empty during cluster startup, and then will be updated when a new update is being applied. The newest update is first in the list and it is ordered by recency. Updates in the history have state Completed if the rollout completed - if an update was failing or halfway applied the state will be Partial. Only a limited amount of update history is preserved. |
observedGeneration
int64
|
observedGeneration reports which version of the spec is being synced. If this value is not equal to metadata.generation, then the desired and conditions fields may represent a previous version. |
availableUpdates
[]github.com/openshift/api/config/v1.Release
|
availableUpdates contains updates recommended for this cluster. Updates which appear in conditionalUpdates but not in availableUpdates may expose this cluster to known issues. This list may be empty if no updates are recommended, if the update service is unavailable, or if an invalid channel has been specified. |
conditionalUpdates
[]github.com/openshift/api/config/v1.ConditionalUpdate
|
(Optional)
conditionalUpdates contains the list of updates that may be recommended for this cluster if it meets specific required conditions. Consumers interested in the set of updates that are actually recommended for this cluster should use availableUpdates. This list may be empty if no updates are recommended, if the update service is unavailable, or if an empty or invalid channel has been specified. |
ComponentResource
(Appears on: ControlPlaneComponentStatus)
ComponentResource defines a resource reconciled by a ControlPlaneComponent.
Field | Description |
---|---|
kind
string
|
kind is the name of the resource schema. |
group
string
|
group is the API group for this resource type. |
name
string
|
name is the name of this resource. |
ConditionType
Value | Description |
---|---|
"AWSDefaultSecurityGroupCreated" |
AWSDefaultSecurityGroupCreated indicates whether the default security group for AWS workers has been created. A failure here indicates that NodePools without a security group will be blocked from creating machines. |
"AWSDefaultSecurityGroupDeleted" |
AWSDefaultSecurityGroupDeleted indicates whether the default security group for AWS workers has been deleted. A failure here indicates that the security group still has dependencies: cloud resources that use that SG are still pending deletion. |
"AWSEndpointAvailable" |
AWSEndpointServiceAvailable indicates whether the AWS Endpoint has been created in the guest VPC |
"AWSEndpointServiceAvailable" |
AWSEndpointServiceAvailable indicates whether the AWS Endpoint Service has been created for the specified NLB in the management VPC |
"CVOScaledDown" |
|
"CloudResourcesDestroyed" |
CloudResourcesDestroyed bubbles up the same condition from HCP. It signals if the cloud provider infrastructure created by Kubernetes in the consumer cloud provider account was destroyed. A failure here may require external user intervention to resolve. E.g. cloud provider perms were corrupted. E.g. the guest cluster was broken and kube resource deletion that affects cloud infra like service type load balancer can’t succeed. |
"ClusterVersionAvailable" |
ClusterVersionAvailable bubbles up configv1.OperatorAvailable from the CVO. |
"ClusterVersionFailing" |
ClusterVersionFailing bubbles up Failing from the CVO. |
"ClusterVersionProgressing" |
ClusterVersionProgressing bubbles up configv1.OperatorProgressing from the CVO. |
"ClusterVersionReleaseAccepted" |
ClusterVersionReleaseAccepted bubbles up ReleaseAccepted from the CVO. |
"ClusterVersionRetrievedUpdates" |
ClusterVersionRetrievedUpdates bubbles up RetrievedUpdates from the CVO. |
"ClusterVersionSucceeding" |
ClusterVersionSucceeding indicates the current status of the desired release version of the HostedCluster as indicated by the Failing condition in the underlying cluster’s ClusterVersion. |
"ClusterVersionUpgradeable" |
ClusterVersionUpgradeable indicates the Upgradeable condition in the underlying cluster’s ClusterVersion. |
"Available" |
ControlPlaneComponentAvailable indicates whether the ControlPlaneComponent is available. |
"Progressing" |
ControlPlaneComponentProgressing indicates whether the ControlPlaneComponent is progressing. |
"EtcdAvailable" |
EtcdAvailable bubbles up the same condition from HCP. It signals if etcd is available. A failure here often means a software bug or a non-stable cluster. |
"EtcdRecoveryActive" |
EtcdRecoveryActive indicates that the Etcd cluster is failing and the recovery job was triggered. |
"EtcdSnapshotRestored" |
|
"ExternalDNSReachable" |
ExternalDNSReachable bubbles up the same condition from HCP. It signals if the configured external DNS is reachable. A failure here requires external user intervention to resolve. E.g. changing the external DNS domain or making sure the domain is created and registered correctly. |
"Available" |
HostedClusterAvailable indicates whether the HostedCluster has a healthy control plane. When this is false for too long and there’s no clear indication in the “Reason”, please check the remaining more granular conditions. |
"Degraded" |
HostedClusterDegraded indicates whether the HostedCluster is encountering an error that may require user intervention to resolve. |
"HostedClusterDestroyed" |
HostedClusterDestroyed indicates that a hosted cluster has finished destroying and that it is waiting for a destroy grace period to go away. The grace period is determined by the hypershift.openshift.io/destroy-grace-period annotation in the HostedCluster if present. |
"Progressing" |
HostedClusterProgressing indicates whether the HostedCluster is attempting an initial deployment or upgrade. When this is false for too long and there’s no clear indication in the “Reason”, please check the remaining more granular conditions. |
"Available" |
|
"Degraded" |
|
"IgnitionEndpointAvailable" |
IgnitionEndpointAvailable indicates whether the ignition server for the HostedCluster is available to handle ignition requests. A failure here often means a software bug or a non-stable cluster. |
"IgnitionServerValidReleaseInfo" |
IgnitionServerValidReleaseInfo indicates if the release contains all the images used by the local ignition provider and reports missing images if any. |
"InfrastructureReady" |
InfrastructureReady bubbles up the same condition from HCP. It signals whether the infrastructure needed for a control plane to be operational, e.g. load balancers, was created successfully. A failure here may require external user intervention to resolve. E.g. hitting quotas on the cloud provider. |
"KubeAPIServerAvailable" |
KubeAPIServerAvailable bubbles up the same condition from HCP. It signals if the kube API server is available. A failure here often means a software bug or a non-stable cluster. |
"KubeVirtNodesLiveMigratable" |
KubeVirtNodesLiveMigratable indicates if all nodes (VirtualMachines) of the kubevirt hosted cluster can be live migrated without experiencing a node restart. |
"PlatformCredentialsFound" |
PlatformCredentialsFound indicates that credentials required for the desired platform are valid. A failure here is unlikely to resolve without changing user input. |
"ReconciliationActive" |
ReconciliationActive indicates if reconciliation of the HostedCluster is active or paused via hostedCluster.spec.pausedUntil. |
"ReconciliationSucceeded" |
ReconciliationSucceeded indicates if the HostedCluster reconciliation succeeded. A failure here often means a software bug or a non-stable cluster. |
"SupportedHostedCluster" |
SupportedHostedCluster indicates whether a HostedCluster is supported by the current configuration of the hypershift-operator. e.g. If the HostedCluster requests endpointAccess Private but the hypershift-operator is running on a management cluster outside AWS or is not configured with AWS credentials, the HostedCluster is not supported. A failure here is unlikely to resolve without changing user input. |
"UnmanagedEtcdAvailable" |
UnmanagedEtcdAvailable indicates whether a user-managed etcd cluster is healthy. |
"ValidAWSIdentityProvider" |
ValidAWSIdentityProvider indicates if the Identity Provider referenced in the cloud credentials is healthy. E.g. for AWS the idp ARN is referenced in the IAM roles' trust policy: {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"Federated": "{{ .ProviderARN }}"}, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": {"StringEquals": {"{{ .ProviderName }}:sub": {{ .ServiceAccounts }}}}}]} A failure here may require external user intervention to resolve. |
"ValidAWSKMSConfig" |
ValidAWSKMSConfig indicates whether the AWS KMS role and encryption key are valid and operational. A failure here indicates that the role or the key are invalid, or the role doesn’t have access to use the key. |
"ValidAzureKMSConfig" |
ValidAzureKMSConfig indicates whether the given KMS input for the Azure platform is valid and operational. A failure here indicates that the input is invalid, or permissions are missing to use the encryption key. |
"ValidConfiguration" |
ValidHostedClusterConfiguration signals if the hostedCluster input is valid and supported by the underlying management cluster. A failure here is unlikely to resolve without changing user input. |
"ValidHostedControlPlaneConfiguration" |
ValidHostedControlPlaneConfiguration bubbles up the same condition from HCP. It signals if the hostedControlPlane input is valid and supported by the underlying management cluster. A failure here is unlikely to resolve without changing user input. |
"ValidIDPConfiguration" |
ValidIDPConfiguration indicates if the Identity Provider configuration is valid. A failure here may require external user intervention to resolve e.g. the user-provided IDP configuration provided is invalid or the IDP is not reachable. |
"ValidKubeVirtInfraNetworkMTU" |
ValidKubeVirtInfraNetworkMTU indicates whether the MTU configured on the infra cluster hosting a guest cluster on the kubevirt platform is large enough to avoid performance degradation due to fragmentation of the double encapsulation in ovn-kubernetes. |
"ValidOIDCConfiguration" |
ValidOIDCConfiguration indicates if an AWS cluster’s OIDC condition is detected as invalid. A failure here may require external user intervention to resolve. E.g. oidc was deleted out of band. |
"ValidReleaseImage" |
ValidReleaseImage indicates if the release image set in the spec is valid for the HostedCluster. For example, this can be set false if the HostedCluster itself attempts an unsupported version before 4.9 or an unsupported upgrade, e.g. a y-stream upgrade before 4.11. A failure here is unlikely to resolve without changing user input. |
"ValidReleaseInfo" |
ValidReleaseInfo bubbles up the same condition from HCP. It indicates if the release contains all the images used by hypershift and reports missing images if any. |
ControlPlaneComponent
ControlPlaneComponent specifies the state of a ControlPlane Component
Field | Description |
---|---|
metadata
Kubernetes meta/v1.ObjectMeta
|
Refer to the Kubernetes API documentation for the fields of the
metadata field.
|
spec
ControlPlaneComponentSpec
|
|
status
ControlPlaneComponentStatus
|
ControlPlaneComponentSpec
(Appears on: ControlPlaneComponent)
ControlPlaneComponentSpec defines the desired state of ControlPlaneComponent
ControlPlaneComponentStatus
(Appears on: ControlPlaneComponent)
ControlPlaneComponentStatus defines the observed state of ControlPlaneComponent
Field | Description |
---|---|
version
string
|
(Optional)
version reports the current version of this component. |
resources
[]ComponentResource
|
(Optional)
resources is a list of the resources reconciled by this component. |
conditions
[]Kubernetes meta/v1.Condition
|
(Optional)
Conditions contains details for the current state of the ControlPlane Component. If there is an error, then the Available condition will be false. Current condition types are: “Available” |
ControlPlaneManagedIdentities
(Appears on: AzureResourceManagedIdentities)
ControlPlaneManagedIdentities contains the managed identities on the HCP control plane needing to authenticate with Azure’s API.
Field | Description |
---|---|
managedIdentitiesKeyVault
ManagedAzureKeyVault
|
managedIdentitiesKeyVault contains information on the management cluster’s managed identities Azure Key Vault. This Key Vault is where the managed identities certificates are stored. These certificates are pulled out of the Key Vault by the Secrets Store CSI driver and mounted into a volume on control plane pods requiring authentication with Azure API. More information on how the Secrets Store CSI driver works to do this can be found here: https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-driver. |
cloudProvider
ManagedIdentity
|
cloudProvider is a pre-existing managed identity associated with the azure cloud provider, aka cloud controller manager. |
nodePoolManagement
ManagedIdentity
|
nodePoolManagement is a pre-existing managed identity associated with the operator managing the NodePools. |
controlPlaneOperator
ManagedIdentity
|
controlPlaneOperator is a pre-existing managed identity associated with the control plane operator. |
imageRegistry
ManagedIdentity
|
imageRegistry is a pre-existing managed identity associated with the cluster-image-registry-operator. |
ingress
ManagedIdentity
|
ingress is a pre-existing managed identity associated with the cluster-ingress-operator. |
network
ManagedIdentity
|
network is a pre-existing managed identity associated with the cluster-network-operator. |
disk
ManagedIdentity
|
diskClientID is a pre-existing managed identity associated with the azure-disk-controller. |
file
ManagedIdentity
|
fileClientID is a pre-existing managed identity associated with the azure-disk-controller. |
DNSSpec
(Appears on: HostedClusterSpec, HostedControlPlaneSpec)
DNSSpec specifies the DNS configuration for the hosted cluster ingress.
Field | Description |
---|---|
baseDomain
string
|
baseDomain is the base domain of the hosted cluster. It will be used to configure ingress in the hosted cluster through the subdomain baseDomainPrefix.baseDomain. If baseDomainPrefix is omitted, the hostedCluster.name will be used as the subdomain. Once set, this field is immutable. When the value is the empty string “”, the controller might default to a value depending on the platform. |
baseDomainPrefix
string
|
(Optional)
baseDomainPrefix is the base domain prefix for the hosted cluster ingress. It will be used to configure ingress in the hosted cluster through the subdomain baseDomainPrefix.baseDomain. If baseDomainPrefix is omitted, the hostedCluster.name will be used as the subdomain. Set baseDomainPrefix to an empty string “”, if you don’t want a prefix at all (not even hostedCluster.name) to be prepended to baseDomain. This field is immutable. |
publicZoneID
string
|
(Optional)
publicZoneID is the Hosted Zone ID where all the DNS records that are publicly accessible to the internet exist. This field is optional and mainly leveraged in cloud environments where the DNS records for the .baseDomain are created by controllers in this zone. Once set, this value is immutable. |
privateZoneID
string
|
(Optional)
privateZoneID is the Hosted Zone ID where all the DNS records that are only available internally to the cluster exist. This field is optional and mainly leveraged in cloud environments where the DNS records for the .baseDomain are created by controllers in this zone. Once set, this value is immutable. |
DataPlaneManagedIdentities
(Appears on: AzureResourceManagedIdentities)
DataPlaneManagedIdentities contains the client IDs of all the managed identities on the data plane needing to authenticate with Azure’s API.
Field | Description |
---|---|
imageRegistryMSIClientID
string
|
imageRegistryMSIClientID is the client ID of a pre-existing managed identity ID associated with the image registry controller. |
diskMSIClientID
string
|
diskMSIClientID is the client ID of a pre-existing managed identity ID associated with the CSI Disk driver. |
fileMSIClientID
string
|
fileMSIClientID is the client ID of a pre-existing managed identity ID associated with the CSI File driver. |
Diagnostics
(Appears on: AzureNodePoolPlatform)
Diagnostics specifies the diagnostics settings for a virtual machine.
Field | Description |
---|---|
storageAccountType
AzureDiagnosticsStorageAccountType
|
(Optional)
storageAccountType determines if the storage account for storing the diagnostics data should be disabled (Disabled), provisioned by Azure (Managed) or by the user (UserManaged). |
userManaged
UserManagedDiagnostics
|
(Optional)
userManaged specifies the diagnostics settings for a virtual machine when the storage account is managed by the user. |
EtcdManagementType
(Appears on: EtcdSpec)
EtcdManagementType is an enum specifying the strategy for managing the cluster’s etcd instance
Value | Description |
---|---|
"Managed" |
Managed means HyperShift should provision and operate the etcd cluster automatically. |
"Unmanaged" |
Unmanaged means HyperShift will not provision or manage the etcd cluster, and the user is responsible for doing so. |
EtcdSpec
(Appears on: HostedClusterSpec, HostedControlPlaneSpec)
EtcdSpec specifies configuration for a control plane etcd cluster.
Field | Description |
---|---|
managementType
EtcdManagementType
|
managementType defines how the etcd cluster is managed. This can be either Managed or Unmanaged. This field is immutable. |
managed
ManagedEtcdSpec
|
(Optional)
managed specifies the behavior of an etcd cluster managed by HyperShift. |
unmanaged
UnmanagedEtcdSpec
|
(Optional)
unmanaged specifies configuration which enables the control plane to integrate with an externally managed etcd cluster. |
EtcdTLSConfig
(Appears on: UnmanagedEtcdSpec)
EtcdTLSConfig specifies TLS configuration for HTTPS etcd client endpoints.
Field | Description |
---|---|
clientSecret
Kubernetes core/v1.LocalObjectReference
|
ClientSecret refers to a secret for client mTLS authentication with the etcd cluster. It may have the following key/value pairs:
|
Filter
(Appears on: AWSResourceReference)
Filter is a filter used to identify an AWS resource
Field | Description |
---|---|
name
string
|
Name of the filter. Filter names are case-sensitive. |
values
[]string
|
Values includes one or more filter values. Filter values are case-sensitive. |
FilterByNeutronTags
(Appears on: NetworkFilter, RouterFilter, SubnetFilter)
Field | Description |
---|---|
tags
[]NeutronTag
|
(Optional)
Tags is a list of tags to filter by. If specified, the resource must have all of the tags specified to be included in the result. |
tagsAny
[]NeutronTag
|
(Optional)
TagsAny is a list of tags to filter by. If specified, the resource must have at least one of the tags specified to be included in the result. |
notTags
[]NeutronTag
|
(Optional)
NotTags is a list of tags to filter by. If specified, resources which contain all of the given tags will be excluded from the result. |
notTagsAny
[]NeutronTag
|
(Optional)
NotTagsAny is a list of tags to filter by. If specified, resources which contain any of the given tags will be excluded from the result. |
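The four FilterByNeutronTags fields combine as AND (tags), OR (tagsAny), NOT-ALL (notTags) and NOT-ANY (notTagsAny). Because a NodePool ends up attached to whatever network, subnet or router the filter admits, a mis-scoped filter silently widens the selection. The following is an added example, not HyperShift project code: it applies the documented semantics to a constructed list of Neutron networks so the effect of each field can be checked offline. The class and function names are this example's own.

```python
"""FilterByNeutronTags semantics applied to constructed Neutron resources.

Added example, not HyperShift project code. The resource records below are
constructed; the matching rules follow the tags/tagsAny/notTags/notTagsAny
field descriptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class NeutronTagFilter:
    """Mirror of the FilterByNeutronTags fields (names are this example's own)."""
    tags: list[str] = field(default_factory=list)          # must have ALL of these
    tags_any: list[str] = field(default_factory=list)      # must have AT LEAST ONE
    not_tags: list[str] = field(default_factory=list)      # excluded if it has ALL
    not_tags_any: list[str] = field(default_factory=list)  # excluded if it has ANY

    def matches(self, resource_tags: set[str]) -> bool:
        # An empty list imposes no constraint; only non-empty lists are evaluated.
        if self.tags and not set(self.tags) <= resource_tags:
            return False
        if self.tags_any and not (set(self.tags_any) & resource_tags):
            return False
        if self.not_tags and set(self.not_tags) <= resource_tags:
            return False
        if self.not_tags_any and (set(self.not_tags_any) & resource_tags):
            return False
        return True


# Constructed sample standing in for a Neutron network listing: name -> tag set.
SAMPLE_NETWORKS = {
    "net-prod-a": {"env:prod", "team:platform", "tier:private"},
    "net-prod-b": {"env:prod", "team:platform", "tier:public"},
    "net-dev": {"env:dev", "team:platform"},
    "net-shared": {"env:prod", "env:dev", "shared"},
}


def select_networks(flt: NeutronTagFilter, networks=None) -> list[str]:
    """Return the sorted names of the networks the filter admits."""
    networks = SAMPLE_NETWORKS if networks is None else networks
    return sorted(name for name, tags in networks.items() if flt.matches(tags))


if __name__ == "__main__":
    # A NodePool meant only for private production networks: require both the
    # prod and platform tags, and refuse anything tagged public or shared.
    strict = NeutronTagFilter(tags=["env:prod", "team:platform"],
                              not_tags_any=["tier:public", "shared"])
    print(select_networks(strict))
```

Note that `tags` alone would still admit `net-prod-b` (a public network); adding `notTagsAny` is what narrows the selection to `net-prod-a`. An empty filter admits every resource, so an omitted filter is the widest possible scope.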
HostedClusterSpec
(Appears on: HostedCluster)
TODO(alberto): Use CEL cidr library for all these validation when all management clusters are >= 1.31. TODO(alberto): Move this down to the networking section when IBMCloud has finished valid input migration.
Field | Description |
---|---|
release
Release
|
release specifies the desired OCP release payload for all the hosted cluster components. This includes those components running management side like the Kube API Server and the CVO but also the operands which land in the hosted cluster data plane like the ingress controller, ovn agents, etc. The maximum and minimum supported release versions are determined by the running HyperShift Operator. Attempting to use an unsupported version will result in the HostedCluster being degraded and the validateReleaseImage condition being false. Attempting to use a release with a skew against a NodePool release bigger than N-2 for the y-stream will result in leaving the NodePool in an unsupported state. Changing this field will trigger a rollout of the control plane components. The behavior of the rollout will be driven by the ControllerAvailabilityPolicy and InfrastructureAvailabilityPolicy for PDBs and maxUnavailable and surge policies. |
controlPlaneRelease
Release
|
(Optional)
controlPlaneRelease is like spec.release but only for the components running on the management cluster. This excludes any operand which will land in the hosted cluster data plane. It is useful when you need to apply a patch management side, like a CVE fix, transparently for the hosted cluster. Version input for this field is free: no validation is performed against spec.release or against the maximum and minimum supported versions. If defined, it will dictate the version of the components running management side, while spec.release will dictate the version of the components landing in the hosted cluster data plane. If not defined, spec.release is used for both. Changing this field will trigger a rollout of the control plane. The behavior of the rollout will be driven by the ControllerAvailabilityPolicy and InfrastructureAvailabilityPolicy for PDBs and maxUnavailable and surge policies. |
clusterID
string
|
(Optional)
clusterID uniquely identifies this cluster. This is expected to be an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in hexadecimal digits). As with a Kubernetes metadata.uid, this ID uniquely identifies this cluster in space and time. This value identifies the cluster in metrics pushed to telemetry and metrics produced by the control plane operators. If a value is not specified, a random clusterID will be generated and set by the controller. Once set, this value is immutable. |
infraID
string
|
(Optional)
infraID is a globally unique identifier for the cluster. It must consist of lowercase alphanumeric characters and hyphens (‘-’) only, and start and end with an alphanumeric character. It must be no more than 253 characters in length. This identifier will be used to associate various cloud resources with the HostedCluster and its associated NodePools. infraID is used to compute and tag created resources with “kubernetes.io/cluster/”+hcluster.Spec.InfraID which has contractual meaning for the cloud provider implementations. If a value is not specified, a random infraID will be generated and set by the controller. Once set, this value is immutable. |
updateService
github.com/openshift/api/config/v1.URL
|
(Optional)
updateService may be used to specify the preferred upstream update service. If omitted we will use the appropriate update service for the cluster and region. This is used by the control plane operator to determine and signal the appropriate available upgrades in the hostedCluster.status. |
channel
string
|
(Optional)
channel is an identifier for explicitly requesting that a non-default set of updates be applied to this cluster. If omitted no particular upgrades are suggested. TODO(alberto): Consider the backend to use the default channel by default. Default channel will contain stable updates that are appropriate for production clusters. |
platform
PlatformSpec
|
platform specifies the underlying infrastructure provider for the cluster and is used to configure platform specific behavior. |
controllerAvailabilityPolicy
AvailabilityPolicy
|
(Optional)
controllerAvailabilityPolicy specifies the availability policy applied to critical control plane components like the Kube API Server. Possible values are HighlyAvailable and SingleReplica. The default value is HighlyAvailable. |
infrastructureAvailabilityPolicy
AvailabilityPolicy
|
(Optional)
infrastructureAvailabilityPolicy specifies the availability policy applied to infrastructure services which run on the hosted cluster data plane like the ingress controller and image registry controller. Possible values are HighlyAvailable and SingleReplica. The default value is SingleReplica. |
dns
DNSSpec
|
(Optional)
dns specifies the DNS configuration for the hosted cluster ingress. |
networking
ClusterNetworking
|
networking specifies network configuration for the hosted cluster. Defaults to OVNKubernetes with a cluster network of cidr: “10.132.0.0/14” and a service network of cidr: “172.31.0.0/16”. |
autoscaling
ClusterAutoscaling
|
(Optional)
autoscaling specifies auto-scaling behavior that applies to all NodePools associated with this HostedCluster. |
autoNode
AutoNode
|
autoNode specifies the configuration for the autoNode feature. |
etcd
EtcdSpec
|
etcd specifies configuration for the control plane etcd cluster. The default managementType is Managed. Once set, the managementType cannot be changed. |
services
[]ServicePublishingStrategyMapping
|
services specifies how individual control plane services endpoints are published for consumption. This requires APIServer;OAuthServer;Konnectivity;Ignition. This field is immutable for all platforms but IBMCloud. Max is 6 to account for OIDC;OVNSbDb for backward compatibility though they are no-op. The following kubebuilder CEL validation markers, reproduced from the type definition, constrain the list:
-kubebuilder:validation:XValidation:rule="self.all(s, !(s.service == 'APIServer' && s.servicePublishingStrategy.type == 'Route') || has(s.servicePublishingStrategy.route.hostname))",message="If serviceType is 'APIServer' and publishing strategy is 'Route', then hostname must be set"
-kubebuilder:validation:XValidation:rule="['APIServer', 'OAuthServer', 'Konnectivity', 'Ignition'].all(requiredType, self.exists(s, s.service == requiredType))",message="Services list must contain at least 'APIServer', 'OAuthServer', 'Konnectivity', and 'Ignition' service types"
-kubebuilder:validation:XValidation:rule="self.filter(s, s.servicePublishingStrategy.type == 'Route' && has(s.servicePublishingStrategy.route) && has(s.servicePublishingStrategy.route.hostname)).all(x, self.filter(y, y.servicePublishingStrategy.type == 'Route' && (has(y.servicePublishingStrategy.route) && has(y.servicePublishingStrategy.route.hostname) && y.servicePublishingStrategy.route.hostname == x.servicePublishingStrategy.route.hostname)).size() <= 1)",message="Each route publishingStrategy 'hostname' must be unique within the Services list."
-kubebuilder:validation:XValidation:rule="self.filter(s, s.servicePublishingStrategy.type == 'NodePort' && has(s.servicePublishingStrategy.nodePort) && has(s.servicePublishingStrategy.nodePort.address) && has(s.servicePublishingStrategy.nodePort.port)).all(x, self.filter(y, y.servicePublishingStrategy.type == 'NodePort' && (has(y.servicePublishingStrategy.nodePort) && has(y.servicePublishingStrategy.nodePort.address) && y.servicePublishingStrategy.nodePort.address == x.servicePublishingStrategy.nodePort.address && has(y.servicePublishingStrategy.nodePort.port) && y.servicePublishingStrategy.nodePort.port == x.servicePublishingStrategy.nodePort.port )).size() <= 1)",message="Each nodePort publishingStrategy 'nodePort' and 'hostname' must be unique within the Services list."
TODO(alberto): this breaks the cost budget for < 4.17. We should figure why and enable it back. And If not fixable, consider imposing a minimum version on the management cluster. |
pullSecret
Kubernetes core/v1.LocalObjectReference
|
pullSecret is a local reference to a Secret that must have a “.dockerconfigjson” key whose content must be a valid OpenShift pull secret JSON. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. TODO(alberto): Signal this in a condition. This pull secret will be part of every payload generated by the controllers for any NodePool of the HostedCluster and it will be injected into the container runtime of all NodePools. Changing this value will trigger a rollout for all existing NodePools in the cluster. Changing the content of the secret in place will not trigger a rollout and might result in unpredictable behaviour. TODO(alberto): have our own local reference type to include our opinions and avoid transparent changes. |
sshKey
Kubernetes core/v1.LocalObjectReference
|
(Optional)
sshKey is a local reference to a Secret that must have a “id_rsa.pub” key whose content must be the public part of 1..N SSH keys. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. TODO(alberto): Signal this in a condition. When sshKey is set, the controllers will generate a machineConfig with the sshAuthorizedKeys https://coreos.github.io/ignition/configuration-v3_2/ populated with this value. This MachineConfig will be part of every payload generated by the controllers for any NodePool of the HostedCluster. Changing this value will trigger a rollout for all existing NodePools in the cluster. |
issuerURL
string
|
(Optional)
issuerURL is an OIDC issuer URL which will be used as the issuer in all ServiceAccount tokens generated by the control plane API server via the --service-account-issuer kube-apiserver flag. https://k8s-docs.netlify.app/en/docs/reference/command-line-tools-reference/kube-apiserver/ https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection The default value is kubernetes.default.svc, which only works for in-cluster validation. If the platform is AWS and this value is set, the controller will update an s3 object with the appropriate OIDC documents (using the serviceAccountSigningKey info) into that issuerURL. The expectation is for this s3 url to be backed by an OIDC provider in the AWS IAM. |
serviceAccountSigningKey
Kubernetes core/v1.LocalObjectReference
|
(Optional)
serviceAccountSigningKey is a local reference to a secret that must have a “key” key whose content must be the private key used by the service account token issuer. If not specified, a service account signing key will be generated automatically for the cluster. When specifying a service account signing key, an IssuerURL must also be specified. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. TODO(alberto): Signal this in a condition. |
configuration
ClusterConfiguration
|
(Optional)
Configuration specifies configuration for individual OCP components in the cluster, represented as embedded resources that correspond to the openshift configuration API. |
auditWebhook
Kubernetes core/v1.LocalObjectReference
|
(Optional)
AuditWebhook contains metadata for configuring an audit webhook endpoint for a cluster to process cluster audit events. It references a secret that contains the webhook information for the audit webhook endpoint. It is a secret because if the endpoint has mTLS the kubeconfig will contain client keys. The kubeconfig needs to be stored in the secret with a secret key name that corresponds to the constant AuditWebhookKubeconfigKey. |
imageContentSources
[]ImageContentSource
|
(Optional)
imageContentSources specifies image mirrors that can be used by cluster nodes to pull content. When imageContentSources is set, the controllers will generate a machineConfig. This MachineConfig will be part of every payload generated by the controllers for any NodePool of the HostedCluster. Changing this value will trigger a rollout for all existing NodePools in the cluster. |
additionalTrustBundle
Kubernetes core/v1.LocalObjectReference
|
(Optional)
additionalTrustBundle is a local reference to a ConfigMap that must have a “ca-bundle.crt” key whose content must be a PEM-encoded X.509 certificate bundle that will be added to the hosted control plane and nodes. If the reference is set but none of the above requirements are met, the HostedCluster will enter a degraded state. TODO(alberto): Signal this in a condition. This will be part of every payload generated by the controllers for any NodePool of the HostedCluster. Changing this value will trigger a rollout for all existing NodePools in the cluster. |
secretEncryption
SecretEncryptionSpec
|
(Optional)
secretEncryption specifies a Kubernetes secret encryption strategy for the control plane. |
fips
bool
|
(Optional)
fips indicates whether this cluster’s nodes will be running in FIPS mode. If set to true, the control plane’s ignition server will be configured to expect that nodes joining the cluster will be FIPS-enabled. |
pausedUntil
string
|
(Optional)
pausedUntil is a field that can be used to pause reconciliation on the HostedCluster controller, resulting in any change to the HostedCluster being ignored. Either a date can be provided in RFC3339 format or a boolean as in ‘true’, ‘false’, ‘True’, ‘False’. If a date is provided: reconciliation is paused on the resource until that date. If the boolean true is provided: reconciliation is paused on the resource until the field is removed. |
olmCatalogPlacement
OLMCatalogPlacement
|
(Optional)
OLMCatalogPlacement specifies the placement of OLM catalog components. By default, this is set to management and OLM catalog components are deployed onto the management cluster. If set to guest, the OLM catalog components will be deployed onto the guest cluster. |
nodeSelector
map[string]string
|
(Optional)
NodeSelector when specified, is propagated to all control plane Deployments and Stateful sets running management side. It must be satisfied by the management Nodes for the pods to be scheduled. Otherwise the HostedCluster will enter a degraded state. Changes to this field will propagate to existing Deployments and StatefulSets. TODO(alberto): add additional validation for the map key/values. |
tolerations
[]Kubernetes core/v1.Toleration
|
(Optional)
Tolerations when specified, define what custom tolerations are added to the hcp pods. |
labels
map[string]string
|
(Optional)
labels when specified, define what custom labels are added to the hcp pods. Changing this day 2 will cause a rollout of all hcp pods. Duplicate keys are not supported. If duplicate keys are defined, only the last key/value pair is preserved. Valid values are those in https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set |
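The HostedClusterSpec description above carries several constraints that the API server enforces only at admission time: the four CEL rules on the services list, the infraID and clusterID formats, and the accepted values of pausedUntil. A manifest that violates them is rejected at apply, or, for the fields the text says lack a condition, leaves the HostedCluster degraded. The following is an added example, not HyperShift project code: a small offline lint that re-implements those documented rules over a constructed spec so a manifest can be checked before it reaches the management cluster. The spec values, the function names and the error wording are this example's own.

```python
"""Offline lint for a HostedCluster spec against the documented services,
infraID, clusterID and pausedUntil rules.

Added example, not HyperShift project code: the checks re-implement the
CEL validation rules and field constraints quoted in the HostedClusterSpec
description. SAMPLE_SPEC is constructed; function names are this example's own.
"""
import re
from datetime import datetime

REQUIRED_SERVICES = ("APIServer", "OAuthServer", "Konnectivity", "Ignition")
MAX_SERVICES = 6
# infraID: lowercase alphanumerics and '-', starting and ending alphanumeric.
INFRA_ID_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")
# clusterID: RFC 4122 textual form, 8-4-4-4-12 hexadecimal digits.
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def check_services(services):
    """Return violations of the documented services rules; empty means valid."""
    errors = []
    present = {s.get("service") for s in services}
    missing = [t for t in REQUIRED_SERVICES if t not in present]
    if missing:
        errors.append(f"services must include {missing}")
    if len(services) > MAX_SERVICES:
        errors.append(f"services has {len(services)} entries, max is {MAX_SERVICES}")
    route_hosts, node_ports = {}, {}
    for s in services:
        sps = s.get("servicePublishingStrategy", {})
        if sps.get("type") == "Route":
            host = sps.get("route", {}).get("hostname")
            if s.get("service") == "APIServer" and not host:
                errors.append("APIServer published via Route must set route.hostname")
            if host:
                route_hosts.setdefault(host, []).append(s.get("service"))
        elif sps.get("type") == "NodePort":
            np = sps.get("nodePort", {})
            if "address" in np and "port" in np:
                node_ports.setdefault((np["address"], np["port"]), []).append(s.get("service"))
    # Each route hostname and each nodePort address:port pair may be used once.
    errors += [f"route hostname {h!r} reused by {u}" for h, u in route_hosts.items() if len(u) > 1]
    errors += [f"nodePort {a}:{p} reused by {u}" for (a, p), u in node_ports.items() if len(u) > 1]
    return errors


def check_identifiers(spec):
    """Validate infraID and clusterID when present (both are optional fields)."""
    errors = []
    infra = spec.get("infraID")
    if infra is not None and (len(infra) > 253 or not INFRA_ID_RE.match(infra)):
        errors.append(f"infraID {infra!r} violates the lowercase alphanumeric/hyphen format")
    cid = spec.get("clusterID")
    if cid is not None and not UUID_RE.match(cid):
        errors.append(f"clusterID {cid!r} is not an RFC 4122 UUID")
    return errors


def check_paused_until(value):
    """pausedUntil must be an RFC3339 timestamp or one of true/false/True/False."""
    if value is None:
        return []
    if not isinstance(value, str):
        return [f"pausedUntil must be a string, got {type(value).__name__}"]
    if value in ("true", "false", "True", "False"):
        return []
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
        return []
    except ValueError:
        return [f"pausedUntil {value!r} is neither RFC3339 nor a boolean string"]


def lint_hosted_cluster_spec(spec):
    """Aggregate all checks; an empty list means the spec passes this lint."""
    return (check_services(spec.get("services", []))
            + check_identifiers(spec)
            + check_paused_until(spec.get("pausedUntil")))


# Constructed sample spec: valid identifiers, but OAuthServer reuses the
# APIServer route hostname, which the uniqueness rule rejects.
SAMPLE_SPEC = {
    "infraID": "demo-hc-7f3k2",
    "clusterID": "123e4567-e89b-42d3-a456-426614174000",
    "pausedUntil": "2030-01-01T00:00:00Z",
    "services": [
        {"service": "APIServer", "servicePublishingStrategy": {
            "type": "Route", "route": {"hostname": "api.hc.example.test"}}},
        {"service": "OAuthServer", "servicePublishingStrategy": {
            "type": "Route", "route": {"hostname": "api.hc.example.test"}}},
        {"service": "Konnectivity", "servicePublishingStrategy": {"type": "Route"}},
        {"service": "Ignition", "servicePublishingStrategy": {"type": "Route"}},
    ],
}

if __name__ == "__main__":
    for problem in lint_hosted_cluster_spec(SAMPLE_SPEC):
        print("REJECT:", problem)
```

The lint is deliberately stricter than the page in one respect: clusterID is matched against the hyphenated 8-4-4-4-12 form the description spells out, rather than any string a UUID parser would accept. The pausedUntil parser relies on `datetime.fromisoformat`, which covers the RFC3339 timestamps the field accepts once a trailing `Z` is normalised to `+00:00`.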
HostedClusterStatus
(Appears on: HostedCluster)
HostedClusterStatus is the latest observed status of a HostedCluster.
Field | Description |
---|---|
version
ClusterVersionStatus
|
(Optional)
Version is the status of the release version applied to the HostedCluster. |
kubeconfig
Kubernetes core/v1.LocalObjectReference
|
(Optional)
KubeConfig is a reference to the secret containing the default kubeconfig for the cluster. |
kubeadminPassword
Kubernetes core/v1.LocalObjectReference
|
(Optional)
KubeadminPassword is a reference to the secret that contains the initial kubeadmin user password for the guest cluster. |
ignitionEndpoint
string
|
(Optional)
IgnitionEndpoint is the endpoint injected in the ign config userdata. It exposes the config for instances to become kubernetes nodes. |
controlPlaneEndpoint
APIEndpoint
|
ControlPlaneEndpoint contains the endpoint information by which external clients can access the control plane. This is populated after the infrastructure is ready. |
oauthCallbackURLTemplate
string
|
OAuthCallbackURLTemplate contains a template for the URL to use as a callback for identity providers. The [identity-provider-name] placeholder must be replaced with the name of an identity provider defined on the HostedCluster. This is populated after the infrastructure is ready. |
conditions
[]Kubernetes meta/v1.Condition
|
(Optional)
Conditions represents the latest available observations of a control plane’s current state. |
payloadArch
PayloadArchType
|
(Optional)
payloadArch represents the CPU architecture type of the HostedCluster.Spec.Release.Image. The valid values are: Multi, ARM64, AMD64, S390X, or PPC64LE. |
platform
PlatformStatus
|
(Optional)
Platform contains platform-specific status of the HostedCluster |
HostedControlPlaneSpec
HostedControlPlaneSpec defines the desired state of HostedControlPlane
Field | Description |
---|---|
releaseImage
string
|
ReleaseImage is the release image applied to the hosted control plane. |
controlPlaneReleaseImage
string
|
ControlPlaneReleaseImage specifies the desired OCP release payload for control plane components running on the management cluster. If not defined, ReleaseImage is used |
updateService
github.com/openshift/api/config/v1.URL
|
(Optional)
updateService may be used to specify the preferred upstream update service. By default it will use the appropriate update service for the cluster and region. |
channel
string
|
(Optional)
channel is an identifier for explicitly requesting that a non-default set of updates be applied to this cluster. The default channel will contain stable updates that are appropriate for production clusters. |
pullSecret
Kubernetes core/v1.LocalObjectReference
|
|
issuerURL
string
|
IssuerURL is an OIDC issuer URL which is used as the issuer in all ServiceAccount tokens generated by the control plane API server. The default value is kubernetes.default.svc, which only works for in-cluster validation. |
networking
ClusterNetworking
|
(Optional)
Networking specifies network configuration for the cluster. Temporarily optional for backward compatibility, required in future releases. |
sshKey
Kubernetes core/v1.LocalObjectReference
|
|
clusterID
string
|
(Optional)
ClusterID is the unique id that identifies the cluster externally. Making it optional here allows us to keep compatibility with previous versions of the control-plane-operator that have no knowledge of this field. |
infraID
string
|
|
platform
PlatformSpec
|
|
dns
DNSSpec
|
|
serviceAccountSigningKey
Kubernetes core/v1.LocalObjectReference
|
(Optional)
ServiceAccountSigningKey is a reference to a secret containing the private key used by the service account token issuer. The secret is expected to contain a single key named “key”. If not specified, a service account signing key will be generated automatically for the cluster. |
controllerAvailabilityPolicy
AvailabilityPolicy
|
(Optional)
ControllerAvailabilityPolicy specifies the availability policy applied to critical control plane components. The default value is SingleReplica. |
infrastructureAvailabilityPolicy
AvailabilityPolicy
|
(Optional)
InfrastructureAvailabilityPolicy specifies the availability policy applied to infrastructure services which run on cluster nodes. The default value is SingleReplica. |
fips
bool
|
(Optional)
FIPS specifies if the nodes for the cluster will be running in FIPS mode |
kubeconfig
KubeconfigSecretRef
|
(Optional)
KubeConfig specifies the name and key for the kubeconfig secret |
services
[]ServicePublishingStrategyMapping
|
Services defines metadata about how control plane services are published in the management cluster. |
auditWebhook
Kubernetes core/v1.LocalObjectReference
|
(Optional)
AuditWebhook contains metadata for configuring an audit webhook endpoint for a cluster to process cluster audit events. It references a secret that contains the webhook information for the audit webhook endpoint. It is a secret because if the endpoint has mTLS the kubeconfig will contain client keys. This is currently only supported in IBM Cloud. The kubeconfig needs to be stored in the secret with a secret key name that corresponds to the constant AuditWebhookKubeconfigKey. |
etcd
EtcdSpec
|
Etcd contains metadata about the etcd cluster the hypershift managed Openshift control plane components use to store data. |
configuration
ClusterConfiguration
|
Configuration embeds resources that correspond to the openshift configuration API: https://docs.openshift.com/container-platform/4.7/rest_api/config_apis/config-apis-index.html |
imageContentSources
[]ImageContentSource
|
(Optional)
ImageContentSources lists sources/repositories for the release-image content. |
additionalTrustBundle
Kubernetes core/v1.LocalObjectReference
|
(Optional)
AdditionalTrustBundle references a ConfigMap containing a PEM-encoded X.509 certificate bundle |
secretEncryption
SecretEncryptionSpec
|
(Optional)
SecretEncryption contains metadata about the kubernetes secret encryption strategy being used for the cluster when applicable. |
pausedUntil
string
|
(Optional)
PausedUntil is a field that can be used to pause reconciliation on a resource. Either a date can be provided in RFC3339 format or a boolean. If a date is provided: reconciliation is paused on the resource until that date. If the boolean true is provided: reconciliation is paused on the resource until the field is removed. |
olmCatalogPlacement
OLMCatalogPlacement
|
(Optional)
OLMCatalogPlacement specifies the placement of OLM catalog components. By default, this is set to management and OLM catalog components are deployed onto the management cluster. If set to guest, the OLM catalog components will be deployed onto the guest cluster. |
autoscaling
ClusterAutoscaling
|
(Optional)
Autoscaling specifies auto-scaling behavior that applies to all NodePools associated with the control plane. |
autoNode
AutoNode
|
autoNode specifies the configuration for the autoNode feature. |
nodeSelector
map[string]string
|
(Optional)
NodeSelector when specified, must be true for the pods managed by the HostedCluster to be scheduled. |
tolerations
[]Kubernetes core/v1.Toleration
|
(Optional)
Tolerations when specified, define what custom tolerations are added to the hcp pods. |
labels
map[string]string
|
(Optional)
labels when specified, define what custom labels are added to the hcp pods. Changing this day 2 will cause a rollout of all hcp pods. Duplicate keys are not supported. If duplicate keys are defined, only the last key/value pair is preserved. Valid values are those in https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set |
HostedControlPlaneStatus
HostedControlPlaneStatus defines the observed state of HostedControlPlane
Field | Description |
---|---|
ready
bool
|
Ready denotes that the HostedControlPlane API Server is ready to receive requests. This satisfies the CAPI contract https://github.com/kubernetes-sigs/cluster-api/blob/cd3a694deac89d5ebeb888307deaa61487207aa0/controllers/cluster_controller_phases.go#L226-L230 |
initialized
bool
|
Initialized denotes whether or not the control plane has provided a kubeadm-config. Once this condition is marked true, its value is never changed. See the Ready condition for an indication of the current readiness of the cluster’s control plane. This satisfies CAPI contract https://github.com/kubernetes-sigs/cluster-api/blob/cd3a694deac89d5ebeb888307deaa61487207aa0/controllers/cluster_controller_phases.go#L238-L252 |
externalManagedControlPlane
bool
|
ExternalManagedControlPlane indicates to cluster-api that the control plane is managed by an external service. https://github.com/kubernetes-sigs/cluster-api/blob/65e5385bffd71bf4aad3cf34a537f11b217c7fab/controllers/machine_controller.go#L468 |
controlPlaneEndpoint
APIEndpoint
|
ControlPlaneEndpoint contains the endpoint information by which external clients can access the control plane. This is populated after the infrastructure is ready. |
oauthCallbackURLTemplate
string
|
OAuthCallbackURLTemplate contains a template for the URL to use as a callback for identity providers. The [identity-provider-name] placeholder must be replaced with the name of an identity provider defined on the HostedCluster. This is populated after the infrastructure is ready. |
versionStatus
ClusterVersionStatus
|
(Optional)
versionStatus is the status of the release version applied by the hosted control plane operator. |
version
string
|
Version is the semantic version of the release applied by the hosted control plane operator. Deprecated: Use versionStatus.desired.version instead. |
releaseImage
string
|
(Optional)
ReleaseImage is the release image applied to the hosted control plane. Deprecated: Use versionStatus.desired.image instead. |
lastReleaseImageTransitionTime
Kubernetes meta/v1.Time
|
lastReleaseImageTransitionTime is the time of the last update to the current releaseImage property. Deprecated: Use versionStatus.history[0].startedTime instead. |
kubeConfig
KubeconfigSecretRef
|
KubeConfig is a reference to the secret containing the default kubeconfig for this control plane. |
kubeadminPassword
Kubernetes core/v1.LocalObjectReference
|
(Optional)
KubeadminPassword is a reference to the secret containing the initial kubeadmin password for the guest cluster. |
conditions
[]Kubernetes meta/v1.Condition
|
(Optional)
Conditions contains details for each aspect of the current state of the HostedControlPlane. Current condition types are: “Available” |
platform
PlatformStatus
|
(Optional)
Platform contains platform-specific status of the HostedCluster |
nodeCount
int
|
NodeCount tracks the number of nodes in the HostedControlPlane. |
IBMCloudKMSAuthSpec
(Appears on: IBMCloudKMSSpec)
IBMCloudKMSAuthSpec defines metadata for how authentication is done with IBM Cloud KMS
Field | Description |
---|---|
type
IBMCloudKMSAuthType
|
Type defines the IBM Cloud KMS authentication strategy |
unmanaged
IBMCloudKMSUnmanagedAuthSpec
|
(Optional)
Unmanaged defines the auth metadata the customer provides to interact with IBM Cloud KMS |
managed
IBMCloudKMSManagedAuthSpec
|
(Optional)
Managed defines metadata around the service to service authentication strategy for the IBM Cloud KMS system (all provider managed). |
IBMCloudKMSAuthType
(Appears on: IBMCloudKMSAuthSpec)
IBMCloudKMSAuthType defines the IBM Cloud KMS authentication strategy
Value | Description |
---|---|
"Managed" |
IBMCloudKMSManagedAuth defines the KMS authentication strategy where the IKS/ROKS platform uses service to service auth to call IBM Cloud KMS APIs (no customer credentials required) |
"Unmanaged" |
IBMCloudKMSUnmanagedAuth defines the KMS authentication strategy where a customer supplies IBM Cloud authentication to interact with IBM Cloud KMS APIs |
IBMCloudKMSKeyEntry
(Appears on: IBMCloudKMSSpec)
IBMCloudKMSKeyEntry defines metadata for an IBM Cloud KMS encryption key
Field | Description |
---|---|
crkID
string
|
CRKID is the customer root key (CRK) ID |
instanceID
string
|
InstanceID is the ID of the Key Protect instance |
correlationID
string
|
CorrelationID is an identifier used to track all API call usage from HyperShift |
url
string
|
URL is the URL used to call Key Protect APIs |
keyVersion
int
|
KeyVersion is a unique number associated with the key. The number increments whenever a new key is enabled for data encryption. |
IBMCloudKMSManagedAuthSpec
(Appears on: IBMCloudKMSAuthSpec)
IBMCloudKMSManagedAuthSpec defines metadata around the service to service authentication strategy for the IBM Cloud KMS system (all provider managed).
IBMCloudKMSSpec
(Appears on: KMSSpec)
IBMCloudKMSSpec defines metadata for the IBM Cloud KMS encryption strategy
Field | Description |
---|---|
region
string
|
Region is the IBM Cloud region |
auth
IBMCloudKMSAuthSpec
|
Auth defines metadata for how authentication is done with IBM Cloud KMS |
keyList
[]IBMCloudKMSKeyEntry
|
KeyList defines the list of keys used for data encryption |
IBMCloudKMSUnmanagedAuthSpec
(Appears on: IBMCloudKMSAuthSpec)
IBMCloudKMSUnmanagedAuthSpec defines the auth metadata the customer provides to interact with IBM Cloud KMS
Field | Description |
---|---|
credentials
Kubernetes core/v1.LocalObjectReference
|
Credentials should reference a secret with a key field of IBMCloudIAMAPIKeySecretKey that contains an API key to call IBM Cloud KMS APIs |
IBMCloudPlatformSpec
(Appears on: NodePoolPlatform, PlatformSpec)
IBMCloudPlatformSpec defines IBMCloud specific settings for components
Field | Description |
---|---|
providerType
github.com/openshift/api/config/v1.IBMCloudProviderType
|
ProviderType is a specific supported infrastructure provider within IBM Cloud. |
ImageContentSource
(Appears on: HostedClusterSpec, HostedControlPlaneSpec)
ImageContentSource specifies image mirrors that can be used by cluster nodes to pull content. For cluster workloads, if the container image registry host of the pullspec matches Source, then the Mirrors are substituted as hosts in the pullspec and tried in order to fetch the image.
Field | Description |
---|---|
source
string
|
Source is the repository that users refer to, e.g. in image pull specifications. |
mirrors
[]string
|
(Optional)
Mirrors are one or more repositories that may also contain the same images. |
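The mirror substitution described above, written in Go as an added example (not code from the HyperShift project). It assumes Source is matched as a repository prefix ending at a path, tag or digest boundary (so a bare host like quay.io matches as well), and that the original pullspec is tried last as a fallback:

```go
package main

import (
	"fmt"
	"strings"
)

// ImageContentSource is a constructed stand-in for the API type above so the
// example runs without the HyperShift module.
type ImageContentSource struct {
	Source  string
	Mirrors []string
}

// matchesSource reports whether pullSpec refers to the Source repository:
// either exactly, or as a longer path / tag / digest under it. The boundary
// check prevents "quay.io/ns/img" from matching "quay.io/ns/img-other".
func matchesSource(pullSpec, source string) (rest string, ok bool) {
	if !strings.HasPrefix(pullSpec, source) {
		return "", false
	}
	rest = pullSpec[len(source):]
	if rest == "" {
		return rest, true
	}
	switch rest[0] {
	case '/', ':', '@':
		return rest, true
	}
	return "", false
}

// MirroredPullSpecs returns the pull specs a node would try, in order: each
// mirror of the first matching source with the remainder of the pull spec
// appended, then the original pull spec as the final fallback (an assumption
// of this example, not something the field description states).
func MirroredPullSpecs(pullSpec string, sources []ImageContentSource) []string {
	for _, ics := range sources {
		rest, ok := matchesSource(pullSpec, ics.Source)
		if !ok {
			continue
		}
		out := make([]string, 0, len(ics.Mirrors)+1)
		for _, m := range ics.Mirrors {
			out = append(out, m+rest)
		}
		return append(out, pullSpec)
	}
	return []string{pullSpec}
}

func main() {
	// Constructed sample: a disconnected-install style mirror for the release payload.
	sources := []ImageContentSource{{
		Source:  "quay.io/openshift-release-dev/ocp-release",
		Mirrors: []string{"mirror.internal:5000/ocp/release"},
	}}
	for _, s := range MirroredPullSpecs("quay.io/openshift-release-dev/ocp-release@sha256:0123", sources) {
		fmt.Println(s)
	}
}
```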
InPlaceUpgrade
(Appears on: NodePoolManagement)
InPlaceUpgrade specifies an upgrade strategy which upgrades nodes in-place without any new nodes being created or any old nodes being deleted.
Field | Description |
---|---|
maxUnavailable
k8s.io/apimachinery/pkg/util/intstr.IntOrString
|
(Optional)
maxUnavailable is the maximum number of nodes that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired nodes (ex: 10%). Absolute number is calculated from percentage by rounding down. Defaults to 1. Example: when this is set to 30%, a max of 30% of the nodes can be made unschedulable/unavailable immediately when the update starts. Once a set of nodes is updated, more nodes can be made unschedulable for update, ensuring that the total number of nodes schedulable at all times during the update is at least 70% of desired nodes. |
KMSProvider
(Appears on: KMSSpec)
KMSProvider defines the supported KMS providers
Value | Description |
---|---|
"AWS" |
|
"Azure" |
|
"IBMCloud" |
KMSSpec
(Appears on: SecretEncryptionSpec)
KMSSpec defines metadata about the kms secret encryption strategy
Field | Description |
---|---|
provider
KMSProvider
|
Provider defines the KMS provider |
ibmcloud
IBMCloudKMSSpec
|
(Optional)
IBMCloud defines metadata for the IBM Cloud KMS encryption strategy |
aws
AWSKMSSpec
|
(Optional)
AWS defines metadata about the configuration of the AWS KMS Secret Encryption provider |
azure
AzureKMSSpec
|
(Optional)
Azure defines metadata about the configuration of the Azure KMS Secret Encryption provider using Azure key vault |
KarpenterAWSConfig
(Appears on: KarpenterConfig)
Field | Description |
---|---|
roleARN
string
|
roleARN specifies the ARN of the Karpenter provisioner. |
KarpenterConfig
(Appears on: ProvisionerConfig)
Field | Description |
---|---|
platform
PlatformType
|
platform specifies the platform-specific configuration for Karpenter. |
aws
KarpenterAWSConfig
|
(Optional)
aws specifies the AWS-specific configuration for Karpenter. |
KubeVirtNodePoolStatus
(Appears on: NodePoolPlatformStatus)
KubeVirtNodePoolStatus contains the KubeVirt platform statuses
Field | Description |
---|---|
cacheName
string
|
(Optional)
CacheName holds the name of the cache DataVolume, if one exists |
credentials
KubevirtPlatformCredentials
|
(Optional)
Credentials shows the client credentials used when creating KubeVirt virtual machines. This field only exists when the KubeVirt virtual machines are being placed on a cluster separate from the one hosting the Hosted Control Plane components. The default behavior when Credentials is not defined is for the KubeVirt VMs to be placed on the same cluster and namespace as the Hosted Control Plane. |
KubevirtCachingStrategy
(Appears on: KubevirtRootVolume)
KubevirtCachingStrategy defines the boot image caching strategy
Field | Description |
---|---|
type
KubevirtCachingStrategyType
|
Type is the type of the caching strategy |
KubevirtCachingStrategyType
(Appears on: KubevirtCachingStrategy)
KubevirtCachingStrategyType is the type of the boot image caching mechanism for the KubeVirt provider
Value | Description |
---|---|
"None" |
KubevirtCachingStrategyNone means that hypershift will not cache the boot image |
"PVC" |
KubevirtCachingStrategyPVC means that hypershift will cache the boot image into a PVC; only relevant when using a QCOW boot image, and is ignored when using a container image |
KubevirtCompute
(Appears on: KubevirtNodePoolPlatform)
KubevirtCompute contains values associated with the virtual compute hardware requested for the VM.
Field | Description |
---|---|
memory
k8s.io/apimachinery/pkg/api/resource.Quantity
|
(Optional)
Memory represents how much guest memory the VM should have |
cores
uint32
|
(Optional)
Cores represents how many cores the guest VM should have |
qosClass
QoSClass
|
(Optional)
QosClass, if set to “Guaranteed”, requests the scheduler to place the VirtualMachineInstance on a node with memory and CPU limits equal to the requested values, which gives the VMI the Guaranteed QoS class. See here for more details: https://kubevirt.io/user-guide/operations/node_overcommit/#requesting-the-right-qos-class-for-virtualmachineinstances |
KubevirtDiskImage
(Appears on: KubevirtRootVolume)
KubevirtDiskImage contains values representing where the rhcos image is located
Field | Description |
---|---|
containerDiskImage
string
|
(Optional)
ContainerDiskImage is a string representing the container image that holds the root disk |
KubevirtHostDevice
(Appears on: KubevirtNodePoolPlatform)
Field | Description |
---|---|
deviceName
string
|
DeviceName is the name of the host device that is desired to be utilized in the HostedCluster’s NodePool. The device can be any supported PCI device, including a GPU, either as a passthrough or a vGPU slice. |
count
int
|
(Optional)
Count is the number of instances of the specified host device that will be attached to each of the NodePool’s nodes. Default is 1. |
KubevirtManualStorageDriverConfig
(Appears on: KubevirtStorageDriverSpec)
Field | Description |
---|---|
storageClassMapping
[]KubevirtStorageClassMapping
|
(Optional)
StorageClassMapping maps StorageClasses on the infra cluster hosting the KubeVirt VMs to StorageClasses that are made available within the Guest Cluster. NOTE: It is possible that not all capabilities of an infra cluster’s StorageClass will be present for the corresponding guest cluster’s StorageClass. |
volumeSnapshotClassMapping
[]KubevirtVolumeSnapshotClassMapping
|
(Optional) |
KubevirtNetwork
(Appears on: KubevirtNodePoolPlatform)
KubevirtNetwork specifies the configuration for a virtual machine network interface
Field | Description |
---|---|
name
string
|
Name specifies the network attached to the nodes. It is a value with the format “[namespace]/[name]” referencing the Multus NetworkAttachmentDefinition. |
KubevirtNodePoolPlatform
(Appears on: NodePoolPlatform)
KubevirtNodePoolPlatform specifies the configuration of a NodePool when operating on KubeVirt platform.
Field | Description |
---|---|
rootVolume
KubevirtRootVolume
|
RootVolume represents values associated with the VM volume that will host rhcos |
compute
KubevirtCompute
|
(Optional)
Compute contains values representing the virtual hardware requested for the VM |
networkInterfaceMultiqueue
MultiQueueSetting
|
(Optional)
NetworkInterfaceMultiQueue If set to “Enable”, virtual network interfaces configured with a virtio bus will also enable the vhost multiqueue feature for network devices. The number of queues created depends on additional factors of the VirtualMachineInstance, like the number of guest CPUs. |
additionalNetworks
[]KubevirtNetwork
|
(Optional)
AdditionalNetworks specifies the extra networks attached to the nodes |
attachDefaultNetwork
bool
|
(Optional)
AttachDefaultNetwork specifies whether the default pod network should be attached to the nodes. This can only be set to false if AdditionalNetworks are configured. |
nodeSelector
map[string]string
|
(Optional)
NodeSelector is a selector which must match a node’s labels for the KubeVirt VirtualMachine to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ |
hostDevices
[]KubevirtHostDevice
|
HostDevices specifies the host devices (e.g. GPU devices) to be passed from the management cluster to the NodePool nodes |
KubevirtPersistentVolume
(Appears on: KubevirtVolume)
KubevirtPersistentVolume contains the values involved with provisioning persistent storage for a KubeVirt VM.
Field | Description |
---|---|
size
k8s.io/apimachinery/pkg/api/resource.Quantity
|
(Optional)
Size is the size of the persistent storage volume |
storageClass
string
|
(Optional)
StorageClass is the storageClass used for the underlying PVC that hosts the volume |
accessModes
[]PersistentVolumeAccessMode
|
(Optional)
AccessModes is an array that contains the desired Access Modes the root volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes |
volumeMode
Kubernetes core/v1.PersistentVolumeMode
|
(Optional)
VolumeMode defines what type of volume is required by the claim. Value of Filesystem is implied when not included in claim spec. |
KubevirtPlatformCredentials
(Appears on: KubeVirtNodePoolStatus, KubevirtPlatformSpec)
Field | Description |
---|---|
infraKubeConfigSecret
KubeconfigSecretRef
|
InfraKubeConfigSecret is a reference to a secret that contains the kubeconfig for the external infra cluster that will be used to host the KubeVirt virtual machines for this cluster. |
infraNamespace
string
|
InfraNamespace defines the namespace on the external infra cluster that is used to host the KubeVirt virtual machines. This namespace must already exist before creating the HostedCluster and the kubeconfig referenced in the InfraKubeConfigSecret must have access to manage the required resources within this namespace. |
KubevirtPlatformSpec
(Appears on: PlatformSpec)
KubevirtPlatformSpec specifies configuration for kubevirt guest cluster installations
Field | Description |
---|---|
baseDomainPassthrough
bool
|
(Optional)
BaseDomainPassthrough toggles whether or not an automatically generated base domain for the guest cluster should be used that is a subdomain of the management cluster’s *.apps DNS. For the KubeVirt platform, the base domain can be autogenerated using the *.apps domain of the management/infra hosting cluster. This makes the guest cluster’s base domain a subdomain of the HyperShift infra/mgmt cluster’s base domain. Example: infra/mgmt cluster’s DNS base: example.com; cluster: mgmt-cluster.example.com; apps: *.apps.mgmt-cluster.example.com. KubeVirt guest cluster’s DNS base: apps.mgmt-cluster.example.com; cluster: guest.apps.mgmt-cluster.example.com; apps: *.apps.guest.apps.mgmt-cluster.example.com. This is possible using OCP wildcard routes. |
generateID
string
|
(Optional)
GenerateID is used to uniquely apply a name suffix to resources associated with kubevirt infrastructure resources |
credentials
KubevirtPlatformCredentials
|
(Optional)
Credentials defines the client credentials used when creating KubeVirt virtual machines. Defining credentials is only necessary when the KubeVirt virtual machines are being placed on a cluster separate from the one hosting the Hosted Control Plane components. The default behavior when Credentials is not defined is for the KubeVirt VMs to be placed on the same cluster and namespace as the Hosted Control Plane. |
storageDriver
KubevirtStorageDriverSpec
|
(Optional)
StorageDriver defines how the KubeVirt CSI driver exposes StorageClasses on the infra cluster (hosting the VMs) to the guest cluster. |
KubevirtRootVolume
(Appears on: KubevirtNodePoolPlatform)
KubevirtRootVolume represents the volume that the rhcos disk will be stored and run from.
Field | Description |
---|---|
diskImage
KubevirtDiskImage
|
(Optional)
Image represents what rhcos image to use for the node pool |
KubevirtVolume
KubevirtVolume
|
(Members of KubevirtVolume are embedded into this type.) KubevirtVolume represents the type of storage to run the image on |
cacheStrategy
KubevirtCachingStrategy
|
(Optional)
CacheStrategy defines the boot image caching strategy. Default - no caching |
KubevirtStorageClassMapping
(Appears on: KubevirtManualStorageDriverConfig)
Field | Description |
---|---|
group
string
|
Group contains which group this mapping belongs to. |
infraStorageClassName
string
|
InfraStorageClassName is the name of the infra cluster storage class that will be exposed to the guest. |
guestStorageClassName
string
|
GuestStorageClassName is the name that the corresponding storageclass will be called within the guest cluster |
KubevirtStorageDriverConfigType
(Appears on: KubevirtStorageDriverSpec)
KubevirtStorageDriverConfigType defines how the kubevirt storage driver is configured.
Value | Description |
---|---|
"Default" |
DefaultKubevirtStorageDriverConfigType means the kubevirt storage driver maps to the underlying infra cluster’s default storageclass |
"Manual" |
ManualKubevirtStorageDriverConfigType means the kubevirt storage driver mapping is explicitly defined. |
"None" |
NoneKubevirtStorageDriverConfigType means no kubevirt storage driver is used |
KubevirtStorageDriverSpec
(Appears on: KubevirtPlatformSpec)
Field | Description |
---|---|
type
KubevirtStorageDriverConfigType
|
(Optional)
Type represents the type of kubevirt csi driver configuration to use |
manual
KubevirtManualStorageDriverConfig
|
(Optional)
Manual is used to explicitly define how the infra storageclasses are mapped to guest storageclasses |
KubevirtVolume
(Appears on: KubevirtRootVolume)
KubevirtVolume represents what kind of storage to use for a KubeVirt VM volume
Field | Description |
---|---|
type
KubevirtVolumeType
|
(Optional)
Type represents the type of storage to associate with the kubevirt VMs. |
persistent
KubevirtPersistentVolume
|
(Optional)
Persistent volume type means the VM’s storage is backed by a PVC. VMs that use persistent volumes can survive disruption events like restart and eviction. This is the default type used when no storage type is defined. |
KubevirtVolumeSnapshotClassMapping
(Appears on: KubevirtManualStorageDriverConfig)
Field | Description |
---|---|
group
string
|
Group contains which group this mapping belongs to. |
infraVolumeSnapshotClassName
string
|
InfraVolumeSnapshotClassName is the name of the infra cluster volume snapshot class that will be exposed to the guest. |
guestVolumeSnapshotClassName
string
|
GuestVolumeSnapshotClassName is the name that the corresponding volumeSnapshotClass will be called within the guest cluster |
KubevirtVolumeType
(Appears on: KubevirtVolume)
KubevirtVolumeType identifies a specific supported KubeVirt volume type
Value | Description |
---|---|
"Persistent" |
KubevirtVolumeTypePersistent represents persistent volume for kubevirt VMs |
LoadBalancerPublishingStrategy
(Appears on: ServicePublishingStrategy)
LoadBalancerPublishingStrategy specifies settings used to expose a service as a LoadBalancer.
Field | Description |
---|---|
hostname
string
|
(Optional)
hostname is the name of the DNS record that will be created pointing to the LoadBalancer and passed through to consumers of the service. If omitted, the value will be inferred from the .status of the corev1.Service of type LoadBalancer. |
MachineNetworkEntry
(Appears on: ClusterNetworking)
MachineNetworkEntry is a single IP address block for node IP blocks.
Field | Description |
---|---|
cidr
github.com/openshift/hypershift/api/util/ipnet.IPNet
|
CIDR is the IP block address pool for machines within the cluster. |
ManagedAzureKeyVault
(Appears on: ControlPlaneManagedIdentities)
ManagedAzureKeyVault is an Azure Key Vault on the management cluster.
Field | Description |
---|---|
name
string
|
name is the name of the Azure Key Vault on the management cluster. |
tenantID
string
|
tenantID is the tenant ID of the Azure Key Vault on the management cluster. |
ManagedEtcdSpec
(Appears on: EtcdSpec)
ManagedEtcdSpec specifies the behavior of an etcd cluster managed by HyperShift.
Field | Description |
---|---|
storage
ManagedEtcdStorageSpec
|
storage specifies how etcd data is persisted. |
ManagedEtcdStorageSpec
(Appears on: ManagedEtcdSpec)
ManagedEtcdStorageSpec describes the storage configuration for etcd data.
Field | Description |
---|---|
type
ManagedEtcdStorageType
|
type is the kind of persistent storage implementation to use for etcd. Only PersistentVolume is supported at the moment. |
persistentVolume
PersistentVolumeEtcdStorageSpec
|
(Optional)
persistentVolume is the configuration for PersistentVolume etcd storage. With this implementation, a PersistentVolume will be allocated for every etcd member (either 1 or 3 depending on the HostedCluster control plane availability configuration). |
restoreSnapshotURL
[]string
|
(Optional)
restoreSnapshotURL allows an optional URL to be provided where an etcd snapshot can be downloaded, for example a pre-signed URL referencing a storage service. This snapshot will be restored on initial startup, only when the etcd PV is empty. |
ManagedEtcdStorageType
(Appears on: ManagedEtcdStorageSpec)
ManagedEtcdStorageType is a storage type for an etcd cluster.
Value | Description |
---|---|
"PersistentVolume" |
PersistentVolumeEtcdStorage uses PersistentVolumes for etcd storage. |
ManagedIdentity
(Appears on: AzureKMSSpec, ControlPlaneManagedIdentities)
ManagedIdentity contains the client ID, and its certificate name, of a managed identity. This managed identity is used, by an HCP component, to authenticate with the Azure API.
Field | Description |
---|---|
clientID
string
|
clientID is the client ID of a managed identity. |
certificateName
string
|
certificateName is the name of the certificate backing the managed identity. This certificate is expected to reside in an Azure Key Vault on the management cluster. |
MultiQueueSetting
(Appears on: KubevirtNodePoolPlatform)
Value | Description |
---|---|
"Disable" |
|
"Enable" |
NetworkFilter
(Appears on: NetworkParam)
NetworkFilter specifies a query to select an OpenStack network. At least one property must be set.
Field | Description |
---|---|
name
string
|
(Optional)
Name is the name of the network to filter by. |
description
string
|
(Optional)
Description is the description of the network to filter by. |
projectID
string
|
(Optional)
ProjectID is the project ID of the network to filter by. |
FilterByNeutronTags
FilterByNeutronTags
|
(Members of FilterByNeutronTags are embedded into this type.) FilterByNeutronTags specifies tags to filter by. |
NetworkParam
(Appears on: OpenStackPlatformSpec, PortSpec)
NetworkParam specifies an OpenStack network. It may be specified by either ID or Filter, but not both.
Field | Description |
---|---|
id
string
|
(Optional)
ID is the ID of the network to use. If ID is provided, the other filters cannot be provided. Must be in UUID format. |
filter
NetworkFilter
|
(Optional)
Filter specifies a filter to select an OpenStack network. If provided, cannot be empty. |
NetworkType
(Appears on: ClusterNetworking)
NetworkType specifies the SDN provider used for cluster networking.
Value | Description |
---|---|
"Calico" |
Calico specifies Calico as the SDN provider |
"OVNKubernetes" |
OVNKubernetes specifies OVN as the SDN provider |
"OpenShiftSDN" |
OpenShiftSDN specifies OpenShiftSDN as the SDN provider |
"Other" |
Other specifies an undefined SDN provider |
NeutronTag
(Appears on: FilterByNeutronTags)
NeutronTag represents a tag on a Neutron resource. It may not be empty and may not contain commas.
NodePoolAutoScaling
(Appears on: NodePoolSpec)
NodePoolAutoScaling specifies auto-scaling behavior for a NodePool.
Field | Description |
---|---|
min
int32
|
Min is the minimum number of nodes to maintain in the pool. Must be >= 1 and <= .Max. |
max
int32
|
Max is the maximum number of nodes allowed in the pool. Must be >= 1 and >= Min. |
NodePoolCondition
(Appears on: NodePoolStatus)
We define our own condition type since metav1.Condition has validation for Reason that might be broken by what we bubble up from CAPI. NodePoolCondition defines an observation of NodePool resource operational state.
Field | Description |
---|---|
type
string
|
Type of condition in CamelCase or in foo.example.com/CamelCase. Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. |
status
Kubernetes core/v1.ConditionStatus
|
Status of the condition, one of True, False, Unknown. |
severity
string
|
(Optional)
Severity provides an explicit classification of Reason code, so the users or machines can immediately understand the current situation and act accordingly. The Severity field MUST be set only when Status=False. |
lastTransitionTime
Kubernetes meta/v1.Time
|
Last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. |
reason
string
|
(Optional)
The reason for the condition’s last transition in CamelCase. The specific API may choose whether or not this field is considered a guaranteed API. This field may not be empty. |
message
string
|
(Optional)
A human readable message indicating details about the transition. This field may be empty. |
observedGeneration
int64
|
NodePoolManagement
(Appears on: NodePoolSpec)
NodePoolManagement specifies behavior for managing nodes in a NodePool, such as upgrade strategies and auto-repair behaviors.
Field | Description |
---|---|
upgradeType
UpgradeType
|
upgradeType specifies the type of strategy for handling upgrades. This can be either “Replace” or “InPlace”. “Replace” will update Nodes by recreating the underlying instances. “InPlace” will update Nodes by applying changes to the existing instances. This might or might not result in a reboot. |
replace
ReplaceUpgrade
|
replace is the configuration for rolling upgrades. It defaults to a RollingUpdate strategy with maxSurge of 1 and maxUnavailable of 0. |
inPlace
InPlaceUpgrade
|
inPlace is the configuration for in-place upgrades. |
autoRepair
bool
|
(Optional)
autoRepair specifies whether health checks should be enabled for machines in the NodePool. The default is false. Enabling this feature will cause the controller to automatically delete unhealthy machines. The unhealthy criteria are reserved for the controller implementation and subject to change, but generally health is determined by checking whether the Node Ready condition is true, with a timeout that might vary depending on the platform provider. AutoRepair will no-op when more than 2 Nodes are unhealthy at the same time, giving the cluster time to stabilize or the user time to intervene manually. |
NodePoolPlatform
(Appears on: NodePoolSpec)
NodePoolPlatform specifies the underlying infrastructure provider for the NodePool and is used to configure platform specific behavior.
Field | Description |
---|---|
type
PlatformType
|
Type specifies the platform name. |
aws
AWSNodePoolPlatform
|
(Optional)
AWS specifies the configuration used when operating on AWS. |
ibmcloud
IBMCloudPlatformSpec
|
IBMCloud defines IBMCloud specific settings for components |
kubevirt
KubevirtNodePoolPlatform
|
(Optional)
Kubevirt specifies the configuration used when operating on KubeVirt platform. |
agent
AgentNodePoolPlatform
|
(Optional)
Agent specifies the configuration used when using Agent platform. |
azure
AzureNodePoolPlatform
|
|
powervs
PowerVSNodePoolPlatform
|
(Optional)
PowerVS specifies the configuration used when using IBMCloud PowerVS platform. |
openstack
OpenStackNodePoolPlatform
|
(Optional)
OpenStack specifies the configuration used when using OpenStack platform. |
NodePoolPlatformStatus
(Appears on: NodePoolStatus)
NodePoolPlatformStatus contains specific platform statuses
Field | Description |
---|---|
kubeVirt
KubeVirtNodePoolStatus
|
(Optional)
KubeVirt contains the KubeVirt platform statuses |
NodePoolSpec
(Appears on: NodePool)
NodePoolSpec is the desired behavior of a NodePool.
Field | Description |
---|---|
clusterName
string
|
clusterName is the name of the HostedCluster this NodePool belongs to. If a HostedCluster with this name doesn’t exist, the controller will no-op until it exists. |
release
Release
|
release specifies the OCP release used for the NodePool. This informs the ignition configuration for machines, which includes the kubelet version, as well as other platform specific machine properties (e.g. an AMI on the AWS platform). Using a release in a NodePool whose minor version skew against the Control Plane release is bigger than N-2 is not supported, although there is no enforcement that prevents this from happening; attempting to use a release with a bigger skew might result in unpredictable behaviour. Attempting to use a release higher than the HostedCluster one will result in the NodePool being degraded and the ValidReleaseImage condition being false. Attempting to use a release lower than the current NodePool y-stream will result in the NodePool being degraded and the ValidReleaseImage condition being false. Changing this field will trigger a NodePool rollout. |
platform
NodePoolPlatform
|
platform specifies the underlying infrastructure provider for the NodePool and is used to configure platform specific behavior. |
replicas
int32
|
(Optional)
replicas is the desired number of nodes the pool should maintain. If unset, the controller default value is 0. replicas is mutually exclusive with autoscaling. If autoscaling is configured, replicas must be omitted and autoscaling will control the NodePool size internally. |
management
NodePoolManagement
|
management specifies behavior for managing nodes in the pool, such as upgrade strategies and auto-repair behaviors. |
autoScaling
NodePoolAutoScaling
|
(Optional)
autoscaling specifies auto-scaling behavior for the NodePool. autoscaling is mutually exclusive with replicas. If replicas is set, this field must be omitted. |
config
[]Kubernetes core/v1.LocalObjectReference
|
config is a list of references to ConfigMaps containing serialized MachineConfig resources to be injected into the ignition configurations of nodes in the NodePool. The MachineConfig API schema is defined here: Each ConfigMap must have a single key named “config” whose value is the YML with one or more serialized machineconfiguration.openshift.io resources:
This is validated in the backend and signaled back via validMachineConfig condition. Changing this field will trigger a NodePool rollout. |
nodeDrainTimeout
Kubernetes meta/v1.Duration
|
(Optional)
nodeDrainTimeout is the maximum amount of time that the controller will spend on retrying to drain a node until it succeeds. The default value is 0, meaning that the node can retry drain without any time limitations. Changing this field propagates in place to existing Nodes. |
nodeVolumeDetachTimeout
Kubernetes meta/v1.Duration
|
(Optional)
nodeVolumeDetachTimeout is the maximum amount of time that the controller will spend on detaching volumes from a node. The default value is 0, meaning that the volumes will be detached from the node without any time limitations. After the timeout, any remaining attached volumes will be ignored and the removal of the machine will continue. Changing this field propagates in place to existing Nodes. |
nodeLabels
map[string]string
|
(Optional)
nodeLabels propagates a list of labels to Nodes, only once on creation. Valid values are those in https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set |
taints
[]Taint
|
(Optional)
taints if specified, propagates a list of taints to Nodes, only once on creation. These taints are additive to the ones applied by other controllers |
pausedUntil
string
|
(Optional)
pausedUntil is a field that can be used to pause reconciliation on the NodePool controller, resulting in any change to the NodePool being ignored. Either a date can be provided in RFC3339 format or a boolean as in ‘true’, ‘false’, ‘True’, ‘False’. If a date is provided, reconciliation is paused on the resource until that date. If the boolean true is provided, reconciliation is paused on the resource until the field is removed. |
tuningConfig
[]Kubernetes core/v1.LocalObjectReference
|
tuningConfig is a list of references to ConfigMaps containing serialized Tuned or PerformanceProfile resources to define the tuning configuration to be applied to nodes in the NodePool. The Tuned API is defined here: The PerformanceProfile API is defined here: https://github.com/openshift/cluster-node-tuning-operator/tree/b41042d42d4ba5bb2e99960248cf1d6ae4935018/pkg/apis/performanceprofile/v2 Each ConfigMap must have a single key named “tuning” whose value is the JSON or YAML of a serialized Tuned or PerformanceProfile. Changing this field will trigger a NodePool rollout. |
arch
string
|
(Optional)
arch is the preferred processor architecture for the NodePool. Different platforms might have different supported architectures. TODO: This is set as optional to prevent validation from failing due to a limitation on client side validation with open API machinery: https://github.com/kubernetes/kubernetes/issues/108768#issuecomment-1253912215 TODO Add s390x to enum validation once the architecture is supported |
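The constraints stated for NodePoolSpec (replicas versus autoScaling, autoScaling min/max, the accepted pausedUntil formats) together with the InPlaceUpgrade.maxUnavailable rounding rule, checked in Go as an added example that is not HyperShift's own code; the struct fields are a constructed, flattened stand-in for the API types, not the real ones:

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// NodePoolAutoScaling and NodePoolSpec are constructed, flattened stand-ins
// for the API types above, keeping only the fields this example validates.
type NodePoolAutoScaling struct{ Min, Max int32 }

type NodePoolSpec struct {
	ClusterName string
	Replicas    *int32               // nil when omitted
	AutoScaling *NodePoolAutoScaling // nil when omitted
	PausedUntil string               // "" when omitted
	// InPlaceMaxUnavailable stands in for management.inPlace.maxUnavailable,
	// an IntOrString: "5", "10%" or "" (unset, which defaults to 1).
	InPlaceMaxUnavailable string
}

// MaxUnavailableNodes resolves InPlaceUpgrade.maxUnavailable against the
// desired node count: an absolute number is used as-is, a percentage is
// applied to desired and rounded down, and an unset value defaults to 1.
func MaxUnavailableNodes(value string, desired int32) (int32, error) {
	if value == "" {
		return 1, nil
	}
	if strings.HasSuffix(value, "%") {
		pct, err := strconv.Atoi(strings.TrimSuffix(value, "%"))
		if err != nil || pct < 0 || pct > 100 {
			return 0, fmt.Errorf("maxUnavailable %q is not a valid percentage", value)
		}
		return int32(int(desired) * pct / 100), nil // integer division rounds down
	}
	n, err := strconv.Atoi(value)
	if err != nil || n < 0 {
		return 0, fmt.Errorf("maxUnavailable %q is not a non-negative integer", value)
	}
	return int32(n), nil
}

// IsPaused interprets pausedUntil at the instant now: 'true'/'True' pause until
// the field is removed, 'false'/'False' do not pause, an RFC3339 date pauses until then.
func IsPaused(pausedUntil string, now time.Time) (bool, error) {
	switch pausedUntil {
	case "":
		return false, nil
	case "true", "True":
		return true, nil
	case "false", "False":
		return false, nil
	}
	until, err := time.Parse(time.RFC3339, pausedUntil)
	if err != nil {
		return false, fmt.Errorf("pausedUntil %q is neither RFC3339 nor a boolean", pausedUntil)
	}
	return now.Before(until), nil
}

// ValidateNodePoolSpec applies the constraints the field descriptions state
// and returns every violation found (empty when the spec is valid).
func ValidateNodePoolSpec(spec NodePoolSpec) []string {
	var violations []string
	if spec.ClusterName == "" {
		violations = append(violations, "clusterName is required")
	}
	if spec.Replicas != nil && spec.AutoScaling != nil {
		violations = append(violations, "replicas and autoScaling are mutually exclusive")
	}
	if a := spec.AutoScaling; a != nil {
		if a.Min < 1 {
			violations = append(violations, fmt.Sprintf("autoScaling.min must be >= 1, got %d", a.Min))
		}
		if a.Max < a.Min {
			violations = append(violations, fmt.Sprintf("autoScaling.max (%d) must be >= min (%d)", a.Max, a.Min))
		}
	}
	if _, err := IsPaused(spec.PausedUntil, time.Now()); err != nil {
		violations = append(violations, err.Error())
	}
	// desired=1 is a dummy here: only the syntax of maxUnavailable is checked.
	if _, err := MaxUnavailableNodes(spec.InPlaceMaxUnavailable, 1); err != nil {
		violations = append(violations, err.Error())
	}
	return violations
}

func main() {
	// Constructed sample: replicas and autoScaling both set, plus a malformed pausedUntil.
	one := int32(1)
	spec := NodePoolSpec{ClusterName: "example", Replicas: &one,
		AutoScaling: &NodePoolAutoScaling{Min: 2, Max: 1}, PausedUntil: "tomorrow"}
	fmt.Println(strings.Join(ValidateNodePoolSpec(spec), "\n"))
}
```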
NodePoolStatus
(Appears on: NodePool)
NodePoolStatus is the latest observed status of a NodePool.
Field | Description |
---|---|
replicas
int32
|
(Optional)
Replicas is the latest observed number of nodes in the pool. |
version
string
|
Version is the semantic version of the latest applied release specified by the NodePool. |
platform
NodePoolPlatformStatus
|
Platform holds the platform-specific statuses. |
conditions
[]NodePoolCondition
|
(Optional)
Conditions represents the latest available observations of the node pool’s current state. |
NodePortPublishingStrategy
(Appears on: ServicePublishingStrategy)
NodePortPublishingStrategy specifies a NodePort used to expose a service.
Field | Description |
---|---|
address
string
|
address is the host/ip that the NodePort service is exposed over. |
port
int32
|
port is the port of the NodePort service. If <=0, the port is dynamically assigned when the service is created. |
OLMCatalogPlacement
(Appears on: HostedClusterSpec, HostedControlPlaneSpec)
OLMCatalogPlacement is an enum specifying the placement of OLM catalog components.
Value | Description |
---|---|
"guest" |
GuestOLMCatalogPlacement indicates OLM catalog components will be placed in the guest cluster. |
"management" |
ManagementOLMCatalogPlacement indicates OLM catalog components will be placed in the management cluster. |
OpenStackIdentityReference
(Appears on: OpenStackPlatformSpec)
OpenStackIdentityReference is a reference to an infrastructure provider identity to be used to provision cluster resources.
Field | Description |
---|---|
name
string
|
Name is the name of a secret in the same namespace as the resource being provisioned.
The secret must contain a key named |
cloudName
string
|
CloudName specifies the name of the entry in the clouds.yaml file to use. |
OpenStackNodePoolPlatform
(Appears on: NodePoolPlatform)
Field | Description |
---|---|
flavor
string
|
Flavor is the OpenStack flavor to use for the node instances. |
imageName
string
|
(Optional)
ImageName is the OpenStack Glance image name to use for node instances. If unspecified, the default is chosen based on the NodePool release payload image. |
availabilityZone
string
|
(Optional)
availabilityZone is the nova availability zone in which the provider will create the VM. If not specified, the VM will be created in the default availability zone specified in the nova configuration. Availability zone names must NOT contain ':' since it is used by admin users to specify hosts where instances are launched in server creation. Also, it must not contain spaces, otherwise registering a node that belongs to this availability zone will fail; see kubernetes/cloud-provider-openstack#1379 for further information. The maximum length of an availability zone name is 63, as per the labels limits. |
additionalPorts
[]PortSpec
|
(Optional)
AdditionalPorts is a list of additional ports to create on the node instances. |
OpenStackPlatformSpec
(Appears on: PlatformSpec)
OpenStackPlatformSpec specifies configuration for clusters running on OpenStack.
Field | Description |
---|---|
identityRef
OpenStackIdentityReference
|
IdentityRef is a reference to a secret holding OpenStack credentials to be used when reconciling the hosted cluster. |
managedSubnets
[]SubnetSpec
|
(Optional)
ManagedSubnets describes the OpenStack Subnet to be created. The cluster actuator will create a network, a subnet with the defined DNSNameservers, AllocationPools and the CIDR defined in the HostedCluster MachineNetwork, and a router connected to the subnet. Currently only one IPv4 subnet is supported. |
router
RouterParam
|
(Optional)
Router specifies an existing router to be used if ManagedSubnets are specified. If specified, no new router will be created. |
network
NetworkParam
|
(Optional)
Network specifies an existing network to use if no ManagedSubnets are specified. |
subnets
[]SubnetParam
|
(Optional)
Subnets specifies existing subnets to use if no ManagedSubnets are specified. All subnets must be in the network specified by Network. There can be zero, one, or two subnets. If no subnets are specified, all subnets in Network will be used. If 2 subnets are specified, one must be IPv4 and the other IPv6. |
networkMTU
int
|
(Optional)
NetworkMTU sets the maximum transmission unit (MTU) value to address fragmentation for the private network ID. This value will be used only if the Cluster actuator creates the network. If left empty, the network will have the default MTU defined in the OpenStack network service. To use this field, the OpenStack installation requires the net-mtu neutron API extension. |
externalNetwork
NetworkParam
|
(Optional)
ExternalNetwork is the OpenStack Network to be used to get public internet to the VMs. This option is ignored if DisableExternalNetwork is set to true. If ExternalNetwork is defined it must refer to exactly one external network. If ExternalNetwork is not defined or is empty the controller will use any existing external network as long as there is only one. It is an error if ExternalNetwork is not defined and there are multiple external networks unless DisableExternalNetwork is also set. If ExternalNetwork is not defined and there are no external networks the controller will proceed as though DisableExternalNetwork was set. |
disableExternalNetwork
bool
|
(Optional)
DisableExternalNetwork specifies whether or not to attempt to connect the cluster to an external network. This allows for the creation of clusters when connecting to an external network is not possible or desirable, e.g. if using a provider network. |
tags
[]string
|
(Optional)
Tags to set on all resources in the cluster which support tags. |
ingressFloatingIP
string
|
(Optional)
IngressFloatingIP is an available floating IP in your OpenStack cluster that will be associated with the OpenShift ingress port. When not specified, an IP address will be assigned randomly by the OpenStack cloud provider. When specified, the floating IP has to be pre-created. If the specified value is not a floating IP or is already claimed, the OpenStack cloud provider won’t be able to provision the load balancer. This value must be a valid IPv4 or IPv6 address. |
PayloadArchType
(Appears on: HostedClusterStatus)
Value | Description |
---|---|
"AMD64" |
|
"ARM64" |
|
"Multi" |
|
"PPC64LE" |
|
"S390X" |
PersistentVolumeAccessMode
(Appears on: KubevirtPersistentVolume)
PersistentVolumeEtcdStorageSpec
(Appears on: ManagedEtcdStorageSpec)
PersistentVolumeEtcdStorageSpec is the configuration for PersistentVolume etcd storage.
Field | Description |
---|---|
storageClassName
string
|
(Optional)
storageClassName is the StorageClass of the data volume for each etcd member. See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1. TODO(alberto): This shouldn’t really be a pointer. There’s no real different semantic for nil and empty string. Revisit all pointer vs non-pointer choices. |
size
k8s.io/apimachinery/pkg/api/resource.Quantity
|
(Optional)
size is the minimum size of the data volume for each etcd member. Default is 8Gi. This field is immutable. |
PlacementOptions
(Appears on: AWSNodePoolPlatform)
PlacementOptions specifies the placement options for the EC2 instances.
Field | Description |
---|---|
tenancy
string
|
(Optional)
Tenancy indicates if the instance should run on shared or single-tenant hardware. Possible values: default: NodePool instances run on shared hardware. dedicated: Each NodePool instance runs on single-tenant hardware. host: NodePool instances run on the user’s pre-allocated dedicated hosts. |
PlatformSpec
(Appears on: HostedClusterSpec, HostedControlPlaneSpec)
PlatformSpec specifies the underlying infrastructure provider for the cluster and is used to configure platform specific behavior.
Field | Description |
---|---|
type
PlatformType
|
Type is the type of infrastructure provider for the cluster. |
aws
AWSPlatformSpec
|
(Optional)
AWS specifies configuration for clusters running on Amazon Web Services. |
agent
AgentPlatformSpec
|
(Optional)
Agent specifies configuration for agent-based installations. |
ibmcloud
IBMCloudPlatformSpec
|
IBMCloud defines IBMCloud-specific settings for components. |
azure
AzurePlatformSpec
|
Azure defines Azure-specific settings. |
powervs
PowerVSPlatformSpec
|
(Optional)
PowerVS specifies configuration for clusters running on the IBMCloud Power VS Service. This field is immutable. Once set, it can’t be changed. |
kubevirt
KubevirtPlatformSpec
|
(Optional)
KubeVirt defines KubeVirt specific settings for cluster components. |
openstack
OpenStackPlatformSpec
|
(Optional)
OpenStack specifies configuration for clusters running on OpenStack. |
PlatformStatus
(Appears on: HostedClusterStatus, HostedControlPlaneStatus)
PlatformStatus contains platform-specific status
Field | Description |
---|---|
aws
AWSPlatformStatus
|
(Optional) |
PlatformType
(Appears on: KarpenterConfig, NodePoolPlatform, PlatformSpec)
PlatformType is a specific supported infrastructure provider.
Value | Description |
---|---|
"AWS" |
AWSPlatform represents Amazon Web Services infrastructure. |
"Agent" |
AgentPlatform represents user supplied infrastructure booted with agents. |
"Azure" |
AzurePlatform represents Azure infrastructure. |
"IBMCloud" |
IBMCloudPlatform represents IBM Cloud infrastructure. |
"KubeVirt" |
KubevirtPlatform represents Kubevirt infrastructure. |
"None" |
NonePlatform represents user supplied (e.g. bare metal) infrastructure. |
"OpenStack" |
OpenStackPlatform represents OpenStack infrastructure. |
"PowerVS" |
PowerVSPlatform represents PowerVS infrastructure. |
PortSecurityPolicy
(Appears on: PortSpec)
PortSecurityPolicy defines whether or not to enable port security on a port.
Value | Description |
---|---|
"" |
PortSecurityDefault uses the default port security policy. |
"Disabled" |
PortSecurityDisabled disables port security on a port. |
"Enabled" |
PortSecurityEnabled enables port security on a port. |
PortSpec
(Appears on: OpenStackNodePoolPlatform)
PortSpec specifies the options for creating a port.
Field | Description |
---|---|
network
NetworkParam
|
(Optional)
Network is a query for an OpenStack network that the port will be created or discovered on. This will fail if the query returns more than one network. |
description
string
|
(Optional)
Description is a human-readable description for the port. |
allowedAddressPairs
[]AddressPair
|
(Optional)
AllowedAddressPairs is a list of address pairs which Neutron will allow the port to send traffic from in addition to the port’s addresses. If not specified, the MAC Address will be the MAC Address of the port. Depending on the configuration of Neutron, it may be supported to specify a CIDR instead of a specific IP address. |
vnicType
string
|
(Optional)
VNICType specifies the type of vNIC which this port should be attached to. This is used to determine which mechanism driver(s) to be used to bind the port. The valid values are normal, macvtap, direct, baremetal, direct-physical, virtio-forwarder, smart-nic and remote-managed, although these values will not be validated in this API to ensure compatibility with future neutron changes or custom implementations. What type of vNIC is actually available depends on deployments. If not specified, the Neutron default value is used. |
portSecurityPolicy
PortSecurityPolicy
|
(Optional)
PortSecurityPolicy specifies whether or not to enable port security on the port. Allowed values are “Enabled”, “Disabled” and omitted. When not set, it takes the value of the corresponding field at the network level. |
PowerVSNodePoolImageDeletePolicy
(Appears on: PowerVSNodePoolPlatform)
PowerVSNodePoolImageDeletePolicy defines image delete policy to be used for PowerVSNodePoolPlatform
PowerVSNodePoolPlatform
(Appears on: NodePoolPlatform)
PowerVSNodePoolPlatform specifies the configuration of a NodePool when operating on IBMCloud PowerVS platform.
Field | Description |
---|---|
systemType
string
|
(Optional)
SystemType is the System type used to host the instance. systemType determines the number of cores and memory that is available. Some of the supported SystemTypes are s922, e880 and e980. The e880 systemType is available only in Dallas datacenters. The e980 systemType is available in datacenters except Dallas and Washington. When omitted, this means that the user has no opinion and the platform is left to choose a reasonable default. The current default is s922, which is generally available. |
processorType
PowerVSNodePoolProcType
|
(Optional)
ProcessorType is the VM instance processor type. It must be set to one of the following values: Dedicated, Capped or Shared. Dedicated: resources are allocated for a specific client; the hypervisor makes a 1:1 binding of a partition’s processor to a physical processor core. Shared: shared among other clients. Capped: shared, but resources do not expand beyond those that are requested; the amount of CPU time is capped to the value specified for the entitlement. If the processorType is Dedicated, the Processors value cannot be fractional. When omitted, this means that the user has no opinion and the platform is left to choose a reasonable default. The current default is shared. |
processors
k8s.io/apimachinery/pkg/util/intstr.IntOrString
|
(Optional)
Processors is the number of virtual processors in a virtual machine. When the processorType is Dedicated, the processors value cannot be fractional. The maximum value for Processors depends on the selected SystemType: when SystemType is e880 or e980, the maximum Processors value is 143; when SystemType is s922, the maximum Processors value is 15. The minimum value for Processors depends on the selected ProcessorType: when ProcessorType is Shared or Capped, the minimum is 0.5; when ProcessorType is Dedicated, the minimum is 1. When omitted, this means that the user has no opinion and the platform is left to choose a reasonable default. The default is set based on the selected ProcessorType: when ProcessorType is Dedicated, the default is 1; when ProcessorType is Shared or Capped, the default is 0.5. |
memoryGiB
int32
|
(Optional)
MemoryGiB is the size of a virtual machine’s memory, in GiB. The maximum value for MemoryGiB depends on the selected SystemType: when SystemType is e880, the maximum is 7463 GiB; when SystemType is e980, the maximum is 15307 GiB; when SystemType is s922, the maximum is 942 GiB. The minimum memory is 32 GiB. When omitted, this means the user has no opinion and the platform is left to choose a reasonable default. The current default is 32. |
image
PowerVSResourceReference
|
(Optional)
Image used for deploying the nodes. If unspecified, the default is chosen based on the NodePool release payload image. |
storageType
PowerVSNodePoolStorageType
|
(Optional)
StorageType is the storage type for the image and nodes; it will be ignored if Image is specified. The storage tiers in PowerVS are based on I/O operations per second (IOPS), meaning that the performance of your storage volumes is limited to the maximum number of IOPS based on volume size and storage tier. Although the exact numbers might change over time, Tier 3 storage is currently set to 3 IOPS/GB, and Tier 1 storage is currently set to 10 IOPS/GB. The default is tier1. |
imageDeletePolicy
PowerVSNodePoolImageDeletePolicy
|
(Optional)
ImageDeletePolicy is the policy for image deletion. delete: delete the image from the infrastructure. retain: delete the image from OpenShift but retain it in the infrastructure. The default is delete. |
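The systemType, processorType, processors and memoryGiB descriptions above form a small set of interdependent limits and defaults. The following is an added example, not HyperShift's own validation code; it applies those documented defaults and checks a constructed spec against them, with a plain string standing in for the IntOrString processors field.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"strconv"
	"strings"
)

// Limits and defaults as stated in the PowerVSNodePoolPlatform field descriptions.
var (
	maxProcessorsBySystem = map[string]float64{"s922": 15, "e880": 143, "e980": 143}
	maxMemoryGiBBySystem  = map[string]int32{"s922": 942, "e880": 7463, "e980": 15307}
	minProcessorsByProc   = map[string]float64{"shared": 0.5, "capped": 0.5, "dedicated": 1}
)

const (
	defaultSystemType = "s922"
	defaultProcType   = "shared"
	minMemoryGiB      = 32
	defaultMemoryGiB  = 32
)

// Resolved holds the effective compute shape after defaults are applied.
type Resolved struct {
	SystemType    string
	ProcessorType string
	Processors    float64
	MemoryGiB     int32
}

// ResolvePowerVSCompute applies the documented defaults and checks the documented
// constraints. processors stands in for the IntOrString field: "" when unset, an
// integer such as "2", or a fractional string such as "0.5". memoryGiB 0 means unset.
func ResolvePowerVSCompute(systemType, procType, processors string, memoryGiB int32) (Resolved, error) {
	r := Resolved{SystemType: systemType, ProcessorType: strings.ToLower(procType), MemoryGiB: memoryGiB}
	if r.SystemType == "" {
		r.SystemType = defaultSystemType
	}
	if r.ProcessorType == "" {
		r.ProcessorType = defaultProcType
	}
	maxProcs, ok := maxProcessorsBySystem[r.SystemType]
	if !ok {
		return r, fmt.Errorf("unknown systemType %q", r.SystemType)
	}
	minProcs, ok := minProcessorsByProc[r.ProcessorType]
	if !ok {
		return r, fmt.Errorf("unknown processorType %q", r.ProcessorType)
	}
	if processors == "" {
		// Documented default: 1 for dedicated, 0.5 for shared or capped.
		r.Processors = minProcs
	} else {
		p, err := strconv.ParseFloat(processors, 64)
		if err != nil {
			return r, fmt.Errorf("processors %q is not numeric: %w", processors, err)
		}
		r.Processors = p
	}
	if r.ProcessorType == "dedicated" && r.Processors != math.Trunc(r.Processors) {
		return r, errors.New("dedicated processorType requires a whole number of processors")
	}
	if r.Processors < minProcs || r.Processors > maxProcs {
		return r, fmt.Errorf("processors %g outside [%g, %g] for systemType %s with %s processors",
			r.Processors, minProcs, maxProcs, r.SystemType, r.ProcessorType)
	}
	if r.MemoryGiB == 0 {
		r.MemoryGiB = defaultMemoryGiB
	}
	if maxMem := maxMemoryGiBBySystem[r.SystemType]; r.MemoryGiB < minMemoryGiB || r.MemoryGiB > maxMem {
		return r, fmt.Errorf("memoryGiB %d outside [%d, %d] for systemType %s", r.MemoryGiB, minMemoryGiB, maxMem, r.SystemType)
	}
	return r, nil
}

func main() {
	// Constructed sample specs, including two that the descriptions say are invalid.
	samples := []struct {
		sys, proc, procs string
		mem              int32
	}{
		{"", "", "", 0},
		{"e980", "dedicated", "2.5", 64},
		{"s922", "capped", "16", 64},
	}
	for _, s := range samples {
		r, err := ResolvePowerVSCompute(s.sys, s.proc, s.procs, s.mem)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("ok: %+v\n", r)
	}
}
```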
PowerVSNodePoolProcType
(Appears on: PowerVSNodePoolPlatform)
PowerVSNodePoolProcType defines processor type to be used for PowerVSNodePoolPlatform
Value | Description |
---|---|
"capped" |
PowerVSNodePoolCappedProcType defines capped processor type |
"dedicated" |
PowerVSNodePoolDedicatedProcType defines dedicated processor type |
"shared" |
PowerVSNodePoolSharedProcType defines shared processor type |
PowerVSNodePoolStorageType
(Appears on: PowerVSNodePoolPlatform)
PowerVSNodePoolStorageType defines storage type to be used for PowerVSNodePoolPlatform
PowerVSPlatformSpec
(Appears on: PlatformSpec)
PowerVSPlatformSpec defines IBMCloud PowerVS specific settings for components
Field | Description |
---|---|
accountID
string
|
AccountID is the IBMCloud account id. This field is immutable. Once set, it can’t be changed. |
cisInstanceCRN
string
|
CISInstanceCRN is the IBMCloud CIS Service Instance’s Cloud Resource Name. This field is immutable. Once set, it can’t be changed. |
resourceGroup
string
|
ResourceGroup is the IBMCloud Resource Group in which the cluster resides. This field is immutable. Once set, it can’t be changed. |
region
string
|
Region is the IBMCloud region in which the cluster resides. This configures the OCP control plane cloud integrations, and is used by NodePool to resolve the correct boot image for a given release. This field is immutable. Once set, it can’t be changed. |
zone
string
|
Zone is the availability zone where control plane cloud resources are created. This field is immutable. Once set, it can’t be changed. |
subnet
PowerVSResourceReference
|
Subnet is the subnet to use for control plane cloud resources. This field is immutable. Once set, it can’t be changed. |
serviceInstanceID
string
|
ServiceInstance is the reference to the Power VS service on which the server instance (VM) will be created. A Power VS service is a container for all Power VS instances in a specific geographic region. The service instance can be created via the IBM Cloud catalog or CLI. ServiceInstanceID is the unique identifier that can be obtained from the IBM Cloud UI or the IBM Cloud CLI. More detail about Power VS service instances: https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-creating-power-virtual-server This field is immutable. Once set, it can’t be changed. |
vpc
PowerVSVPC
|
VPC specifies the IBM Cloud PowerVS Load Balancing configuration for the control plane. This field is immutable. Once set, it can’t be changed. |
kubeCloudControllerCreds
Kubernetes core/v1.LocalObjectReference
|
KubeCloudControllerCreds is a reference to a secret containing cloud credentials with permissions matching the cloud controller policy. This field is immutable. Once set, it can’t be changed. TODO(dan): document the “cloud controller policy” |
nodePoolManagementCreds
Kubernetes core/v1.LocalObjectReference
|
NodePoolManagementCreds is a reference to a secret containing cloud credentials with permissions matching the node pool management policy. This field is immutable. Once set, it can’t be changed. TODO(dan): document the “node pool management policy” |
ingressOperatorCloudCreds
Kubernetes core/v1.LocalObjectReference
|
IngressOperatorCloudCreds is a reference to a secret containing IBM Cloud credentials used by the ingress operator to authenticate with IBM Cloud. |
storageOperatorCloudCreds
Kubernetes core/v1.LocalObjectReference
|
StorageOperatorCloudCreds is a reference to a secret containing IBM Cloud credentials used by the storage operator to authenticate with IBM Cloud. |
imageRegistryOperatorCloudCreds
Kubernetes core/v1.LocalObjectReference
|
ImageRegistryOperatorCloudCreds is a reference to a secret containing IBM Cloud credentials used by the image registry operator to authenticate with IBM Cloud. |
PowerVSResourceReference
(Appears on: PowerVSNodePoolPlatform, PowerVSPlatformSpec)
PowerVSResourceReference is a reference to a specific IBMCloud PowerVS resource by ID, or Name. Only one of ID, or Name may be specified. Specifying more than one will result in a validation error.
Field | Description |
---|---|
id
string
|
(Optional)
ID of resource |
name
string
|
(Optional)
Name of resource |
PowerVSVPC
(Appears on: PowerVSPlatformSpec)
PowerVSVPC specifies IBM Cloud PowerVS LoadBalancer configuration for the control plane.
Field | Description |
---|---|
name
string
|
Name of the VPC to be used for all the service load balancers. This field is immutable. Once set, it can’t be changed. |
region
string
|
Region is the IBMCloud region in which the VPC gets created; this VPC is used for all the ingress traffic into the OCP cluster. This field is immutable. Once set, it can’t be changed. |
zone
string
|
(Optional)
Zone is the availability zone where load balancer cloud resources are created. This field is immutable. Once set, it can’t be changed. |
subnet
string
|
(Optional)
Subnet is the subnet to use for the load balancer. This field is immutable. Once set, it can’t be changed. |
Provisioner
(Appears on: ProvisionerConfig)
Provisioner is an enum specifying the strategy for auto-managing Nodes.
Value | Description |
---|---|
"Karpenter" |
ProvisionerConfig
(Appears on: AutoNode)
ProvisionerConfig is an enum specifying the strategy for auto-managing Nodes.
Field | Description |
---|---|
name
Provisioner
|
name specifies the name of the provisioner to use. |
karpenter
KarpenterConfig
|
(Optional)
karpenter specifies the configuration for the Karpenter provisioner. |
PublishingStrategyType
(Appears on: ServicePublishingStrategy)
PublishingStrategyType defines publishing strategies for services.
QoSClass
(Appears on: KubevirtCompute)
Value | Description |
---|---|
"Burstable" |
|
"Guaranteed" |
Release
(Appears on: HostedClusterSpec, NodePoolSpec)
Release represents the metadata for an OCP release payload image.
Field | Description |
---|---|
image
string
|
Image is the image pullspec of an OCP release payload image. See https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags for a list of available images. |
ReplaceUpgrade
(Appears on: NodePoolManagement)
ReplaceUpgrade specifies upgrade behavior that replaces existing nodes according to a given strategy.
Field | Description |
---|---|
strategy
UpgradeStrategy
|
strategy is the node replacement strategy for nodes in the pool. It can be either “RollingUpdate” or “OnDelete”. RollingUpdate will roll out Nodes honoring maxSurge and maxUnavailable. OnDelete provides more granular control and will replace nodes as the old ones are manually deleted. |
rollingUpdate
RollingUpdate
|
rollingUpdate specifies a rolling update strategy which upgrades nodes by creating new nodes and deleting the old ones. |
RollingUpdate
(Appears on: ReplaceUpgrade)
RollingUpdate specifies a rolling update strategy which upgrades nodes by creating new nodes and deleting the old ones.
Field | Description |
---|---|
maxUnavailable
k8s.io/apimachinery/pkg/util/intstr.IntOrString
|
(Optional)
maxUnavailable is the maximum number of nodes that can be unavailable during the update. Value can be an absolute number (ex: 5) or a percentage of desired nodes (ex: 10%). The absolute number is calculated from the percentage by rounding down. This cannot be 0 if MaxSurge is 0. Defaults to 0. Example: when this is set to 30%, old nodes can be deleted down to 70% of desired nodes immediately when the rolling update starts. Once new nodes are ready, more old nodes can be deleted, followed by provisioning new nodes, ensuring that the total number of nodes available at all times during the update is at least 70% of desired nodes. |
maxSurge
k8s.io/apimachinery/pkg/util/intstr.IntOrString
|
(Optional)
maxSurge is the maximum number of nodes that can be provisioned above the desired number of nodes. Value can be an absolute number (ex: 5) or a percentage of desired nodes (ex: 10%). The absolute number is calculated from the percentage by rounding up. This cannot be 0 if MaxUnavailable is 0. Defaults to 1. Example: when this is set to 30%, new nodes can be provisioned immediately when the rolling update starts, such that the total number of old and new nodes does not exceed 130% of desired nodes. Once old nodes have been deleted, new nodes can be provisioned, ensuring that the total number of nodes running at any time during the update is at most 130% of desired nodes. |
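The two fields above interact: percentages round in opposite directions, and a pool where both resolve to nothing cannot make progress. The following is an added example, not HyperShift's own controller code; it resolves maxUnavailable and maxSurge for a given desired node count with the documented defaults and rounding, rejects the literal 0/0 pair, and separately flags (as this example's own warning) small pools whose percentages round down to zero.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"strconv"
	"strings"
)

// scaledValue resolves an IntOrString-like value ("5" or "10%") against the desired
// node count, rounding percentages the way the field descriptions state.
func scaledValue(v string, desired int32, roundUp bool) (int32, error) {
	v = strings.TrimSpace(v)
	if strings.HasSuffix(v, "%") {
		pct, err := strconv.Atoi(strings.TrimSuffix(v, "%"))
		if err != nil || pct < 0 || pct > 100 {
			return 0, fmt.Errorf("%q is not a percentage in 0%%..100%%", v)
		}
		exact := float64(desired) * float64(pct) / 100
		if roundUp {
			return int32(math.Ceil(exact)), nil
		}
		return int32(math.Floor(exact)), nil
	}
	n, err := strconv.Atoi(v)
	if err != nil || n < 0 {
		return 0, fmt.Errorf("%q is not a non-negative integer", v)
	}
	return int32(n), nil
}

// RolloutBounds describes what a RollingUpdate may do to a pool of `desired` nodes.
type RolloutBounds struct {
	MaxUnavailable int32 // old nodes that may be deleted before replacements are ready
	MaxSurge       int32 // extra nodes that may exist above the desired count
	MinAvailable   int32 // desired - MaxUnavailable
	MaxTotal       int32 // desired + MaxSurge
	Stalled        bool  // both values rounded to 0: the update cannot make progress
}

func isZero(v string) bool {
	v = strings.TrimSpace(v)
	return v == "0" || v == "0%"
}

// ResolveRollingUpdate applies the defaults (maxUnavailable 0, maxSurge 1), rejects
// the configuration where both are literally 0, then resolves percentages: down for
// maxUnavailable, up for maxSurge. Stalled is this example's own warning; the page
// does not say how the controller handles percentages that round to zero.
func ResolveRollingUpdate(maxUnavailable, maxSurge string, desired int32) (RolloutBounds, error) {
	if strings.TrimSpace(maxUnavailable) == "" {
		maxUnavailable = "0"
	}
	if strings.TrimSpace(maxSurge) == "" {
		maxSurge = "1"
	}
	if isZero(maxUnavailable) && isZero(maxSurge) {
		return RolloutBounds{}, errors.New("maxUnavailable and maxSurge cannot both be 0")
	}
	mu, err := scaledValue(maxUnavailable, desired, false)
	if err != nil {
		return RolloutBounds{}, fmt.Errorf("maxUnavailable: %w", err)
	}
	ms, err := scaledValue(maxSurge, desired, true)
	if err != nil {
		return RolloutBounds{}, fmt.Errorf("maxSurge: %w", err)
	}
	if mu > desired {
		mu = desired // cannot take down more nodes than exist (this example's clamp)
	}
	return RolloutBounds{
		MaxUnavailable: mu,
		MaxSurge:       ms,
		MinAvailable:   desired - mu,
		MaxTotal:       desired + ms,
		Stalled:        mu == 0 && ms == 0,
	}, nil
}

func main() {
	// Constructed cases: the documented 30% example, a small pool, defaults, and the rejected 0/0 pair.
	cases := []struct {
		mu, ms  string
		desired int32
	}{
		{"30%", "30%", 10}, {"30%", "0", 2}, {"", "", 4}, {"0", "0", 4},
	}
	for _, c := range cases {
		b, err := ResolveRollingUpdate(c.mu, c.ms, c.desired)
		if err != nil {
			fmt.Printf("desired=%d maxUnavailable=%q maxSurge=%q -> rejected: %v\n", c.desired, c.mu, c.ms, err)
			continue
		}
		fmt.Printf("desired=%d maxUnavailable=%q maxSurge=%q -> %+v\n", c.desired, c.mu, c.ms, b)
	}
}
```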
RoutePublishingStrategy
(Appears on: ServicePublishingStrategy)
RoutePublishingStrategy specifies options for exposing a service as a Route.
Field | Description |
---|---|
hostname
string
|
(Optional)
Hostname is the name of the DNS record that will be created pointing to the Route and passed through to consumers of the service. If omitted, the value will be inferred from management ingress.Spec.Domain. |
RouterFilter
(Appears on: RouterParam)
RouterFilter specifies a query to select an OpenStack router. At least one property must be set.
Field | Description |
---|---|
name
string
|
(Optional)
Name is the name of the router to filter by. |
description
string
|
(Optional)
Description is the description of the router to filter by. |
projectID
string
|
(Optional)
ProjectID is the project ID of the router to filter by. |
FilterByNeutronTags
FilterByNeutronTags
|
(Members of FilterByNeutronTags are embedded into this type.) FilterByNeutronTags specifies tags to filter by. |
RouterParam
(Appears on: OpenStackPlatformSpec)
RouterParam specifies an OpenStack router to use. It may be specified by either ID or filter, but not both.
Field | Description |
---|---|
id
string
|
(Optional)
ID is the ID of the router to use. If ID is provided, the other filters cannot be provided. Must be in UUID format. |
filter
RouterFilter
|
(Optional)
Filter specifies a filter to select an OpenStack router. If provided, cannot be empty. |
SecretEncryptionSpec
(Appears on: HostedClusterSpec, HostedControlPlaneSpec)
SecretEncryptionSpec contains metadata about the kubernetes secret encryption strategy being used for the cluster when applicable.
Field | Description |
---|---|
type
SecretEncryptionType
|
Type defines the type of kube secret encryption being used |
kms
KMSSpec
|
(Optional)
KMS defines metadata about the kms secret encryption strategy |
aescbc
AESCBCSpec
|
(Optional)
AESCBC defines metadata about the AESCBC secret encryption strategy |
SecretEncryptionType
(Appears on: SecretEncryptionSpec)
SecretEncryptionType defines the type of kube secret encryption being used.
Value | Description |
---|---|
"aescbc" |
AESCBC uses AES-CBC with PKCS#7 padding to do secret encryption |
"kms" |
KMS integrates with a cloud provider’s key management service to do secret encryption |
ServiceNetworkEntry
(Appears on: ClusterNetworking)
ServiceNetworkEntry is a single IP address block for the service network.
Field | Description |
---|---|
cidr
github.com/openshift/hypershift/api/util/ipnet.IPNet
|
cidr is the IP block address pool for services within the cluster in CIDR format (e.g., 192.168.1.0/24 or 2001:0db8::/64) |
ServicePublishingStrategy
(Appears on: ServicePublishingStrategyMapping)
Field | Description |
---|---|
type
PublishingStrategyType
|
type is the publishing strategy used for the service. It can be LoadBalancer, NodePort, Route, None or S3. |
nodePort
NodePortPublishingStrategy
|
(Optional)
nodePort configures exposing a service using a NodePort. |
loadBalancer
LoadBalancerPublishingStrategy
|
(Optional)
loadBalancer configures exposing a service using a dedicated LoadBalancer. |
route
RoutePublishingStrategy
|
(Optional)
route configures exposing a service using a Route through an ingress controller behind a cloud Load Balancer. The specifics of the setup are platform dependent. |
ServicePublishingStrategyMapping
(Appears on: HostedClusterSpec, HostedControlPlaneSpec)
ServicePublishingStrategyMapping specifies how individual control plane services endpoints are published for consumption. This includes APIServer;OAuthServer;Konnectivity;Ignition. If a given service is not present in this list, it will be exposed publicly by default.
Field | Description |
---|---|
service
ServiceType
|
service identifies the type of service being published. It can be APIServer, OAuthServer, Konnectivity or Ignition. OVNSbDb and OIDC are no-ops and are kept for backward compatibility. This field is immutable. |
servicePublishingStrategy
ServicePublishingStrategy
|
servicePublishingStrategy specifies how to publish a service endpoint. |
ServiceType
(Appears on: ServicePublishingStrategyMapping)
ServiceType defines what control plane services can be exposed from the management control plane.
SubnetFilter
(Appears on: SubnetParam)
SubnetFilter specifies a filter to select a subnet. At least one parameter must be specified.
Field | Description |
---|---|
name
string
|
(Optional)
Name is the name of the subnet to filter by. |
description
string
|
(Optional)
Description is the description of the subnet to filter by. |
projectID
string
|
(Optional)
ProjectID is the project ID of the subnet to filter by. |
ipVersion
int
|
(Optional)
IPVersion is the IP version of the subnet to filter by. |
gatewayIP
string
|
(Optional)
GatewayIP is the gateway IP of the subnet to filter by. |
cidr
string
|
(Optional)
CIDR is the CIDR of the subnet to filter by. |
ipv6AddressMode
string
|
(Optional)
IPv6AddressMode is the IPv6 address mode of the subnet to filter by. |
ipv6RAMode
string
|
(Optional)
IPv6RAMode is the IPv6 RA mode of the subnet to filter by. |
FilterByNeutronTags
FilterByNeutronTags
|
(Members of FilterByNeutronTags are embedded into this type.) FilterByNeutronTags specifies tags to filter by. |
SubnetParam
(Appears on: OpenStackPlatformSpec)
SubnetParam specifies an OpenStack subnet to use. It may be specified by either ID or filter, but not both.
Field | Description |
---|---|
id
string
|
(Optional)
ID is the uuid of the subnet. It will not be validated. |
filter
SubnetFilter
|
(Optional)
Filter specifies a filter to select the subnet. It must match exactly one subnet. |
SubnetSpec
(Appears on: OpenStackPlatformSpec)
Field | Description |
---|---|
dnsNameservers
[]string
|
(Optional)
DNSNameservers holds a list of DNS server addresses that will be provided when creating the subnet. These addresses need to have the same IP version as CIDR. |
allocationPools
[]AllocationPool
|
(Optional)
AllocationPools is an array of AllocationPool objects that will be applied to OpenStack Subnet being created. If set, OpenStack will only allocate these IPs for Machines. It will still be possible to create ports from outside of these ranges manually. |
Taint
(Appears on: NodePoolSpec)
taint is as v1 Core but without TimeAdded. https://github.com/kubernetes/kubernetes/blob/ed8cad1e80d096257921908a52ac69cf1f41a098/staging/src/k8s.io/api/core/v1/types.go#L3037-L3053 Validation replicates the same validation as the upstream https://github.com/kubernetes/kubernetes/blob/9a2a7537f035969a68e432b4cc276dbce8ce1735/pkg/util/taints/taints.go#L273. See also https://kubernetes.io/docs/concepts/overview/working-with-objects/names/.
Field | Description |
---|---|
key
string
|
key is the taint key to be applied to a node. |
value
string
|
(Optional)
value is the taint value corresponding to the taint key. |
effect
Kubernetes core/v1.TaintEffect
|
effect is the effect of the taint on pods that do not tolerate the taint. Valid effects are NoSchedule, PreferNoSchedule and NoExecute. |
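The Taint description above points at upstream validation without restating the rules. The following is an added example, not HyperShift's or Kubernetes' own code; it re-implements those upstream checks as I understand them (qualified-name key with optional DNS-subdomain prefix, label-value syntax for value, the three effects) with the standard library only, so a NodePool author can check a taint before it reaches the API server.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

const (
	qualifiedNameMaxLength = 63
	dnsSubdomainMaxLength  = 253
	labelValueMaxLength    = 63
)

// Character classes mirror k8s.io/apimachinery/pkg/util/validation (assumed here).
var (
	qualifiedNameRe = regexp.MustCompile(`^([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]$`)
	dnsSubdomainRe  = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)
	labelValueRe    = regexp.MustCompile(`^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$`)
	validEffects    = map[string]bool{"NoSchedule": true, "PreferNoSchedule": true, "NoExecute": true}
)

// Taint mirrors the three fields of the HyperShift Taint type (no TimeAdded).
type Taint struct {
	Key    string
	Value  string
	Effect string
}

// validateKey applies the qualified-name rule: an optional DNS-subdomain prefix,
// a single '/', and a 1-63 character name part.
func validateKey(key string) error {
	parts := strings.Split(key, "/")
	var prefix, name string
	switch len(parts) {
	case 1:
		name = parts[0]
	case 2:
		prefix, name = parts[0], parts[1]
		if prefix == "" {
			return fmt.Errorf("key %q: prefix part must be non-empty", key)
		}
		if len(prefix) > dnsSubdomainMaxLength || !dnsSubdomainRe.MatchString(prefix) {
			return fmt.Errorf("key %q: prefix part must be a DNS subdomain", key)
		}
	default:
		return fmt.Errorf("key %q: at most one '/' is allowed", key)
	}
	if name == "" || len(name) > qualifiedNameMaxLength || !qualifiedNameRe.MatchString(name) {
		return fmt.Errorf("key %q: name part must be 1-63 characters of [A-Za-z0-9-_.], starting and ending alphanumeric", key)
	}
	return nil
}

// ValidateTaint returns nil when key, value and effect all satisfy the upstream rules.
func ValidateTaint(t Taint) error {
	if err := validateKey(t.Key); err != nil {
		return err
	}
	if len(t.Value) > labelValueMaxLength || !labelValueRe.MatchString(t.Value) {
		return fmt.Errorf("value %q: must be empty or 1-63 characters of [A-Za-z0-9-_.], starting and ending alphanumeric", t.Value)
	}
	if !validEffects[t.Effect] {
		return fmt.Errorf("effect %q: must be one of NoSchedule, PreferNoSchedule, NoExecute", t.Effect)
	}
	return nil
}

func main() {
	// Constructed taints: two well-formed, three that upstream validation rejects.
	for _, tn := range []Taint{
		{Key: "node-role.kubernetes.io/infra", Effect: "NoSchedule"},
		{Key: "dedicated", Value: "gpu", Effect: "NoExecute"},
		{Key: "a/b/c", Effect: "NoSchedule"},
		{Key: "dedicated", Value: "-gpu", Effect: "NoExecute"},
		{Key: "dedicated", Value: "gpu", Effect: "Taint"},
	} {
		if err := ValidateTaint(tn); err != nil {
			fmt.Printf("%+v -> rejected: %v\n", tn, err)
			continue
		}
		fmt.Printf("%+v -> ok\n", tn)
	}
}
```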
UnmanagedEtcdSpec
(Appears on: EtcdSpec)
UnmanagedEtcdSpec specifies configuration which enables the control plane to integrate with an externally managed etcd cluster.
Field | Description |
---|---|
endpoint
string
|
endpoint is the full etcd cluster client endpoint URL. For example:
If the URL uses an HTTPS scheme, the TLS field is required. |
tls
EtcdTLSConfig
|
tls specifies TLS configuration for HTTPS etcd client endpoints. |
UpgradeStrategy
(Appears on: ReplaceUpgrade)
UpgradeStrategy is a specific strategy for upgrading nodes in a NodePool.
Value | Description |
---|---|
"OnDelete" |
UpgradeStrategyOnDelete replaces old nodes when the deletion of the associated node instances is completed. |
"RollingUpdate" |
UpgradeStrategyRollingUpdate means use a rolling update for nodes. |
UpgradeType
(Appears on: NodePoolManagement)
UpgradeType is a type of high-level upgrade behavior for nodes in a NodePool.
Value | Description |
---|---|
"InPlace" |
UpgradeTypeInPlace is a strategy which replaces nodes in-place with no additional node capacity requirements. |
"Replace" |
UpgradeTypeReplace is a strategy which replaces nodes using surge node capacity. |
UserManagedDiagnostics
(Appears on: Diagnostics)
UserManagedDiagnostics specifies the diagnostics settings for a virtual machine when the storage account is managed by the user.
Field | Description |
---|---|
storageAccountURI
string
|
storageAccountURI is the URI of the user-managed storage account.
The URI typically will be |
Volume
(Appears on: AWSNodePoolPlatform)
Volume specifies the configuration options for node instance storage devices.
Field | Description |
---|---|
size
int64
|
Size specifies size (in Gi) of the storage device. Must be greater than the image snapshot size or 8 (whichever is greater). |
type
string
|
Type is the type of the volume. |
iops
int64
|
(Optional)
IOPS is the number of IOPS requested for the disk. This is only valid for type io1. |
encrypted
bool
|
(Optional)
Encrypted is whether the volume should be encrypted or not. |
encryptionKey
string
|
(Optional)
EncryptionKey is the KMS key to use to encrypt the volume. Can be either a KMS key ID or ARN. If Encrypted is set and this is omitted, the default AWS key will be used. The key must already exist and be accessible by the controller. |