# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# [START anthosconfig_crd]
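# CustomResourceDefinition for the cluster-scoped ConfigManagement resource
# (generated by controller-gen, see the version annotation below). Structural
# indentation restored: 2 spaces, indented sequences, and description
# continuation lines indented two columns past their key.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.5.0
  creationTimestamp: null
  name: configmanagements.configmanagement.gke.io
spec:
  group: configmanagement.gke.io
  names:
    kind: ConfigManagement
    listKind: ConfigManagementList
    plural: configmanagements
    singular: configmanagement
  scope: Cluster
  versions:
    - name: v1
      schema:
        openAPIV3Schema:
          description: ConfigManagement is the Schema for the ConfigManagement API.
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation
                of an object. Servers should convert recognized schemas to the latest
                internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this
                object represents. Servers may infer this from the endpoint the client
                submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              properties:
                name:
                  # NOTE(review): this pattern is unanchored, so any name that merely
                  # contains "config-management" also validates; ^config-management$
                  # would pin the singleton name. Confirm against the operator before
                  # diverging from the generated output.
                  pattern: config-management
                  type: string
              type: object
            spec:
              description: ConfigManagementSpec defines the desired state of ConfigManagement.
              properties:
                ConfigSyncDisableFSWatcher:
                  description: ConfigSyncDisableFSWatcher provides the ability to disable
                    the fs-watcher process. This field is intentionally left hidden/undocumented
                    since it is only meant to be used by customers who have very large
                    repositories. Optional.
                  type: boolean
                ConfigSyncLogLevel:
                  description: ConfigSyncLogLevel overrides the logging verbosity for
                    all ConfigSync pods. This field is intentionally left hidden/undocumented
                    since it is really only used to gather extra logs for support cases.
                  type: integer
                binauthz:
                  description: 'Deprecated: Does nothing. binauthz can no longer be
                    enabled/disabled with the ConfigManagement resource; the software
                    is available as a standalone: https://cloud.google.com/binary-authorization'
                  properties:
                    enabled:
                      description: 'Enable or disable BinAuthz. Default: false.'
                      type: boolean
                    policyRef:
                      description: PolicyRef is a reference to the BinAuthz policy which
                        will be evaluated. Required if BinAuthz is enabled.
                      properties:
                        gkeCluster:
                          description: BinAuthz policy associated with this GKE-on-GCP
                            cluster.
                          properties:
                            location:
                              description: Location of this cluster
                              type: string
                            name:
                              description: The name of this cluster according to GKE.
                                This is not necessarily the same as the hub membership
                                name.
                              type: string
                            project:
                              description: The name of the GCP project containing this
                                cluster
                              type: string
                          type: object
                      type: object
                  type: object
                channel:
                  description: 'Channel specifies a channel that can be used to resolve
                    a specific addon, eg: stable It will be ignored if Version is specified'
                  type: string
                clusterName:
                  description: ClusterName, if defined, sets the name for this cluster. If
                    unset, the cluster is considered to be unnamed, and cannot use ClusterSelectors.
                  type: string
                configConnector:
                  description: 'Deprecated: Does nothing. ConfigConnector can no longer
                    be enabled/disabled with the ConfigManagement resource; the software
                    is available as a standalone: https://cloud.google.com/config-connector'
                  properties:
                    enabled:
                      description: 'Enable or disable the Config Connector. Default:
                        false.'
                      type: boolean
                  type: object
                enableLegacyFields:
                  description: EnableLegacyFields instructs the operator to use spec.git
                    for generating a RootSync resource in MultiRepo mode. Note that
                    this should only be set to true if spec.enableMultiRepo is set to
                    true.
                  type: boolean
                enableMultiRepo:
                  description: EnableMultiRepo instructs the operator to enable Multi
                    Repo mode for Config Sync.
                  type: boolean
                git:
                  description: Git contains configuration specific to importing policies
                    from a Git repo.
                  properties:
                    gcpServiceAccountEmail:
                      description: 'GCPServiceAccountEmail specifies the GCP service
                        account used to annotate the Config Sync Kubernetes Service
                        Account. Note: The field is used when secretType: gcpServiceAccount.'
                      type: string
                    policyDir:
                      description: 'PolicyDir is the absolute path of the directory
                        that contains the local policy. Default: the root directory
                        of the repo.'
                      type: string
                    proxy:
                      description: Proxy is a struct that contains options for configuring
                        access to the Git repo via a proxy. Only has an effect when
                        secretType is one of ("cookiefile", "none"). Optional.
                      properties:
                        httpProxy:
                          description: HTTPProxy defines a HTTP_PROXY env variable used
                            to access the Git repo. If both HTTPProxy and HTTPSProxy
                            are specified, HTTPProxy will be ignored. Optional.
                          type: string
                        httpsProxy:
                          description: HTTPSProxy defines a HTTPS_PROXY env variable
                            used to access the Git repo. If both HTTPProxy and HTTPSProxy
                            are specified, HTTPProxy will be ignored. Optional.
                          type: string
                      type: object
                    secretType:
                      description: SecretType is the type of secret configured for access
                        to the Git repo. Must be one of ssh, cookiefile, gcenode, token,
                        gcpserviceaccount or none. Required. The validation of this
                        is case-sensitive.
                      pattern: ^(ssh|cookiefile|gcenode|gcpserviceaccount|token|none)$
                      type: string
                    syncBranch:
                      description: 'SyncBranch is the branch to sync from. Default:
                        "master".'
                      type: string
                    syncRepo:
                      # NOTE(review): the pattern only checks the URL prefix and admits
                      # plaintext http:// and git:// transports alongside https and ssh;
                      # policy fetched over those is neither encrypted nor server-authenticated,
                      # so restricting the allowed schemes at the policy layer is worth considering.
                      pattern: ^(((https?|git|ssh):\/\/)|git@)
                      type: string
                    syncRev:
                      description: 'SyncRev is the git revision (tag or hash) to check
                        out. Default: HEAD.'
                      type: string
                    syncWait:
                      description: 'SyncWaitSeconds is the time duration in seconds
                        between consecutive syncs. Default: 15 seconds. Note that SyncWaitSecs
                        is not a time.Duration on purpose. This provides a reminder
                        to developers that customers specify this value using using
                        integers like "3" in their ConfigManagement YAML. However, time.Duration
                        is at a nanosecond granularity, and it''s easy to introduce
                        a bug where it looks like the code is dealing with seconds but
                        its actually nanoseconds (or vice versa).'
                      type: integer
                  type: object
                hierarchyController:
                  description: Hierarchy Controller enables HierarchyController components
                    as recognized by the "hierarchycontroller.configmanagement.gke.io"
                    label set to "true".
                  properties:
                    enableHierarchicalResourceQuota:
                      description: 'HierarchicalResourceQuota enforces resource quota
                        in a hierarchical fashion: a resource quota set for one namespace
                        provides constraints that limit aggregate resource consumption
                        for that namespace and all its descendants. Disabling this will
                        not delete user created hrq CRs, but will delete all the intermediate
                        resources created by HRQ (specifically the resource quota singletons),
                        which are labeled with hierarchycontroller.configmanagement.gke.io/hrq
                        for easier cleanup.'
                      type: boolean
                    enablePodTreeLabels:
                      description: PodTreeLabels copies the tree labels from namespaces
                        to pods, allowing any system that uses pod logs (such as Stackdriver
                        logging) to inspect the hierarchy.
                      type: boolean
                    enabled:
                      description: 'Enable or disable the Hierarchy Controller. Default:
                        false.'
                      type: boolean
                  type: object
                importer:
                  description: Importer allows one to override the existing resource
                    requirements for the importer pod
                  properties:
                    limits:
                      # Kubernetes resource-quantity shape: integer or a string matching
                      # the quantity pattern, marked int-or-string for the API server.
                      additionalProperties:
                        anyOf:
                          - type: integer
                          - type: string
                        pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                        x-kubernetes-int-or-string: true
                      description: 'Limits describes the maximum amount of compute resources
                        allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                      type: object
                    requests:
                      additionalProperties:
                        anyOf:
                          - type: integer
                          - type: string
                        pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                        x-kubernetes-int-or-string: true
                      description: 'Requests describes the minimum amount of compute
                        resources required. If Requests is omitted for a container,
                        it defaults to Limits if that is explicitly specified, otherwise
                        to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                      type: object
                  type: object
                metricsGCPServiceAccountEmail:
                  description: MetricsGCPServiceAccountEmail specifies a Google Service
                    Account (GSA) Email with the Monitoring Metric Writer (roles/monitoring.metricWriter)
                    IAM role. This GSA Email is used to annotate the `default` Kubernetes
                    ServiceAccount under the `config-management-monitoring` namespace,
                    which allows Config Sync to export metrics to Cloud Monitoring.
                  type: string
                patches:
                  # NOTE(review): x-kubernetes-preserve-unknown-fields disables schema
                  # pruning here, so the API server does not validate patch contents;
                  # any validation of this field has to live in the operator.
                  items:
                    type: object
                  type: array
                  x-kubernetes-preserve-unknown-fields: true
                policyController:
                  description: Policy Controller enables PolicyController components
                    as recognized by the "gatekeeper.sh/manifest" label set to "true".
                  properties:
                    auditIntervalSeconds:
                      description: AuditIntervalSeconds. The number of seconds between
                        audit runs. Defaults to 60 seconds. To disable audit, set this
                        to 0.
                      format: int64
                      type: integer
                    enabled:
                      description: 'Enable or disable the Policy Controller. Default:
                        false.'
                      type: boolean
                    exemptableNamespaces:
                      # NOTE(review): namespaces listed here may opt out of admission
                      # enforcement via the ignore label (see description); treat this
                      # list as a policy-bypass surface when reviewing the resource.
                      description: ExemptableNamespaces. The namespaces in this list
                        are able to have the admission.gatekeeper.sh/ignore label set.
                        When the label is set, Policy Controller will not be called
                        for that namespace or any resources contained in it. `gatekeeper-system`
                        is always exempted.
                      items:
                        type: string
                      type: array
                    logDeniesEnabled:
                      description: 'LogDeniesEnabled. If true, Policy Controller will
                        log all denies and dryrun failures. No effect unless policyController
                        is enabled. Default: false.'
                      type: boolean
                    monitoring:
                      description: Monitoring specifies the configuration of monitoring.
                      properties:
                        backends:
                          items:
                            type: string
                          type: array
                      type: object
                    mutation:
                      description: Mutation specifies the configuration of mutation.
                        This is a preview feature and may change before becoming generally
                        available.
                      properties:
                        enabled:
                          description: 'Enable or disable mutation in policy controller.
                            If true, mutation CRDs, webhook and controller will be deployed
                            to the cluster. Default: false.'
                          type: boolean
                      type: object
                    referentialRulesEnabled:
                      description: 'ReferentialRulesEnabled. If true, Policy Controller
                        will allow `data.inventory` references in the contents of ConstraintTemplate
                        Rego. No effect unless policyController is enabled. Default:
                        false.'
                      type: boolean
                    templateLibraryInstalled:
                      description: 'TemplateLibraryInstalled. If true, a set of default
                        ConstraintTemplates will be deployed to the cluster. ConstraintTemplates
                        will not be deployed if this is explicitly set to false or if
                        policyController is not enabled. Default: true.'
                      type: boolean
                  type: object
                preventDrift:
                  # Per the description, the admission webhook is off by default:
                  # drift is corrected on sync, not blocked at admission, unless this is true.
                  description: 'preventDrift, if set to `true`, enables the Config Sync
                    admission webhook to prevent drifts. If set to `false`, disables
                    the Config Sync admission webhook and does not prevent drifts. Default:
                    false. Config Sync always corrects drifts no matter the value of
                    preventDrift.'
                  type: boolean
                sourceFormat:
                  description: "SourceFormat specifies how the repository is formatted.
                    See documentation for specifics of what these options do. \n Must
                    be one of hierarchy, unstructured. Optional. Set to hierarchy if
                    not specified. \n The validation of this is case-sensitive."
                  # The trailing empty alternative accepts an explicit empty string in
                  # addition to the two named formats.
                  pattern: ^(hierarchy|unstructured|)$
                  type: string
                syncer:
                  description: Syncer allows one to override the existing resource requirements
                    for the syncer pod
                  properties:
                    limits:
                      additionalProperties:
                        anyOf:
                          - type: integer
                          - type: string
                        pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                        x-kubernetes-int-or-string: true
                      description: 'Limits describes the maximum amount of compute resources
                        allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                      type: object
                    requests:
                      additionalProperties:
                        anyOf:
                          - type: integer
                          - type: string
                        pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                        x-kubernetes-int-or-string: true
                      description: 'Requests describes the minimum amount of compute
                        resources required. If Requests is omitted for a container,
                        it defaults to Limits if that is explicitly specified, otherwise
                        to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                      type: object
                  type: object
                version:
                  description: Version specifies the exact addon version to be deployed,
                    eg 1.2.3 It should not be specified if Channel is specified
                  type: string
              type: object
            status:
              description: ConfigManagementStatus defines the observed state of ConfigManagement.
              properties:
                configManagementVersion:
                  description: ConfigManagementVersion is the semantic version number
                    of the config management system enforced by the currently running
                    config management operator.
                  type: string
                errors:
                  items:
                    type: string
                  type: array
                healthy:
                  type: boolean
                phase:
                  type: string
              required:
                - healthy
              type: object
          required:
            - metadata
            - spec
          type: object
      served: true
      storage: true
# CRD status is written as empty placeholders in the manifest; the API server
# fills it in once the definition is accepted.
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []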
# [END anthosconfig_crd]